Microsoft disclosed a zero-day flaw in Windows Shell on Friday and Stuxnet (W32.Stuxnet) is already exploiting it to gain access to SCADA systems through its attack vector. Since SCADA systems are updated mainly by CDs or pen drives, the attack vector fits like a glove. The malware targets Siemens’ Simatic WinCC software and intends to steal information like project schematics and upload them to an external website. From CNet: Once the malware locates the data it is looking for, it encodes it and attempts to upload it to a remote server.
Ettercap is a great tool for MITM poisoning and sniffing. Everyone in Infosec should have played with it (or Cain) at least once. Man-In-The-Middle (MITM) attacks are pretty easy to perform on a local network, but the tools tend to crash a LOT. Cain (Windows) is a little more stable than Ettercap, but I prefer Ettercap over Cain because it doesn’t spoof SSL, which I consider too loud depending on the attack.
Today a friend introduced me to a great tool called Ninite. It’s a batch installer which comes with the most popular Windows FOSS available in the wild and saves you from downloading and manually installing them. Ninite also skips installation screens (and their EULAs) and it’s perfect when you must set up several stations or you constantly have some station setup to do. Although Ninite ISN’T a configuration management tool, it is a good time-saver for smaller environments.
The Center for Internet Security has some great security benchmark papers for many OSes (all flavours of Windows, Linux and Solaris) and applications (Apache, MSSQL, MySQL, Oracle etc). The papers are available to download at their CIS Resources Download. CIS also has a great audit tool called the “CIS-CAT (Configuration Audit Tool) Benchmark Tool” that is SCAP-validated by NIST as a Federal Desktop Core Configuration (FDCC) scanner tool and is listed in NIST’s wonderful NCP (National Checklist Program) low-level benchmark repository.
Just read on Slashdot that the FBI failed to break the encryption of Daniel Dantas’s hard drives. Daniel Dantas is a Brazilian banker involved in financial frauds, caught by the federal police in July 2008. The 5 hard drives seized by the Federal Police at his apartment were encrypted with the top-notch AES encryption algorithm with a 256-bit key. Two software tools were used to manage the encryption and one of them was the widely used and well-known open-source tool TrueCrypt.
Here’s a good online password generator from PcTools that generates passwords based on various parameters such as password length; inclusion of letters, numbers and special characters; the ability to exclude similar-looking characters etc. Good to have bookmarked! There’s also a desktop version (Windows) of the password generator in the “Password Utilities” software provided by PcTools.
One good practice is to disable your SSID broadcast so you don’t show up on the victim list. Although this doesn’t make you completely invisible, it does make your network harder to locate. (Networks can still be located by their BSSIDs.) MDK3 was written by ASPj to bruteforce network SSIDs (even with wordlists). Tape has done some testing and described it all on his blog post. It has some videos too of the attack in progress against a 3-character-length SSID.
ARP poisoning is a technique that is quite simple to apply and allows traffic to be sniffed over a switched network. It can be used to sniff connections on-the-fly and capture plain-text passwords or hashes. ARP poisoning also allows combination with other attacks such as DNS spoofing and packet filters in order to deploy client-side exploits transparently. This attack can only be performed from the local network because ARP packets aren’t routed, so you can’t hop between LANs, but it can be performed from any machine on the same network, so it is a serious concern when dealing with unhappy employees, interns and industrial espionage.
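On the defensive side, the classic way to spot poisoning on your own LAN is the arpwatch approach: remember which MAC answers for each IP and alert when that changes, or when one MAC starts answering for several IPs. The script below is an added example (not code from the original post) that does this over constructed tcpdump-style ARP lines; the sample addresses, the line format and the function names are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed tcpdump-style ARP reply lines (not a real capture): the gateway
# 192.168.1.1 answers normally, then a third MAC starts answering for both
# the gateway's IP and a workstation's IP, which is how poisoned replies look
# from a victim's point of view.
SAMPLE_LINES = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:0a, length 28
12:00:03.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:04.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:06.000 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def parse_replies(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from ARP reply lines; requests are ignored."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out

def detect_arp_conflicts(replies, trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """arpwatch-style check: remember the first MAC seen per IP (or a trusted
    seed table, e.g. the gateway) and alert on any later reply claiming that IP
    from another MAC, plus on any MAC that answers for more than one IP."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts: List[str] = []
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac          # first claim wins unless pre-seeded
        elif known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_replies(SAMPLE_LINES)):
        print("ALERT:", alert)
```

Seeding `trusted` with the gateway's real MAC matters: without it, an attacker who answers before the gateway does gets recorded as the legitimate mapping.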
These presentations on exploiting with the Metasploit framework, given on May 8th, 2010 at the Brown Hotel in Louisville, Kentucky, have tremendous value. They’re from this month, still fresh! It’s 7 hours of presentations, so it takes a while to finish (I took almost a week! phew!) but it’s totally worth it! It starts with Adrian “Irongeek” Crenshaw introducing Metasploit and exploiting a Windows box via msfweb and msfconsole. Pretty neat.
One of the coolest attacks is forcing a downgrade between the client and server, making the server believe that the client only supports older and insecure versions of the protocol. This works with Windows’ NTLM authentication and with SSL, mostly.
How does a ‘downgrade attack’ work?
Downgrade attacks are born from a misconfiguration and take place within MITM attacks. Privilege is escalated by trapping the connection request and forcing the use of an older protocol version with known security issues, by faking the protocol versions the client claims to accept. The weak protocol is then attacked and access is escalated.