What I Got for Christmas: Polymorphic Blog Spam Comment Vomited on My Site

by Ed Skoudis

Hope you had a great holiday!  I got an unexpected nice gift for the holidays on one of my blogs.  Below, you’ll see a comment that was submitted to the SANS Pen Test Blog, which I run.  As you can see, it is one of those lame pseudo-comments sent in as link-bait for Search Engines and other nefarious purposes.  I get a few of this kind of thing a week, and our anti-blog-spam filter catches most of them.

What makes this one special is that the automated tool that barfed it into my blog didn’t choose from each grouping of different options; instead, it shot up ALL options for every variation of this blog spam.  You can see, by selecting at random from each grouping, untold thousands of combinations are possible.  But, with this errant blog spam shot, I’ve got all potential combinations here.  It’s almost silly how many different combinations there are, and how each one tries to be super polite.  You gotta read through them for a little chuckle.

It’s a gift for the guy who has everything, I suppose.  Why, it is even {terrific|wonderful|lame|ridiculous}.  Merry Christmas indeed!

–Ed Skoudis.

 

{
{I have|I've} been {surfing|browsing} online more than
{three|3|2|4} hours today, yet I never found any interesting article like yours.
{It's|It is} pretty worth enough for me. {In my opinion|Personally|In my view}, if all {webmasters|site owners|website owners|web owners} and bloggers
made good content as you did, the {internet|net|web} will be {much
more|a lot more} useful than ever before.|
I {couldn't|could not} {resist|refrain from} commenting. {Very well|Perfectly|Well|Exceptionally well} written!|
{I will|I'll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your {rss|rss
feed} as I {can not|can't} {in finding|find|to find} your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.
Do {you have|you've} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know} {so that|in order that} I {may just|may|could} subscribe.
Thanks.|
{It is|It's} {appropriate|perfect|the best} time to make some plans for
the future and {it is|it's} time to be happy.
{I have|I've} read this post and if I could I {want to|wish to|desire to}
suggest you {few|some} interesting things or {advice|suggestions|tips}.
{Perhaps|Maybe} you {could|can} write next articles referring to this article.
I {want to|wish to|desire to} read {more|even more} things about it!|
{It is|It's} {appropriate|perfect|the best} time to make {a few|some} plans for {the future|the longer term|the long run} and
{it is|it's} time to be happy. {I have|I've} {read|learn}
this {post|submit|publish|put up} and if I {may just|may|could} I {want to|wish to|desire to} {suggest|recommend|counsel} you {few|some} {interesting|fascinating|attention-grabbing}
{things|issues} or {advice|suggestions|tips}.
{Perhaps|Maybe} you {could|can} write {next|subsequent} articles {relating to|referring to|regarding} this
article. I {want to|wish to|desire to} {read|learn} {more|even more} {things|issues} {approximately|about} it!|
{I have|I've} been {surfing|browsing} {online|on-line} {more than|greater than} {three|3}
hours {these days|nowadays|today|lately|as of
late}, {yet|but} I {never|by no means} {found|discovered} any {interesting|fascinating|attention-grabbing} article like yours.

{It's|It is} {lovely|pretty|beautiful} {worth|value|price} {enough|sufficient}
for me. {In my opinion|Personally|In my view}, if all {webmasters|site owners|website owners|web owners} and bloggers made
{just right|good|excellent} {content|content material} as {you did|you
probably did}, the {internet|net|web} {will be|shall be|might
be|will probably be|can be|will likely be} {much
more|a lot more} {useful|helpful} than ever before.|
Ahaa, its {nice|pleasant|good|fastidious} {discussion|conversation|dialogue} {regarding|concerning|about|on the topic of} this {article|post|piece of writing|paragraph} {here|at this place}
at this {blog|weblog|webpage|website|web site},
I have read all that, so {now|at this time} me
also commenting {here|at this place}.|
I am sure this {article|post|piece of writing|paragraph} has touched all
the internet {users|people|viewers|visitors}, its really really {nice|pleasant|good|fastidious}
{article|post|piece of writing|paragraph} on building up new {blog|weblog|webpage|website|web site}.|
Wow, this {article|post|piece of writing|paragraph} is {nice|pleasant|good|fastidious}, my {sister|younger sister} is analyzing {such|these|these kinds of} things, {so|thus|therefore}
I am going to {tell|inform|let know|convey} her.|
{Saved as a favorite|bookmarked!!}, {I really like|I like|I love} {your
blog|your site|your web site|your website}!|
Way cool! Some {very|extremely} valid points!

I appreciate you {writing this|penning this} {article|post|write-up} {and the|and also the|plus the} rest
of the {site is|website is} {also very|extremely|very|also really|really}
good.|
Hi, {I do believe|I do think} {this is an excellent|this is a great} {blog|website|web site|site}.
I stumbledupon it ;) {I will|I am going to|I'm going to|I may} {come back|return|revisit}
{once again|yet again} {since I|since i have} {bookmarked|book marked|book-marked|saved
as a favorite} it. Money and freedom {is the best|is the greatest} way to change, may you be rich and continue to {help|guide} {other
people|others}.|
Woah! I'm really {loving|enjoying|digging} the
template/theme of this {site|website|blog}. It's simple,
yet effective. A lot of times it's {very hard|very difficult|challenging|tough|difficult|hard} to
get that "perfect balance" between {superb usability|user friendliness|usability} and {visual appearance|visual
appeal|appearance}. I must say {that you've|you have|you've} done a {awesome|amazing|very good|superb|fantastic|excellent|great} job with this.

