4li3n’s after midnight useless news and links – 2011.02.01 (*4cid r3f1ux* edition)

[NEWS] Intel Develops Hardware-Based Antivirus -> http://goo.gl/4z7mC
[POST] Evil Packaging on OSX with Xcode and Metasploit -> http://goo.gl/sQHy6
[PAPER] Exploitability: 94 pages about exploiting Windows and Linux -> http://goo.gl/6AqRE
[INFO] Chef: systems integration framework -> http://goo.gl/KcS5u
[POST] Smartphone botnet C&C over SMS (Shmoocon 2011 – slides & code) -> http://goo.gl/qw6dK
[POST] An introduction to oclHashcat+ & cudaHashcat+ -> http://goo.gl/LLNot
[INFO] Re2: an efficient, principled regular expression C++ library -> http://goo.gl/5s5zF
[POST] ATM Skimmers That Never Touch the ATM -> http://goo.gl/a46B0
[SCRIPT] pdnstool: queries several passive dns databases -> http://goo.gl/hOZnb
[VIDEO] Exploiting BlogEngine.NET 1.6.x (cloud enhanced exploit) -> http://goo.gl/6N6Fe
[NEWS] Yet another Android Browser exploit that affects the new Android =< 2.3 -> http://goo.gl/4ERNJ
[NEWS] Pod2g Discovers New Untethered Jailbreak Vulnerability -> http://goo.gl/azSxG
[TOOL] NIELD: Network Interface Events Logging Daemon v0.1 released -> http://goo.gl/DbVmq
[SCRIPT] Knock v1.4.4: enumerate subdomains on a target domain through a wordlist -> http://goo.gl/5GLil
[PAPER] Antivirus Firewall Evasion Techniques Evolution of Download Deploy Shellcode (PDF) -> http://goo.gl/V7tzA
[PAPER] Effectiveness of Antivirus in Detecting Web Application Backdoors (PDF) -> http://goo.gl/FC084
[TOOL] Mausezahn v0.40: free and fast traffic generator -> http://goo.gl/qlgwh
[TOOL] Java Cisco Group Password Decrypter -> http://goo.gl/WebjA
[PAPER] Vulnerability discloses PIN used in Microsoft Excel secure printing (PDF) -> http://goo.gl/fjLlW
[NEWS] Stop Cross-Site Scripting Errors Now: Veracode Launches Free Detection Service -> http://goo.gl/1HJ5K
[VIDEO] Ubertooth One: an open source Bluetooth test tool -> http://goo.gl/fsR4e
[POST] How Does Cross-Site Scripting Become Arbitrary Code Execution? An Ode to the Oft-Maligned Referer Header -> http://goo.gl/jWZJn
[POST] The Cases of the Blue Screens: Finding Clues in a Crash Dump and on the Web -> http://goo.gl/64iBn
[ADVISORY] Cisco WebEx .atp and .wrf Overflow Vulnerabilities -> http://goo.gl/vFJb2


An introduction to oclHashcat+ & cudaHashcat+ (by d3ad0ne via ob-security.info)


Lets face it, when it comes to passwords humans are predictable. Time and time again we see this when a site gets compromised. After the hashes have been sorted the top password are nearly always the same. It’s usually some variation of 1-9, password, iloveyou, princess, abc123, qwerty, 111111, secret, etc. Many of these passwords are unoriginal, and people use these same passwords across all of their accounts. Then their are the individuals that think they are being unique, and will change one of these common passwords to something slightly different for example [password –> Password123]. A dictionary tool with a rule engine can easily find these types of passwords. Up until now all these dictionary based/ rule engine tools have mostly CPU based (hashcat & JTR for example). Using a dictionary with 14 million passwords and a rule file with only 3000 rules could take as long as 15 – 20 minutes with a CPU based tool. That same 14 million password wordlist can take about 2 hours using my custom 23k rule set(preloaded in the /rules folder). This is where oclHashcat+/cudaHashcat+ come in.


oclHashcat+/cudaHashcat+ which I will call “oclHashcat+” for the sake of simplicity in this article is a completely new tool, separate from regular oclHashcat. oclHashcat+ is a dictionary based tool with a full featured rule engine that all run completely on the GPU. In our above example a 23k rule file combined with a 14 million word dictionary would take about 2 hours running on a modern CPU at about 50M password attempts /sec. With oclHashcat+ this same same rule set and dictionary file takes as little as 3.5 minutes using a dual GTX 480 system running at about 2B password attempts /sec. That’s right folks 50M for the CPU vs 2000M on the GPU. But that’s not all, oclHashcat+ offers us a couple of new features which I’ll be going over here.

