KoreLogic Blog
WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes 2021-08-21 20:24

WMkick is a tool we recently released to MITM and capture NetNTLMv2 hashes for some protocols not (yet?) supported by other tools like Responder, such as WMI access to MS-RPC (135/tcp) and PowerShell Remoting/WSMan/WinRM (5985/tcp).

We have observed various enterprise software products that continue to rely on Microsoft's Windows Management Instrumentation (WMI) for remote authentication, which attackers can leverage, even passively, to steal hashes that can be converted to credentials. There are WMI client programs that initiate the NTLMSSP authentication flow over the WMI access port (tcp/135), and that flow can be redirected in order to gather all the pieces needed to obtain a valid NetNTLMv2 hash. A valid NetNTLMv2 hash can be cracked into plaintext credentials, which can then be used to gain further access into the network. The accounts used by these applications are often privileged, as WMI remote authentication is often used to perform administrative tasks such as running remote commands, asset inventory management, and scanning.

WMkick is a TCP protocol redirector/MITM tool that targets the Windows NTLM authentication message flow. Anyone with access to an internal network can leverage WMkick to capture administrative hashes if WMI is being used to remotely administer within the network and mitigations have not been enforced, such as disabling NTLM authentication.

We think the security community should give MS-RPC more attention, and others are starting to do so. Eventually we hope to build/add enough of an MS-RPC implementation and impersonation into WMkick that redirecting is no longer needed.

Posted by Houston Hunt at 20:24

WePresent... vulnerabilities! 2021-01-05 20:21

This blog post describes an exploit chain to go from a completely unauthenticated attacker to a root shell on a WePresent WiPG-1600. The device was running firmware version, which was the latest version available at the time this research was performed. Several vulnerabilities were found, and CVEs and fixes for each have since been published.

CVE-2020-28329 - Default API credentials

The first vulnerability is the existence of default, hardcoded credentials that can be used to access an API service listening on port 4001/tcp. The password exists as clear text in /etc/lighthttp/admin and in a hashed form in etc/lighttpd/lighttpd.user. This information was obtained by downloading and unpacking the firmware from WePresent's site. The URL for the firmware is https://www.barco.com/en/support/wepresent-wipg-1600w/drivers. Binwalk, with recursive scanning of extracted files, does partially unpack the firmware. A simple, more elegant approach will be discussed later in this blog post.

Posted by Jim Becher at 20:21

Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools 2020-06-29 17:18

How can vulnerabilities in technologies used by our judicial system affect the outcome of cases brought to the courts?

The Universal Forensic Extraction Device (UFED) from Cellebrite is used by law enforcement agencies throughout the world. The popularity of their offerings has been well documented by journalists, which is what initially caught my attention. Today I will talk about the process I used to establish a debugging environment and locate issues in their UFED product, which I believe pose a significant concern. This concern demonstrates a need for additional scrutiny of any tool that is designed to acquire digital forensic evidence for use in any court of law. Along the way, we generated multiple advisories and CVEs, which the vendor has addressed, and a bonus "WONTFIX" in Android.

Posted by Matt Bergin at 17:18

FTimes, KLEL, and File Hooks 2019-11-08 10:00

This is another blog post in the FTimes series showcasing various aspects and controls that can be utilized within the FTimes framework. This blog post will focus on using file hooks, a feature that offers the ability to run external programs or scripts on matching files during dig, map, or mad stages.

Posted by Jay and Klayton at 10:00

Building FTimes With Lua 2019-09-05 15:40

This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Lua interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

For this exercise, we will be using Kali Linux as our build environment.

Posted by Jay at 15:40

FTimes 3.13.0 Released 2019-09-04 17:30

Version 3.13.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. The most significant changes in this release are the addition of new encoder/decoder/embedded routines, support for B-Tree file systems (BTRFS) under Linux, and the introduction of KLEL-based include/exclude filters. Note that both PCRE and KLEL (1.2.0 or higher) libraries are now required. For now, PCRE-based filters are still enabled by default, but the plan is to phase them out completely in a future release.

Posted by Klayton at 17:30

Unpatched Fringe Infrastructure Bits 2019-08-19 11:00

Typically during internal network penetration tests, pentesters come across many different types of devices. Much of the focus is likely on the Windows/UNIX-like systems and critical infrastructure devices (e.g., storage, DNS servers, routers, switches, etc.). There are, however, a number of other network-connected devices that oftentimes get passed over due to factors such as function, purpose, placement, or lack of sensitive data contained within.

A pentester may take a second look at a given device because telnet or FTP is enabled, but after a cursory glance at the HTTP listener and concluding that it is a UPS, they will likely skip over it in favor of the Linux system running Apache, MySQL, and SSH.

Welcome to the land of forgotten and misfit toys ... this is not exciting, cutting-edge, sexy stuff. These are devices organizations typically plug in, configure minimally (just enough to "do the job"), and forget about. In this post, I discuss a particular vulnerability of a TrippLite Power Distribution Unit (PDU).

