It has been while story about SMB version 2 vulnerability since this post. Finally public exploit to take over control windows vista SP1 and SP2 are out! You can catch the exploit at exploit-db.

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------

Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)

Kudos for:
Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.
Special kudos for prdelka for testing this shit and all the hosters.

Sample usage
------------

> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>

When all is done it should spawn a port TARGET_IP:28876

RELEASE UPDATE 08/2010:
----------------------
This exploit was created almost a year ago and wasnt modified from that time
whatsoever. The vulnerability itself is patched for a long time already so
i have decided to release this little exploit. You use it for your own
responsibility and im not responsible for any potential damage this thing
can cause. Finally i don't care whether it worked for you or not.

P.S the technique itself is described here:
http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html

===========================================================================
Download:
http://www.exploit-db.com/sploits/smb2_exploit_release.zip

For your information, two days later at 19th August 2010, Kingcope released root exploit for FreeBSD 8.x and 7.x by poisoning mbufs() function. You may download Kingcope’s exploit here. Now happy exploiting while waiting “SAHUR” guys!

Just like what we promised before, this time we want to release grid toolkit which usable to perform pentest against grid computing infrastructure. It’s almost two years after we release paper related to grid computing [in]security at 2008. The paper contains of:

• Introduction to grid computing
• Grid computing scanning and enumeration
• Exploiting network and transport layer related to grid security
• Exploiting DNS to stop grid infrastructure trusteeship
• Exploiting web based - grid computing portal
• Cracking certificate authority pass phrase
• Exploiting headnode trusteeship using XML file

Some points mentioned can be exploited using existing network security tool while others are already supported by Grid Toolkit. Grid Toolkit uses python with some additional module which must be installed. The additional python module are:

• Module goto to support grid toolkit core program
• Module ClientForm to support grid portal guessing
• Module Paramiko to support certificate authority cracking

Grid toolkit supports to:

• Scanning and enumeration grid infrastructure
• Guessing login gridsphere - web based grid portal
• Cracking pass phrase of certificate authority private key file
• Exploiting headnode trusteeship using XML file

More reference about how to install and use this tool will be available soon, so just keep in touch with IPSECS. Finally you can download grid toolkit on gridtoolkit.sourceforge.net or reading python source code on core.ipsecs.com!

GSM A5 Cracking topic is started to be public material since The Hacker Choice disclosed their research. Many open source materials related to GSM are released to the public on Osmocomm. Now, tool called Kraken is freely distributed on internet to crack GSM A5.

I am pleased to announce the first release of a A5/1 cracker capable
using the full Berlin set of rainbow tables for lookups. I have named
this beast Kraken, after a Norse mythological creature capable of eating
many things for breakfast. Kraken feeds of an exclusive diet of A5/1
encrypted data.

Currently only a bare bone functionality is present, but the UI will be
improved, with the specific goal of providing an easy to use tool for
cracking GSM intercepts. But setting up this Leviathan can a bit
cumbersome, so I will give a short howto here:

Prerequisites:

* Linux machine, multicore min 3GB RAM
* 1.7 - 2TB of HD partitions without filsystem ( ex Samsung spinpoint F3s,
  with 4k aligned start of partition )
* The Berlin A5/1 Rainbow table set
* GPU support will be added for ATI Radeon HD

Setup:

Find out how many tables you want on each partition, (usually roughly
equal on each) and make the initial configuration file. An example
configuration folder can be found in tinkering/A5Util/indexes. This
folder should contain a tables.conf file. The example files shows a
setup of 4 disk having 10 tables each. The index files for the various
tables will be added to the index folder as they are written to disk.
The first section of the config file needs to be set up with the list of
available partitions, and the number of tables that each partition
should hold. A single table needs 42GB of space. (Do NOT change the
order of this section)

For safety reasons it is best not to build the tables running as root.
The you will then have to make your table partitions user accessible.
Add a file such as 10-disk.rules in /etc/udev/rules.d with one line for
each partition:

KERNEL=="sda1", OWNER="frank"

Then manually change the ownership of the device nodes with chown. Take
care when doing this, as you do not want to nuke any of your system
partitions.

