Server Remote Control iLO Boards Found on Shodan

I’ve been spending way too much time with Shodan (the computer search engine) lately. But what really bothers me is, every time I put time into searching for new things, I find them. And many times what I find boggles the mind.

Recently I found several search terms that bring up built in Server remote control iLO boards.

Integrated Lights Out, or iLO, boards are installed on many servers. They are remote support solutions that allow an administrator to log into the computer and manage it from afar. Most allow complete control of the server, including remote keyboard and mouse, the ability to power cycle the system, and the ability to mount and access additional media remotely.

So far, I have found eight unique search strings on Shodan (like this) that reveal iLO boards for Dell, HP, Fujitsu and Sun servers.

When I was a server team guy for a large corporation, we regularly used these to completely set up and configure heavy duty servers that were located in different states. The local IT techs would unbox the server and plug it into a network jack. We would then log in to the iLO and install the Operating System, web apps, or whatever else was needed, remotely, without ever physically touching the box.

We also used them for troubleshooting. If a remote server had locked up and was not responding at all, we would log in remotely to the iLO board and be able to service the system, again without ever physically touching it.

The fact that iLO boards can be found online is rather concerning. Granted, many are there purposefully (so they can be remotely managed!) and are protected by a strong password. But several appeared to be using the default password.

If your company uses iLO boards on its servers, check them and make sure you are not using the default passwords! Change iLO passwords to the kind of long, complex strings you would use on any important system that is publicly reachable online. Disable or remove iLO boards (check your documentation) if they are not needed.
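One way to turn that checklist into something repeatable is to audit the server team's own management-board inventory. The script below is an added example, not part of this post and not a vendor tool; it assumes the team keeps a spreadsheet with a management IP, a "needed" flag and a password-rotation date per board, and that management interfaces are supposed to live on one dedicated management subnet (the 10.20.30.0/24 prefix and the inventory rows are constructed for the example).

```python
"""Audit an iLO/iDRAC/ILOM inventory for the three problems described
above: a board reachable outside the management network, a board still
present where it is not needed, and a factory credential never rotated.

Example code added for illustration; the inventory rows and the
management subnet are constructed, not real hosts."""
import csv
import io
import ipaddress

# Constructed: the one subnet where management interfaces are allowed to live.
MANAGEMENT_NET = ipaddress.ip_network("10.20.30.0/24")

# Constructed inventory in the shape many server teams keep in a spreadsheet.
INVENTORY_CSV = """hostname,mgmt_ip,vendor,needed,password_rotated
web01,203.0.113.10,HP,yes,2013-05-01
db01,10.20.30.40,Dell,yes,never
build02,10.20.30.41,Fujitsu,no,2012-11-15
mail01,203.0.113.7,Sun,yes,never
app03,10.20.30.42,HP,yes,2013-04-20
"""

def audit_board(row):
    """Return a list of findings for one inventory row (empty if clean)."""
    findings = []
    ip = ipaddress.ip_address(row["mgmt_ip"])
    # A board outside the management subnet is the condition that lets it
    # end up reachable from the Internet and show up on Shodan.
    if ip not in MANAGEMENT_NET:
        findings.append("management interface outside management network")
    # Boards nobody uses are pure attack surface; the post says disable them.
    if row["needed"].strip().lower() != "yes":
        findings.append("board not needed: disable or remove")
    # 'never' means the factory default credential is still in place.
    if row["password_rotated"].strip().lower() == "never":
        findings.append("default password never changed")
    return findings

def audit_inventory(csv_text):
    """Map hostname -> findings for every row with at least one problem."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {}
    for row in reader:
        findings = audit_board(row)
        if findings:
            report[row["hostname"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY_CSV).items():
        print(f"{host}: " + "; ".join(findings))
```

The subnet check is deliberately a policy check rather than a "is this a public IP" test: a board on the wrong VLAN is a finding even when that VLAN is private, because the next firewall change can expose it.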

A little security can go a long way in protecting your servers from online threats.

Obad is the Baddest Android Trojan on the Block


There is a new Android Trojan in town, and this is one bad dude. Backdoor.AndroidOS.Obad, or "Obad" as it is known on the street, is the most sophisticated Android Trojan ever seen, rivaling the capabilities of Windows-based malware.

Yesterday a malware analysis expert from Kaspersky Lab released a report on a new Trojan that looked like it had been written for Windows rather than for an Android device, earning it the dubious title "The Most Sophisticated Android Trojan".

Sure, it sends SMS messages to premium-rate numbers like many other Android malware apps, but there are several new features that really set this one apart. According to the report, Obad also has the following capabilities:

  • Downloads and installs other malware programs
  • Propagates malware to other devices via Bluetooth
  • Fully functional remote Command & Control

The ability to download other malware programs has been a Windows Trojan staple feature for a long time. But being able to use Bluetooth as a springboard to infect other devices is pretty concerning.


Obad's Command & Control features allow cyber criminals to send commands via SMS messaging, use a remote shell, download remote files, pull application and personal data from the phone, and attack other devices using Bluetooth.

Another unique feature is that Obad can also freeze the display for up to 10 seconds to hide what it is doing from the device owner.

Using obfuscated code and several new vulnerabilities, Obad definitely raises the stakes in the mobile malware department. Thankfully it is not very widespread at the moment.

For more information, check out the Kaspersky team's complete analysis.

Securing your Network with Alien “Powers”

Have you ever wished for some supernatural powers to secure your organization? Perhaps longing for some extraterrestrial abilities to defend your sensitive data, or hoped to get help from outer space to get you through that compliance project?

Meet John Powers, the CISO so good at securing his network that co-worker Clint knows that there is something else going on.

Something out of this world…

Great video from our friends at Tripwire. A lot of companies, especially in the IT world, overlook one very important feature – HUMOR!

Anonymous government sources are predicting additional encounters later this summer. Check out the John Powers webpage for the latest intelligence, and track his every move with other true believers on Twitter.

Nice job guys!

Creating Remote Shells that Bypass Anti-Virus with “Veil”

Many people think that if they are running anti-virus and a firewall, they are generally safe from hacker attacks. The truth is far from that. Meet "Veil", a remote shell payload generator that can bypass most current anti-virus programs.

Many anti-virus programs work by pattern or signature matching: if a program looks like malware the AV has been programmed to look for, it catches it. If the malicious file has a signature the AV has not seen before, many will dutifully report that the file is clean and not a threat.

If you can change or mask the signature of malware, or of a remote shell in this case, then most likely the AV will allow it to run and the attacker gets a remote connection to the system.

Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a menu-driven program, lets you create 21 different payloads that will most likely bypass anti-virus.

But how well does it work?

Following the directions on Chris’s page, I downloaded and installed Veil on my Kali (Backtrack) system.

Simply pick what payload you want:

Veil Payload Generator Menu

Then you can choose to use Metasploit's standard msfvenom shellcode or supply your own. I just chose the default, msfvenom:

Veil Options

Next choose the type of payload; I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use:

Veil setting remote address

Veil will then create the payload and present you with two options: you can feed the payload into PyInstaller or Py2Exe to create a Windows executable file.

This is where I got a bit stuck. For some reason PyInstaller did not want to co-operate on my Kali machine. I fussed with it for a while, then just followed Chris's instructions for creating the .exe file on a Windows machine, and it worked without a hitch.

Basically, install Python, Py2Exe, and PyCrypto on Windows (all in the same directory). Then copy your created payload.py file, the RunMe.bat file, and setup.py (found in your Kali Veil directory) into your Windows Python directory.

Run the .bat file and sit back and watch the magic. When it is done you will have a payload.exe file. Any Windows system that runs it will try to connect out to the Kali system.

Finally start a Metasploit payload handler on your Kali system so the remote shell can connect to you. In Kali at a terminal prompt, type “msfconsole” and then:

Veil Running

Make sure you use the same IP address as LHOST and the same port as LPORT that you used when creating the payload.

Now, when a Windows system runs the payload.exe file we get this:

Veil Session

A remote session.

Then if we type “shell”:

Veil Shell

This was a fully updated Windows 7 system with a very good anti-virus installed and updated, and an intrusion detection system running. It didn't see a thing.

This should prove that you cannot trust your firewall and AV alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run. Instruct your users never to run any programs or open any files that arrive in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.
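A mail-gateway filter that only looks at the file extension is easy to get past by renaming payload.exe, so the check is worth doing on content too. The following is an added example of such a filter, not code from the post or from Veil; the blocked-extension list is a constructed policy and the sample attachments are constructed byte strings rather than real files.

```python
"""Attachment filter in the spirit of the advice above: stop Windows
executables at the mail gateway whether or not the sender renamed them.

Example code added for illustration; the extension policy and the
sample attachments below are constructed."""

# Constructed policy: extensions Windows will execute on a double-click.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif", ".cpl"}

def is_windows_executable(data: bytes) -> bool:
    """True if the bytes carry the DOS/PE 'MZ' magic at offset 0.
    A Py2Exe-built payload.exe renamed to report.pdf still starts with MZ."""
    return data[:2] == b"MZ"

def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'allow', 'quarantine: ...' or 'block: ...' for one attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block: executable extension"
    if is_windows_executable(data):
        return "block: executable content under a different extension"
    # invoice.pdf.exe is caught by the extension rule; the reverse trick
    # (invoice.exe.pdf) is not executable but is worth a human look.
    parts = name.split(".")
    if len(parts) > 2 and "." + parts[-2] in BLOCKED_EXTENSIONS:
        return "quarantine: suspicious double extension"
    return "allow"

# Constructed sample attachments: (filename, first bytes of content).
SAMPLES = [
    ("payload.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # renamed executable
    ("notes.txt", b"Meeting notes\n"),
    ("invoice.exe.pdf", b"%PDF-1.4\n"),
]

def filter_samples(samples=SAMPLES):
    """Map filename -> verdict for a batch of attachments."""
    return {fname: attachment_verdict(fname, data) for fname, data in samples}

if __name__ == "__main__":
    for fname, verdict in filter_samples().items():
        print(f"{fname:18s} {verdict}")
```

The same idea extends to archives: a zip file that contains an MZ-headed member deserves the same verdict as a bare executable, which is why gateways that unpack attachments catch more than gateways that match names.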

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
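What a Network Security Monitoring system would actually have to spot here is the payload's outbound connection: a workstation opening a long-lived TCP session to an outside host on a port the business never uses. The script below is an added example of that detection logic, not part of the post; the log lines are constructed in a cut-down Zeek conn.log field order, and the internal prefixes, permitted egress ports and duration threshold are assumptions an analyst would tune for their own network.

```python
"""Flag outbound sessions that look like a reverse shell calling home.

Example code added for illustration; the connection records are
constructed (a reduced set of Zeek conn.log fields), and the policy
constants are assumptions for the example."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed policy: egress ports workstations are normally allowed to use.
ALLOWED_EGRESS_PORTS = {53, 80, 443}
# A shell session stays open far longer than a web request.
LONG_SESSION_SECONDS = 120.0

# Constructed log. Fields: ts, orig_h, orig_p, resp_h, resp_p, proto, duration
CONN_LOG = """\
1370000001.1\t192.168.1.25\t51012\t203.0.113.9\t443\ttcp\t2.3
1370000002.5\t192.168.1.25\t51013\t203.0.113.44\t4444\ttcp\t1830.7
1370000003.0\t192.168.1.40\t51020\t192.168.1.10\t445\ttcp\t900.0
1370000004.2\t192.168.1.25\t51030\t203.0.113.9\t53\tudp\t0.1
1370000005.8\t192.168.1.33\t51040\t203.0.113.77\t8080\ttcp\t15.0
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_conn_log(text: str):
    """Parse tab-separated records into dicts, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto, dur = line.split("\t")
        records.append({"ts": float(ts), "orig_h": oh, "orig_p": int(op),
                        "resp_h": rh, "resp_p": int(rp), "proto": proto,
                        "duration": float(dur)})
    return records

def find_suspect_sessions(records):
    """Return records that match the reverse-shell profile: internal origin,
    external responder, TCP, a port outside egress policy, long-lived."""
    hits = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        if not is_internal(r["orig_h"]) or is_internal(r["resp_h"]):
            continue                     # only outbound, not internal traffic
        if r["resp_p"] in ALLOWED_EGRESS_PORTS:
            continue
        if r["duration"] >= LONG_SESSION_SECONDS:
            hits.append(r)
    return hits

if __name__ == "__main__":
    for hit in find_suspect_sessions(parse_conn_log(CONN_LOG)):
        print(f"{hit['orig_h']} -> {hit['resp_h']}:{hit['resp_p']} "
              f"open for {hit['duration']:.0f}s")
```

The port rule alone is weak: a handler listening on 443 passes it. The session-length test is what carries the detection, and in practice you would add byte-count ratios and beaconing intervals from the same log before paging anyone.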

For more information on Veil, and other pentesting topics, check out Chris’s training session at Blackhat USA 2013!