Posted by Jim Becher at 11:00

Password Audits – Focus on the Admins 2019-05-09 17:00

Have you considered adding periodic password audits to your corporate security plan? Compared to the cost of a security breach or standard pentest, periodic password audits are relatively inexpensive (e.g., on the order of $7K/quarter for a single medium-sized domain), yet they shed light on an important aspect of security that management has little ability to control: the passwords that administrators and end users choose.

In this article, I discuss the impact of weekly audits on chosen admin passwords over a 4-year period.

Posted by Klayton at 17:00

Building FTimes With Python3 2019-04-25 11:10

This is the next part in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Python interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

For this exercise, we will be using Devuan Linux as our build environment.

Posted by Jay at 11:10

Building FTimes With Perl 2019-04-11 00:00

This is a first in a series of blog posts focusing on the open-source tool FTimes. This blog post will demonstrate building FTimes with XMagic and an embedded Perl interpreter. In so doing, FTimes will be able to perform more complex searches by utilizing file hooks.

For this exercise, we will be using Ubuntu Linux as our build environment.

Posted by Jay at 00:00

FTimes 3.12.0 Released 2019-03-15 17:00

Version 3.12.0 is a minor release of FTimes. Basically, the various changes, enhancements, additions, and bug fixes that have accumulated over the past few years reached critical mass. Some of the noteworthy changes include: a new option for depth-limited mapping/digging, additional encoding/decoding/transformer options/functionality, and support for a number of additional file systems (APFS, AUTOFS, JFFS2, OVERLAYFS, SMB2, UBIFS). Additionally, two new tools, ftimes-srm and ftimes-xpatool, have been added to the project. Finally, this is likely to be the last release in the 3.X branch. Going forward, the project will be setting up a new public-facing code repository (SF discontinued CVS support late in 2017), and all new effort will focus on the 4.X branch.

Posted by Klayton at 17:00

New LibPathWell Release, and an Updated Talk 2017-05-12 23:30

A couple of weeks ago we released a PathWell update, version 0.7.0, available here. I had the pleasure of giving a talk about it at RMISC yesterday that highlighted the new features; the slides are here. [PDF warning]

The primary user-visible change in this release is an administrator-configurable hinting engine, to provide different levels of feedback to users whose new password choice is rejected.

Posted by Hank at 23:30

Virtual Appliance Spelunking 2016-10-10 15:35

Hello again and welcome back. Today I want to talk about a Sunday I spent reversing the Cisco Firepower Management Console virtual appliance that resulted in multiple CVEs being issued. The tricks I will show have worked on four or five other virtual appliances from other vendors. Results from those are either pending disclosure or have already been reported by other researchers. Either way, this should be something you can easily recreate to find vulnerabilities.

Posted by Matt at 15:35

Nothing To See Here, Move Along 2016-08-08 13:45

Vendors often have interesting ways to facilitate support for their appliances. Today, I'll discuss a few ways we have seen it implemented: one that is vulnerable to exploitation and others that aren't so bad.

When we find vulnerabilities doing independent research, we work with the vendors through our disclosure program to attempt to get the issues fixed, and we are free to publish whether or not the vendor addresses the problems. Occasionally while on an engagement for a client, we come across one or more vulnerabilities in third-party platforms. When this happens, we work with our client to inform their vendor in an effort to get the vulnerabilities corrected, and coordinate disclosure.

Usually, vendors are responsive, and our client and other customers of that vendor get the fix. However, it does not always work that way.

Posted by Matt at 13:45

Cracking Grid – Essential Attributes 2016-05-25 11:30

Here at KoreLogic, we are constantly cracking passwords – it's just one of the things we do. While we haven't made a concerted effort to track it, I'd venture to say that cracking for us is pretty close to a 24/7/365 operation. Between paid cracking engagements and penetration tests, our resident cracking expert, Rick, almost always has something cooking on our Distributed Cracking Grid ("Grid"). This week, it happens to be LinkedIn hashes. This level of uptime is made possible by the WebJob framework, the foundation upon which our Grid was built (check out this paper for a brief overview of the technology). WebJob's queuing system allows us to maintain a number of concurrent work orders at any given time. Today, for instance, we have 22 active work orders consisting of 151,995 jobs (or attacks) spread out over 35 queues. At any time, a single attack can be in one of several states (e.g., waiting, working, complete), and resources (i.e., GPU and CPU cores) can be shifted from queue to queue as needs dictate. Additionally, attacks within any given queue can be prioritized. All of this allows us to keep work orders active for days, weeks, or even months at a time, and that's pretty darn cool.

As the Grid's chief architect and primary developer, it's my job to keep the Grid running and add new features/capabilities over time. In this article, I'd like to share with you our aspirations and reasons for creating a cracking grid that is secure, distributed, scalable, and extensible.

