Thursday, December 28, 2006

Spoofed.org Needs Comments

Over at spoofed.org my friend Jon Hart's written two good posts. His first post is about how a user can abuse SSH agent forwarding. Although not a new thing, I'd have to say that it really isn't common knowledge. Plus he has code to prove his point. His second article points out that a security practitioner's job doesn't stop for the holidays. Since spoofed.org doesn't have any form of comment system, I'm leaving my thoughts here.



My only concern with the first article about abusing ssh agent forwarding is that doing this as yet another userland process isn't the stealthiest. So my brain still says hide this functionality in some sort of rootkit. Possibly extend it so that it waits for ssh agent unix sockets to open up in /tmp and automatically does some sort of hack back. But really this is just toying around with extending the ideas he's already written up.



As to the second article, I think the holidays actually see a significant increase in incidents and malicious behavior because, in addition to vacation, the events and traditions of the holidays facilitate phishing. In other words, users expect to get mail from other users regarding xmas or happy new year etc. The F-Secure blog has already reported this behavior many times before major holidays. Since xmas has such a strong commercial component, I would argue that banking phishing probably works better in the holidays as well.



Also, on a completely separate note, I read The Art of Software Security Testing by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. I have to say I was impressed. I can't say that I learned a whole lot, but the organization and the tone made it an excellent book that I think deserves its own post.



Next up is finishing the rootkit book again (I put it down so that I could get a working Windows dev environment in Parallels and actually follow along with the code), followed by The Art of Software Security Assessment, with a few novels in there.

Saturday, December 23, 2006

Earthquake

So I was just awoken by what felt like someone shaking me. Turns out it was an earthquake. My east coast roots aren't used to this. It's weird.



Also bloglines says that I now have over 40 subscribers. All I can say is thanks. It feels good to know that what you write gets to other people even if I don't know who you are (most of my bloglines subscribers are non-public).



Anyway happy holidays.

Sunday, December 17, 2006

Pydot: A Graphviz Wrapper

If you haven't played with any of Ero Carrera's python modules you should start. His wrappers for libdasm and graphviz are a lot of fun to mess around with. A few weeks back, before I'd messed up my blog, I posted a few quick pictures made by my linkgraph.py. linkgraph.py in the form posted only graphs hrefs but does not follow the links. While writing linkgraph I noticed that the usage examples were a little sparse, so here are a few pointers on how to use the module.



For really simple graphs use the graph_from_edges function as shown in Ero's usage docs.




import pydot

# a list of (source, target) pairs is all an unlabelled graph needs
edges=[(1,2), (1,3), (1,4), (3,4)]
g=pydot.graph_from_edges(edges)
# prog picks the Graphviz layout engine (dot, neato, ...)
g.write_jpeg('graph_from_edges_dot.jpg', prog='dot')


If you want to label edges or add extra attributes to nodes and edges, try the following.




import pydot

g = pydot.Dot(type='digraph')
g.add_node(pydot.Node('A',shape='ellipse',color='blue')) # add a node with attributes
g.add_node(pydot.Node('B'))
g.add_edge(pydot.Edge('A','B',label='A TO B')) # edges refer to nodes by name
g.write_jpg('test.jpg')


This yields (image not reproduced here):

Notice the outline's changed and that my label appears on the edge.



The important, yet kinda obvious, thing to remember is that you add nodes to a graph, and then add edges to the graph that link nodes by name (the string value you gave each node). Okay, so I didn't add that much more, but I think Ero's API docs may make more sense now :).
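The following is an added example, not code from the original post, from Ero's module, or from the linkgraph.py mentioned above. It carries the href-graphing idea through end to end on constructed pages: collect the hrefs from each page (without following them, just like the posted linkgraph.py), turn them into (page, href) edges, and serialize them as the DOT text that pydot builds behind its Dot/Node/Edge objects before handing it to the dot binary. It uses only the standard library, so the result is a DOT string you render yourself; the root node gets the blue ellipse from the snippet above. The URLs and HTML in SAMPLE_PAGES are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlsplit


class HrefCollector(HTMLParser):
    """Collect <a href> targets, resolved against the page URL, fragments dropped."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(urldefrag(urljoin(self.base_url, value)).url)


def link_edges(pages):
    """pages maps URL -> HTML. Return sorted, deduplicated (page, href) edges,
    keeping only http(s) targets and skipping links a page makes to itself."""
    edges = set()
    for url, html in pages.items():
        collector = HrefCollector(url)
        collector.feed(html)
        for href in collector.hrefs:
            if urlsplit(href).scheme in ("http", "https") and href != url:
                edges.add((url, href))
    return sorted(edges)


def dot_quote(text):
    """Quote a node name for DOT; URLs contain ':' and '/' so they must be quoted."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(edges, roots=()):
    """Serialize the edges as a DOT digraph. Nodes are declared first with their
    attributes, then edges reference them by name, which is exactly the
    add_node / add_edge split in pydot. Roots get the blue ellipse, the rest a box."""
    nodes = sorted({node for edge in edges for node in edge})
    lines = ["digraph linkgraph {"]
    for node in nodes:
        style = "shape=ellipse, color=blue" if node in roots else "shape=box"
        lines.append("    %s [%s];" % (dot_quote(node), style))
    for src, dst in edges:
        lines.append("    %s -> %s;" % (dot_quote(src), dot_quote(dst)))
    lines.append("}")
    return "\n".join(lines)


# Constructed pages (nothing is fetched); the mailto: link and the "#top"
# self-link are there to show what gets filtered out.
SAMPLE_PAGES = {
    "http://example.test/": '<html><body><a href="/about">About</a> '
                            '<a href="http://blog.example.test/post/1">Post</a></body></html>',
    "http://example.test/about": '<a href="/">Home</a> <a href="mailto:x@example.test">Mail</a>',
    "http://blog.example.test/post/1": '<a href="http://example.test/">Back</a> <a href="#top">Top</a>',
}

if __name__ == "__main__":
    edges = link_edges(SAMPLE_PAGES)
    # render with: python linkgraph_dot.py | dot -Tpng -o linkgraph.png
    print(to_dot(edges, roots=("http://example.test/",)))
```

Swapping to_dot for a pydot.Dot with one add_node per URL and one add_edge per pair gives the same picture; the point is that every edge is just a pair of node names, so the node has to exist (or be auto-created by Graphviz) before the edge means anything.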

Wednesday, December 13, 2006

I Need An Editor

If you've been reading any of my posts, one thing you'll notice is that my spelling and grammar on this site are atrocious. I've just never really gotten into writing a large corpus of text before. Now I need to actually learn the language I use daily in a more formal way. Oh public school, how you've failed me, hehe. Anyway, if you know of some good resources for grammar etc., especially online ones, leave a comment.



Also I think I'm gonna pick up a copy of Strunk and White.

Thursday, December 7, 2006

ISC / Tom Liston Get Over Yourself

As part of my daily ritual I start the work day with a cup of coffee and a multi-vitamin, and sit down to read a bunch of blogs and respond to email that's come in since my commute. Among the pile of blogs I subscribe to with bloglines is the SANS Internet Storm Center Handler's Diary. The article today, called Climb a Small Mountain by Tom Liston, was, to be blunt, awful.



The gist of the article is that there's a piece of javascript malware that's using some basic obfuscation, and Tom describes the motions necessary to decode the strings, or more accurately to redirect the output to his textarea. So what made the article so annoying? For starters Tom sets the tone of an arrogant twerp by decrying javascript as a language, bemoaning being bothered for such trivialities as decoding some dumb javascript. Additionally he both fails to give a full explanation of the encoding (granted, it's a simple hex value -> ASCII mapping done with a table) and gets a few things wrong.



I think that he's missed a few things. As pointed out in the PHP Security Blog, javascript strings can't be accessed via subscript ( [ ] ) notation in Internet Explorer but can in other browsers' interpreters. Also, writing off this kind of obfuscation is stupid for yet another reason: it can be used to bypass signature based mechanisms such as IDS and AV. It may not be meant to keep you from taking it apart, but it sure as hell could avoid an alert and keep an admin from taking action to clean up this crap. Furthermore, it is interesting to note that if the adversary is using this technique for something this simple, it means that as far as web based malware is concerned we may have more sophisticated threats on our hands. I'm probably being paranoid, but it is interesting to consider.



Denouncing javascript as a toy language is dumb for many reasons. For starters, large applications, such as Google Maps, are making significant use of the language. The whole web 2.0 thing, hype or not, is based around the idea of the lightweight refresh and the use of javascript. Second, the browser is the interface of the masses, and every browser contains a javascript interpreter. Browsers aren't the only software with javascript: Adobe Acrobat for one allows javascript in PDFs, as do QuickTime movies in their href tracks. A majority of the business conducted via computers will be through the web. Thus the large deployment of javascript interpreters plus the business ramifications make the "toy" language extremely important, such that to call it a toy is to trivialize its role in the world. Third, the language has more programming language features than many of the popular scripting languages, such as closures and higher order functions.



All in all, I must say I'm quite disappointed.

Wednesday, December 6, 2006

What's With All The Reposts?

I was able to pull large portions of my blog out of the google cache. As such I'm starting to go through posts past and extract all that's worth saving. Expect to see more reposts over the next week.

Repost: dpkt notes

If you've ever found yourself using python's struct module to extract network data from traffic captured with one of the pcap bindings, stop now. dpkt is a packet parsing / creation library. Really this means that it's a collection of classes that have already done the struct module packing and unpacking for you. This includes turning fields into native python types, meaning that things like tcp destination ports are a native integer rather than a string or byte field that you have to manipulate. In a twisted sort of way it can be thought of as an ORM for the layers of the stack.

As an added benefit, dpkt works recursively, meaning that when you capture a frame and parse it with dpkt the data field of the Ethernet object is already parsed into an IP object, and the data of the IP packet is parsed as well. This unfortunately does not go on endlessly (for obvious reasons) and stops at the application layer. So everything up to and including the transport layer is automagically parsed into easy to use objects for you. To get at data in the application layer, dpkt also contains numerous classes for application protocols that can be used manually.

So enough chatter, attached is a simple example.




import dpkt
import pcap
from socket import inet_ntoa

if __name__ == '__main__':
    # open the default interface for live capture (pcap.pcap() also takes a device name)
    pc = pcap.pcap()
    for timestamp, packet in pc:
        eth = dpkt.ethernet.Ethernet(packet)
        #skip the frame if it doesn't contain IPv4 traffic (ethertype 0x0800 == 2048)
        if eth.type != 2048:
            continue
        ip = eth.data
        #let's only deal with udp (IP protocol number 17)
        if ip.p != 17:
            continue
        print "SRC IP: %s DST IP: %s" \
            % (inet_ntoa(ip.src), inet_ntoa(ip.dst))
        udp = ip.data
        #here I'm only looking for DNS so I choose
        #to discard any udp packet that's not going to port 53
        if udp.dport != 53:
            continue
        #the transport payload is left raw, so hand it to the DNS class ourselves
        dns = dpkt.dns.DNS(udp.data)
        #for those of you who don't remember what ` does in
        #python it calls the __repr__ method of the class to
        #get a string representation
        print `dns`


Happy hacking!

Thoughts on Traffic Analysis for Detecting DNS Covert Tunnels


Over at Infosec Potpourri, Hanashi conjectures that a good way to catch DNS tunnels would be to keep a ratio of the number of bytes sent via DNS requests vs the number of bytes in the responses over time for the pseudo-session. If this ratio surpasses a given threshold, say 2:1, then you need to investigate the host. I use the term pseudo-session as it is how SANCP, the session tool from the Sguil suite of tools, would group the data, and Hanashi used the term first :).




The resulting equation looks like (bytes in request / bytes in response), or vice versa depending upon whether you're searching for data entering your network.



Off the top of my head there are two points that need to be addressed by this analysis:




  1. You can use multiple upstream resolvers

  2. The ratio is easily avoided by using CNAME records





CLNT Host 1                              SVR Host 2
    |            DNS A record request            |
    |------------------------------------------->|
    |        SVR DNS RESPONSE (1 ANSWER)         |
    |<-------------------------------------------|
    |                                            |



The response is discarded, as only the DNS name before subdomain.domain.tld in the A record request is data to be sent upstream. This is wasteful, as you could use the response to squeeze out a few bytes, but is done to keep the code simple.



Since all we care about to send data upstream is the part of the DNS name before subdomain.domain.tld, we can use any type of record, including a CNAME. The CNAME can have multiple A records associated with it, thus we can create more data in the downstream response than what we sent outbound.



Sending data upstream (modified):




CLNT Host 1                              SVR Host 2
    |            DNS A record request            |
    |------------------------------------------->|
    |        SVR DNS RESPONSE (N ANSWERS)        |
    |<-------------------------------------------|
    |                                            |



Traffic analysis does show some promise for detection, though. However, one has to make sure that analysis is done at the one point that cannot be changed by the attacker: their client endpoint. More to come on this topic in the future.
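To make the ratio concrete, here is an added example; it is not Hanashi's code, not part of SANCP or Sguil, and not from the original post. It builds a few constructed DNS exchanges with a minimal RFC 1035 encoder (so it runs offline), sums request and response bytes per (client, server) pseudo-session, and flags sessions that reach whatever threshold you pass in, in either direction. It counts DNS payload bytes only; SANCP counts at the packet level, so the fixed IP/UDP header overhead per packet is left out here (an assumption). The three constructed sessions show the CNAME effect described above: the same long-label queries, answered with a CNAME plus six A records instead of a single A record, end up with a request/response ratio roughly a third of the one-answer case. Because a response echoes the question section, none of these constructed sessions reaches 2:1 in the request/response direction, while the inverse (response/request) check at 2:1 does pick out the CNAME-padded session.

```python
import struct
from collections import defaultdict

# ---- Constructed DNS messages: a minimal RFC 1035 encoder so this runs offline ----

def encode_name(name):
    """Encode a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

QUESTION_PTR = b"\xc0\x0c"   # compression pointer to the QNAME at offset 12

def dns_query(txid, qname, qtype=1):
    """Recursive query: 12-byte header plus one question (type A by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def rr(owner, rtype, rdata, ttl=60):
    """One resource record; owner is already-encoded bytes (a name or a pointer)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dns_response(txid, qname, answers):
    """Response that echoes the question section, then carries the given RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers)

# ---- The detector: per pseudo-session byte totals and the ratio check ----

def byte_totals(packets):
    """Sum DNS payload bytes per (client, server) pseudo-session, by direction."""
    totals = defaultdict(lambda: {"request": 0, "response": 0})
    for p in packets:
        totals[(p["client"], p["server"])][p["direction"]] += len(p["payload"])
    return dict(totals)

def request_response_ratio(totals):
    """bytes in requests / bytes in responses; inf if nothing ever came back."""
    return totals["request"] / totals["response"] if totals["response"] else float("inf")

def flag_sessions(packets, threshold, upstream=True):
    """Pseudo-sessions whose ratio reaches threshold. upstream=True checks
    request/response (data leaving); upstream=False checks the inverse."""
    flagged = []
    for key, totals in byte_totals(packets).items():
        ratio = request_response_ratio(totals)
        if not upstream:
            ratio = 1 / ratio if ratio else float("inf")
        if ratio >= threshold:
            flagged.append(key)
    return sorted(flagged)

# ---- Constructed sample traffic (not a real capture) ----

def exchange(client, server, query, response):
    return [{"client": client, "server": server, "direction": "request", "payload": query},
            {"client": client, "server": server, "direction": "response", "payload": response}]

def build_sample():
    pkts = []
    # 1. ordinary lookup: one A answer whose owner is a pointer back to the question
    pkts += exchange("10.0.0.5", "192.0.2.53", dns_query(1, "www.example.com"),
                     dns_response(1, "www.example.com", [rr(QUESTION_PTR, 1, b"\xc0\x00\x02\x01")]))
    # 2. the pattern from the post: data rides in the leftmost label, the reply is one A record
    labels = ["a" * 60, "b" * 60, "c" * 60]   # constructed 60-byte labels (63 is the limit)
    for txid, label in enumerate(labels, start=2):
        name = label + ".t.example.net"
        pkts += exchange("10.0.0.6", "192.0.2.53", dns_query(txid, name),
                         dns_response(txid, name, [rr(QUESTION_PTR, 1, b"\xc0\x00\x02\x02")]))
    # 3. identical queries, but the server answers CNAME plus six A records
    target = "cdn.example.net"
    for txid, label in enumerate(labels, start=5):
        name = label + ".t.example.net"
        answers = [rr(QUESTION_PTR, 5, encode_name(target))]
        answers += [rr(encode_name(target), 1, bytes([192, 0, 2, 10 + k])) for k in range(6)]
        pkts += exchange("10.0.0.7", "192.0.2.53", dns_query(txid, name),
                         dns_response(txid, name, answers))
    return pkts

if __name__ == "__main__":
    pkts = build_sample()
    for key, totals in sorted(byte_totals(pkts).items()):
        print(key, totals, "req/resp = %.2f" % request_response_ratio(totals))
    print("flagged at 2:1 upstream:", flag_sessions(pkts, 2.0))
    print("flagged at 2:1 downstream:", flag_sessions(pkts, 2.0, upstream=False))
```

Feeding real traffic in is a matter of producing the same dicts from the dpkt loop above (client, server, direction from the UDP ports, payload = udp.data); the pseudo-session key would then also carry the client port, since that is how SANCP splits UDP flows.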