nbsniff – Abusing the Netbios Name Lookup Service

This is a very short post, basically pointing you at someone elses site for something awesome, however, seeing as it is kind of a hot topic, I may as well write SOMETHING about it.

Recently there was a massive stir about the “FLAME” malware (which I am working on an article about) using a MITM attack to propegate, by hijacking Microsoft Update(s).

Pretty cool, no?

Well, first off, lets look at how it went about it.
First off, it used the NetBIOS hijacking technique (wherin, any netbios name lookup was answered with “ME”) to give victims a bogus WPAD.dat file.

Ok. When your computer is looking up another computer, it first tries DNS to see can it resolve the domain to an IP. Hijacking someones DNS is trivial, but requires a full on ARP poisoning, or rerouting, attack, which is pretty involved. So. If the domain DOESN’T resolve, the computer broadcasts a “NetBIOS Name Lookup” to EVERYONE, and in theory, only a computer with a matching name will reply.

This is where we come in. We reply with “Yeah, thats us!” to their request, and they then “trust” that we are who they are looking for.

So. When their computer automatically checks is there a WPAD server (Web Proxy Auto Discovery – a server on the network that tells computers what proxy settings to use) – we tell them “yo, thats me”. And serve up a malicious WPAD.dat file. Which, could make them simply route all their traffic through a logging proxy on our box, but in this case, simply tells them that we are their Windows Update providers.

When they then request updates, we go “here” and give them their Windows Updates (actually malware).

A fairly trivial attack really… Though Ron over at SkullSecurity can provide you with software to do this kind of thing, and likely explains it better :)

So without further ado, here be links to some software and stuff for you to play with :)
SkullSecurity – Pwning Hotel Guests

Malware.lu vs Herpesnet Botnet

Recently, a group of malware researchers, at Malware.lu – have seemingly taken the fight back against botnets another step.

Now, first off, let’s get my position on this straight for those watching me who are just waiting for me to break some kind of law or ethical barrier: While I wholeheartedly support these researchers actions, and believe that their approach to “dealing with botmasters” is the way forward, I will NOT be participating in it without cooperation of some sort from Law Enforcement, or legal permission to do so. The ice under my feet is too fucking thin to go popping C&C servers, though I wish I could.

The reason why we should take the fight back to the botnet masters is simple: They have the upper hand here. We do not. They can simply keep changing their C&C servers, keep doing DNS switcharoos, and keep spreading their malware, targeting innocent bystanders and making off with reams of personal data, while us researchers can do shag all except report to the authorities and pray to god they do something. It is not until someone like Microsoft gets involved that shit ACTUALLY gets done.

If the relevant authorities would issue “carte blanche”, or even a “carte gris” to take down botnets if the opportunity arises, the internet would be a far safer place. Until PROACTIVE measures are taken to make the cost of operating and owning these things too damn high for the amateurs, the smaller botnets will proliferate undetected for infinite time.

Anyways, on to the story.

So, the guys at malware.lu (I believe it was r00tBSD) got a sample in, of the HerpesNet botnet. I had been investigating Herpesnet for a while, after seeing it offered up as a “botnet as a service” type thing. You simply infect people, the botmaster/owner handles the C&C and backend server, along with writing the malware.

Fascinating system, and it is criminal economies like these that need to be stamped out. This particular sample was proliferating on Skript Kiddie forums predominantly, however, it is simply showing how *Fast* this kind of service offering has become common place.

Upon analysing the unpacked (non obfusticated) binary, and decrypting the few strings that were obscured, they were able to locate its C&C server.

They were also able to uncover what it sent to the server in HTTP POST requests, which seemingly, was sent in plaintext, and therefore offered them insights into what kind of data this thing was stealing, etc.

The researchers then decided to see could they perhaps use SQL injection attacks to own the command and control server, and in the end, they succeeded, gaining access to the administrator (botmasters) account on the C&C.

Taking things further, they actually uploaded a Meterpreter payload to the server and ran it, remotely hijacking the C&C. They took a screenshot of the C&C through the Meterpreter shell, and it LOOKS to me like it was the malware authors own box they had owned.

Pretty stupid, hosting a multi user botnet on your own box… But… Criminals are rarely the most intelligent it seems.

Now for the REALLY fun part: They then dumped the bots source code, etc. onto their box for more analysis, and subsequently the botmaster severed the box’s internet connection.

Not only this… They doxed the botmaster! Revealing his true identity for all to see (and for all to arrest…).