Posted by Klayton at 11:30

LinkedIn Revisited – Full 2012 Hash Dump Analysis 2016-05-19 15:00

As you may know, a "full" dump of email addresses and password hashes for the Linkedin.com attack that occurred in 2012 has become available. Here at KoreLogic, we got our hands on the list of emails and the separate list of passwords (but nothing linking the two together, which we don't want or need). We started to gather some statistics on them using our Password Recovery Service (PRS). The following analysis assumes the lists are real; due to the valid email addresses and confirming some of our own accounts' data from back then, we believe that the dump is real.

What we know so far:

Posted by Rick Redman / Minga / @CrackMeIfYouCan at 15:00

Update on Crack Me If You Can – DEFCON 2016 2016-03-28 12:12

The @CrackMeIfYouCan team at KoreLogic has had a lot of questions about this year's DEFCON Crack Me If You Can (CMIYC) contest ...

The short answer is, we are not doing a CMIYC this year at DEFCON. That does not mean that 2015 was our last year, it just means we aren't doing one in 2016. It's been a very busy year for us so far, and CMIYC is a huge commitment on our schedules. We just cannot make it happen this year.

On a more personal note, I dreamed up CMIYC in 2010 with multiple goals in mind:

Posted by Rick Redman / Minga / @CrackMeIfYouCan at 12:12

Hacking an Arris Cablemodem 2016-02-12 15:00

Welcome to part four in our four-part series on firmware and embedded devices. In our final part, we will discuss a remote root vulnerability in a popular cable modem. A while ago, we were shown the administrator portal for a particular cable modem vendor. Old school, right? Still, what an interesting attack vector, we thought. We realize ISPs need some degree of access in order to properly provision modems, but how much should you trust your ISP (and who they partner with) to make security decisions for you? Personally, we only believe in what can be measured and this meant our hands needed to get dirty... Don't worry root, we're coming for you!

Posted by Matt & Hank at 15:00

The importance of access to firmware files 2015-12-18 16:25

Welcome to the third part of our series! Today I hope to spark a conversation amongst the readers about an important topic in a world filled with IoT: access to device firmware. And not just (at best) encrypted opaque blobs provided for device updates, but usable images that can be deconstructed, evaluated, and reconstructed.

There are a few categories of devices for which firmware access would apply. These are consumer, enterprise, medical, and military. My coworkers and I have dealt with all of these to varying degrees. You might think military procurement would always include full firmware/source code access; I mean, they'll want to make sure the device is not designed in a way that is counter to their interests in the same way that I want to ensure the same thing when I (and most other people for that matter) also purchase a device. Mumble mumble...

What about consumer or enterprise grade devices? Most vendors have some support level (i.e. price point) at which they'll give an enterprise customer access to firmware. But for smaller organizations, or one-off purchases, they are often told what I am as a consumer a majority of the time: "no". In the last two parts of our series, I'll go into deeper thought on firmware access using current and upcoming examples from our vulnerability disclosure program.

Posted by Matt at 16:25

Unplugging An IoT Device From The Cloud 2015-12-11 17:45

Hello again and welcome back. This is part two in our four-part series on firmware and embedded devices. Today, I will be discussing home automation and the Internet of Things (IoT). More specifically, I'll be talking about Blossom. Blossom is a cloud-based smart lawn watering system that will 'automatically' water your lawn. Normally, our goal is to break into the target device so that I can inspect running processes and resident binaries to ensure they are not designed to work in ways that are counter to our interests. Today, I won't be doing that. Instead, I am going to observe the functionality of the device and how it interacts with the manufacturer's cloud-based API. Then, I'll force network traffic redirection from the device to a server I control. Finally, I will recreate a bare-minimum copy of the manufacturer's API, available internally, so that the device will no longer require internet access for somewhat normal operation.

What does this mean? I am going to write an application to water my lawn, when I want my lawn watered. Why? Because I like the functionality of smart-enabled devices, but I do not like adding potential network pivot points anywhere on my networks. My hope is that this part in our series serves as a soft introduction into the thought process I typically use when removing an unwanted third party from my networks or even attempting to attack the underlying software of a target device.

Posted by Matt at 17:45

Q: Can I have your password? A: Yes you can. 2015-12-04 16:45

Hello folks, welcome to the first of a four-part blog mini-series on firmware and embedded devices. My name is Matt Bergin and I'll be guiding you through the series. We plan to release each part of the series on the Friday of each week in December. The release of the final part in our series is dependent on our responsible disclosure timeline holding for a finding, but we're pretty confident.

We're going to start slowly and with something simple. Today's tale is about a little access point that tried and tried but just couldn't keep its mouth shut. If it has an IP it'll talk, and what it says you might not like. Though we tried to make it stop (see the timeline in the advisory), it didn't seem to matter to the manufacturer. So here we are: an 0day to help start your holiday season.

