Pentest

WPA-PSK Research Paper Review

I’m Handler for the day! Check out my post on the new WPA-PSK paper.

https://isc.sans.edu/forums/diary/Exposing+WPA2+Paper/18061/1#30725

EMET and IE 0 day ie_execcommand_uaf

Update: Microsoft has issued a “Fix it” for this issue. An official patch should be in place tomorrow, 21-Sept-2012.

A new IE zero-day is out and is available from Metasploit. I needed to find out whether EMET would protect against it. The two platforms I tested on were Windows 7 (fully patched) and Windows XP SP3 (fresh install) with IE 7. I tested both EMET 3.0 and EMET 2.1 to make sure that both versions prevented the exploit.

The Metasploit exploit worked flawlessly on Windows 7. I then enabled EMET and added the IE executable to the protected programs. Both versions of EMET prevented the exploit. The odd thing is that EMET 3.0 is supposed to generate a pop-up and create an event log entry when it catches an exploit. It did not notify me during any of my tests. On Windows XP SP3 with IE 7, as expected, the exploit worked when EMET was not configured. Once EMET was set up to protect IE, the exploit failed to run.

While having individual users at home switch to another browser (e.g. Chrome) makes sense, for large corporate environments deploying EMET gives you a stopgap against many of the exploits that we see.

Determine Rogue DNS for IP Space

Determining what domains are registered to a network is important to both attackers and defenders. Attackers have been performing DNS recon for years, but defenders generally do not use this technique. Why would we need to? We can just get a dump of the DNS database and search it. Well this only works for domains that you control, but users can point to your IP space with a different domain name and you would never know about it. This could be a legitimate subsidiary standing up a site, or it could be a rogue server “borrowing bandwidth”. Either way it’s better to know these things before attackers do.

I wrote a bash script (tested on Ubuntu and OS X) that uses the robtex website to determine what DNS names have been assigned to a specific network. Their site looks up DNS names by class C network. For class A and B networks, the script breaks them down into class C networks and queries the site for each one. The results are written to standard out in CSV format.

Let's try this out on a Google subnet.

#nslookup google.com
Name: google.com Address: 74.125.67.105
#./dns_recon.sh 74.125.67 >74.125.67.csv

The file looks like this.

#head 74.125.67.csv
 gw-in-f16.1e100.net,a,74.125.67.16
 gw-in-f17.1e100.net,a,74.125.67.17
 gw-in-f18.1e100.net,a,74.125.67.18
 mail.miamichildrensmuseum.org,a,74.125.67.18
 gw-in-f19.1e100.net,a,74.125.67.19
 gmr-test.google.com,a,74.125.67.23
 gw-in-f23.1e100.net,a,74.125.67.23
 a.mx.systembrasil.com.br,a,74.125.67.27
 alt2.aspmx.l.ipmgr.net,a,74.125.67.27
 alt22.aspmx.l.google.com,a,74.125.67.27

Let's quickly see what other domains besides google.com are listed by filtering out google.com. You can also import the CSV into a spreadsheet and filter the results there.

#grep -v google.com 74.125.67.csv
...(truncated)
velure.info,a,74.125.67.100
youtube.ca,a,74.125.67.100
youtube.co.il,a,74.125.67.100
youtube.co.in,a,74.125.67.100
...(truncated)

This technique has worked out great for me. I have the user agent set as a Yahoo crawler, but you can change the variable to anything you like.
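The two pieces of the script above that do not depend on the robtex lookup itself are the class A/B/C to class C expansion and the "what else points at my space" filter. Below is an added example of both, written for this post and not the author's dns_recon.sh: expand_class_c turns a class A, B or C prefix into the list of /24 prefixes to query, and foreign_names reads the name,type,ip CSV the script produces and keeps only records whose name is not under one of the domains you own, which is a more precise version of the grep -v shown above (grep -v google.com would also drop names that merely contain that string). The sample CSV lines are constructed from the output format shown on the page; the function names are my own.

```shell
#!/bin/sh
# Added example, not the dns_recon.sh from the post.

# expand_class_c PREFIX
# Print every class C (/24) prefix covered by a class A ("74"),
# class B ("74.125") or class C ("74.125.67") prefix, one per line.
expand_class_c() {
  prefix=$1
  # Count the dots to decide how many octets are fixed.
  dots=$(printf '%s' "$prefix" | tr -cd '.' | wc -c | tr -d ' ')
  case "$dots" in
    2) printf '%s\n' "$prefix" ;;
    1) i=0
       while [ "$i" -le 255 ]; do
         printf '%s.%s\n' "$prefix" "$i"
         i=$((i + 1))
       done ;;
    0) i=0
       while [ "$i" -le 255 ]; do
         j=0
         while [ "$j" -le 255 ]; do
           printf '%s.%s.%s\n' "$prefix" "$i" "$j"
           j=$((j + 1))
         done
         i=$((i + 1))
       done ;;
    *) echo "bad prefix: $prefix" >&2; return 1 ;;
  esac
}

# foreign_names OWNED_DOMAIN...
# Read name,type,ip CSV on stdin; print only records whose name is not
# one of the owned domains or a subdomain of one (suffix match on a
# label boundary, so "notgoogle.com" is still reported).
foreign_names() {
  awk -F, -v owned="$*" '
    BEGIN { n = split(owned, suf, " ") }
    {
      keep = 1
      for (i = 1; i <= n; i++) {
        s = "." suf[i]
        if ($1 == suf[i] || substr($1, length($1) - length(s) + 1) == s)
          keep = 0
      }
      if (keep) print
    }'
}

# Constructed sample in the CSV format the script writes.
SAMPLE='gw-in-f16.1e100.net,a,74.125.67.16
mail.miamichildrensmuseum.org,a,74.125.67.18
gmr-test.google.com,a,74.125.67.23
a.mx.systembrasil.com.br,a,74.125.67.27
alt22.aspmx.l.google.com,a,74.125.67.27'

# Usage: list the /24s for a class B, then report names not under the
# domains we own in the sample.
expand_class_c 74.125 | head -3
printf '%s\n' "$SAMPLE" | foreign_names google.com 1e100.net
```

Pipe the real CSV into foreign_names with every domain your organisation legitimately uses, and whatever remains is the list worth investigating: a subsidiary you did not know about, a stale record, or a host borrowing your address space.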