April 21st, 2014

SEAT Version 0.3 and Backtrack 4

It is with great excitement that we bring you the latest version of SEAT! SEAT (Search Engine Assessment Tool) is the next generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan web sites for potential vulnerabilities. Version 0.3 includes the much needed Search Engine XML signature update, several performance enhancements, and the fix for the dreaded GUI “segmentation error”.

You can download the latest version of SEAT here. Detailed documentation is available in documentation.pdf. Also, if you are a big fan of Backtrack like me, you can get SEAT preinstalled with the upcoming final release of Backtrack 4.

SEAT v.0.3

Wireless keyboards

I ran across this comic recently, and thought it was pretty funny. There’s more research being done on the topic these days, and I think it would be pretty interesting to take a closer look at it. The Gnu Radio project seems to be pretty popular. I’ll put it on the queue of things to do. :)

Wicrawl – Getip Plugin

There is a new plugin now available for Wicrawl. The Getip plugin obtains an AP’s public IP address by injecting traffic destined to a public IP address on the Internet. This plugin will work for unencrypted and WEP encrypted (easside-ng) networks. A special tool called norside was developed just for this plugin; it takes care of traffic injection on unencrypted networks. Norside is fully compatible with the buddy-ng server provided by the folks at aircrack.

You can obtain this plugin by downloading the latest CVS release of wicrawl here. Looking forward to your comments and bug reports.

We know what you typed last summer

An interesting advisory comes from the guys at remote-exploit and dreamlab technologies dealing with the (in)security of common non-bluetooth wireless keyboards sold by Microsoft (Wireless Optical Desktop 1000 and 2000). According to the white paper released on the subject (available here), only the actual key pressed is transmitted in encrypted form; all other communication, such as keyboard identification, metakeys (Shift, Alt, etc.), and other data, is transmitted in clear text. Furthermore, the encryption scheme used for keystroke data consists of “a simple XOR mechanism with a single byte of random data generated during the association procedure”. What this means is that not only can you quickly brute force the entire key space (256 combinations), but you can actually obtain the encryption key by intercepting the initial association of keyboard and receiver (as was demonstrated in this video). The authors did not release the PoC tool to the public, citing ongoing research (meaning more goodies coming soon ;). As such we can only applaud this effort and look forward to seeing this tool in the upcoming Backtrack 3.
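
To show why a single-byte XOR gives no real confidentiality, here is an added Python illustration (it is not the advisory’s PoC, nor code from remote-exploit or dreamlab). It models the scheme the white paper describes: a clear-text modifier byte alongside a key code XORed with one byte fixed at association time. The frame layout, the association byte (0x5A) and the typed text are constructed assumptions, not values from the advisory. The example exhausts all 256 keys and ranks the candidates by how much they look like typed text, and separately shows that a single known keystroke reveals the key without any search at all.

```python
"""
Single-byte XOR keystroke "encryption" as described in the advisory,
modelled with constructed values. Educational reconstruction only.
"""
from __future__ import annotations

# Constructed: the one random byte "negotiated" during association.
ASSOC_KEY = 0x5A


def xor_stream(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (encryption == decryption)."""
    return bytes(b ^ key for b in data)


def encode_frame(modifier: int, keycode: int, key: int) -> bytes:
    """Assumed frame layout: [modifier in clear][keycode XOR key].
    Only the key code is obscured; the modifier (Shift, Alt, ...) is sent as-is."""
    return bytes([modifier & 0xFF, (keycode ^ key) & 0xFF])


def decode_frame(frame: bytes, key: int) -> tuple[int, int]:
    """Inverse of encode_frame: returns (modifier, keycode)."""
    return frame[0], frame[1] ^ key


def plausibility(candidate: bytes) -> int:
    """Score a candidate plaintext by counting bytes that look like typed text
    (lowercase letters, digits, space). Higher means more plausible."""
    return sum(
        1 for b in candidate
        if 0x61 <= b <= 0x7A or 0x30 <= b <= 0x39 or b == 0x20
    )


def brute_force(ciphertext: bytes) -> list[tuple[int, bytes, int]]:
    """Try every one of the 256 possible keys and rank the results.
    Returns (key, plaintext, score) tuples, most plausible first."""
    ranked = []
    for k in range(256):
        plain = xor_stream(ciphertext, k)
        ranked.append((k, plain, plausibility(plain)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


def key_from_known_keystroke(cipher_byte: int, plain_byte: int) -> int:
    """One known (plaintext, ciphertext) pair gives the key directly:
    key = c XOR p. This is what observing the association buys an attacker."""
    return cipher_byte ^ plain_byte


if __name__ == "__main__":
    typed = b"password 123"  # constructed keystrokes
    captured = xor_stream(typed, ASSOC_KEY)
    best_key, best_plain, score = brute_force(captured)[0]
    print(f"brute force: key=0x{best_key:02x} plaintext={best_plain!r} "
          f"score={score}/{len(typed)}")
    k = key_from_known_keystroke(captured[0], typed[0])
    print(f"known keystroke: key=0x{k:02x}")
    frame = encode_frame(0x02, ord("a"), ASSOC_KEY)  # 0x02 stands in for Shift
    print(f"frame {frame.hex()} -> modifier/keycode {decode_frame(frame, ASSOC_KEY)}")
```

The scoring function is deliberately crude; with only 256 candidates a human can simply read all of them, which is the point the advisory makes about the key space.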

Microsoft Optical Desktop 1000


Thanks to everyone who showed up for the meeting. As promised, slides and a tarball have been posted:

This looks pretty cool. The MacLockPick is a commercial USB hardware product that you can just plug into a Mac and grab all sorts of useful things like system, internet and general passwords as well as email, web history and preferences, etc. They say they require you to provide proof that you are licensed law enforcement, but I wonder how long it is until an open-source alternative comes along (maybe a MRL project?). No reason you couldn’t combine it with an external drive to suck down the entire image. I also wonder why they don’t have a similar Windows product.

David Maynor talked about similar hacks a couple years ago and I’m guessing that they’re using similar techniques. I suppose it’s not too huge of an issue since physical proximity usually equates to full access in one way or another anyway, but this is a little more covert. I would think that if a law officer is required to use something like this that they would be able to command a full forensics investigation, but I suppose there are some circumstances that would require a more surreptitious approach.

Also, it looks like they are just down the road from where I used to live (and MRL meetings used to take place).

The solution is based on a USB Flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run, it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. Once awakened, a Mac will return its keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.

MacLockPick is not for sale to the general public. Purchasers will be required to provide proof that they are a licensed law enforcement professional. Users are required to ensure that the use of this technology is legal on federal, state, and local level.

Also gotta love the sneaky logo:

via jwz

Update: P.S. Yes, I know you could do a Windows autorun USB stick, but I guess I assumed that this was a layer below that, getting this information through host-mode and DMA or something similar. Please let me know if I’m assuming too much, or if you know how this device actually works. :)

Pretty Pretty Pwnies

The latest “month of bugs” trend has started again with the Month of Apple Bugs. The first bug is a buffer overflow in the Apple QuickTime rtsp URL handler. Here is the description from the bug information on the MOAB site:

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

Note that this affects both the OS X and the Windows versions of QuickTime. It doesn’t look like there is a patch for this yet, but apparently you can disable the rtsp handler within QuickTime.

Here is the official MOAB mascot:

OMG! Pwnies!

“Mac bugs come in pink.” ™

Longest hacker prison term upheld

From Wired magazine:

A federal appeals court upheld a nine-year prison term Monday for a hacker who tried and failed to steal customer credit-card numbers from the Lowe’s chain of home improvement stores.

I think what I find more stupefying (but not too surprising) is the fact that Lowe’s had allowed access to their internal network, including credit processing systems, from an unsecured wireless network. Frankly, given this glaring hole in their system, I’m a little surprised that they were actually able to not only track down the offenders, but also determine what exactly they had done in that short a time.

Though there’s no evidence either man saw a single stolen credit-card number, and despite cooperating to help Lowe’s boost its security after his arrest, Salcedo was sentenced to what the government described at the time as the longest U.S. prison term for a hacker in history.

Defcon CTF pre-quals

Kenshoto just announced the pre-qualification rounds for Capture the Flag at Defcon. Looks like it will be an all weekend event again (weekend of June 9th). MRL will throw its hat into the ring as a first year team this year, as 0x00ff00 seems to be mostly dissolved. Let me know if you’re interested in competing (reversers welcome ;)).

According to the guy that broke into the contest system “rm-my-box” in under 30 minutes, there are still lots of unpublished exploits left in Mac OS X. The host didn’t seem to set the bar too high though; he actually gave out accounts on the system to start with. I’d have to believe that there are tons of SUID binaries there since it comes with root disabled by default.

In related Mac insecurity gossip and stories, the host of the “rm-my-box” challenge alleges that this story about a security researcher getting owned through a Mac at Shmoocon was about Raven Adler. Can anyone confirm or deny? Entertaining nonetheless.