The first thing to point out is that there are now four separate .bin/.exe files. This is to cover the various different system combinations that people may be running. The switches and syntax for all of these different versions are the same, however depending on your GPU, OS and OS architecture your running will depend on which one you’ll be using. For example someone with Ubuntu 64 running a Nvidia card would use cudaHashcat+64.bin while someone running a Windows 32 bit system with an ATI card would run oclHashcat+32.exe. I find the easiest way to get rid of the clutter in your folder is to delete those extra .bin/.exe files. Since I’m running Ubuntu with nvidia cards I delete all the exe files, and ocl prefixed bin files. Just in case your complete baffled by this here is a simple cross reference table:

  Windows system Linux system
ATI w/ 32bit OS oclHashcat+32.exe oclHashcat+32.bin
ATI w/ 64bit OS oclHashcat+64.exe oclHashcat+64.bin
nVidia w/ 32bit OS cudaHashcat+32.exe cudaHashcat+32.bin
nVidia w/ 64bit OS cudaHashcat+64.exe cudaHashcat+64.bin

The only exception being that 64bit OS’s can run the 32bit versions (oh though I don’t know why you’d want to). The reason for the forking of the project into separate CUDA and OCL variations comes from a programming standpoint, certain optimizations can only be done using vendor specific code. This gives us a nice performance increase because the code is better optimized to support that architecture.


oclHashcat+ uses a lot of similar switches and syntax as the other Hashcat tools. The attack mode numbers such as 0 for MD5, 1000 for NTLM, 1100 for DCC are all the same. If you run the –help switch it will list all the various switches.

  • One thing you may notice is that a few more attack modes are supported now that have only been supported on the CPU version. The attack modes -m 400 covers MD5(wordpress and phpBB3) and -m 500 covers MD5(unix). These algorithms are generally difficult hash types to attack due to the high iteration counts that a plaintext goes through while getting hashed. High iteration algorithms may reduce the overall attacking speed of a hash but it doesn’t do anything to protect those passwords that users always tend to use, even if those passwords are only slightly different from the norm.
  • Support for standard in – For those that have already built special scripts or have various other ways to mangle or generate wordlist this is a way to continue to use those. In addition since oclHashcat+ doesn’t support bruteforce style attacks directly you can use the maskprocessor from hashcat-utilities to generate a bruteforce character set and pipe it to stdin.
  • GPU based rule engine – oclHashcat+ supports nearly all of the same rules that hashcat supports except for the @ modifier. That means any of the rule list you may have built before to use in Hashcat will also work. You can also generate random rules using the -g switch. -g 1000 would generate 1000 random rules.

Usage & Conclusion:

Here is an example usage and output:
./cudaHashcat+64.bin -r rules/d3ad0ne_23.8K.rule -n160 -o found.out example0.hash /root/dict/rockyou.txt
Rules: 22656
Platform: NVidia compatible platform found
Device #1: GeForce GTX 480, 1535MB, 1520Mhz, 15MCU
Device #2: GeForce GTX 480, 1535MB, 1520Mhz, 15MCU
Device #1: Kernel ./kernels/4318/m0000.sm_20.64.cubin
Device #2: Kernel ./kernels/4318/m0000.sm_20.64.cubin

Starting attack in wordlist_mode...

p: 553/6494, cs: 1, cr: 1920, cl: 8, rt: 1546.73ms, s:1627030.75k/s
p: 657/6494, cs: 1, cr: 3968, cl: 8, rt: 1200.40ms, s:2096458.25k/s
p: 708/6494, cs: 1, cr: 6016, cl: 8, rt: 1214.36ms, s:2072357.88k/s
p: 740/6494, cs: 1, cr: 8064, cl: 8, rt: 1224.98ms, s:2054383.12k/s

Here we can see that I used the -r switch to specify a rule file, I set the workload to 160 using -n, saved the found hashes in the found.out file using the -o, example0.hash is our hashlist and rockyou.txt is the dictionary file. One thing to note you may have seen a lot of “Skipping invalid or unsupported rule in line ###” This is typical, as oclHashcat+ does not support all of the same rules as regular hashcat. It simply skips the rules but will use all the ones that it does support.