{In addition|Additionally|Also}, the blog loads {very|extremely|super} {fast|quick}
for me on {Safari|Internet explorer|Chrome|Opera|Firefox}.
{Superb|Exceptional|Outstanding|Excellent} Blog!|
These are {really|actually|in fact|truly|genuinely}
{great|enormous|impressive|wonderful|fantastic} ideas
in {regarding|concerning|about|on the topic of} blogging. You have touched some {nice|pleasant|good|fastidious} {points|factors|things} here.
Any way keep up wrinting.|
{I love|I really like|I enjoy|I like|Everyone loves} what you
guys {are|are usually|tend to be} up too. {This sort of|This type of|Such|This kind of} clever work and {exposure|coverage|reporting}!

Keep up the {superb|terrific|very good|great|good|awesome|fantastic|excellent|amazing|wonderful} works guys I've {incorporated||added|included} you guys to {|my|our||my personal|my own} blogroll.|
{Howdy|Hi there|Hey there|Hi|Hello|Hey}!
Someone in my {Myspace|Facebook} group shared this {site|website} with us so I came to {give it a look|look it over|take a look|check it out}.
I'm definitely {enjoying|loving} the information.
I'm {book-marking|bookmarking} and will be tweeting this to my followers!
{Terrific|Wonderful|Great|Fantastic|Outstanding|Exceptional|Superb|Excellent} blog and {wonderful|terrific|brilliant|amazing|great|excellent|fantastic|outstanding|superb} {style and design|design and
style|design}.|
{I love|I really like|I enjoy|I like|Everyone loves} what you guys {are|are usually|tend to be} up too.
{This sort of|This type of|Such|This kind of} clever work and {exposure|coverage|reporting}!
Keep up the {superb|terrific|very good|great|good|awesome|fantastic|excellent|amazing|wonderful} works
guys I've {incorporated|added|included} you guys to {|my|our|my personal|my own} blogroll.|
{Howdy|Hi there|Hey there|Hi|Hello|Hey} would you mind {stating|sharing} which blog platform you're {working with|using}?
I'm {looking|planning|going} to start my own blog {in the near future|soon} but I'm having a {tough|difficult|hard} time {making a decision|selecting|choosing|deciding}
between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your {design and style|design|layout} seems different then most blogs and I'm looking for something {completely unique|unique}.
P.S {My apologies|Apologies|Sorry} for {getting|being}
off-topic but I had to ask!|
{Howdy|Hi there|Hi|Hey there|Hello|Hey} would you mind letting me know which {webhost|hosting company|web host} you're {utilizing|working with|using}?

I've loaded your blog in 3 {completely different|different} {internet browsers|web browsers|browsers}
and I must say this blog loads a lot {quicker|faster}
then most. Can you {suggest|recommend} a good {internet hosting|web hosting|hosting} provider at a {honest|reasonable|fair} price?
{Thanks a lot|Kudos|Cheers|Thank you|Many thanks|Thanks}, I appreciate it!|
{I love|I really like|I like|Everyone loves} it {when people|when individuals|when folks|whenever people} {come together|get together} and share {opinions|thoughts|views|ideas}.
Great {blog|website|site}, {keep it up|continue the
good work|stick with it}!|
Thank you for the {auspicious|good} writeup. It in
fact was a amusement account it. Look advanced to
{far|more} added agreeable from you! {By the way|However}, how {can|could} we communicate?|
{Howdy|Hi there|Hey there|Hello|Hey} just wanted to give you a quick heads up.

The {text|words} in your {content|post|article}
seem to be running off the screen in {Ie|Internet explorer|Chrome|Firefox|Safari|Opera}.
I'm not sure if this is a {format|formatting} issue
or something to do with {web browser|internet browser|browser} compatibility but I {thought|figured}
I'd post to let you know. The {style and design|design and style|layout|design} look great though!
Hope you get the {problem|issue} {solved|resolved|fixed} soon.
{Kudos|Cheers|Many thanks|Thanks}|
This is a topic {that is|that's|which is} {close to|near to} my
heart... {Cheers|Many thanks|Best wishes|Take care|Thank you}!
{Where|Exactly where} are your contact details though?|
It's very {easy|simple|trouble-free|straightforward|effortless} to find out
any {topic|matter} on {net|web} as compared to {books|textbooks}, as I found this {article|post|piece of
writing|paragraph} at this {website|web site|site|web page}.|
Does your {site|website|blog} have a contact page? I'm having {a tough time|problems|trouble} locating
it but, I'd like to {send|shoot} you an {e-mail|email}.
I've got some {creative ideas|recommendations|suggestions|ideas} for your blog you might
be interested in hearing. Either way, great {site|website|blog} and I look forward
to seeing it {develop|improve|expand|grow} over time.|
{Hola|Hey there|Hi|Hello|Greetings}! I've been {following|reading} your {site|web site|website|weblog|blog} for {a long time|a while|some time} now and finally got the {bravery|courage} to go ahead and give you a shout
out from {New Caney|Kingwood|Huffman|Porter|Houston|Dallas|Austin|Lubbock|Humble|Atascocita} {Tx|Texas}!
Just wanted to {tell you|mention|say} keep up the {fantastic|excellent|great|good} {job|work}!|
Greetings from {Idaho|Carolina|Ohio|Colorado|Florida|Los angeles|California}!
I'm {bored to tears|bored to death|bored} at work so I decided to
{check out|browse} your {site|website|blog} on my iphone during lunch break.