Onward and upward!

You can purchase the vulnerable device and download the corresponding firmware here: http://www.linksys.com/us/support-product?pid=01t80000003cVuwAAE

Posted by Matt at 16:45

LibPathWell 0.6.3 Released 2015-10-01 15:45

I am pleased to announce that a new release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement is now available for download here.

Version 0.6.3 is an update release of PathWell. Generally, code was cleaned up and refined as necessary. The API remains unchanged, but the library did get a revision bump -- the new version is 1:1:0. The primary goals of this release were to work out the build issues previously encountered for some flavors of Linux and to extend configure/build support to MinGW/MSYS build environments. And while the library along with the associated command line utilities compile cleanly and pass all their unit tests under Windows, setting up that build environment and getting the various dependencies (e.g., GMP, PCRE, SQLite, etc.) to compile involves a number of steps, a few hurdles, and a fair amount of determination, so be prepared if you decide to venture down that road. Perhaps that will be the topic of a future blog post. Who knows? ...

Anyway, this will likely be our last release for the 0.6.0 branch as our attention has shifted to the 0.7.0 release, which includes new features and tools. More on that to follow in the coming days, so stay tuned ...

Posted by Klayton at 15:45

MASTIFF Output Plug-ins 2015-09-25 17:00

MASTIFF is a living project whose continuous goal is to provide an automated means for static analysis of files. To meet this end, the project has multiple short and long term goals in place. Recently we silently released an update that hit one of the major goals we have been working towards since inception of the project: output plug-ins.

Posted by Tyler at 17:00

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 – #11 2015-08-21 11:20

So far I've discussed how puzzles #1-#4 and puzzles #5-#8 in the Yara CTF for Black Hat 2015 contest were solved. In this post, I'll go over the final three puzzles.

As noted before, the puzzles are still accessible at the CTF page, so there are spoilers if you plan to go through them.

Posted by Tyler at 11:20

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 – #8 2015-08-19 17:00

Previously, I posted how I solved puzzles #1-#4 of the Yara CTF for Black Hat 2015, sponsored by phishme.com. In this post, I'll go into how I solved puzzles #5-#8.

As noted before, the puzzles are still accessible at the CTF page, so there are spoilers if you plan to go through them.

Posted by Tyler at 17:00

How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 – #4 2015-08-17 08:00

During Black Hat, Ron Tokazowski of phishme.com put together a Yara Capture The Flag (CTF) contest for Black Hat 2015. This CTF consisted of 11 logic and Yara-based puzzles that participants had to solve for a chance to win a DJI Quadcopter. The best part is you could participate in the CTF if you weren't at Black Hat!

I participated in the CTF and won!!! I got through 10 out of 11 puzzles; the 11th and my lack of doing it is explained later. This post, as well as two more, describe how I went through each puzzle and solved them. The puzzles are still accessible at the CTF page, so be warned that spoilers are below!

Posted by Tyler at 08:00

LibPathWell 0.6.1 Released 2015-07-31 16:35

I am thrilled to announce the first public release of the Password Topology Histogram Wear-Leveling (PathWell) library and PAM module for dynamic password-strength enforcement. Version 0.6.1 is available for download here.

We have blogged and written and presented about PathWell several times, but now we've finally dropped the code.

The LibPathWell release is a PAM module and supporting library to implement password topology complexity enforcement. There is a static component called blacklisting that allows you to seed the PathWell database with the most popular password topologies, so instead of an attacker cracking 25%+ in their first few mask attacks, they get zero. And then there are dynamic components ensuring that enterprise users, as they change their passwords, are forced to choose new passwords that are substantially different from one another.

tl;dr: PathWell makes enterprise user passwords 5-6 orders of magnitude harder to guess!

Posted by Hank at 16:35

Hacking Team Documents Claim BIOS-based Persistence 2015-07-09 16:15

A search through the online mirror of the information stolen from Hacking Team shows indications that a BIOS-based infection capability was developed as part of the Remote Control System software. This may be the first time a commercial spyware product claims this type of capability.

Posted by Don at 16:15

Giles at Black Hat and in the ISSA Journal 2015-06-23 18:20

The Giles production rule system compiler (which we described here) has gotten some good press lately!

An article describing Giles and its use has been published in the June 2015 issue of The ISSA Journal, which can be seen by subscribers here. The ISSA Journal is the official journal of the Information Systems Security Association, and we're very proud to have an opportunity to discuss Giles on its pages. The article describes what Giles is, how to use it, and how to use the engines it creates. It also talks a little bit about how it works under the hood.

Also of note, I will be presenting a talk about Giles at this year's Black Hat USA in Las Vegas on August 1-6th. This talk will describe the reasons behind the creation of Giles, how it works, and how it can help you build efficient, simple event correlation engines and expert systems. Let us know if you're going to be at Black Hat this summer; we hope to see you there!