The status output means the following – p:progress, cs:current salt, cr:current rule, cl:current (plain) length, rt:runtime, s:speed.

Something to keep in mind is that for non iterated hashes such as md5, ntlm, md4 you need to keep the GPU constantly busy. That is to say that if you were to try to crack MD5 with no rules using a standard dictionary oclHashcat+ speeds would be very low, this is because the GPU can calculate the MD5 sum of a dictionary word much faster than that word can be sent through the bus to the GPU to be processed. That’s why it’s suggested to use at least several hundred rules. The rules act like iterations, constatly keeping the GPU busy.

oclHashcat+ can be downloaded here
hashcat-utillites can be downloaded here

Check back soon as I’ll cover some helpful tips and techniques.

Original post: http://ob-security.info/?p=211

4li3n’s after midnight useless news and links – 2011.01.31 (*Shmoocon* edition)

Just a few links this time mainly because all researchers are at Shmoocon 2011!

[DISCLOSURE] More on Microsoft Internet Explorer MHTML Protocol Handler XSS -> http://goo.gl/AOfh1
[POST] Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1) -> http://goo.gl/fckpV
[NEWS] More on Sourceforge.net attack -> http://goo.gl/mwXpP , http://goo.gl/1UXLt
[TOOL] Farebot: Read data from MIFARE public transit cards using your NFC-equipped Android phone -> http://goo.gl/AEnkW
[NEWS] Former Kaspersky Employee Responsible for Leaked Source Code -> http://goo.gl/YOdpf
[SCRIPT] pyOLEScanner 1.3: detect Malicious Office Files -> http://goo.gl/am9dG
[INFO] Carberp Trojan Removes Antivirus Scanners, Other Malware from Host -> http://goo.gl/cCYi6
[INFO] Exclusive interview with Linus Torvalds -> http://goo.gl/41xjq
[PAPER] Plug and Prey: Malicious USB Devices (Shmoocon 2011) -> http://goo.gl/mzmIm
[NEWS] Shmoocon 2011: Overview -> http://goo.gl/NpVJL
[NEWS] Shmoocon 2011: Printer to Pwnd -> http://goo.gl/WE43F
[NEWS] Shmoocon 2011: Printers gone wild! -> http://goo.gl/C34ep
[NEWS] Shmoocon 2011: TEAM JOCH vs. Android – The Ultimate Showdown -> http://goo.gl/DfLmj
[NEWS] Shmoocon 2011: Attacking 3G and 4G mobile telecommunications networks -> http://goo.gl/mbEUn
[NEWS] Shmoocon 2011: Defeating mTANs for profit -> http://goo.gl/eEu17
[NEWS] Shmoocon 2011: URL Enlargement – Is it for you? -> http://goo.gl/h2itx

Shmoocon 2011: Printers gone wild! (by Ben Smith via c22.cc)

Printers are everywhere… they are ubiquitous!

Everybody seems to ignore them. They get plugged in, and just work!

HP Basics

Listens on tcp/9100

Admin page on 80/443

Many have hard disks!

HP printers have 3 passwords

  • Web admin
  • Telnet (same as the wedadmin)
  • PJLPassword

PJLPassword can be used to lockout the console, make disks read-only etc…

PJLPassword is weak… no brute-force protections

PJL is unathenticated and widely supported, going away, but will be here for a while.

SNMP can be disabled through the Web Admin, however encoding them specially they will still answer SNMP requests over port 9100

Google search “PJL DMINFO ASCIIHEX” for more info


PJL (Printer Job Langauge)

Sets up printer for jobs

Created by HP, used in many other devices

Really old!

Fun PJL commands

  • FSUPLOAD (not an upload)
  • FSDOWNLOAD (not a download)

There’s een lots of research before (Hijetter etc…)

Bringing that into the modern environment with printFS


Python tool for covert file systems using HP printers

Distributes files over multiple printers

Uses the printer RAM disks or physical disks

Works on any supported printer via network or the internet!

All stored files are compressed/encrypted and saved using random filenames

All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)

Supports panic mode (panic) remotely reboots every device in the file table to destroy the data


multithreaded scanner

Scans printers to see if necessary commands are supported to use printFS

Scans are randomized in the order that functions are run and the timing between them

Test upload files are random data and given random names

Entire scan peppered with random sleeps


Main support lib

Used by all tools

Implements most of the documented PJL commands


A support tool for doing nasty funny things

User interface to the PJL password cracker

Mass control panel lock/unlock

Mass RamDisk/Disk Lock/Unlock

Pass printing (toner is cheap!)