This kind of thing could be seen by some as vigilante justice, however, I see it as the future of the fight back against crimeware and online fraud. Even xylitol seems to get away with this, so my question to you all is as follows: What is the ethics/legality to this? CAN I legally start “assisting” LEO by dropping botnets and doxing their owners? I am FAIRLY sure I would be breaking anti-hacking laws, but, I also know the law pretty much requires me to do my duty as a citizen to PREVENT crime.

While I won’t be popping botnet C&C servers anytime soon, it is an interesting question to ask… And one I would love to know the answer to.

For more on this story, check out the article the guys wrote here:
Herpesnet Analysis and Ownage – Malware.lu

And also check out their main site: http://malware.lu

Massive props to the Malware.lu team, they are REAL internet superheros!

Nmap – FTP Bounce Scans

In part One and Two of this series I described various methods of evading IDS/IPS/Firewalls, sick and general methods of evading detection when port scanning your targets using nmap.
In this instalment I hope to give an overview of the technique called the “FTP Bounce” Scan technique, and various “interesting” uses I have had for it…
This, along with my other nmap articles, is all kind of my notes for the wiki article over at http://blackhatacademy.org – reopening soon – with lots of shiny new content and awesome stuff!

So, how does FTP Bounce work?
Well, the File Transfer Protocol, according to its RFC (RFC 959 according to nmap man pages), has a feature called the PORT command (now I may be messing up, but I THINK this is the command. Ping me if I am wrong :3 ). Basically it allows proxy FTP connections, where I can ask the FTP server I am connected to to send a file to a host/port I specify. Obviously, in order to send a file to another host/port, it has to CONNECT to said host/port. So, we can use this to get the FTP server to check is said host/port open… Seeing what I am getting at here?

We can make an arbritary FTP server port scan another server for us (IF said FTP server supports this “feature”… Which, according to nmaps man pages, many do not anymore… but still!).

Now, most of us are likely thinking “Right, so I an make random FTP servers act as “drones” during my port scans… AWESOME!”. Yes, yes you can. This puts another “hop” between you and your victim, meaning it is a shitload harder to trace it back to you! Using standard methods like -T0 and such are recommended here, to make things even sneaker. As the FTP server is not DESIGNED to be a port scanner, it is not exactly going to be stealthy… So we kind of have to rely on timing. Need I say this is TCP ports only also?

Now for the super fun part. Now the following idea, I thought was fairly original when I came up with it while walking my dog. However, upon reading the man pages for nmap (and you wondered why I was sleep deprived? I STILL AM!) I realized Fyodor had gotten there first. Years ago. Feck.
However, it is still a cool trick… So I will outline it.

Say you are scanning company.tld, and have found a FTP server on their network, but the rest of the bloody network is firewalled off. You wish to scan the inside of their network. So, you somehow have gained credentials to their FTP server (or it supports anonymous logins), and you are still wondering how to use this to scan out the insides.
Use the external FTP server as your bounce host, and ask it to scan various inside-network ranges (just use the default 10.x, 192.168.x, etc) for you until you figure out which addressing scheme they use. Then ask it to scan the whole bloody network for you! Now, you have mapped out their internal networks by simply leveraging the FTP Bounce bug in their FTP server! Awesome, no?

Using FTP Bounce (Assuming you have a vulnerable FTP that allows this, see the ftp-bounce NSE script for checking FTP servers…)

root@bha:~# nmap -T0 -b username:password@ftpserver.tld:21 victim.tld

This uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld.
If the FTP server supports anonymous logins, just forget about the username:password@ part and nmap will assume it allows-anonymous. You may omit :21 if the FTP port is 21, however, some people configure FTP on wierd ports as an attempt at “security”.

So, thought up of any “fun” uses for the FTP bounce scan technique? Tell us about them! And keep an eye out for the finished Wiki article over at http://blackhatacademy.org (if I ever finish it, that is :P )

// Yay! Still importing content with great success!


Quick update, cure Migration to WordPress is going fairly well.

The old content can still be accessed at http://insecurety.net/index.OLD.html for those that want it, advice however it will all be eventually assimilated into this WordPress blog.

The team is also expanding, with new people coming onboard to share their work and collaborate on new things. So there should be a lot of awesome research and development done!

I am currently finishing off some research into Denial of Service attacks and migitations by posting a series of articles about how they work. I am starting with SYN floods and then just moving along.

As this summer kicks off,  Blackhat Academy is going to be relaunching their site soon, with lots of awesome new content. Having started contributing to their wiki, I have seen the absolutely amazing content they have over there. Go check it out – it is relaunching in June!

The subpages are not yet finished, and this site is still a work in progress (as always), but yeah.  Hope you find something you like here :)