Don’t Wait, and DON’T CLICK!

If you browse or are redirected to a website, or click a link, and see a screen like the one below, do not wait; simply close the browser. That “Wait Please” is static text; however, if you look at the page source there are several malicious JavaScript snippets (second picture) attempting to send you to a URL that usually hosts some malware or a drive-by download (FakeAV most of the time).

[Image: mal2]

[Image: jscriptmal]

I’ve seen quite a bit of this the last few weeks, and most of it has been the result of someone clicking on a link from within a spam email. Here’s a protip (pass on to your friends, family, colleagues and anyone who will listen): If you get an email that is concerning, don’t just blindly click the link. In the below case, if you simply hover your mouse over the links you’ll see they point to pages that have nothing to do with the company that the email is claiming to be from.

[Image: badverizon]

If you must follow the link, use a browser sandbox like Sandboxie.

Mobile Malware via a FAX

This is a new school twist to an old school scam, fax machine spam.  Miscreants would send out bogus faxes with scam numbers, many times just trying to hawk “dealz” or, in some cases, trying to phish info from the caller.  But, for the most part fax machine spam has subsided (I think; I have no real data, just a hunch).

A friend, who wishes to remain anonymous, said that several of these faxes appeared at her office over the last two days.  She forwarded me a scan of one to review.

You can see that this is all sorts of wrong; even the QR codes look like they were physically pasted (after the fact) on this fax.  What was interesting is that the QR code leads to a site that wants you to download an app (link for both Android and Apple devices) to install on your phone.  I’ve redacted the QR codes and numbers to protect the innocent (and inept).

Looking into it further, these are bogus premium rate SMS apps that send text messages to numbers the scammers control; then you get charged for premium SMS messages and they make cash.  Be warned, don’t just scan QR codes everywhere.  I wonder how many people at my friend’s company used their neato smart phone to follow those codes and installed those apps?  Maybe it’s not a bad idea to protect your main corporate fax number a bit, too.

Home Network Users Beware

You can reset the router password of most stock setups of Verizon’s FiOS Internet service without authorization, and without physical access.  That is a bold statement, but one that I have found to be true every single time I test it out.  And if I’ve found this out, chances are good that plenty of others have as well.  I have called and emailed Verizon several times about this issue and have gotten a mix of “I didn’t know that was possible”, to “Yeah, that’s a value add feature for our customers”.  Either way the big V has not addressed the problem.  My hope is that someone brings this up to the President of Verizon Security Awesomeness  and says “Uhh, we may need to rethink this one!”.

For brevity’s sake I’ll sum it up here: You can download the Verizon In Home Agent and reset the router password of any FiOS router. The only requirement is you be on the same network as the router. No authentication required (See picture, note it doesn’t ask for old password!).

Here is the long version.

I found this issue out by accident, after I moved. I had Verizon come out and transfer my FiOS service to my new address. The tech was doing the usual stuff, then said “Now I have to verify connectivity. Do you have a computer we can use to test it out?”. I ambled up and set my laptop in front of him, which was running Ubuntu. The tech instantly stated, “Uh, we don’t officially support machines unless they’re a Windows PC.” I browsed the Internet and was satisfied. He said, “We have to run a program to test connectivity or I don’t get credit for the install”. The “program” in question was an exe. ~Sigh~ Ok, fine, so I booted up my Windows 7 VM. He plugged in a thumb drive and fired off some exe. Now, I won’t even go into the fact that I would usually NEVER let anyone plug in a random thumb drive to my PC and run some exe, but this was a VM and I wanted him to finish, so I held my tongue. The exe launched some apps that looked like they were testing different aspects of my FiOS service. But for all I know I was being enrolled in a botnet. But that’s neither here nor there.

When all the colors on the screen showed green he said “Now I’m going to show you about Verizon’s In Home Agent”. I didn’t feel like dealing with it, but he was in full on canned speech mode. “It lets you diagnose issues, collect log info for support and do some other neat stuff, like reset the router password.” Fine, fine, get out thank you, enjoy your life tech-guy. When he left I went to log in to the router with the password he had left me (Password1). Of course wireless security was set to what Verizon always sets it to: WEP. I went in, changed to WPA2 PSK, and changed the passphrase, then I went to change the password but accidentally closed the window before I did. Shucks… but wait… the In Home Agent screen was up and the option “Change Password” was sitting right there. Ok, I’ll bite. So I clicked it. It asked for a new password. It DID NOT ask for an old one. Hmm, so I typed in a new password. Then I tried to log into the router. My new password worked. Interesting. Well, maybe since the application was running earlier it cached the first password when I logged into the site… I dunno how, but maybe. So, I rebooted and used the In Home Agent and changed the password to something new, without being prompted for the old one. Fascinating. I went to my neighbor later and asked if I could test something out. They owe me since I have fixed their computers for free, so they let me tinker. They let me connect to their network (which was WEP) and I ran the In Home Agent. I then proceeded to change their router password without being asked for the original. Yikes.

On my first call to Verizon, I explained how most times Verizon techs come out for a FiOS move or install they set wifi security to WEP.  I was told this was because not all customers’ computers support WPA/WPA2, and they want to ensure that their customers can use their wifi.  Ok, but WEP can be cracked in minutes.  There have been dozens of articles published on how to do it.  But, that’s not the worst part.  If I get on to a network (crack their WEP or am allowed in) all I have to do is run the In Home Agent and I can reset their router password.  I don’t have to MiTM them, nor find vulns in their PCs to exploit, I can just own them at their gateway.  Redirect DNS where I want, set new routes.  “Hmm, I’ll inform my manager about your concerns”.  That’s all I got the first call.  Several other calls, and several emails later there has been no update to the In Home Agent.

I did get one tech who said “Well, I mean you know, if you’re on the network we figure you’re allowed to be… so you can reset the password I guess”.  Ok, but if I crack the WEP I got on without being allowed to be…  or if I’m a parent and I want to set parental controls or filters all my kid has to do is reset my router password and log in… ~sigh~ it doesn’t get through.

I guess a bullet point here is (obviously) don’t use WEP, and even if you use WPA2, be careful who you allow on your network.  Any guest on your network can reset your router password.  And, how often do you log in and check that, anyways?

Hopefully having this on the Interwebs will get them to wake up.  Because a concerned customer’s harassment apparently can’t.

Remote Pentest Setup – Multiple Default Gateways

Sometimes I’ll have an internal security assessment lined up and the client is amenable to having a remote testing device sent to them.  The goal being to be able to perform an internal penetration test/security assessment without having to physically be there.  This setup is win-win in my opinion: cuts down on travel costs which is good for everyone.  If you think about it, you don’t really need to be there, you just have to get access to the network.  You can even perform wifi pen testing, as long as your remote setup is near an AP.

I like to have a dedicated interface for ONLY remote access (ssh/nx server/freenx or openvpn reverse back to me), when I’m doing 100% remote assessments.  Then I have a second interface for attacking/scanning etc.  If wireless is in scope I’ll have my third interface (wlan obviously).

When I first started setting the remote machines up I experimented quite a bit.  I found that the setup was “flaky” if you simply assigned IPs to the interfaces and hoped it worked.  I messed around with trying to manually set multiple default gateways, but that didn’t work very well.  I also found that a lot of tools (even the ones that allow you to choose an interface) will not send/receive ALL traffic over the one you specify.

The solution that I chose was using ip route and ip rule to ensure that any traffic sent to or from an interface/IP would use the default gateway that I assigned it.

Example:

eth0 will be DHCP – It’s the interface the client can plug into their internal network.  You’ll get an IP from DHCP (with the default gateway).

eth1 will be statically set, and will be for your remote access (either reverse or bind).

First we need to create a special routing table:

echo "1 pentest" >> /etc/iproute2/rt_tables

Next, we set the routes:

ip route add 10.1.1.0/24 dev eth1 src 10.1.1.2 table pentest

ip route add default via 10.1.1.1 dev eth1 table pentest

Notice above we added the information to populate the “pentest” routing table.  It has a route and a default gateway now.

Below we set the rules to send all the traffic to and from an IP address to the pentest routing table.

ip rule add from 10.1.1.2/32 table pentest

ip rule add to 10.1.1.2/32 table pentest

Now, no matter what happens to eth0 your remote access interface is solid.  You can do the same thing for a wlan interface as well.  Simply create a second routing table and add the routes and rules.

I pulled most of this technique from this site.  Works like a champ for my purposes!
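
The steps above collected into one rerunnable script, as an added example rather than code from the original post or the site it credits. It uses the post's values (eth1, 10.1.1.2, gateway 10.1.1.1, table pentest with id 1), swaps ip route add for ip route replace and guards the rt_tables append; the function names, the DRY_RUN switch and the verify check are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Defaults to a dry run that only
# prints the ip(8) commands; set DRY_RUN=0 and run as root to apply them.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}   # path used in the article

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# register_table ID NAME: add "ID NAME" to rt_tables exactly once.
register_table() {
    id=$1 name=$2
    # Already registered with this id and name: nothing to do.
    grep -Eq "^[[:space:]]*$id[[:space:]]+$name[[:space:]]*\$" "$RT_TABLES" && return 0
    # Refuse an id or a name that is already mapped to something else.
    if grep -Eq "^[[:space:]]*($id[[:space:]]|[0-9]+[[:space:]]+$name[[:space:]]*\$)" "$RT_TABLES"; then
        echo "rt_tables: id $id or name $name already in use" >&2
        return 1
    fi
    echo "$id $name" >> "$RT_TABLES"
}

# policy_route IFACE ADDR SUBNET GATEWAY TABLE
policy_route() {
    iface=$1 addr=$2 subnet=$3 gw=$4 table=$5
    # "replace" creates or overwrites, so a rerun does not fail on existing routes.
    run ip route replace "$subnet" dev "$iface" src "$addr" table "$table"
    run ip route replace default via "$gw" dev "$iface" table "$table"
    for dir in from to; do
        # Remove an earlier copy of the rule so reruns do not stack duplicates.
        run ip rule del "$dir" "$addr/32" table "$table" 2>/dev/null || true
        run ip rule add "$dir" "$addr/32" table "$table"
    done
}

# verify_route ADDR IFACE: succeeds if the kernel would send traffic sourced
# from ADDR out of IFACE (192.0.2.1 is a documentation address, never contacted).
verify_route() {
    ip route get 192.0.2.1 from "$1" | grep -q "dev $2 "
}

# Dry run with the article's values; a wlan interface would be a second
# register_table/policy_route pair with its own table id and name.
policy_route eth1 10.1.1.2 10.1.1.0/24 10.1.1.1 pentest
```

After applying for real, `verify_route 10.1.1.2 eth1` confirms the kernel picks eth1 for traffic sourced from the remote-access address, whatever DHCP has done to the main table.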

M$ Screencap Application For Troubleshooting… And Sleuthy Spying

I was recently made aware by an infosec colleague of mine DMFH (aka Donny Harris) about an M$ utility called the Problem Step Recorder, aka psr.exe.  It comes standard on Windows 7 machines.  In a nutshell it’s used to provide a step-by-step breakdown of user activity to provide to tech support after a user has re-created a problem, complete with screen captures!  NOTE: it does NOT capture keystrokes.  So, thankfully M$ did not embed a keylogger into Windows 7.  It shows a script of sorts of a user’s activity in Windows, info about PIDs, what mouse buttons are clicked and different hooks and internal system calls.  What got me was the screen captures… I know there are metasploit modules (screenspy and screenshot) and AutoIT apps, and that every keylogger on earth has a screencap ability.  DMFH made a good point tho: psr.exe would not be caught by most AVs being that it is a signed and trusted system utility.  And, if a user sees psr.exe in their taskmgr and googles it, they’ll see it’s an M$ troubleshooting tool, so they may be less concerned with it.

I realize that if you’re on a box and can run psr.exe you’ve already owned it, or are close to doing so; this is not the next l33t h@x0r attack, but another tool in your arsenal.  One use case could be you have shell access to a machine (no meterpreter) and you can’t figure out a way to get tools onto the box for some reason.  If it’s Windows 7 (didn’t find it on server 2k8 r2) you can grab screencaps and save them somewhere you can hopefully access.  Also, to reiterate my point, it’s an M$ utility so you don’t have to bring in another app that could trigger AV.

Below are a few pictures showing what the web archive (.mht) file contained.

Here are the commands to run psr.exe from the cli.  I did try it from a shell gained via metasploit and it worked like a champ.  The key is to migrate (if you’re not already running as them) into a PID of a user to capture that user’s session.

psr.exe /start /output c:\Users\username\test.zip /sc 1 /gui 0

You need to issue (or schedule a task to run) the below command to stop psr.exe from running/recording.

psr.exe /stop

Here’s a blog post I found that details some of the switches of psr.exe.
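
Because psr.exe is signed and rarely flagged by AV, its command line is what a defender has to go on. The following is an added example, not part of the original post: it scans process-creation records for psr.exe started with the switches shown above, using a constructed pipe-delimited log format (time|host|user|command line) and constructed sample lines.

```shell
#!/bin/sh
# Added example. Log format and sample lines are constructed for illustration:
#   time|host|user|command line

sample_log() {
cat <<'EOF'
2024-01-01T10:00:00|WS01|alice|"C:\Windows\System32\psr.exe" /start /output C:\Users\alice\t.zip /sc 1 /gui 0
2024-01-01T10:05:00|WS01|alice|psr.exe /stop
2024-01-01T11:00:00|WS02|bob|C:\Windows\System32\psr.exe
2024-01-01T11:30:00|WS03|carol|notepad.exe C:\notes\psr.exe-howto.txt
2024-01-01T12:00:00|WS04|dave|PSR.EXE /start /output C:\Users\dave\steps.zip
EOF
}

# flag_psr: read records on stdin, print "LEVEL host user time" for every
# psr.exe recording start. HIDDEN means /gui 0 (no window shown to the user).
flag_psr() {
    awk -F'|' '{
        cmd = tolower($4)
        # The executable is the first token; it may be quoted and carry a path.
        if (substr(cmd, 1, 1) == "\"") { split(substr(cmd, 2), q, "\""); img = q[1] }
        else { split(cmd, q, " "); img = q[1] }
        sub(/^.*\\/, "", img)                    # keep the file name only
        if (img != "psr.exe" || cmd !~ /\/start/) next
        level = (cmd ~ /\/gui[ \t]+0/) ? "HIDDEN" : "VISIBLE"
        print level, $2, $3, $1
    }'
}

sample_log | flag_psr
```

Only the first and last sample records are reported: a bare launch, a /stop, and a file that merely has psr.exe in its name are not recording starts.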