Support class for printjack

Brute-forces all possible password combinations in about 2 hours (single thread)

So now it’s threaded to check multiple printers… all communicate together until one valid password is found (password reuse)

Other fun stuff to do to PJL

  • Mass reboot loop
  • Mass connect to port 9100 and remain connected (blocking)
  • Animated LCD messages
  • SE LCD messages (please call xxxxx)
  • Mass disk lock
  • Mass printing
  • Mass control panel locking


Can only upload files form the directory you are running printFS from

Known issue where some printers won’t respond to pfsScanner if they’re offline

To ensure that printers can still print when being scanned, dynamic class is used (generating huge traffic)

Code Release

Remote-exploit.org will receive it within the next week


  • Shmoocon Schedule –> HERE
  • Talk synopsis –> HERE
  • HP PML faq –> HERE

Original post: http://blog.c22.cc/2011/01/29/shmoocon-2011-printers-gone-wild/

Microsoft Attack Surface Analyzer – Review (by Mark Linton for TripleCheckConsulting)

As part of their involvement at the Black Hat security conference in virginia the microsoft security team has released a new beta of a tool to assist security analysts in understanding the security impacts and effects that result from installation of software that performs unknown installation features.

The Attack Surface Analyzer or ASA for short is based on a slightly dated, but still very relevant Carnegie Mellon paper on measuring attack surfaces – link.  The beta product implements a few of the methodologies discussed by creating baselines of system information before and after the installation of the target software, then analyzing the differences noted and providing an analysis based on a predefined set of security properties (set by Microsoft).

This approach is not new, however Microsoft’s product makes the work of baselining, analyzing and reporting extremely easy, with a easy to read browser readable report generated for the analyst.

I decided to test this tool out with software that I had not previously installed to see what kind of value this could bring to the average security analyst.  The Google Cloud Connect for Microsoft Office is a new product that allows Google Apps collaboration within the Microsoft Office product suite.  Shouldn’t be any security impacts from this combination right?


After installing the ASA tool itself and running it from the icon installed in the Windows 7 start menu.  The interface prompts the analyst to run the initial baseline scan and save the results to a .cab file.


The tool provides a progress report as it collects the information about your system.  This includes all of the expected types of data that this type of comparison would use.  It does take a few minutes as it includes scans of both the filesystem and registry.

With both baselines recorded now we generate a report by comparing the baseline scan with the post installation scan.  This is useful as you can create multiple scans with different installation options and compare them to each other and to the original baseline to determine what changes are made.

The resulting HTML (and javascript) report provides three tabs, the first summarizing the conditions of the analysis and tombstone information regarding the versions of tools, OS, etc.


There is a tab that summarizes the details of the security issues, and includes helpful explanations of each of the issues if you aren’t already familiar with them.  In Google Cloud Connect’s case, there were three security issues reported:
  • Directories With Weak ACLs – related to the use of NT SERVICETrustedInstaller (needs more investigation to see why this was reported)p.p1 { margin: 5px 0px; font: 12px ‘Times New Roman’; }
  • Processes With NX Disabled – GoogleCrashHandler.exe included in the software does not use DEP security options (why not?)
  • Services Vulnerable To Tampering – The Google Update service that was installed is also susceptible to tampering by the NT SERVICETrustedInstaller account.


The Attack Surface tab describes each of the areas assessed in which changes were introduced and details regarding what changed in each area.  This is the most valuable component to me as it describes the specific changes to the operating environment that resulted from the installation of the software.

In our case here is what the Google Cloud Connect software changed:
  • New Service – Google Update Service
  • New Running Processes – google crash handler and a .NET framework utility
  • 113 New Registered COM Controls – IE mostly but controls used within the software.
  • 3 New Internet Explorer Silent Elevation Entries / Preapproved controls – Google Update plugin – This is interesting as it looks like this gets added to the list of approved protected mode controls – more investigation needed here.
  • 1 New TCP Port – Established outbound TCP port on 49336.  This is likely the port used by the google update service and checks for updates during the install.  Not sure more investigation likely here as well.
  • 6 New Named Pipes


Overall this tool is extremely helpful in understanding the changes made to the Windows OS environment from the installation of software.  It will detect things like new services being installed, such as the google update service that you might not have realized was being installed.  I recommend using ASA to analyze software that you intend to install and make sure you know what you’re installing and what effect different installation options have.