Showing posts from 2008

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

Senior SANS Instructor
GSE #15
Internet Storm Center Handler
Penetration Testing and Incident Response Consultant
Technical Advisor to DoD for The SANS Institute
Founding President of the Greater Augusta ISSA
Cofounder of BSidesAugusta Security Conference

FREQ SERVER - Tool and technique for detecting Malware Command and Control domains
DOMAIN_STATES - Tool for detecting "Baby Domains" used for phishing and Malware distribution
SRUM_DUMP - Forensics tool for extracting System Resource Utilization Monitoring artifacts
LIAM_NEESON - Proof of Concept Linux Hash Protection
HONEY_HASHES - Certainly Honey Tokens have been around since 2003 but I created a cool technique for creating fake SATs in memory that was turned into Dell Secure Works DCEPT framework.
VSSOWN - Tool & Technique for Using Microsoft Volume Shadow Copies for hiding malware and extracting artifacts
SDB Hacking - Using Application Compatibility in unexpected ways.
SET-KBLED - Utility for Managing Clevo and Sager Laptop LED Backlit Keyboards
Scapy based fragment reassembly engine
A password cracker for the EAP protocol

and more. Most of these tools are available on my github page. Follow me on twitter @markbaggett

Jing - OS X Screen Capture & Metasploit Route

I was trying out Jing over the weekend and I like it. It's free screen capture software for your Macintosh. It allows you to capture a movie from your desktop and give it a voice over. Then you can save the contents as an Adobe Flash movie. It integrates with and allows you to upload and share files with the world. All for free as long as you stay beneath 2 GB per month. One drawback is it doesn't come with editing software. So unless you use a separate tool you need to get it right in one take. Check it out here.
To try it out I made a video (one take) of using Metasploit's route statement to accomplish a true pivot. Route is a command that can be run from within the Metasploit console. It routes attacks through an existing meterpreter session. The route statement is not altering the routing tables on the attacking host. This is also different from the route statement which alters the client host when you are i…

msfencoding tips and SANS CDI presentation

UPDATE 1-21-2009: HD Moore delivered this patch on Christmas Eve. I don't want to start any rumors, but has anyone ever seen HD Moore and Santa Claus in the room at the same time? Google certainly seems to indicate some type of relationship... Hmm.
Original Post: On Dec 15th I am giving a presentation at SANS CDI on my whitepaper on the Effectiveness of Antivirus detecting Metasploit payloads. Metasploit changes CONSTANTLY and I want to be sure my presentation is up to date. So I've been spending some time updating my research. Here is what I learned.
First, when I wrote my paper, msfencode wouldn't produce an EXE. In my paper I described three techniques for creating an EXE. Since then, metasploit added the ability to create an EXE, but it still has a few kinks. First, msfencode doesn't actually encode the payload. Today it just changes the base address and adds a 0x0A to the end of the payload. I've reported the bug to the development team tod…

Worst cognitive password?

Cognitive passwords are those questions your bank and other accounts have you set up so that you can reset your password or verify your identity if you have forgotten your password. I personally am not a big fan of these. If forced to implement a solution based on these I would go with several "In the Wallet" questions. Questions that would require the individual to pull something from their wallet to answer the question. Things like: "What are the last 6 digits of your library card number?" "What is the last name of the issuer of your fitness club card?" "What are the last 6 digits on your favorite shopping club card?" If you use these types of questions you have to give the user many choices. Not everyone has a shopping club card or a library card, so a broad set of questions works best. The goal of coming up with the questions should be to have answers that cannot be easily guessed or looked up on the internet. Here are some examples…

Metasploit updates to msfencode and exe template

HD Moore and the team at Metasploit are constantly updating the framework. The programs, scripts and approaches I document in my SANS paper on the Effectiveness of Antivirus in Detecting Metasploit Payloads have changed significantly. If you haven't read my paper you may find it interesting. It's here.
In the document I showed how an attacker can create standalone executable payloads of any of the available payloads in the framework. I showed how you can use msfencode to alter the payload to avoid detection by antivirus. One difficulty at the time was that msfencode didn't make an executable. That all changed on 9-26! HDM made some changes to both the template that is used by msfpayload and msfencode (among other things). It is now much easier to avoid antivirus. Now msfencode will create an EXE! It doesn't show up in the options when you do msfencode -h but it works! So the following:
./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t exe

Symantec Detects Symantec as virus

I love incidents caused by false positives in antivirus products. It's frustrating enough that they don't detect legitimate threats, but when they delete legitimate files it's just a waste of time and energy.