And remember, Giles is open source, so be sure to check it out (both in the look-at-it sense and in the grab-a-copy-of-its-code sense) at https://korelogic.com/tools.html.

Posted by Rob at 18:20

MASTIFF Online Updated to Add pyOLEScanner 2015-06-19 16:08

The MASTIFF Online site was updated on 2015-06-05 which included the following:
  • Enabled pyOLEScanner version 1.2 tool as part of processing samples. pyOLEScanner is a Python-based script written by Giuseppe 'Evilcry' Bonfa and inspired by OfficeMalScanner. It scans Office documents in order to assess whether they could be malicious. Within MASTIFF Online the plugin is only executed for Office document file types (a.k.a., "Office"), and the results of the plugin can be seen by clicking on the "office-analysis" record in the detail pane for those file types.
  • Added an "x" icon next to the GUI search box which clears the search box text and refreshes the list when clicked.
We will re-process samples when necessary (e.g., after a MASTIFF upgrade or plugin addition) and as time allows. In this case the existing samples have been re-processed so that they now have the new plugin results.

Posted by Andy at 16:08

The WebJob Framework: An Endpoint Security Solution 2015-06-10 17:30

The WebJob framework is a next generation endpoint security solution that, from a centralized management location, can execute virtually any program on an arbitrary number of end systems at any time. This framework has been deployed in a number of production environments including the Federal government and Fortune 500 businesses to perform various activities such as evidence collection, enterprise searches, incident response, live forensics, system management and monitoring, and grid computing.

The WebJob framework is an open source client-server solution that acts as a force multiplier for anyone who needs to automate various tasks or work on an enterprise scale. It does this by enabling engineers to run arbitrary programs and/or scripts on a wide array of operating systems (e.g., UNIX®, Linux®, Mac OS®, Windows®, Android®, etc.). The results, if any, can be aggregated and collated on the WebJob server where they can be operated on in bulk. With the flexibility that the framework provides, administrators who are inclined to write their own scripts can achieve a high level of automation and efficiencies of scale. With the WebJob framework, you can effectively do more with less.

Please click the link below to read more about how the framework could be the next generation endpoint security solution for you.

The WebJob Framework: A Generic, Extensible, and Scalable Endpoint Security Solution

Posted by Andy at 17:30

One Month of MASTIFF Online! 2015-05-27 11:30

It has been exactly one month since MASTIFF Online was opened, and to celebrate, we have released the next stable version of MASTIFF! Version 0.7.1 includes a large number of bug fixes, as well as some new analysis plug-ins to get more information out of the files you are analyzing. The new version can be found at https://korelogic.com/tools.html.

Posted by Tyler at 11:30

What Did CCleaner Wipe? 2015-05-18 15:35

The use of CCleaner is encountered at times during forensic investigations of computer systems. It has been labeled an "anti-forensics" tool as it has a secure deletion mode where it can overwrite data, filenames, and free space.

Overwriting files and filenames removes the chance to recover the data and subject it to further analyses; hence, the anti-forensics label. There may be some remnants and data left for analysis and comparison; but, at best you can infer what had been wiped. What you are faced with is a case of "You don't know what you don't know".

That is, until now. CCleaner will actually tell you what files it wiped. You just have to work for it.

Posted by Don at 15:35

MASTIFF Online Free 1.0.0 Released 2015-04-27 13:15

KoreLogic is pleased to announce the release of MASTIFF Online, a web interface into the open source MASTIFF static analysis framework. With this free online tool, anyone can upload files to be examined by MASTIFF, returning the results within minutes. MASTIFF Online can be accessed at https://mastiff-online.korelogic.com.

Posted by Andy at 13:15

SSD Storage - Ignorance of Technology is No Excuse 2015-03-24 09:15

Digital evidence storage for legal matters is a common practice. As the use of Solid State Drives (SSD) in consumer and enterprise computers has increased, so too has the number of SSDs in storage increased. When most, if not all, of the drives in storage were mechanical, there was little chance of silent data corruption as long as the environment in the storage enclosure maintained reasonable thresholds. The same is not true for SSDs.

A stored SSD, without power, can start to lose data in as little as a single week on the shelf.

Posted by Don at 09:15

Windows 2003 Privilege Escalation via tcpip.sys 2015-01-28 22:00

In my post for today, I will be discussing a vulnerability that I found within the TCP/IP driver as implemented by Microsoft within their Windows 2003 Operating System with Service Pack 2 installed (advisory here). If an attacker has obtained unprivileged access into the operating system, this vulnerability may be used to elevate their privilege to that of SYSTEM. This is accomplished by abusing a null near pointer dereference within code that runs during the processing of a specific unprivileged IOCTL call.

This vulnerability was issued identifiers: KL-001-2015-001, MS14-070, and CVE-2014-4076.

In order to avoid duplicating content from the advisory issued for this vulnerability, I will only provide a brief tl;dr before diving into the exploit.

