July 30th, 2014

Unclogging the tubes

D’oh. We had some problems with the MRL server over the last week, but things are slowly coming back to life. The wiki and CVS are still down, but most things should be back up in the meantime. We’ll probably be migrating again in a few weeks to a more permanent location, but hopefully that will be a more graceful move, :) .

Depant your network

MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). Depant works by downloading a default password list and then mapping out the local network to see which open services are available. Once it has a list of services, it tests each one for default passwords. After it has gone through every service, depant determines the fastest service (as timed during phase one) and uses it for an optional second phase of tests with a larger (user-supplied) set of default users/passwords.

By default depant has a list of “safe” services to test. These are services we have tested and that hydra seems to work well with. Currently it’s a small list, as depant (and hydra) need to be run against more networks to see which services are good defaults to test for. Alternatively, a user can specify ‘-A’ to scan all ports that hydra knows services for. You can also specify only certain ports with ‘-o’ (it supports ranges and comma-separated lists). If any errors arise from running with extra services, please try running depant with the ‘-d’ flag (debug) and send us the output.

User/password combinations can be entered in one of two ways: either with separate files for usernames and passwords (this will test every combination of username and password), or with a “combined” file that has entries formatted as “username:password”. ‘-u’ and ‘-p’ (or ‘-U’ and ‘-P’ for the second phase) specify the individual username/password files, and ‘-c’ (or ‘-C’ for the second phase) specifies a “combined” username:password file. Only one of these methods is intended to be used at a time.
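To make the credential handling and the two-phase flow concrete, here is an added example that re-implements that logic in Python. It is not depant’s own code: depant drives nmap and hydra, whereas here the login attempt is a caller-supplied callback (and the service timings come from an injectable clock) so the logic runs offline. The ‘-o’ style port expansion, the combined “user:password” format versus the full cross product of separate user and password lists, and the “fastest service gets the second phase” rule are the parts shown; the function names and the sample hosts/credentials are constructed for the example.

```python
"""Illustrative re-implementation of depant's credential-list handling and
two-phase flow.  Added example, not the tool's own code: the real tool
calls nmap/hydra, here `try_login` is a caller-supplied callback."""
from itertools import product
import time


def parse_port_spec(spec):
    """Expand a '-o' style port list such as '21,22,137-139' into a sorted
    list of unique ports.  Ranges are inclusive; whitespace is tolerated."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError("port out of range: %r" % bad)
    return sorted(ports)


def _clean(lines):
    """Strip line endings, drop blank lines and '#' comments."""
    return [l.rstrip("\r\n") for l in lines if l.strip() and not l.startswith("#")]


def load_credentials(combined=None, users=None, passwords=None):
    """Build the list of (user, password) pairs to try.

    Exactly one input style is allowed, mirroring -c versus -u/-p:
    `combined` is an iterable of 'user:password' lines (split on the first
    colon, so a password may itself contain ':'), while `users` and
    `passwords` are iterables whose full cross product is tested.
    Duplicates are dropped but the original order is kept."""
    if combined is not None and (users is not None or passwords is not None):
        raise ValueError("use a combined list or user+password lists, not both")
    if combined is not None:
        pairs = []
        for line in _clean(combined):
            if ":" not in line:
                raise ValueError("bad combined entry, expected user:password: %r" % line)
            user, pw = line.split(":", 1)
            pairs.append((user, pw))
    elif users is not None and passwords is not None:
        pairs = list(product(_clean(users), _clean(passwords)))
    else:
        raise ValueError("need either combined=... or both users=... and passwords=...")
    return list(dict.fromkeys(pairs))


def run_phases(services, phase1, phase2, try_login, clock=time.perf_counter):
    """Two-phase check over `services`, a list of (host, port) tuples.

    Phase 1 tries every `phase1` pair on every service and records how long
    each service took.  If nothing was found and `phase2` is non-empty, the
    fastest service from phase 1 is re-tested with `phase2` only.
    Returns a list of (host, port, user, password) hits."""
    hits, timings = [], {}
    for host, port in services:
        start = clock()
        for user, pw in phase1:
            if try_login(host, port, user, pw):
                hits.append((host, port, user, pw))
        timings[(host, port)] = clock() - start
    if hits or not phase2 or not timings:
        return hits
    host, port = min(timings, key=timings.get)   # fastest service wins phase 2
    for user, pw in phase2:
        if try_login(host, port, user, pw):
            hits.append((host, port, user, pw))
    return hits


if __name__ == "__main__":
    # Constructed demo: two fake services, one of which accepts admin/admin.
    def fake_login(host, port, user, pw):
        return (host, port, user, pw) == ("10.0.0.2", 21, "admin", "admin")

    p1 = load_credentials(combined=["root:toor", "# comment", "", "cisco:cisco"])
    p2 = load_credentials(users=["admin", "guest"], passwords=["admin", "guest"])
    svcs = [("10.0.0.1", p) for p in parse_port_spec("22")] + [("10.0.0.2", 21)]
    for hit in run_phases(svcs, p1, p2, fake_login):
        print("[!!!] Found user [%s] with pass [%s] on [%s] port [%d]" % (hit[2], hit[3], hit[0], hit[1]))
```

The phase-two selection uses the wall-clock time spent on each service during phase one, which is what makes the second (larger) list affordable: the slowest service is never hammered with the big dictionary. Passing a different `clock` makes the selection deterministic for testing.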

Here is the usage information, along with a couple examples:

usage: depant ( -H <host> | -f <hostList>) ( -c <userPassList> | -u <userList> -p <passList>) <options>
Options:
-H <host (or CIDR block) to scan>
-f <host list file> (each ip or CIDR block per line)
-e <exclude hosts list> (each ip or CIDR block per line)
-g <output file for default password list> (Gets list from Phenoelit site)
-c <combined user:password list> (not in conjunction with -u/-p)
-u <username list> (used in conjunction with password list)
-p <password list> (used in conjunction with username list)
-o <port list> (e.g. 21,22,137-139 default is “safe ports”)
-O <output file> (CSV log of any user/passwords we find)
-C <second phase combined user:password list> (not in conjunction with -U/-P)
-U <second phase user list>
-P <second phase password list>
-A (run all ports hydra knows about)
-D (Do a dry run only, map network, and output what things are going to be checked)
-h (help)
-d (debug)

Examples:
Downloads the default password list into dpl.txt:

./depant.py -g ./dpl.txt

Checks for the user:pass combinations in dpl.txt on all ports for the IPs in hosts.txt (with debug output enabled):

./depant.py -f ~/hosts.txt -d -A -c dpl.txt

Checks the network services anywhere in 192.168.1.1/24 (excluding hosts listed in exclude.txt)
with the users and passwords specified, and if nothing is found, it will check the
larger user and dictionary list against the fastest service:

./depant.py -A -H 192.168.1.1/24 -e exclude.txt -u users.txt -p passwd.txt -U more-users.txt -P big-dict.txt

And here’s a quick example of it running against a local system. This will check against a combined user/password file for the first phase, and then use the separate user and password files for the second phase. You can see that in the second phase it is able to find a username and password:

$ depant -c ./dpl -U ./user.txt -P ./pass.txt -H 127.0.0.1/30

-=[[ Depant v0.1a ]]=-
-=[[ Midnight Research Labs ]]=-

[*] Phase 2 scanning enabled
[*] Starting phase 1 nmap scan of [2] host(s)
[*] Adding host [127.0.0.1] port [22] to list of services to test
[*] Found [1] thing(s) to check for default passwords
[*] Starting phase 1 hydra scans
[*] Checking for default passwords on host [127.0.0.1] port [22]
[*] Fastest service to run second phase on is [127.0.0.1] port [22]
[*] We did not find results in phase one… going to second phase
[*] Starting phase 2
[*] Checking for default passwords on host [127.0.0.1] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.

Thanks to the other resources that make something like this possible. Hydra does the password brute-forcing, and nmap does the actual scanning. Also thanks to Phenoelit for the default password list.

We’re very interested in getting feedback on this or anything else we’re up to. Let us know either way, whether you run into major problems or it works well for you. You can try running the tool with “-d” (for debug) to get extra information during the run. If you submit any bugs, please include the debug output to help us troubleshoot the issue. You can email me at aaron {@t} midnightresearch.com if you have any feedback (which is greatly appreciated).

Happy Downloading, :) .

Update: Here’s an updated version that adds a couple extra options to optimize the nmap flags that are run.

“MIFARE Classic” report released

Researchers from the Institute for Computing and Information Sciences at Radboud University in The Netherlands have, at long last, published their report (PDF) on the security posture of the MIFARE Classic system. The report, simply and appropriately entitled “Dismantling MIFARE Classic”, was presented as part of the 13th European Symposium on Research in Computer Security (ESORICS 2008).

At a mere 18 pages, the report still provides good detail about the team’s findings, including the hardware setup, the crypto used by MIFARE Classic (including the oft-ridiculed 48-bit CRYPTO1 cipher), and the attacks that can be launched against the system. Additional information can be found on the homepage of Flavio D. Garcia, one of the researchers involved.

Hat tip to Security4all for the notification on this paper.

Clickjacking details released

It looks like some of the details on clickjacking have finally been released. There are tons of different variants of it, with different impact and varying levels of remediation. Here’s a quote from RSnake on this:

First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use CSRF to pre-load data in forms, some don’t.

There’s a proof of concept for camera hijacking along with a video of it. There’s also a PoC of hijacking your microphone from RSnake. There’s supposed to be some clickjacking code released here, but I wasn’t able to download it when I tried last. (edited: code link should work now)

Here’s a couple of the bad ones:

Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of Flash on Firefox on MacOS are particularly vulnerable to camera and video monitoring due to security issues allowing the object to be turned opaque or covered up. This fix relies on all users upgrading, and since Flash users are notoriously slow at upgrading, this exploit is expected to persist. Turning off microphone access in the BIOS and unplugging/removing controls to the camera are an alternative. Here is the information directly from Adobe.

and

Issue #2b STATUS: Resolved. Flash security settings manager is also particularly vulnerable, allowing the attacker to turn off the security of Flash completely. This includes camera/microphone access as well as cross domain access.

RSnake is going to be releasing a full paper in the next day or two, and hopefully more patches will be rolling in. In the meantime maybe it’s time for an internet vacation, :) .

Update: Here’s a more informative video from Jeremiah Grossman on the webcam hijacking.

Update 2: The link to the clickjacking code was fixed on the ha.ckers.org site.