Today I handled an incident where 10% of an organization's machines detected ESUGRemoteSvc.exe as a Trojan.

2008-09-19 17:13:48;2008-09-19 17:23:42;Real Time Scan;LOGGER_Real_Time;1;Virus found;Trojan Horse;1;"C:/WINDOWS/system32/ESUG/ESUGRemoteSvc.exe";Quarantined;

Fire up the IRT engine. Gather samples, run it in an isolated machine to watch its behavior, submit it to and Norman's Sandbox, pull it apart with Immunity Debugger, but the thing looks legit. No machines are scanning the network or making TCP connections to an unusual number of hosts, but it appeared to be spreading. So what is this evil program? IT'S SYMANTEC'S OWN ADMIN TOOL!!! ESUG stands for "Enterprise Support Utilities Group".

A call to Symantec confirmed it was a false pos…

PCI - The gaping hole in your IDS/IPS

I've come to learn PCI requires businesses to leave their network unmonitored and open to attack!!! Specifically on page 4 item #13 of this document.

It reads:
13. Arrangements must be made to configure the intrusion detection  system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference.

I understand what the intention of this requirement is. If your IPS is blacklisting the scanner IPs then ASVs don't get a full assessment because they are a loud and proud scan rather than a targeted attack. For example, let's say I have 1000 hosts on my network. If during the assessment of host 1 of 1000 the IPS blocks the source IP of the scanner, then serious threats will remain undetected on hosts 2-1000 and portions of host 1. An attacker who is not nearly as noisy as a scan…


I recently had the not so pleasurable task of dissecting an 0wn3d host to determine what happened. The attacker did the system owner a favor and tagged the site with a defacement image making detection pretty easy. The image appeared in a small title frame on the top of the page. My initial guess was they had a directory traversal vulnerability in the image upload engine and some weak permissions on a folder structure. We took a look at the date/time of the defaced pic and it showed the image had changed the previous evening. "find / -mtime 0" showed a few other files that had changed around the same time. One of them was a new PHP file. vi revealed it was a variant of the c99 PHP Shell. So we go to the apache logs and find the attacker's IP and try to figure out how he got in. There are two interesting entries:
[14/Aug/2008:22:18:42 - - [14/Aug/2008:22:18:42 -0400] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 - […

Controlling iPhones in your enterprise

iPhone 2.0 is really cool and it will, like all other Microsoft Mobile devices, allow the user to synchronize their email to the device unless you take action to prevent it. Whether you plan to support the iPhone or not you will need to take some steps if you want any control of the devices in your enterprise. See these arguments in support of the iPhone. And this organization that suggests not supporting it.
If you're not supporting iPhones you have a couple of options. You can block the requests based on their User-Agent by using ISAPI Rewrite as I suggested in an earlier blog. The iPhone's USER-AGENT string is Apple-iPhone/501.347 so your new ISAPI filters begin to look like this:
RewriteEngine on
#Block Blackberry, iphones and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*|Apple-iPhone.*) [NC]
RewriteRule .? - [F,L]
This is a good approach for handling any devices that use WEBDAV or OWA Screen scra…

Security is Risk Management

I just came across this picture. It is a great reminder to security professionals to set priorities and focus on the high risk items. Don't focus your attention on reducing your screen saver time-outs from 30 minutes to 15 minutes if you're using telnet on your financial systems. Remember, calculate your SLE (Single Loss Expectancy) based upon the value of the assets and the vulnerability. Calculate your ALE (Annual Loss Expectancy) based upon the likelihood the threat will manifest itself. Then address the issues that really pose the greatest threat to your organization. Don't focus on the jackhammer noise and overlook the cigarette in your mouth.