I {enjoy|really like|love} the {knowledge|info|information} you {present|provide} here and can't wait to take a look when I
get home. I'm {shocked|amazed|surprised} at how {quick|fast} your blog loaded on my {mobile|cell phone|phone} ..
I'm not even using WIFI, just 3G .. {Anyhow|Anyways},
{awesome|amazing|very good|superb|good|wonderful|fantastic|excellent|great}
{site|blog}!|
Its {like you|such as you} {read|learn} my {mind|thoughts}!
You {seem|appear} {to understand|to know|to grasp} {so much|a lot} {approximately|about}
this, {like you|such as you} wrote the {book|e-book|guide|ebook|e book} in it or something.
{I think|I feel|I believe} {that you|that you simply|that
you just} {could|can} do with {some|a few} {%|p.c.|percent} to {force|pressure|drive|power} the
message {house|home} {a bit|a little bit}, {however|but} {other than|instead of} that, {this is|that is} {great|wonderful|fantastic|magnificent|excellent} blog.
{A great|An excellent|A fantastic} read. {I'll|I will} {definitely|certainly} be back.|
I visited {multiple|many|several|various} {websites|sites|web
sites|web pages|blogs} {but|except|however} the audio {quality|feature} for audio songs {current|present|existing} at this {website|web site|site|web page} is {really|actually|in fact|truly|genuinely} {marvelous|wonderful|excellent|fabulous|superb}.|
{Howdy|Hi there|Hi|Hello}, i read your blog {occasionally|from time to time} and i own a similar one and i was just {wondering|curious} if you
get a lot of spam {comments|responses|feedback|remarks}?

If so how do you {prevent|reduce|stop|protect against} it, any plugin or anything you can {advise|suggest|recommend}?
I get so much lately it's driving me {mad|insane|crazy} so any {assistance|help|support} is very much appreciated.|
Greetings! {Very helpful|Very useful} advice {within this|in this particular} {article|post}!

Pen Test Tips, Tricks, and Tools – Pulling it All Together

[Editor’s Note: Here is our final installment of tips from the SANS Pen Test Poster, this time focussed on Pulling It All Together in your pen tests.  If you are interested in this type of information, you should know that I’m going to be teaching my SANS SEC 560 course on  network penetration testing & ethical hacking in New Orleans  in January 2014.  From January 20 to 25, we’ll cover in-depth technical approaches for penetration testing, plus tons of tips for maximizing your effectiveness as a pen tester.  If you are looking to take a SANS course where the student-to-instructor ratio is fairly low so we can have more detailed and personalized discussions, this is a great one to register for.  Plus, New Orleans is a fantastic town, with lotsa wonderful restaurants and fascinating history.  It’s gonna be a GREAT time.  Registration details are  here. –Ed.]

By Ed Skoudis

Tips for maximizing the value you provide during a penetration test

  • Write your report while you conduct the test.  Don’t wait until the very end. Writing while testing will allow you to provide analytic depth, clarity of explanations, and good screenshots that you might otherwise miss.
  • Focus on the potential business impact of your findings, especially in the executive summary of your report. For example, to some of your target audience, saying you got Domain Admin access, by itself, isn’t enough to justify resources to fix the situation. Explaining what a malicious actor could do to impact the business and its mission with that domain admin access much more likely could.
  • Try to include client-side exploitation in your project scope, given its dominance as an attack vector today. But, carefully structure the test to limit your activities to only allowed clients by checking IP addresses, MAC addresses (where possible), and other aspects to ensure you remain in scope.
  • Don’t simply regurgitate vuln scanner output. Instead, analyze the output, validating findings by performing false-positive reduction. Then, prioritize findings and recommendations in light of the business risks of the target organization.
  • Pivot mercilessly, jumping between machines when possible, always staying within scope and following the rules of engagement.
  • Augment High/Medium/Low risk descriptions by also including a likelihood of occurrence. These two measures will help target system personnel determine where to focus remediation resources. Additional measures of discovered vulnerabilities worth considering in assigning risk ratings are available from the Common Vulnerability Scoring System (CVSS) project at www.first.org/cvss.
  • Remember that your ultimate goal is typically to help improve security operations. Instead of writing your reports to impress other penetration testers, focus on practical advice that system and network operations teams can apply that would undermine the techniques you applied during the project.
  • To provide even more value, include practical steps for target personnel to ensure remediation is in place. In order to help target personnel verify that a given fix or patch is in place, provide in your report a brief step-by-step description of how to verify that the flaw you’ve discovered has been mitigated.

Repositories for pen test information storage, analysis, and collaboration

  • Wiki (such as MediaWiki at www.mediawiki.org): Wikis provide an easily editable information repository for text and files, acting as a scratchpad for pen tester notes. You can easily set up remote access to a Wiki across an SSH tunnel for penetration testers to collaborate.
  • Armitage (www.fastandeasyhacking.com) by Raphael Mudge:  This fantastic GUI and front-end analysis tool for Metasploit provides flexible access to Metasploit’s features, as well as its back-end data store. Furthermore, the red team collaboration features of Armitage allow pen testers to share sessions and data from target environments in real time.
  • Metasploit Database (www.metasploit.com) by the Metasploit Development Team: Metasploit databases can hold plentiful information about target environments, including lists of hosts, services, vulnerabilities, credentials, and more.
  • Dradis Framework (http://dradisframework.org) by the Dradis Development Team: This information gathering and analysis tool pulls results from over a dozen other tools (including Nessus, NeXpose, Burp scanner, Nmap, and more), as well as vulnerability sources such as OSVDB into a central repository. Pen testers can then analyze the details via the Dradis GUI and automate some aspects of report writing using the tool.
  • MagicTree (www.gremwell.com) by Gremwell: This tool imports test results from Nmap, Nessus, and a variety of other tools, and allows for detailed searches, analysis, and automated report generation.

–Ed Skoudis
Counter Hack
@edskoudis 

Web App Tips, Tricks and Resources

[Editor’s Note: Here is the fifth in our series of penetrating testing tips drawn from the Ultimate SANS Pen Test Poster.  This time, our focus is on specific recommendations from Kevin Johnson about web app pen test tips, tools, resources, and other recommendations.  Really helpful stuff.  Thanks, Kevin!

