July 4th, 2009

SEAT Version 0.3 and Backtrack 4

It is with great excitement that we bring you the latest version of SEAT. SEAT (Search Engine Assessment Tool) is the next generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan web sites for potential vulnerabilities. Version 0.3 includes the much needed Search Engine XML signature update, several performance enhancements, and the fix for the dreaded GUI “segmentation error”.

You can download the latest version of SEAT here. Detailed documentation is available in documentation.pdf. Also, if you are a big fan of Backtrack like me, you can get SEAT preinstalled with the upcoming final release of Backtrack 4.

SEAT v.0.3

TACACS+ password cracking^w auditing

If you’re using the tac_plus implementation of Cisco’s TACACS+ server and want to do password auditing, I’ve written a quick script that will take the config file with all of its users and output a john the ripper compatible password file. You can run john directly against this generated file.

Here’s an abbreviated example:

$ ./tacacs-passwd-dump.py
usage: ./tacacs-passwd-dump.py <input tacacs file> <output passwd file>

$ ./tacacs-passwd-dump.py tac_plus.cfg tacacs.passwd
[*] Got user [john] [john smith]
[*] Got user [fred] [fred smith]
[*] Imported [2] accounts
[*] Done.

$ john tacacs.passwd
Loaded 2 password hashes with 2 different salts (Traditional DES [128/128 BS SSE2])
lamepassword (foo1)
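An added illustration of the config-to-john conversion the script above performs (this is example code written for this page, not the post's tacacs-passwd-dump.py): it walks each tac_plus `user = X { ... }` block with brace tracking so nested service blocks don't truncate it, emits `user:hash:::fullname` lines from `login = des <hash>` entries, and reports accounts with no DES hash (cleartext or file logins) separately, since a cleartext password in the config is an audit finding on its own. The sample config and its hash strings are constructed placeholders.

```python
import re
import sys
# Constructed tac_plus.cfg sample; the DES strings are placeholders, not real hashes.
SAMPLE_TAC_PLUS_CFG = '''
user = john {
    name = "john smith"
    login = des AB12cd34EF56g
    service = exec { priv-lvl = 15 }
}
user = fred {
    name = "fred smith"
    login = des XY98zw76VU54t
}
user = guest {
    login = cleartext letmein
}
'''

NAME_ATTR = re.compile(r'\bname\s*=\s*"([^"]*)"')
LOGIN_ATTR = re.compile(r"\blogin\s*=\s*(\w+)\s+(\S+)")

def user_blocks(text):
    """Yield (username, body) for each 'user = X { ... }' block, walking brace
    depth so a nested service block does not cut the body short."""
    for m in re.finditer(r"\buser\s*=\s*(\S+)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip('"'), text[m.end():i - 1]

def tacacs_to_passwd(cfg_text):
    """Return (passwd_lines, skipped): john-style 'user:hash:::gecos' records from
    'login = des <hash>' entries; skipped holds (user, login type) for accounts
    with no DES hash, e.g. cleartext passwords, which are a finding themselves."""
    lines, skipped = [], []
    for user, body in user_blocks(cfg_text):
        name = NAME_ATTR.search(body)
        login = LOGIN_ATTR.search(body)
        if login is None or login.group(1) != "des":
            skipped.append((user, login.group(1) if login else "none"))
            continue
        lines.append("%s:%s:::%s" % (user, login.group(2), name.group(1) if name else ""))
    return lines, skipped

if __name__ == "__main__" and len(sys.argv) == 3:  # <input tacacs file> <output passwd file>
    with open(sys.argv[1]) as src, open(sys.argv[2], "w") as dst:
        lines, skipped = tacacs_to_passwd(src.read())
        dst.write("".join(line + "\n" for line in lines))
    print("[*] Imported [%d] accounts; skipped: %s" % (len(lines), skipped))
```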

Lots of new conference videos online

Here are a few sets of conference videos that are now online:

Hack in the Box Malaysia videos: Day 1, Day 2. Even though it’s a Pirate Bay link, the videos were linked from the main HITB page, so I’m assuming it’s legit :).

Microsoft’s BlueHat 8 videos: Day 1, Day 2.

Dojosec videos.

(edited to add) 25C3 videos are also now online. Awesome.

Happy torrenting.

Wifi Theremin

A theremin, for those who don’t already know, is a musical instrument that varies the pitch based on your proximity to an antenna, and varies the volume based on your proximity to another antenna. It’s a touch-less device, and you’d probably recognize the sound from old sci-fi movies (listen to the vibrato whistling sound in the background).

Here’s an example of a theremin:


So what does this have to do with anything? I wrote up a script with the same functionality that uses a wifi device and its signal strength to control the frequency and volume. Yeah, pretty useless, but yet here it is. We actually did this a couple years ago at MRL, but that version was even more of a hack. This version will actually interpolate the pitch as the signal strength jumps around and is threaded so the sound is a little smoother. This version also allows for a second control (wifi interface) that corresponds with the volume, so it is a little bit more like a real theremin. There’s still a decent amount of latency though, so you can’t really use it to create useful music.

Here’s a short sample of what it sounds like when you run it from my system. Now isn’t that a beautiful sound? ;)

I started creating this on my MacBook Pro, but after realizing it’s pretty difficult to control the signal strength on the embedded antenna, I added support for Linux. It’s not doing anything fancy for reading signal strength (just parsing CLI utils), so I’m not sure how portable it really is. Also, it does have a couple dependencies on audio libraries, but they’re pretty easy to install (in case you really care).

Anyway, have fun!

Kenshoto stepping down?

It looks like Kenshoto is stepping down as the organizer for one of the largest hacking competitions in the world. An announcement has been made on the Defcon forums for new organizers.

From the announcement:

WANTED:
An evil large multinational corporation, or…
A nefarious group of genius autonomous hackers, or…
A shadowy government organization from somewhere in the world
TO:
Host, recreate, and innovate the world’s most (in)famous hacking contest.

Kenshoto has always done an amazing job at both the pre-qualification rounds as well as the main competition. They really stepped up the game as more of an art than just a competition. Their efforts will be missed as we look forward to who will carry the torch next.

Wepawet: analyzing web-based malware

This is a pretty cool looking website/service from the Computer Security Group at UC Santa Barbara that will analyze Flash and JavaScript for malicious content. It will actually de-obfuscate JavaScript and pull out the active exploits that it uses. I’m guessing that it’s also doing some dynamic analysis because it is able to see the exact requests/responses that it’s making. Here is a sample report that shows multiple exploit attempts and the actual malware. The website says that it’s currently in alpha and it will have the ability to submit URLs (instead of JavaScript/Flash files) soon.

Via www.offensivecomputing.net

0day in WowWee Rovio Robot

You can’t use it in your plot to take over the world with remote control robots yet, but there’s a new 0day in the WowWee Rovio that will allow remote snooping of the audio/video data that comes from the robot. Other things you can do remotely include getting configuration data, updating the firmware, and sending things to the speaker. It looks like the Rovio is a fancy robotic pseudo-telepresence toy for your dog.

From the advisory text:

Unfortunately, Rovio’s access control mechanisms (username/password) are not completely utilized across the platform even when enabled. Certain URLs and RTSP Streaming capabilities of the device are accessible with no authentication. Furthermore, deployment of the device in the default configuration attempts to use UPnP to automatically configure your firewall to allow external access to the mobile webcam platform.

Fun stuff.

Happy 2008^H9!

I don’t want to bore anyone with arbitrary end of year statements/predictions, but I did want to acknowledge the milestone. 2008 was a pretty good year, and we’ve managed to get back into a regular schedule again with meetings twice a month. We’re looking forward to an exciting 2009, and have a couple new projects that we’re working on that we can hopefully start posting about soon. More fun stuff on the horizon.

LDAP password audit and general hackery

I have a few smaller tools/scripts I’m going to be posting in the near future on a new hackery page. Some of these are random things that don’t quite deserve a whole project page, but I still wanted to put a general reference together.

The first thing I’m putting up is a small tool that will dump out a unix-like password file given an LDAP database dump in LDIF format. The point of this is so that you can audit your LDAP passwords with something like john the ripper. Here’s an example usage:

./ldap-passwd-dump.py 

usage: ./ldap-passwd-dump.py <ldif file> <output password file> [<user matchString>]
       example: ./ldap-passwd-dump.py ldif.out passwd.txt "^ou: MyGroup"
       (matchString default is "objectClass: posixAccount")

 # Dump the initial database with slapcat
 $ slapcat > ldap.out
 $ ./ldap-passwd-dump.py ldap.out pw.out
 [*] Adding new user [New User, newuser] to results
 [*] Adding new user [A User, auser] to results
 [*] newuser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::New User
 [*] auser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::A User
 [*] Wrote [2] password lines to [pw.out]
 [*] Done

$ john pw.out

Anyway, hopefully it’s mildly useful to a couple people. Since the standard PAM modules for password policy enforcement are a little harder to use with LDAP, sometimes it seems like weak LDAP accounts can linger around longer than intended. Let me know if you have any problems running it; I know there are several different possible password encoding and hashing types, and posixAccount setup schemas, so YMMV.
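An added example of the LDIF-to-passwd conversion described above (example code written for this page, not the post's ldap-passwd-dump.py): it joins LDIF continuation lines, decodes the base64 values slapcat writes with a double colon, applies the matchString regex line by line as the usage text describes, and emits `uid:hash:::cn` lines only for `{CRYPT}` values, listing other schemes such as `{SSHA}` as skipped so they can be handled separately rather than silently mixed into the john file. The LDIF entries and hashes are constructed placeholders.

```python
import base64
import re
# Constructed slapcat-style LDIF; hashes are placeholders, one plain and one base64 ('::').
CRYPT_X, CRYPT_Y = "$1$xxxxxx$" + "x" * 22, "$1$yyyyyy$" + "y" * 22
SAMPLE_LDIF = """dn: uid=newuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: newuser
cn: New User
userPassword: {CRYPT}%s

dn: uid=auser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: auser
cn: A User
userPassword:: %s

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc
cn: Service Account
userPassword: {SSHA}placeholderplaceholder==
""" % (CRYPT_X, base64.b64encode(("{CRYPT}" + CRYPT_Y).encode()).decode())

def parse_ldif(text):
    """Yield (attrs, raw_lines) per entry; '::' values are base64-decoded."""
    text = re.sub(r"\n ", "", text)  # join LDIF continuation lines
    for chunk in re.split(r"\n\s*\n", text.strip()):
        raw = chunk.splitlines()
        attrs = {}
        for line in raw:
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(attr, []).append(value.strip())
        yield attrs, raw

def ldif_to_passwd(text, match_string="objectClass: posixAccount"):
    """Return (passwd_lines, skipped): john 'uid:hash:::cn' lines from {CRYPT} values
    of entries matching match_string; other schemes go to skipped with their tag."""
    matcher = re.compile(match_string)
    found, skipped = [], []
    for attrs, raw in parse_ldif(text):
        if not any(matcher.search(line) for line in raw):
            continue
        uid, cn = attrs.get("uid", [""])[0], attrs.get("cn", [""])[0]
        pw = attrs.get("userPassword", [""])[0]
        if not pw.upper().startswith("{CRYPT}"):
            skipped.append((uid, pw.partition("}")[0] + "}" if pw.startswith("{") else "none"))
            continue
        found.append("%s:%s:::%s" % (uid, pw[7:], cn))
    return found, skipped
```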

Look for some more things to be posted to the hackery page in the coming days.

BotHunter LiveCD and new releases

It looks like BotHunter has been busy since the last time I was looking at them. They have a new Live CD to test out the software, and some new releases with some new features (including a GUI) that are worth checking out. Here’s the blurb on what bothunter does:

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Last time I tried them out, the installation was a bit clunky, but overall it was a very valuable tool. Having the correlation between the different major points in the bot life cycle really helps with a much more accurate detection. In tests it did a much better job than a traditional IDS at reducing false positives and producing usable results.

If you’re interested in the subject, this is a good white paper on their design, how they do the correlation between different points in the life cycle, and some of the anomaly detection features they’ve added among other things. I thought it was well worth the read.