Posted by Matt at 22:00

Giles 3.0.0 Released 2015-01-22 17:55

The Giles production rule system compiler has just been released! It is available for download here.

Production rule systems (or "engines" in Giles parlance) are tools that are commonly used to efficiently find patterns in streams of data where any number of data items (or "facts") can be added or removed over time. They're very commonly used to perform complex behavior detection (i.e., event correlation), like fraud detection for credit cards via transaction history or multi-part attacks against servers via combined analysis of firewall and server logs. They can also be used to provide some form of artificial intelligence, forming the core of many expert systems and automated planners.

All that sounds great, but what is Giles?

Posted by Rob at 17:55

Brain Bleeding JavaScript Obfuscation 2015-01-12 16:00

JavaScript is often used to facilitate web-based attacks. To make analysis more difficult and hide from signature-based systems, attackers will often obfuscate their JavaScript. Fortunately, there are many ways to deobfuscate JavaScript, or at least determine what it is doing. Sometimes, however, you come across obfuscated JavaScript that just makes your brain bleed.

UPDATE: Some have requested the actual JS used in this analysis, so here it is:

Read more ...

9 comments Posted by Tyler at: 16:00 permalink

Using Windows Resource Language Codes for Attribution 2014-12-23 20:25

Since news of the Sony hack broke, a number of reports have been pointing to North Korea as the source of the compromise. Part of the reasoning that North Korea is to blame is undoubtedly because the malware recovered from the compromise, and subsequently made available on a number of malware analysis websites, had internal resources that had the Korean language. While the languages associated with Windows resources on executables can be used for attribution, this post will show that they should not be singularly relied upon.

Disclosure: KoreLogic is not involved with this investigation, nor do we have any inside knowledge. This post is based on the public information available and our experience and expertise.

Read more ...

0 comments Posted by Tyler at: 20:25 permalink

VMware: "It's not a vulnerability, mmkkkayyy" 2014-11-18 16:15

During a recent review of the VMware Workstation application, I discovered a method that allows any member of the __vmware__ group to extract arbitrary sections of kernel memory. When you consider the fact that members of this group are not required to already have administrative privileges, this suddenly becomes a significant vulnerability in the sense that it implies that otherwise unprivileged users now have the means to extract and subsequently use/abuse sensitive data like process-level tokens, encryption keys, etc. Needless to say, this poses a significant security risk to any organization that allows unprivileged users to operate virtual machines by way of the __vmware__ group.

To date, VMware has declined to mitigate this vulnerability despite the detailed evidence we have provided and our repeated attempts to convince them that there is an underlying design flaw here that needs to be addressed. Also note that this vulnerability, officially documented here, has not been assigned a CVE identifier because MITRE declined to do so.

Read more ...

0 comments Posted by Matt at: 16:15 permalink

im in ur scm, bein a ninja 2014-11-05 12:45

A few months ago I posted a high-level overview of some source code repository tampering risks.

The other day I presented a much deeper dive at BSides DC, with examples of multiple ways to manipulate CVS, Git, and Subversion repositories, and some thoughts on how companies and code-hosting sites could/should harden their infrastructures.

Watch the presentation, or download the slides. (PDF warning)

Watch for future blog posts that extract and expand upon some of those examples.

Thanks to the BSidesDC folks for a great conference, and to ComputeCycle for the recordings!

0 comments Posted by Hank at: 12:45 permalink

Password Security Research Featured in the Huffington Post 2014-10-17 12:00

Check out the recent Huffington Post article The Big Password Mistake That Hackers Are Hoping You'll Make by Jeff Fox that talks about the need to "avoid a little-known mistake recently uncovered by password researchers" (i.e., the overuse of common password patterns (or topologies) by users as they create their passwords). This article references some of the conclusions that came out of our PathWell (Password Topology Histogram Wear-Leveling) project, which was sponsored by DARPA (Defense Advanced Research Projects Agency) in 2013 under its Cyber FastTrack program. Stay tuned for more PathWell-related news as we are preparing to release the software developed for that project in the near future.

0 comments Posted by Klayton at: 12:00 permalink

Vuln Analysis: Classic write-what-where in XP's BthPan 2014-10-07 18:00

Recently, we came across the BthPan.sys driver while researching Microsoft's Bluetooth implementation within 32-bit Windows XP (SP3), and after conducting a number of fuzzing tests, we discovered that this driver has a vulnerability known as a write-what-where condition. It should be noted that the BthPan.sys driver is not enabled or even installed by default. Thus, the attack described below will only function if the end user or operating system administrator has installed the driver, such as via 'Add/Remove Programs' within the Control Panel, or by installing some hardware driver that implicitly enables it.

Read more ...