First Stab at NSE Scripting

Over the weekend I decided to take my first look at the NMAP scripting engine. I've read about it, but had not really tried it until now. First, here is how to use the built in scripts. First make sure you have the latest scripts. Similar to NIKTO and other vulnerability scanning systems NMAP has the ability to update its detection scripts. To update your scripts type this:
nmap --script-updatedb
This will download the latest .NSE scripts from the nmap site. The scripts (by default) are located in /usr/local/share/nmap/scripts. Here is the list of scripts as of today:
You can run ALL of these scripts against a host like this…
Macintosh:scripts mark.baggett$ nmap localhost -n --script all
Starting Nmap 4.65 ( ) at 2008-06-20 10:44 EDT
Interesting ports on
SERVICE
80/tcp open http
|_ HTML title: Test Page for Apache Installation
Nmap done: 1 IP address (1 host up) scanned in 42.216 seconds
-n: says do not do a DNS query
--script all: tells it to run all the scripts ag…


Here are some screen captures of the Meterpreter threads running inside the Symantec SEP 11 HIPS process and inside the McAfee TOPS HIPS process.   I guess DLL injection into the HIPS process isn't a malicious enough behavior.

Both HIPS seem to do a good job of blocking network based exploits, but it's still game over if a client runs malicious code or the attacker knows a valid login and password for the box. MAYBE all is not lost. The verdict is still out on whether or not the HIPS config can be adjusted to block this type of backdoor.


Over the weekend the Greater Augusta ISSA (Information Systems Security Association) had an Interactive Capture the Flag event. McAfee, ASU and Elliot Davis sponsored the event providing an IPS to monitor the event, facilities and computers for attendees to use. McAfee also hosted a flag protected by McAfee HIPS and Intrushield which no one was able to get. But McAfee still awarded the $100 dollar prize to the individual who did capture 7 of the 9 total flags. Over the 4 hour period I walked attendees through tactics used by our enemies to break into the systems we are paid to protect. The event was well attended and I think it was well received. As promised, I am placing links to some of the tools used during the event on this blog. We may do the event again some time so I am not including the PowerPoint with the "solutions". The presentation material will be provided to individual attendees via email and by request only. If you attended and want a copy of …

Update: Blocking Unauthorized Devices from accessing OWA

With the help of several coworkers we are blocking the troublesome User-Agents. Here is a way to do it:
ISAPI Rewrite is a mod_rewrite implementation for IIS. There is a lite and a full version available here:

So with the configuration below you can block the unauthorized blackberries.   I will edit the original post to include the solution.  For full details see the April 2008 post on the subject on this blog.
RewriteEngine on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]
RewriteRule .? - [F,L]

Here is another approach for handling the blackberry devices which blocks it by IP address.

Googledork - Spidynamics customers

Here is a fun googledork. It finds web pages which have been scanned with SPI Dynamics WebInspect with the default values. It's an interesting customer list. WorldBank, American Idol, RSA Security Conference, Oracle, NSA, etc.

Shoveling windows shell over printer ports!?

Intrigued by the recent discussion of shoveling shells with native commands in Linux, I wondered how you might do that in Windows. However, I've found the lack of a /dev/tcp equivalent device makes IO redirection to the network a bit difficult to overcome. No answer yet, but here is an approach that may work. Good old COMMAND.COM might hold the answer. Let's take a look at the options.
C:\WINDOWS> COMMAND /?
Starts a new instance of the MS-DOS command interpreter.
COMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]
[drive:]path  Specifies the directory containing COMMAND.COM file.
device        Specifies the device to use for command input and output.
/E:nnnnn      Sets the initial environment size to nnnnn bytes.
/P            Makes the new command interpreter permanent (can't exit).
/C string     Carries out the command specified by string, and then stops.
/MSG          Specifies that all error messages be stored in memory.
You …