For earlier posts in this series, feel free to check out:
John Strand’s tips for network pen testing.
Steve Sims’ tips for exploit development.
Josh Wright’s tips for mobile device pen testing.
Larry Pesce’s tips for wireless pen testing. 

–Ed.]

By Kevin Johnson

Methodology Tips

  • Recon – During recon, the tester is looking to see what information has leaked onto the Internet about the application or organization being tested. This information can range from potential user names to source code from the application being posted to a help forum. It is imperative that this step of the methodology is not skipped. Some of the best information is found during this step.
  • Mapping – During the mapping phase, the pen testers actually use the application being tested, interacting with its various components. This phase provides them an understanding of the functionality and transactions available within the web application. This understanding allows them to focus in the next step on finding the flaws and vulnerabilities within the application. Use of the built-in tools of Burp and other proxies to automatically scan for the low-hanging fruit allow the tester to spend more time on the more difficult but critical flaws.
  • Exploitation – Exploitation comes in many forms depending on the vulnerability you have. In many cases, the goal is to retrieve data or gain full access to the systems. Using a tool like Laudanum to get a shell on a system and then add local users is a great window of opportunity. Don’t forget Metasploit, as it is key in many exploitations. This step builds upon the previous two so that we are able to validate the flaws within the application. This helps the organization understand the risk the flaw exposes them too.
  • Post-Exploitation – Now we are able to pivot through the flaws exploited to gain even more information or access. Leveraging the flaw you found, such as XSS to take control of a victim browser to gain further access into the application or network using a tool like BeEF, the browser exploitation framework. This JavaScript based attack connects the victim browser to a ruby framework to deliver a variety of payloads.
  • Misc (reporting) – Contrary to popular belief, reporting is actually a huge part of a penetration test. It is one thing to be able to pwn the system, and another to be able to explain the security flaw and recommendations to the client. Lots of time is spent writing the final report so the information is actually useful.

Must-Have Tools

  • Burp Suite – Burp Suite is a web proxy that comes in both a free and commercial version. In addition to the proxy functionality, Burp also includes Repeater, Intruder, Decoder, Comparer, and scanning (commercial version only) tools built in. Repeater and Intruder are instrumental when it comes to web testing. This is the swiss army knife of web pen testing. By Dafydd Stuttard – http://www.portswigger.net
  • DirBuster – DirBuster is a tool designed to enumerate web directories and files. It works off of a set of pre-defined dictionaries or it can be used in fuzzer mode. By James Fisher – http://sourceforge.net/projects/dirbuster
  • Zed Attack Proxy – Zed Attack Proxy is an easy to use penetration testing tool used to identify flaws in web applications. It includes many different tools, such as a brute forcer, scanner, fuzzier, and decoder. By Simon Bennetts  http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • SqlMap – SqlMap is an open source penetration testing tool to automate the process of detecting and exploiting SQL Injection vulnerabilities. Using simple commands, it is easy to quickly identify and then exploit SQL injections. By Bernardo Damele A. G. and Miroslav Stampar – http://sqlmap.org
  • Nikto – Nikto is an open source web server scanning tool that can identify web server versions, mis- configurations, and a large list of vulnerable files. By Chris Sullo – http://www.cirt.net/nikto2
  • SamuraiWTF – No need in spending time building a testing system when this one is built for you. By Kevin Johnson and Justin Searle – http://sourceforge.net/projects/samurai
  • FireFox Add-ins – The FireFox web browser is a must-have tool because there are so many great add-ins available. Add-ins like HackBar, User Agent Switcher, Web Developer, Tamper Data, and Firebug are all excellent tools when performing a web penetration test. That is just a small example of the add-ins that can be used. By Mozilla – http://www.mozilla.org/en-US/firefox/fx
  • Laudanum – Laudanum is a collection of web scripts that can be deployed to a vulnerable server to provide file browsing and shell functionality on the affected system. These scripts come in many languages, including ASP.Net, Java, and PHP. By Kevin Johnson, Tim Medin, and James Jardine http://sourceforge.net/projects/laudanum
  • BeEF – The Browser Exploitation Framework (BeEF) is an excellent tool while performing a web pen test. The framework makes it really easy to exploit the browser using identified cross-site scripting flaws. Once exploited, it may be possible to pivot from the outside to the inside of a network. http://beefproject.com 

Great Resources for Staying Current

Associated SANS Courses

SEC542: Web App Penetration Testing and Ethical Hacking www.sans.org/sec542 

SEC642: Advanced Web App Penetration Testing and Ethical Hacking www.sans.org/sec642

–Kevin Johnson

Removing the Android Device Lock from any Mobile App

[Editor’s note: In this blog post, Raul Siles goes in-depth exploring how to attack a vulnerability in the way Android device lock works.  Although a patch was released last week for this flaw, the slow (or nonexistent) update cycle for many users means this attack mechanism will be valid for quite some time to come.  The best part of Raul’s write-up is his use of both static and dynamic analysis techniques and a variety of tools to tease apart the flaw.  Raul ends by showing how you can test that the newly released fixes for Android block exploitation of the flaw.  Nice stuff!  –Ed.]

By Raul Siles

Shameless plug: I will be teaching the 6-day SANS SEC 575: Mobile Device Security and Ethical Hacking course in Abu Dhabi, UAE (Apr 26, 2014 – May 1, 2014) and Berlin, Germany (Jun 16-21, 2014).

