From Security Weekly Wiki


  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creator of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Security Weekly - Episode 155 - June 11, 2009

  • 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
  • SANS Denver 560 - July 8th - 13th 2009!!!: SEC560 SANS Network Penetration Testing - John Strand, Colorado, Beer and SANS... Could it get any better?
  • SANS Raleigh Durham - June 22 thru 27th: SEC 401 SANS Security Essentials Bootcamp - The first step in the path to Enlightenment! Taught by Mark Baggett!
  • DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam talking about FAIL. We will also be having an invite only party, so stay tuned!

Episode Media


Interview: Peter Kleissner

Peter Kleissner is employed at Ikarus Security Software as a core developer in Vienna, Austria.

Peter's main site

Peter will be giving us a brief introduction to his Stoned Bootkit.

Stoned Bootkit is a brand new Windows bootkit. It is loaded before Windows starts and stays memory resident up to the Windows Kernel. Thus Stoned executes beside the Windows Kernel and has full access to the entire system. You can use it to create your own boot software (diagnostic tools, boot manager, etc). It gives the user back control of the system and has exciting features like integrated FAT and NTFS drivers, automated Windows pwning, plugins and boot applications, and much much more. It finally goes back to the roots - so in this way, your PC is now Stoned! ...again


- is a Master Boot Record, with the target to be memory resident up to the Windows Kernel
- attacks Windows XP, Server 2003, Vista, Server 2008, 7
- supports the IA32, AT Architecture (IBM-conforming)
- has rich API support
- supports the following boot methods: Floppy, Hard Disk, CD/DVD/Blu Ray, Network (PXE), USB flash drives, and others

The project name was inspired by "Stoned", one of the first boot viruses (http://en.wikipedia.org/wiki/Stoned_(computer_virus)), but this one is even able to attack Windows Vista.

The full name is "Stoned-Vienna", and the virus name (for future signatures) is "Stoned.Vienna.A". He notes that the bootkit is going to be polymorphic and metamorphic. The target of Stoned is to be the most sophisticated and most widely used bootkit in 2010 - "For fun 'n' profit".

Very recently, Peter decided to close the source for the Project as he felt the code could cause too much damage in the hands of the wrong people.

His briefing has now been accepted to Black Hat USA 2009. There are new plans for an open Stoned Bootkit framework. If you want to become a beta reader of the Stoned paper, please send a mail to Peter@Kleissner.at.

Peter has reverse engineered and tracked Sinowal since October 2008, after he received an infected notebook from an Austrian bank. Since then he has followed the Sinowal code through its improvements. The newest developments (since April 2009) are multi-platform support for Windows XP and Vista. There is no public information available about the new versions, as the internal Sinowal Working Group decided NOT TO RELEASE ANY INFO to the public, since otherwise the "bad people" would just change the algorithms and implementations and everything would begin anew. Having looked at Sinowal, Peter describes the code as "quite sophisticated, very much like an intelligence service (very well organized, real-time handling of new threats and movements etc.)".

Besides that development, he used parts of Mebroot (the startup code of Sinowal) for his own purposes in his new Stoned Bootkit, which will be presented at Black Hat USA 2009. Stoned Bootkit grew out of the Hibernation File Attack, a previous project by Peter. Stoned basically has full access to the system and is able to bypass any security check done by Windows. One reason he initially made it open source (released a framework) was that he felt Microsoft was underestimating bootkits. Peter was frustrated by the thinking that bootkits need "physical access" and that "Bitlocker" would make bootkits unusable. He will present the opposite at Black Hat, and his briefing will show that bootkits can bypass TrueCrypt's full volume encryption!
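Since Stoned lives in the MBR, the boot sector is the place a defender checks for it. The following is an added example (not code from the Stoned project or the interview) that parses a 512-byte MBR image and compares its boot-code region against a SHA-256 baseline recorded from a known-clean disk; the sample sectors are constructed inline, and the partition table is left identical in the tampered copy because a bootkit must keep it intact for the system to keep booting.

```python
import hashlib
import struct

PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(code):
    """Construct a fake MBR: 446 bytes of boot code, one NTFS partition, 0x55AA."""
    code = code.ljust(446, b"\x00")
    # Single bootable entry: type 0x07 (NTFS), starting at LBA 2048, 409600 sectors
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"

def has_boot_signature(sector):
    """True if this is a 512-byte sector ending in the 0x55AA boot signature."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xaa"

def parse_mbr(sector):
    """Return (boot_code, partitions); raise if the boot signature is missing."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, sector, 446 + 16 * i)
        if ptype:  # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return sector[:446], parts

def boot_code_digest(sector):
    """SHA-256 of the boot-code region only (the partition table is checked separately)."""
    return hashlib.sha256(parse_mbr(sector)[0]).hexdigest()

def check_boot_code(sector, baseline_sha256):
    """True if the boot code still matches the baseline taken from a clean install."""
    return boot_code_digest(sector) == baseline_sha256

if __name__ == "__main__":
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "known good" boot code
    baseline = boot_code_digest(clean)
    tampered = build_sample_mbr(b"\xeb\x3c\x90STONED")         # constructed replacement boot code
    print(parse_mbr(clean)[1])
    print("clean ok:", check_boot_code(clean, baseline))        # True
    print("tampered ok:", check_boot_code(tampered, baseline))  # False
```

Read the real sector from the raw disk device while booted from trusted media, since a resident bootkit can lie to reads made from the infected OS.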

Questions for Peter:

  1. How did you get started in Information Security?
  2. How did you get started in malware analysis?
  3. How do you balance your research with your school schedule?
  4. What are the most interesting malware packages to examine?
  5. Do you worry your reports will make it easier for the "bad guys" to make better malware?
  6. What trends do you see happening in malware development?
  7. Which of these trends are most troubling to you?
  8. Do you think anti-virus products will ever be effective?
  9. Give us a sample of what you'll be covering at Black Hat
  10. What countermeasures can our listeners use?
  11. Is there a safe(r) Windows version?

Tech Segment: Carlos "Dark0perator" Perez on Running wmic in shell

WMIC is one of those Windows commands that you just love due to its flexibility, but sadly when you have a shell you are not able to run it, because it breaks the shell, losing possibly hours of work spent achieving the shell, and by running the attack again one might bring down the target server. When WMIC (Windows Management Instrumentation Command-line) is run in a shell it executes several terminal commands that are not handled properly by a command shell, and it breaks it; I have seen just issuing the command without any options break Meterpreter, Core Agent, Netcat and simple bind shells. Out of the need for the flexibility of WMIC, I have found ways to work around the limitations imposed by running in a command shell. Let's start with running WMIC in Meterpreter; the best way is to invoke the command from the Meterpreter console in the following manner:

execute -H -f cmd.exe  -a "/c wmic /append:c:\\windows\\temp\\34des34.txt process get name,processid,commandline"

As you can see, to be able to run the command we run it hidden with the -H option, execute cmd.exe by passing it as the value of the -f option, and use the -a option to pass the arguments to cmd.exe, where we tell cmd.exe to execute wmic with the /append option so as to write the output to a text file which we can later download or open to retrieve the content.

To achieve the same in a command shell we take advantage of the Windows Scripting Host environment to execute WMIC as a hidden process, and we tell WSH not to wait for the output; this keeps the shell from failing. First, from the shell we create our VBS script for executing the command by running the following:

echo CreateObject("Wscript.Shell").Run Wscript.Arguments(0), 0, False > execcmd.vbs

Now that we have created the script we can use it from shell to execute our WMIC command:

cscript //nologo execcmd.vbs "wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline"

Once we have run the command we use the type command in the Windows shell to see the contents of the file:

type c:\windows\temp\34des34.txt

We can even script out an entire enumeration by doing something like this:

echo wmic /append:c:\windows\temp\34des34.txt computersystem list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt useraccount list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt group list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt service list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt volume list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt process list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt startup list full >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt rdtoggle list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt qfe >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,filesystem,name,size >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,name,freespace,size >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt volume get label,freespace,filesystem,capacity,driveletter >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,lastlogon >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,badpasswordcount >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt desktop get screensaversecure,screensavertimeout >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logon get authenticationpackage >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netclient get name >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netuse get name,username,connectiontype,localname >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt nteventlog get path,filename,writeable >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt os get name,servicepackmajorversion >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt service get name,startmode,state,status >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt product get name,version >> c:\windows\temp\sdcx.cmd

Once the script is generated we execute it by running:

cscript //nologo execcmd.vbs "cmd /c c:\windows\temp\sdcx.cmd"

WMIC is an extremely flexible command that can even be used to execute commands on remote hosts and get information from them. For more reference, please take a look at Mick Douglas's excellent WMIC tech segment on Episode 141.
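The same trick that keeps the shell alive also leaves a distinctive trail in process-creation telemetry: a script host launched with a whole command line as its script argument, and WMIC running with /append pointed at a temp directory or with cscript/wscript as its parent. The following is an added example, not code from the tech segment, that scores constructed Sysmon-style events for that pattern so a defender can alert on it.

```python
import re

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# Constructed sample events in Sysmon Event ID 1 style; not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript //nologo execcmd.vbs "wmic /append:c:\windows\temp\34des34.txt process get name"'},
    {"ParentImage": r"C:\Windows\System32\cscript.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /append:c:\windows\temp\34des34.txt useraccount list"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript //nologo execcmd.vbs "cmd /c c:\windows\temp\sdcx.cmd"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get name,servicepackmajorversion"},   # benign admin use
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript //nologo logon_mapdrives.vbs"},        # benign logon script
]

def image_name(path):
    """Basename of a Windows image path, lowercased."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons one event matches the WSH + WMIC pattern (empty list if none)."""
    reasons = []
    img, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    if img == "wmic.exe":
        m = re.search(r"/append:(\S+)", cmd)
        if m and "\\temp\\" in m.group(1):
            reasons.append("wmic /append output written to a temp directory")
        if parent in SCRIPT_HOSTS:
            reasons.append("wmic spawned by Windows Script Host")
    elif img in SCRIPT_HOSTS:
        # A .vbs/.js/.wsf launched with a command line as its first script argument
        m = re.search(r'\.(?:vbs|js|wsf)\b\s+"?(\w+)', cmd)
        if m and m.group(1) in ("wmic", "cmd"):
            reasons.append(f"script host given '{m.group(1)}' command line as an argument")
    return reasons

def scan(events):
    """Map event index -> reasons for every event worth alerting on."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], reasons)
```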

Stories For Discussion

  1. T-Mobile hacked - [Mick] - Or are they? What's been compromised? Attackers clearly have server list... but is that all?
  2. Trojans for dollars - [Mick] - Duo of criminals use trojans to siphon funds to private accounts overseas. Allegedly, they made $112,000... well not really though. They got caught!
  3. Surf the web with Craftsman Brand malware - [Mick] - The US FTC slaps Sears' wrist. Sears will delete all data obtained via spyware, and promises to be good from now on.
  4. Have you considered a job with the US Govn't? - [Mick] - US Government needs 10,000 InfoSec professionals. Full disclosure: I helped a little bit on this project
  5. The tale of a MS vulnerability disclosure - [Larry] - Gotta love Core's disclosure documentation. Apparently, for a very interesting bug in several versions of IE, it takes MS more than months to patch. Also interesting to note, that while MS claims a once a month patch cycle, they admit to only doing IE once every other month...
  6. 100,000 sites fall to rm -rf - [Larry] - Rumors abound about this one, including 23 0-days in the virtual hosting tech, to alleged reused semi-weak passwords. regardless of the result, 100,000 hosted customers fell victim and the one who felt responsible allegedly committed suicide.
  7. See, effective recon does work - [Larry] - Man claims that he was robbed after he posted about being away from home and ties in his flickr stream with GPS tagged photos of his home.
  8. RFC 1918 address are not a security measure - [Larry] - We got to see RSnake talk about this at the pen-test summit last week, and I gotta tell you, this is indeed a neat attack vector. In a nutshell, put two identical RFC1918 address spaces on opposite sides of VPNS. With appropriate routing (maybe even source routing?), we can direct users to malicious sites on the wrong side of the VPN, break same origin policies, and even have some tasty BeEF.
  9. Astalavista.com "down" - [Larry] - and here is why...owned. Not only was all of the content removed in its entirety, the story tells of compromise, and removal of the automatic online backups. A lesson to learn? Putting all of your eggs in one basket (the "cloud" if you will, loosely speaking) is never a good thing.
  10. This year will be easy to play spot the fed at DEFCON - [Larry] - That's because DEFCON's founder, Jeff Moss, was recently sworn in to the Homeland Security Council
  11. Hacking e-mail for $10K - [Larry] - Let's discuss the advantages, but mostly the disadvantages of this type of "contest".
  12. Verizon Stores Pre-0wned - [Paul Asadoorian] - John's adventures waiting in the Verizon stores and evaluating the security of the Kiosk, and well, let's just say that he had permission :) I remember impatiently waiting in Verizon stores and messing with the kiosk and not getting anywhere because they seemed to have locked them down. However, there appear to be some differences in the stores...
  13. Phrack 66 Released! - [Paul Asadoorian] - The most infamous e-zine ever, back with some cool articles.
  14. phpMyAdmin Remote Code Execution - [Paul Asadoorian] - This is a really neat vulnerability and includes a simple shell script to execute. It's neat because it doesn't require SQL injection or some kind of buffer overflow, but gives you remote command execution because you can inject script code into an existing PHP file. I don't know about you, but I love PHP :) You can find the original advisory here.
  15. Dangers Of "Cloud" Computing: 100,000 apps wiped out all at once - [Paul Asadoorian] - This is of course the infamous LxLabs disaster which culminated with their founder and CEO committing suicide. This is a prime example of why companies should *hire* people to pay attention to the security of their products. This is such a critical step to your success. Now, the real big problem is whether these people should be full-time employees or contractors. Companies tend to dismiss your recommendations when you work for them as an employee, and are often too cheap to hire consultants. This is how we end up with 100,000 web apps flushing down the cloud toilet.
  16. Whaaaaaaaaah Smack! - Another great edition of Command Line Kung Fu - [Paul Asadoorian] - This one is really neat and something we can all use. Of course Ed picks up right away that my example is one that I use to find strings in NASL scripts. You can also use it to parse all kinds of results from Nmap, Nessus, and Metasploit. Don't be afraid of a little Foo and think you have to learn Perl to get what you want out of results from various tools. My command was:
    $ for f in *; do echo -n "$f "; grep -i xss $f | wc -l; done | awk '{t = t + $2; print $2 "\t" $1} END {print t "\tTOTAL"}' | egrep -v '^0' | sort -n 
    One thing I should mention, put that in a shell script for easy access :)
  17. T-Mobile Pwn3d? - [Paul Asadoorian] - A group is claiming to have pwned T-Mobile, and according to private sources this is legit. If so, they claim, "We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009." I'd say this is a pretty major deal, and if you are a T-Mobile customer maybe you want to make a bid :)
  18. Secret Plugin Tip: From bugbear - [Paul Asadoorian] - I think it's neat how the Nessus developers put cool stuff in the NASL scripts. Home or Professional feed customers can view the source of the NASL, and if you are researching a particular vulnerability I find it's important to read the NASL. For example, plugin id 38664 contains a line commented out "# cmd = "calc";". If you uncomment the line, calc.exe executes on the remote system, allowing you to eliminate it as a false positive.

Other Stories For Discussion

  1. fisherman caught a LIVE air-to-air missile - [Mick] - Maybe I need to take up fishing again... ;-)
  2. Waiting for Morro: Microsoft's free anti-virus software - [MikeP] - M$ announces free[!] anti-virus service for Windows; will you get your money's worth?
  3. Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller… Mac AntiVirus Foe - [MikeP] - Kaspersky hearing only half the story.