Add tables to your disk array:

First build and make a symlink from your index folder to the
TableConvert tool. It is assumed that the Berlin tables are available in
either SSD or index free delta format. The python script Behemoth.py
will recursively search for tables, and add them to the disk array and
configuration file as needed. (Duplicates will not be added) - This
operation(s) will take some hours to complete, but when done you should
end up with a tables.conf file listing ~40 tables, their advance
parameter (id), which device they reside on, and a block offset into the
device.

Build and fire up Kraken:

./kraken path_to_index_folder

Currently it will only load up all tables, and crack TDMA burst 998 for
the challenge data. This takes 1.5 minutes on a 4 core Phenom II using
only CPU power, and the output should look like:

Cracking
0011011100110000000010000011000110001001101101100110110100111100011010
10100100101111111010111100000110101001101011
Found de6bb5e60617f95c @ 12
Found 6fb7905579e28bfc @ 23

A more interactive UI with appropriate data formats (representations)
will be added for easy interfacing with airprobe. Optional GPU support
will also be added for faster cracking time.

cheers,
Frank

Source : http://lists.lists.reflextor.com/pipermail/a51/2010-July/000683.html

Well the article form http://computerworld.com is really nice to read!

Read more »

It’s easy to intercept data communication inside linux/unix environment since there are so many tools to help us. We have tcpdump, wireshark, ettercap, dsniff, and still many others. But, can you imagine how to sniff data flows trough router? If our router are Juniper family, then we are lucky enough because Juniper has internal command which works like tcpdump on unix/linux system. For example, we can use this following command to sniff traffic on Juniper interface ge-0/0/0.0

monitor traffic interface ge-1/0/0.0 detail no-resolve
monitor traffic interface ge-1/0/0.0 detail no-resolve print-ascii print-hex

These two commands will work in Juniper like tcpdump in linux/unix below:

tcpdump -nev -i ge-1/0/0.0
tcpdump -nev -X -i ge-1/0/0.0

But remember, ge-1/0/0.0 interface is not known in linux/unix so that’s why you have to change this with Network Interface Card (NIC) in linux/unix. Then, how if our router is not Juniper family? Here, i’ll write my experience in sniffing inside Cisco router which’s known as the most popular router over the world.

Read more »

Can you imagine our indonesian internet core routing to be shutted down? None can browse their email, open facebook, or just search through google. Can you imagine indonesian internet banking stopped working for a while? Automatic Teller Machine (ATM) won’t work to response your request? That’s all just the lowest risk when core routing to be compromised.

Can you imagine when your confidential data to be sniffed without none notice it? Can you imagine when your username and password to be stealed? Oh that’s not big deal huh? But try to imagine your banking transaction to be intercepted and modified, yeah that’s the real fear on digital world. Hell yeah, this paper explains you how that problems are possible. This paper try to tell you how weak our indonesian core routing infrastructure, check it out!

Yupe, that’s true when sock_sendpage() is discovered to be vulnerable by Tavis Ormandy and Julien Tinnes. The function is vulnerable to NULL pointer dereference that can be exploited to escalate priviledge to be root. Most of linux kernel are reported to be vulnerable. Exploit to take advantage of this flaw has been developed and spreaded freely on internet. The exploit can be used to bypass security restriction like SElinux.

http://milw0rm.com/exploits/9435 - the first written exploit by spender of gresecurity
http://milw0rm.com/exploits/9436 - another exploit taken from www.frasunek.com
http://milw0rm.com/exploits/9479 - another exploit from p0c73n1
http://milw0rm.com/exploits/9545 - another exploit written by Ramon de Carvalho Valle of risesecurity

Download the exploit, compile and execute! BOOMMM It’s root! Finally, this post is a little bit late :D.

It just fun to try exploiting pulseaudio to gain root priviledge, well my Ubuntu Intrepid is indeed exploitable.

Searching more about linux, i find an exploit to attack RHEL family with SELinux enabled here. So, is that true linux more secure than windows?? The fact which makes linux more secure is the people behind the machine. So many linux administrators is much more skilled than windows ones.

Password cracking which uses some computers to accelerate password cracking process. It usually uses computer clusters and some software to support parallel computing. Some known software to do parallel computing in cluster computers are:

• John The Ripper and Condor, John works as password cracker while Condor works as scheduler which parallelizes cracking proccess and distributes it to clusters.
• John The Ripper and Djohn, John works as password cracker while Djohn works as client-servers application which parallelizes cracking proccess and distributes it to clusters.
• Medussa, password cracker which’s originally designed to do parallel password cracking. It contains client servers application to parallelize cracking proccess and distribute it to clusters.
• John The Ripper with MPI patch, john which’s developed using MPI programming. MPI is standard de facto for parallel programming which’s implemented on some softwares i.e : OpenMPI, MPICH, and LAM/MPI.