The “SANS SEC575: Mobile Device Security and Ethical Hacking” training is one of the most entertaining and challenging courses I have ever taught, with enhanced coverage of Android, iOS, Windows Phone, and BlackBerry. The last couple of times I taught it this year, I travelled around the world with six different mobile devices including; Android 2.x & 4.x plus iOS 4.x, 5.x, 6.x & 7.x, my other production mobile devices, two laptops, Wi-Fi access points plus multiple USB cards and antennas, a Wifi Pineapple, a portable stand camera, and a few other gadgets. This makes crossing airport security quite challenging almost creating a kind of extra social engineering exercise for a pen tester. Yes, I get stares.  :-)

Last week, a new Android vulnerability was disclosed: “CVE-2013-6271: Remove Device Locks from Android Phone”. It affects Android Jelly Bean (JB) 4.3 devices, as well as earlier version based on my own testing, such as Android Ice Cream Sandwich (ICS) version 4.0.3.  The flaw allows any mobile application (from now on referred to as an “app”) to remove the passcode or lock protection of Android mobile devices, no matter the lock mechanism in place: PIN code, password or passphrase, dot pattern or gesture, or face unlock.  That’s pretty huge.

Android implements an Inter Process Communication (IPC) mechanism through messages, called Intents. About a year ago, we started covering this feature in Day 3 of the SEC575 class, focusing our Android Intents analysis using the Mercury framework,  developed by MWR InfoSecurity.  You can read all about Mercury in Chris Crowley’s previous article on the SANS Pen-Testing blog, “Intentional Evil: A Pen Tester’s Overview of Android Intents”.  The SEC575 training has been recently updated with its replacement tool, called Drozer. As the Drozer framework is explicitly mentioned in the PoC section of the CVE-2013-6271 vulnerability, I thought this vulnerability was a great opportunity to show on this blog how to dissect an Android app, and offer a quick step-by-step overview of the methods and tools we can use as pen-testers and security researchers to discover and analyze, in depth, this kind of still very common Android app weakness.

A more detailed analysis of the various Android app components (Activities, Services, Receivers, etc.) and their relationships, app attack opportunities, and components exposure are covered in Day 3 of SEC575, including live demos, hands-on exercises  and details of real vulnerabilities, such as a similar vulnerability affecting the Android Facebook app, v.1.8.1. (I was not aware of my artistic skills until after Björn took a picture of my screen during SANS London 2013 after going through the vulnerability details :-):

The attack vector that can be leveraged to take advantage of the CVE-2013-6271 vulnerability is based on having an offending app installed on the victim mobile device, previously installed by the user or installed by exploiting any other vulnerability in the Android platform. In order to send an intent to a public Activity, the offending app does not require any special permission in the Android platform. This increases the device exposure, as the most benign looking apps, or even future app updates, could be used now to unlock the Android device…even those apps requesting no permissions at all.  BTW, these are the ones that are really suspicious to me! :-)

The SEC575 Android static analysis section mainly focuses on the evaluation of third-party mobile apps from a corporate perspective, such as the ones you can get from Google Play (the official Android app store) or any other source or third-party store. When you need to analyze a default system Android app, such as the Settings app in the case of the CVE-2013-6271 vulnerability, there are a couple of differences that influence the analysis process.

NOTE: The analysis process described uses Windows 7 as the host operating system and the Android emulator as the target mobile environment, although the same steps apply when using a real Android mobile device or a different host operating system.

Android App Static Analysis

In order to analyze any Android app, the first requirement is to get a copy of the corresponding Android package (.apk file) from Google Play or from within an Android device. An Android package is a compressed ZIP file, so it can be easily inspected. Inside you can find resources and certificate information, as well as the two most relevant files for Android apps: AndroidManifest.xml (which includes the permissions required by the app and the components publicly exported by it, among others) and classes.dex (the app binary in Dalvik Executable, or DEX, format):

However, the default system Android apps are optimized to speed up their performance when loading and running, and as a result, the corresponding .apk file does not contain a classes.dex file. Instead, the binary has been extracted out of the .apk file and has been converted to an .odex file (Optimized DEX file).

The CVE-2013-6271 vulnerability affects the default system Settings app (identified as “com.android.settings”). The Settings app is located in the “/system/app/” directory of Android devices, split in two files: Settings.apk and Settings.odex. The adb tool available in the Android SDK can be used to extract these two files:

As the .apk file does not contain the app binary, our analysis will focus on the .odex file. The .odex file has to be deoptimized and disassembled for inspection, a process known as deodexing. The baksmali tool helps to deodex the file and requires four arguments; the Android API level (-a), the target .odex file (-x), a directory containing all the framework libraries (-d), and an output directory to save the disassembled Smali code from the app (-o).

C:\> baksmali -a 18 -x Settings.odex -d framework -o Settings

The API level is based on the Android version and can be easily obtained from the Android  “Codenames, Tags, and Build Numbers” webpage. As we are using an Android 4.3 target device, the corresponding API level is 18.

The directory containing all the framework libraries can be created by checking the value of the BOOTCLASSPATH environment variable from the Android 4.3 device. Again, adb can be used to retrieve its value:

You can copy and paste the BOOTCLASSPATH variable contents in a single line into a text file (“BOOTCLASSPATH-jar.txt”) and process that file in Windows to obtain (via adb pull) all the Android framework libraries from the device, plus the associated .odex files. The following commands will streamline the process (see the “Additional Resources” section below to get the “BOOTCLASSPATH.bat” script) :

C:\> set /p BCPJAR= < BOOTCLASSPATH-jar.txt

C:\> echo %BCPJAR:.jar=.odex% > BOOTCLASSPATH-odex.txt

C:\> set /p BCPODEX= < BOOTCLASSPATH-odex.txt

C:\> echo %BCPJAR% && echo %BCPODEX%

C:\> FOR %a in (%BCPJAR::= %) do @echo %a >> BOOTCLASSPATH-jar-lines.txt

C:\> FOR %a in (%BCPODEX::= %) do @echo %a >> BOOTCLASSPATH-odex-lines.txt

C:\> mkdir framework

C:\> cd framework

C:\> FOR /F %i in (..\BOOTCLASSPATH-jar-lines.txt) DO adb pull %i

C:\> FOR /F %i in (..\BOOTCLASSPATH-odex-lines.txt) DO adb pull %i

The “framework” directory can now be used as the input for the baksmali “-d” argument.

