
Entries in video (4)

Sunday
Dec 05 2010

Offensive and Defensive SSH Patching at NoVA Hackers

This is definitely not my content, but I did want to highlight the talk Nicholas [1] gave at NoVA Hackers [2] this last November.

Nicholas B. gives a talk about SSH Patching for Offensive and Defense at NoVa Hackers November 2010

[1] http://twitter.com/nberthaume

[2] http://novahackers.blogspot.com/2010/10/november-meeting-monday-nov-15th-2010.html

Tuesday
Nov 16 2010

Silently uninstall SEP

Uninstallation is not new

Deleting and removing things on a box you own isn't new

This method and how to do it remotely was posted in Feb 2007

But I didn't know how to do it, and I thought it was hilarious, so I made a video:

Friday
Sep 24 2010

Revenge of the Bind Shell


Revenge of the Bind Shell from Practical Exploitation on Vimeo.

BACKGROUND

At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks. Well, around that time Microsoft issued a patch to all of the supported versions of Windows that broke my methodology. Obviously I wasn’t the only one doing this ;-)

Before I get ahead of myself, let's explain what Teredo is. Teredo is a tunneling service built into Windows. Its intent, as far as I can tell, was to give anyone access to the IPv6-enabled internet, free and dead simple, with no infrastructure changes needed. You can get into much more detail in the Teredo TechNet article, but essentially an internal host asks a Teredo server/relay for an IPv6 address. It does this over UDP, and by default Windows points at teredo.ipv6.microsoft.com on port 3544 (UDP).

When the tunnel is established, the host is given a 2001::/32 address. This address is a public IP. Before April this essentially meant that your Windows shares and any other listening service were publicly reachable, despite your NAT and firewall. This isn't as much of a problem as you might think, as it's virtually impossible to guess or scan for an IPv6 address. So, unless you displayed it publicly by connecting to Freenode or posting it online somewhere (via a demonstration video, say), you're pretty safe.

THE PATCH

Microsoft made this a certainty when they issued the patch. I was unable to locate the specific one, or even identify for certain that it was April 2010, but that's when the initial article for IPV6_PROTECTION_LEVEL was published. This is a socket-level option that says: unless this flag is set to "PROTECTION_LEVEL_UNRESTRICTED" on the binary that is doing the communication, deny all traffic from NAT traversals (Teredo). (Even Netcat6 doesn't have this flag set!)

Essentially, unless someone rebuilt their binary with the explicit intention of allowing people to connect to it over NAT traversals, the traffic was denied. You were still allowed to connect out, keeping intact the initial idea for Teredo, but it broke my methodology, damn it!

Before, I used Teredo to connect to the SMB server so that I could psexec a shell back any time I wanted (still possible on non-patched systems), but since Microsoft doesn't want to add the PROTECTION_LEVEL_UNRESTRICTED flag to SMB, you have to upload and use a binary that does. Luckily, with the help of Stephen Fewer, the bind_ipv6_tcp payload in Metasploit does.

COMMANDS

The commands used in the video are below:

netsh interface ipv6 install

netsh interface ipv6 set teredo enterpriseclient

./msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=9001 X > bind.exe

The only thing that was behind the scenes was giving my Metasploit host an IPv6 address. I used Miredo (Teredo for *nix/OSX):

#Install miredo
apt-get install miredo

#Remove it from starting automatically
update-rc.d miredo -f remove

PROTECTION

Yes, it's that easy. Now, some of the mitigating suggestions I've seen on the net are to blackhole the Microsoft Teredo server or block UDP port 3544. However, Miredo can act as a Teredo server/relay just fine, and can listen on any port you wish (53?). So unless you block ALL outbound UDP traffic, you are not protecting against this threat.
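The two points above, that a Teredo host ends up with a public 2001::/32 address and that a port block alone won't stop a tunnel set up through some other server/relay, follow directly from how a Teredo address is put together: the address itself carries the IPv4 of the server that issued it, the client's external UDP port and the client's external IPv4 (obfuscated by XOR). As an added example that is not from the original post, here is a Python decoder for that layout, run over a few constructed firewall log lines, which lets a defender spot Teredo clients on the wire and see which server handed out each address, whatever port the tunnel uses. The log lines, the 192.0.2.x / 203.0.113.x addresses and the `trusted_servers` allowlist are all constructed for the example.

```python
import ipaddress
import re
import struct

# RFC 4380 Teredo prefix: every Teredo client address sits in 2001:0000::/32
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

# Loose matcher for IPv6 literals whose first group is 2001; the prefix check
# in parse_teredo() weeds out 2001:db8::/32 and other non-Teredo 2001:: space.
_V6_RE = re.compile(r"\b2001:[0-9a-fA-F:]+")

# Constructed firewall log lines for this example (not from the original post).
# Line 1: a Teredo client behind a cone NAT reaching SMB (445).
# Line 2: ordinary 2001:db8::/32 documentation addresses, not Teredo.
# Line 3: a Teredo client whose address was issued by a server we do not expect.
SAMPLE_LOG = """\
2010-09-24T10:01:02 fw allow tcp src=2001:0:c000:201:8000:63bf:34ff:8ef6 dst=fe80::1 dport=445
2010-09-24T10:01:05 fw allow tcp src=2001:db8::10 dst=2001:db8::1 dport=22
2010-09-24T10:02:11 fw allow tcp src=2001:0:cb00:7101:0:fffe:3fff:fdfd dst=fe80::1 dport=9001
"""


def parse_teredo(addr):
    """Decode a Teredo address (RFC 4380 layout) into its embedded fields.

    Layout of the 128 bits:
      bits   0- 31  prefix 2001:0000
      bits  32- 63  IPv4 of the Teredo server that issued the address
      bits  64- 79  flags (0x8000 = client sits behind a cone NAT)
      bits  80- 95  client's external UDP port, XOR 0xFFFF
      bits  96-127  client's external IPv4, XOR 0xFFFFFFFF
    Returns None when the address is not inside 2001::/32.
    Raises ValueError when addr is not a valid IPv6 literal.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    _, server, flags, obf_port, obf_client = struct.unpack("!IIHHI", ip.packed)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "cone_nat": bool(flags & 0x8000),
        "external_port": obf_port ^ 0xFFFF,
        "external_ip": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
    }


def find_teredo_clients(log_lines, trusted_servers=()):
    """Scan log lines for Teredo addresses and decode each one.

    trusted_servers: IPv4 addresses of the Teredo servers you expect to see
    (a constructed allowlist in this example). An address issued by any other
    server means a tunnel was set up through a server/relay you did not
    sanction, which a blanket block on UDP/3544 alone does not catch.
    """
    trusted = set(trusted_servers)
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for token in _V6_RE.findall(line):
            try:
                fields = parse_teredo(token)
            except ValueError:  # regex matched text that is not an IPv6 literal
                continue
            if fields is None:  # 2001:: space but not the Teredo prefix
                continue
            hits.append({"line": lineno, "address": token,
                         "trusted_server": fields["server"] in trusted, **fields})
    return hits


if __name__ == "__main__":
    for hit in find_teredo_clients(SAMPLE_LOG.splitlines(), trusted_servers={"192.0.2.1"}):
        print(hit)
```

The decoded `server` field is the useful bit for the PROTECTION section: a Teredo client address whose server is not one you expect tells you someone stood up their own server/relay (Miredo or otherwise), regardless of which UDP port that relay listens on. Python's `ipaddress.IPv6Address.teredo` property gives the same server/client pair without the port and flags; the struct unpack above is spelled out so the obfuscation is visible.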

Tuesday
Feb 23 2010

Practical Exploitation

Practical Exploitation is going to be me, explaining things the way I see the world, on the best medium for what I'm explaining, be it a short blog blurb, a video of me, a video of a desktop, or just audio. There is no schedule that I'll be sticking to, but I will guarantee you 3 things:

  1. If you want it explained and it has to do with infosec or hacking (I'll do my best on the hardware side), it will be on the show. Be it a white paper that you don't have the time or the desire to decrypt, a tool you can't figure out, or just something you want to learn more in-depth. That's what it's for.
  2. No fluff, I'll get straight to how you use it or can understand the topic.
  3. If your bullshit flag goes up for even an instant, call me on it, and I'll either explain why I said what I did, or apologize and correct myself. You can email, tweet, PM, IM, ask a question on the tumblr site, or just haul up and punch me at a con. Either way, please take the time to tell me I'm wrong and why.

It launches today. I'll start with topics that I know cold, I'll move on to white papers that I thought were interesting but haven't read yet, hopefully intermingling in anything you want to learn about.

http://www.practicalexploitation.com/

and email: questions at the same domain.

or call: (503) 406-8249

-- mubix

P.S.  Room362.com and Mubix Links aren't going anywhere. If anything they will probably start getting updated more. Room362 with stuff I cook up, as always, and Mubix Links with anything I find interesting on the web.