0 comments Posted by Matt at: 18:00 permalink

CISO's Corner: Password Cracking Best Practices and Myths 2014-10-02 16:00

Despite repeated breaches of password repositories, most recently the rumored cause of the Apple iCloud celebrity image theft, password-based authentication remains the norm for most users even though solutions like multi-factor authentication offer superior protection. Not only are user accounts at risk, but more importantly, so are their data. More often than not, default passwords have been the root cause of multiple high-profile system and company compromises. As with any recurring, successful attack, the bar must be raised to prevent the inevitable question from management: "This attack is well known, so why didn't we prevent it?"

Read more ...

2 comments Posted by Bob at: 16:00 permalink

FTimes 3.11.0 Released 2014-07-30 16:00

Version 3.11.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release introduces file hooks support for an embedded Python interpreter. Finally, a new tool, ftimes-bimvl, has been added to the project.

0 comments Posted by Klayton at: 16:00 permalink

KLogTail 1.2.0 Released 2014-07-22 14:00

Version 1.2.0 is a minor release of KLogTail. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed; all warning and error messages have been enhanced to facilitate post-processing by log analysis tools; a basic man page has been added; and the project has been completely restructured to use autoconf/automake for the configure/build process.

0 comments Posted by Klayton at: 14:00 permalink

Repository Tampering: What You Don't Know Can Hurt You 2014-06-26 18:05

Consider this security scenario: Attackers gain access to developer or sysadmin accounts. They find and target the revision control system that is used to manage system configurations, internal code, or even software that is shipped to customers. The attackers use the compromised accounts to modify the source code and insert back doors or logic bombs. Now ask this question: How long will it take the organization to notice?

This scenario may seem far-fetched, but think about all of the breaches of software vendors you've read about: Adobe, the victims of Aurora, APT1, etc. Who says they only had their code read?

Read more ...

0 comments Posted by Hank at: 18:05 permalink

Callback Functions in Malware 2014-05-27 15:18

Recently, KoreLogic examined a number of malware downloaders that use API callback functions to redirect the flow of execution and make malware analysis more difficult. While this is not a new technique, our research did not find many public resources discussing this topic. The purpose of this blog post is to describe KoreLogic's analysis of what callback functions are, how malware uses them, and how this technique can be detected and analyzed.

Read more ...

0 comments Posted by Tyler at: 15:18 permalink

MASTIFF Updates and Git SSL Issue 2014-04-17 01:50

Over the last few weeks, a number of updates have been pushed to the dev version of MASTIFF located in the Git repository. One of these updates is a major change to the analysis plug-in architecture.

The updates are described below.

Read more ...

0 comments Posted by Tyler at: 01:50 permalink

Mini-Crack Me If You Can for ISSW 2014 2014-04-07 11:45

This weekend at Infosec SouthWest 2014, KoreLogic's Crack Me If You Can (CMIYC) team ran a mini-CMIYC contest for the people attending the conference. The prize was a $100 gift card.

We made the challenge pretty simple, with 1-2 hashes that were a little bit harder.

The winner was Scot Perkins. Congratulations to the winner! Here are the hashes we posted if you want to play along after the fact:

Read more ...

0 comments Posted by Rick at: 11:45 permalink

PathWell Topologies 2014-04-04 20:55

As previously discussed at multiple conferences and in this blog, KoreLogic worked on the PathWell project for the DARPA Cyber Fast Track program. PathWell identifies and blocks common passwords based upon common password topologies and learned user behavior.

Watch a presentation on PathWell, or download the slides here.

The PathWell software is not yet public, but people have frequently asked us to publish the list of the most popular topologies within enterprises that we compiled during that research. So, that is what we are doing today.

Read more ...

1 comment Posted by Rick at: 20:55 permalink

MASTIFF in KoreLogic Git Repository 2014-03-25 16:03

In order to make new development versions of MASTIFF available to the masses, KoreLogic has put MASTIFF in a GitHub repo. This repository can be accessed at https://github.com/KoreLogicSecurity/mastiff or the repository can be cloned with:
git clone https://github.com/KoreLogicSecurity/mastiff

Read more ...

0 comments Posted by Tyler at: 16:03 permalink

ShmooCon Epilogue Prologue: PathWell 2014-01-09 15:14

On January 20, I will be giving a talk at ShmooCon Epilogue on PathWell, a project we did last summer. Epilogue is a great event and is much easier to get tickets for than ShmooCon, and I highly recommend it. (And I said that before they accepted my talk ;)

Over the past couple of years, we - mostly my coworker Rick Redman (Minga) - have given many talks about how enterprise password strength enforcement rules, as currently implemented, are broken and harmful. They make enterprise passwords easy to crack. The only thing worse than having them is not having them.

PathWell ("Password Topology Histogram Wear-Leveling") introduces a new dimension for measuring and enforcing enterprise password strength that attempts to take away from the attacker the advantages that they currently have when cracking (or even just flat-out guessing blindly) an enterprise's passwords.

Read more ...