After running the baksmali command, a new “Settings” directory will be created containing the Settings app Smali code. The smali tool can be used then to reassemble the Smali code into a Dalvik EXecutable file (.dex file). The tool simply requires two arguments, the previously created “Settings” directory and the output DEX filename (-o):

C:\> smali Settings -o Settings.dex

As a result, a new “Settings.dex” file will be created containing a deoptimized binary version of the Settings app. This file would be similar to the “classes.dex” file available in the APK file for third-party apps. At this point, the dex2jar tool can be run on this DEX file to decompile the Dalvik EXecutable and extract the corresponding Java bytecode (.class files):

C:\> dex2jar Settings.dex

The dex2jar tool will create a new “Settings_dex2jar.jar” file that contains the Java bytecode for the Settings app. Through a Java decompiler, such as JD-GUI, it is possible to open this .jar file and obtain the Java source code for the target app, or an approximate representation of it.

Android App Dynamic Analysis

The Drozer framework provides advanced capabilities to interact with Android apps and their different components. After installing the Drozer agent in the target Android device, which will act as the offensive app, it is possible to establish a communication between the Drozer console and the agent. From the Drozer console, all the packages associated with the “settings” term can be listed, trying to identify the target Android Settings app (“com.android.settings”):

Drozer provides multiple modules to perform a deeper inspection on the components exposed by the Settings app, and in particular, the potentially vulnerable Activity from the total 104 Activities exported by the app, named “com.android.settings.ChooseLockGeneric”:

At this point, the JD-GUI decompiler can be used to open the Settings app Java bytecode (.jar file) and inspect the specific class we are interested in, via the CVE-2013-6271 vulnerability details and the Activity name previously identified,  “com.android.settings.ChooseLockGeneric”. By inspecting this class source code, we can see how at the Activity creation time (inside the “onCreate()” function) the “confirm_credentials” extra boolean parameter, is extracted and evaluated from the Intent, trying to determine if a confirmation is required from the user:

Additionally, an extra “lockscreen.password_type” integer parameter is expected from the Intent associated to the Activity used to update the lock preferences:

The app will then call the “updateUnlockMethodAndFinish()” function that contains the final vulnerable code if the value of the previously mentioned parameter is equal to 0 (after going through the “upgradeQuality()” function and the associated code):

After inspecting the source code, it is possible to identify the two extra parameters required by the “com.android.settings.ChooseLockGeneric” Activity to be able to execute the vulnerable code. The Drozer frameworks facilitates the creation of a new Activity and the submission of the Intent with these two extra parameters against the target component:

If the target Android 4.3 device is protected with a passcode (e.g. PIN code), after sending the Intent with the appropriate extra parameters from the Drozer agent to the target Settings app, the vulnerable code previously mentioned will run and the lock protection will be immediately removed from the device as shown below:

When the lock is removed, it’s quite startling to see the open device.  The combination of both static and dynamic analysis techniques have allowed to identify the vulnerable code and to exploit it to remove the lock protection from the Android device.

Countermeasures Implemented in Android 4.4

When the same analysis is performed in Android 4.4, and Drozer is used to exploit the vulnerability, the behavior observed is the expected one for a non-vulnerable device. Before the user or an app can change or remove the lock or passcode protection, the mobile device prompts the user for confirmation by requesting the previous lock value (e.g. the user has to enter the previous PIN code):

An in depth analysis of the new Settings app in Android 4.4 reveals how the vulnerability was fixed in the latest Android version. The default system Settings app in Android 4.4 is stored in a different location, “/system/priv-app/”, the new default location for Privileged Apps (instead of the old default location for all System Apps in previous Android versions, “/system/app”):

The new APK location can be obtained, for example, through the package inspection capabilities available in the Drozer framework, that provide extensive information about any app:

The Settings.odex file can be inspected in-depth following the same analysis process previously described for Android 4.3. The main difference is the extended set of libraries used by the default Android 4.4 framework, as the BOOTCLASSPATH value denotes:

As a result, the following three main differences help to fix the vulnerability and make Android 4.4 not vulnerable to the same attack. The source code of the “com.android.settings.ChooseLockGeneric” class includes a new “InternalActivity” subclass at the bottom of the source code:

A quick comparison of the “ChooseLockGeneric” class source code between Android 4.4 and Android 4.3 exposes the new code introduced in version 4.4. The “onCreate()” function now verifies that the Activity is an instance of the new “InternalActivity” class, to limit its creation from other external apps:

Finally, the AndroidManifest.xml file for the Settings app has been changed from Android 4.3 to Android 4.4 in order not to publicly export the new “InternalActivity” Activity. This XML file is in binary format, so the AXMLPrinter2 tool can be used to convert it to text for in-depth inspection:

C:\> AXMLPrinter2 AndroidManifest.xml > AndroidManifest.txt

Again, the combination of both static and dynamic analysis techniques have allowed you to confirm that Android 4.4 is not vulnerable and identify the fixes introduced in the new code to ask for confirmation before removing the lock protection from the Android device.

Tool References

AXMLPRinter2: http://code.google.com/p/android4me/

dex2jar: https://code.google.com/p/dex2jar/

Drozer: https://labs.mwrinfosecurity.com/tools/drozer/

JD-GUI: http://jd.benow.ca/#jd-gui

smali/baksmali: https://bitbucket.org/JesusFreke/smali/

NOTE: The different tool commands used during the analysis process are Windows batch scripts that simply invoke the corresponding Java tool, such as baksmali, executing in reality the “java -jar baksmali-2.0.2.jar %*” command.