Our presentation describes how to do parallel cracking using John The Ripper with MPI patch. We use 15 dual core computers and LAM/MPI in distributing cracking proccess. Download our presentation here.

The complete title is “global trend attack in local network“, this is my presentation in Telkom RDC Bandung at last 2007. It’s old but still nice enough to know what threats may disturb your network. Download my presentation here.

This presentation explains top 6 flaws which’s commonly exploited in Local Network. They are:

• Spoofing; ARP Spoofing, IP Spoofing, DHCP Spoofing, DNS Spoofing are commonly exploited.
• Man In The Middle; Using some spoofing techniques to do Man In The Middle attack.
• Sniffing; Combining Man in The Middle with some tricks to passively intercept communication in Local Network.
• TCP/IP Hijacking; Doing active sniffing and modificating data traffic to take over active TCP/IP connection.
• Remote Code Execution; Using some software application flaws to exploit local network infrastructure. Buffer Overflow and Format String are the most common flaws to be exploited in Local Network.
• Denial of Service; Most powerful denial of service (DoS) comes from Local Network.

This presentation is completed with ways to defend this attacks and minimize security risks.

Introduction

Grid computing is kind of new technology which has been known since 1990s. It idea was brought together by Ian Foster, Carl Kesselman, and Steve Tuecke, widely regardes as “Father of Grid”. Grid computing is defined as group of node computation which works together in distributed computing. You can find some grid project in wikipedia article here.

Each node in grid has computer cluster to perform high performance computing through parallel computation. A computer cluster consists of a headnode (master) and some computational nodes (slaves). Headnode is responsible in communicating with the other headnode in grid, managing computation resource, and scheduling computation jobs to slave. We don’t want to explain detail how computer cluster works. In this article, our interest is in grid computing and why it’s vulnerable to some hacking exploitation.

How Grid Works

Grid computing is really complex inside its technology, so the chance of being exploited is really big. Grid computing needs a good network connectivity, many TCP/IP services, encryption, parallel programming, and web service. A headnode of cluster trusts the other because valid Certificate Authority (CA) is installed on both of headnode. CA which installed on headnode is called as Host CA. TCP/IP services is needed in headnode to send or receive data or execute jobs between two or more headnodes. There is two services in headnode which need to communicate a headnode to other, 1st is GridFTP service which is responsible in data transfer between two or more headnodes and 2nd is Web Service Container which is responsible in receiving jobs from user. Both services can be activated by installing Globus Toolkit which is de facto standard open source software for grid.

Read more »

Introduction

802.1x is an IEEE standard for port-based (well, we would rather say interface-based) enduser authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users’ authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

• Supplicant An end-user station, often a laptop, that runs 802.1x client software.
• Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
• Authentication server A RADIUS server to which authenticators forward end users’ authentication requests for verification and authentication decision.

EAP-LEAP Basics

The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans—for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion.

Read more »

Description

VLAN Hopping is an exploitation method used to attack a network with multiple VLANs. It is an attack that involves an attacking system to deploy packets. These packets have a destination of a system on a separate VLAN which would, in normal circumstances, not be accessible by the attacker. VLAN Hopping attacks are primarily conducted within the Dynamic Trunking Protocol (DTP). Often, VLAN Hopping attacks are directed at the trunking encapsulation protocol (802.1q or ISL).

Malicious traffic used for VLAN Hopping is tagged with a VLAN ID destined outside the VLAN on which the system conducting the attacks belongs to. An attacker can also attempt to behave and look like a switch, which will negotiate trunking, allowing the attacker to not only send, but receive traffic across more than one VLAN.

There are two common methods of VLAN Hopping; Switch Spoofing and Double Tagging.

Read more »

Common Vulnerabilities and Exposures
http://cve.mitre.org/cgi-bi/cvename.cgi?name=CVE-2009-0065

“Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. “

Ubuntu Security Notice USN-751-1
http://www.ubuntu.com/usn/usn-751-1

“The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)”

RedHat Security Advisory
http://rhn.redhat.com/errata/RHSA-2009-0331.html

“a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) ”

Read more »