0 comments Posted by Hank at: 15:14 permalink

Converting IDA PAT to Yara Signatures 2013-11-15 13:15

One of the issues when analyzing malicious Linux executables occurs when the executable has been statically linked and the debugging symbols stripped. Since the debugging symbols are stripped, IDA Pro is unable to identify the names of the library functions and we are left to determine the names on our own, or load and/or create the appropriate IDA signatures to identify the functions. To do this, we need to know which libraries were used during compilation, and possibly the OS (Linux distribution name and version) it was compiled on as well.

Read more ...

0 comments Posted by Tyler at: 13:15 permalink

MASTIFF on Mac OS X 2013-10-30 17:22

One of the reasons MASTIFF was written in Python was to give it the flexibility to run wherever it was needed. Linux and other *nix systems have been supported since the initial release, but one goal was to have MASTIFF work on Mac OS X. It was suspected that MASTIFF would run without a problem on OS X, but it had never been tested...until now.

This week MASTIFF was finally tested and proven to work on Mac OS X. Mac OS X 10.8.5 (Mountain Lion) was used during testing, although other versions of OS X will likely work as well.

The instructions to install MASTIFF on Mac OS X are below. In these instructions we used Homebrew to install a number of packages. There are many ways to install packages on OS X; this is the one that was chosen this time.

Read more ...

0 comments Posted by Tyler at: 17:22 permalink

CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints 2013-09-04 23:59

We've just published details about the Crack Me If You Can 2013 encrypted file challenges here: the passphrase for each encrypted file, and the hints that are included in each one.

Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases.

Read more ...

2 comments Posted by Hank at: 23:59 permalink

Mini-Password Cracking Challenge for LOLBitCoin Party 2013-08-12 12:12

As a favor to @Druidian, I supplied a mini password cracking challenge for hackers at DEFCON. It was a small list of NTLM hashes that the teams had to crack. They had no idea what the significance of them was.

I supplied the following NTLM hashes:

Read more ...

0 comments Posted by Rick at: 12:12 permalink

CMIYC 2013 Post-game 2013-08-08 15:15

This is the first of several posts we'll make post-Crack Me If You Can 2013. Later we'll gather things up and add content to the main 2013 contest site.

In this post I'll talk a little about the structural changes we made in this year's DEFCON contest, what we did that we think worked well, and what worked not so well. We'd love feedback that we can use when planning future contests.

Read more ...

1 comment Posted by Hank at: 15:15 permalink

Submerging a GPU Cluster in Mineral Oil 2013-06-05 20:55

You may have seen the recent article on Ars Technica by Dan Goodin about KoreLogic. We (Rick Redman and Dale Corpron, KoreLogic consultants) dipped a computer in oil, and left it there, running, 24x7.

Although this idea isn't really all that new (Cray did it in 1985!), our use of it is relatively rare. We dipped a GPU-powered password cracking system in the oil. Thanks to Midas Green Tech's help, it was really easy to do. Our hardware wasn't new or even custom, but it's running, right now, in mineral oil.

So, why did we do it?

Read more ...

2 comments Posted by Rick at: 20:55 permalink

Crack Me If You Can 2013 Is On! 2013-05-09 21:15

It's official, Crack Me If You Can will definitely be back for DEFCON 21 in August.

We've been planning what to do for this year's contest, combining all our lessons learned. We'll get the 2013 site up, and start announcing structure and rules soon.

0 comments Posted by Hank at: 21:15 permalink

MASTIFF 0.6.0 Released 2013-04-19 09:50

The latest version of MASTIFF, 0.6.0, has just been released! Run over to the download site and grab the latest version!

The official changelog is located here, but the major improvements are described below.

Upgrading MASTIFF to the latest version is easy. You can follow this process:
  1. Download and install pydeep.
  2. Download MASTIFF 0.6.0 and untar it.
  3. Run "make test" to ensure you are not missing any dependencies.
  4. Run "sudo make install" to install the latest version.
  5. Copy the analysis plug-ins (the plugins directory in the tarball) to your location of choice and ensure the config file is pointing to that directory.
  6. Add any new options to your MASTIFF config file. The easiest way may be to use sdiff.

Read more ...

0 comments Posted by Tyler at: 09:50 permalink

FTimes 3.10.0 Released 2013-04-01 18:15

Version 3.10.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes updated support for file hooks and introduces KLEL-based XMagic. Consequently, the minimum required version of libklel has been raised to 1.1.0, which has a library version of 2:0:1. Finally, file system support for SquashFS was added.

0 comments Posted by Klayton at: 18:15 permalink

KLEL 1.1.0 Released 2013-02-15 17:36

The latest version of KLEL, 1.1.0, has just been released! It's available for download at its SourceForge site.

This release brings a much cleaner and faster parser, and a more consistent API for developers. The KLEL standard library has been extended with a family of "abort" functions to trigger runtime errors in expressions.

Read more ...

0 comments Posted by Rob at: 17:36 permalink