Additional Resources

BOOTCLASSPATH.bat: Windows batch script that creates a ‘framework’ directory with all the Android framework libraries (both .jar & .odex files) specified in the local “BOOTCLASSPATH-jar.txt” file, extracted via “adb pull” from a local Android device or Android emulator (AVD).

BOOTCLASSPATH-jar_4.3.txt: Default Android 4.3 framework libraries.

BOOTCLASSPATH-jar_4.4.txt: Default Android 4.4 framework libraries.

–Raul Siles

Wireless Tips, Tricks and Resources

[Editor’s Note: We’re continuing our series on useful tips and tricks for different kinds of pen testing, based on the SANS Pen Test Poster.  In this installment, Mr. Larry “Hax0r the Matrix” Pesce covers some great tips, ideas, and resources for wireless penetration tests.  Great stuff!

Earlier in this series, we covered:

John Strand’s tips on network penetration testing
Steve Sims’ tips on exploit development
Josh Wright’s tips on mobile device penetration testing

–Ed.]

By Larry Pesce

Methodology Tips

  • Recon – Channel hopping with Kismet is your best friend while performing recon. It is passive (silent) and will cycle through all of the available wireless channels supported by the wireless driver. Be mindful that while the wireless card is channel hopping, it misses all of the activity on the channels where it is not tuned.
  • Scanning – Channel hopping is great for discovery, as it will eventually tell us about every wireless network in the environment but sometimes we need to just focus on one channel to gain more information about the network. Locking your wireless card to a specific channel can be helpful in uncloaking a hidden network, capturing WPA-PSK 4-way handshake or more packets for further exploitation (such as WEP). Having TWO (or more) wireless cards allow one to channel hop and perform discovery, while the locked cards can gather more information for additional attacks in a more directed manner.
  • Exploitation – Exploitation comes in many forms in wireless networks; weak enterprise encryption, mis-configured authentication configuration, direct client attacks through ad-hoc connections. The best place for exploitation occurs at the weakest link; often the places where corporate assets go when outside of the enterprise environment: a local coffee shop, hotel, or even employee homes where open wireless networks may be de rigueur. These are great places to attack clients directly and observe plaintext traffic that can be leveraged for additional attacks against the enterprise.
  • Post-Exploitation – While exploitation often relies on leveraging a wireless vulnerability or mis-configuration, one can leverage compromised systems to gain information about additional wireless networks, and perhaps even participate in those already in the system’s preferred network list; use what you’ve gained access to in order to push further!
  • Misc (Reporting) – How do you get all of that information from the test into a format that makes sense as part of a vulnerability report? This will take some massaging, but output from tools (such as Kismet capture files and XML output) can often be leveraged within other standard tools to help illustrate risk. One example would be to utilize Kismet’s XML output to generate graphs based on observed wireless network configurations. One could also leverage other tools in new ways, such as leveraging the GISKismet database to query discovered network configurations.  (http://www.haxorthematrix.com/2012/ 12/how-i-use-giskismet-for-more-than- mapping.html) GISKismet, Joshua D. Abraham – http://giskismet.org 

Must-Have Tools

Software

  • Kismet – The best passive wireless discovery and analysis tool that will find all of the Wifi networks supported by the selected adapter (even cloaked/hidden networks). It is extensible through a plug-in architecture to support attacks, and additional wireless discovery, such as Bluetooth, Zigbee, DECT and others. Linux and OSX only. By Kismet, Mike Kershaw http://www.kismetwireless.net
  • Wireshark – A packet capture and analysis tool that is continually updated to improve protocol dissectors to translate the raw captures to human-readable format. Supports 802.11, 802.15.4, DECT and many other common wireless protocols. Supported on Linux, Windows and OSX. By Wireshark, Riverbed Technology, & Gerald Combs http://www.wireshark.org
  • Aircrack-ng suite – A “swiss-army” collection of tools from WEP and WPA cracking, packet capture decrypting, packet capture relationship analysis, and tunnel building tools supported under Linux, Windows and OSX. By Aircrack-ng, Thomas d’Otreppe http://www.aircrack-ng.org
  • Netmon – If you absolutely must capture in monitor mode under Windows, this is your huckleberry. In fact, it is the only huckleberry in town under Vista/7/8. By Netmon, Microsoft Corporation http://www.microsoft.com/en-us/download/details.aspx?id=4865
  • Kali Linux – Need some other wireless or other penetration testing tool? Chances are that the developers of Kali Linux (the successor to Backtrack 5) have gone through the trouble of making it work for you in this preconfigured penetration testing LiveCD/VM. By Kali Linux, Offensive Security http://www.kali.org/downloads
  • Scapy – Want to take your wireless testing to the next level by fuzzing all manner of protocols? Use Scapy with python to craft your own packets from scratch. Linux only. By Scapy, Philippe Biond http://www.secdev.org/projects/scapy

Hardware

*These tools are available on a commercial (cost) basis.

Great Resources for Staying Current

Associated SANS Courses

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses www.sans.org/sec617

–Larry Pesce

Mobile Device Tips, Tricks and Resources

By Josh Wright

[In this third installation of tips originally included in the Ultimate SANS Pen Test Poster, we’ll turn to Josh Wright’s tips for mobile device penetration testing.  Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current.  Nice stuff!

Click these links for the first two articles in this series:
John Strand’s tips on network penetration testing
Steve Sims’ tips on exploit development
–Ed.]

Methodology Tips

  • Recon – Identify the types of mobile devices used in the target environment, and the applications used. Consider using social networking data (“Posted with Tweetie for iOS”), e-mail headers (“X-Mailer: iPhone Mail (10B143)”) or Satori fingerprints for insider or public network/hotspot attacks.
  • Scanning – For local mobile device attacks, identify the wireless networks sought by the mobile device by inspecting network probes. Commonly weak network names such as “attwifi” and “linksys” are easy targets to impersonate and lure a victim into a hostile network.
  • Exploitation – Use man-in-the-middle attacks to intercept and inspect network protocols. Use traffic insertion attacks to deliver client-side exploits to vulnerable devices, or manipulate captured traffic to exploit supporting back-end mobile application servers. If you have physical possession of a device, bypass device passcode use by physically connecting the device to an attack workstation to root or jailbreak the device, exposing the filesystem data.
  • Post-Exploitation – Inspect commonly sensitive data areas on mobile devices for information such as the Notes, SMS, and browser history databases. Look for stored passwords in third-party applications, and for opportunities to extract saved passwords from keychain storage. If it is within  scope, consider adding a backdoor to the mobile device and returning to the end-user, giving you remote access to trusted networks.

Must-Have Tools: Software

  • Android Emulator and SDK Tools – The Android Emulator is almost as good as having real Android hardware since it can be used to run and assess Android applications. Pen testers can install the Android Emulator and the associated SDK tools for use in evaluating Android applications, and for attacking “stolen” Android devices. By Google http://developer.android.com/sdk
  • Plist Editor for Windows – The Plist Editor for Windows makes it easy to view and search binary or ASCII preference list files from compromised Apple iOS devices. Pen testers can use the Plist Editor for Windows to extract data from iOS built-in or third-party applications and harvest credentials or other sensitive data from numerous weak applications. By VOWSoft, Ltd.
    http://www.icopybot.com/plist-editor.htm
  • SQLiteSpy – SQLiteSpy reads, searches, and converts SQLite database files used on iOS and Android devices. Pen Testers can inspect the compromised contact, GPS history, browser history, SMS messages and more with SQLiteSpy. By Ralf Junker http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index
  • Elcomsoft Phone Password Breaker* – EPPB is used to brute- force passwords on Apple iTunes backups, BlackBerry backups, and to bypass BlackBerry lock screen passcodes. Pen testers can use EPPB to decrypt and extract Apple and BlackBerry backup data from compromised hosts, and to bypass the passcode selection on BlackBerry devices. By Elcomsoft http://www.elcomsoft.com/eppb.html
  • iPhone Data Protection Tools – The iDPT suite creates an alternate iOS boot environment, allowing pen testers to brute-force PIN- based passcodes on older iPhone, iPod Touch and iPad devices.  By Jonathan Zdziarski and a community of contributing developers http://code.google.com/p/iphone-dataprotection
  • Redsn0w – Redsn0w is an all-purpose iOS jailbreaking tool for iOS 5 devices. If device theft is in the scope of the mobile device pen test, the pen tester can jailbreak and access confidential data on stolen devices using Redsn0w. By iPhone Dev Team http://www.redsn0w.us
  • Satori – Satori is a multi-faceted passive operating system fingerprinting tool, combining results from over 25 different protocols for precise results. Pen testers can use Satori to monitor LAN or WLAN traffic and identify the mobile devices that are present to target. By Eric Kollmann  http://chatteronthewire.org 
  • Burp Suite* – Burp Suite is commonly used for web application assessments, but it also makes a powerful HTTP/S network manipulation tool when combined with a man-in-the-middle attack. Pen testers can use Burp Suite to exploit HTTP-based mobile applications with server-side and client- side injection attacks. By PortSwigger, Ltd. http://portswigger.net/burp
  • Ettercap – Ettercap is a powerful man-in-the-middle tool, adding powerful network traffic manipulation and plugin functionality to exploit downstream devices. Pen testers can use Ettercap to capture plaintext passwords, intercept SSL traffic, and manipulate DNS name resolution on mobile devices. By Alberto Ornaghi, Marco Valleri, Emilio Escobar, and Eric Milam  http://ettercap.github.com/ettercap
  • Mercury Framework – The Mercury Framework is an Android security testing platform using a client/server architecture with plugin support for dynamic exploit delivery. Pen testers can use Mercury to evaluate the threat of malware on an Android platform, developing or leveraging available exploits to take advantage of Android platform vulnerabilities.  By Daniel Bradberry https://github.com/mwrlabs/mercury
  • iPhone Configuration Utility – The iPCU tool from Apple provides a set of iOS device management features for small organizations, creating XML profiles that can be installed on iOS devices to specify wireless networks, platform settings, certificate trust, and more. Pen testers can use iPCU to create malicious profiles, adding the attacker as a new trusted root CA as part of a phishing assessment. By Apple Corporation http://www.apple.com/support/iphone/enterprise

Must-Have Tools: Hardware

  • Google Nexus* – The Google Nexus is the perfect hardware for experimenting with Android attacks with WiFi, Bluetooth, and NFC wireless capabilities. As a “Google Experience” device, the Nexus also receives software updates to stay current with new Android OS features.  By Google http://www.google.com/nexus
  • iPad Mini* – A lower-cost alternative to an iPad or an unsubsidized iPhone, the iPad Mini runs all iOS applications. After jailbreaking the iPad Mini, pen testers can install and target vulnerable applications, or test the impact of attacks before delivering them to the production target environment. By Apple Corporation http://www.apple.com/ipad-mini 

* These tools are available on a commercial (cost) basis.

Great Resources for Staying Current

Twitter@pod2g |@lookout| @pof | @pentesttips | @joswr1ght

Associated SANS Courses

SEC575: Mobile Device Security and Ethical Hacking   www.sans.org/sec575    
–Josh Wright
Counter Hack