Friday, March 1, 2013

Cuckoo Virtualization

I had been doing some reading on the Cuckoo Sandbox and wanted to take it for a test drive, and after reading a bit of the documentation from the project homepage I didn't immediately see a reason why I should have to rearrange my home network.

The basic plan is to make use of a virtual machine to install the Cuckoo Sandbox host and have it contain VirtualBox along with a target machine which will initially be XP. I'm writing this down to take notes for myself and have a record of the experience kept online in case someone happens to stumble upon this post down the road.

If all goes well, my test instance will look like this:
Windows 7->VMware Workstation->Ubuntu->VirtualBox->XP

The host machine has 24GB of RAM and I have given over 8GB to the Ubuntu VM.

Install Ubuntu
I went through a default install of Ubuntu 12.04.1 and initially forgot to install the Desktop, which may or may not be required but would make things easier when it comes to VirtualBox, which I have not spent much time using on a Linux host. I reran tasksel, selected the Ubuntu Desktop option and went from there.

Installing VirtualBox
Download the Oracle apt key and install VirtualBox with the following commands, found at https://www.virtualbox.org/wiki/Linux_Downloads

  • wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
  • apt-get update
  • apt-get install virtualbox

Launch VirtualBox and do a default install of XP. Proceed with the installation of Cuckoo Sandbox as per the directions on docs.cuckoosandbox.org.

The Cuckoo installation was very straightforward, with the only minor issues being the yara and pydeep installations, which the instructions intentionally do not cover. It was only a matter of finding the right dependencies for the packages, but it required a little bit of digging all the same.

I may go back through the installation again to document the full requirements, but here are a few notes:
pydeep required ssdeep from SourceForge and also required that python2.7-dev be installed via apt-get install python2.7-dev.

Other packages required included git. Git clone the pydeep repository and run the python setup.py build and sudo python setup.py install commands once all dependencies are met. Any time a package installation failed, a Google search was required to see what the cause was.

yara-python requires yara. Download both packages from the yara Google Code project site and install yara first, then yara-python.


Sunday, April 24, 2011

Dark Clouds...

Recently Amazon's EC2 service has experienced a bit of a hiccup (to put it mildly) and as I've been reading through samples of the coverage a few thoughts have been occurring to me. Judging by the articles I've read to date, it would appear that there's something in there for everyone with a thought/stake/opinion on cloud services.

The naysayers now have a new example to point to when they look for a reason to reject moving any operations into the cloud and those in support of cloud have a new hurdle to overcome. I've got a feeling a whole new series of negative ads will be following from cloud service providers that want to let us all know exactly why this could never happen to them.

The likely reality is that the availability and uptime that can be achieved through a cloud service provider would still far outpace anything achieved by the majority of those pointing at the current incident as reassurance that keeping all services in house has been the right thing to do.

Any service interruption at the provider level is going to reveal its fair share of overly enthusiastic adopters who have pushed the limits of what should reasonably be entrusted fully and completely to the cloud. In response, expect an upcoming series of soapbox articles to come out of the security geek peanut gallery pointing out the series of #fail.

As always, blindly dismissing or trusting any solution without performing your own due diligence seems silly. Learn to make the most of the information that is being released but also try to filter out the noise and the hype and consider the real implications to your specific situation.

Wednesday, April 20, 2011

Search Remote Machines for Specific File

I know I have heard of utilities that provide remote search functionality, but I was unable to remember the exact name of the utility. My Google-fu was insufficiently strong to find a utility to do exactly what I am trying to do, so this is the result:

This is a compilation of a few code snippets that I have cobbled together to meet my immediate requirements. To run the script and get useful results, the requirements are:
1. Must be run as a user that already has WMI access to the remote machines.
2. The input file consists of a series of hosts, one per line, that will be iterated through.
3. Will only check files on the default system drive to my knowledge (I suspect a minor modification would allow searching other drives).
4. Must change the variables strInputFile, strFileName and strFileExt to correspond with the source input file and what you are looking for.

Happy searching....

' filecheck.vbs
' VBScript program written to check for a file on a list of remote servers.
' Currently hard coded to read the host list from a text file named
' servers.txt in the same directory as this script.
'
' This script assumes the currently logged on account has access to the WMI
' service on the remote machines. Each instance of a matching file on the
' remote system results in the hostname and the filename, including full
' path, being displayed.
'
' Only fixed local drives (Win32_LogicalDisk DriveType = 3) are searched.
'
'
' Based off sample script by:
' ----------------------------------------------------------------------
' Copyright (c) 2007-2010 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - January 2, 2007
' Version 1.1 - November 6, 2010 - No need to set objects to Nothing.
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.

Option Explicit

Dim locobjWMIService, remobjWMIService
Dim listFile, fso, hname, colItems, objItem, driveItems, driveLetter
Dim strInputFile
Dim strFileName
Dim strFileExt

strInputFile = "servers.txt"
strFileName = "desktop"
strFileExt = "ini"

' Connect to the WMI service on the local computer (used by PingMachine).
Set locobjWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & ".\root\cimv2")

Set fso = CreateObject("Scripting.FileSystemObject")
Set listFile = fso.OpenTextFile(strInputFile)

Do While Not listFile.AtEndOfStream
    On Error Resume Next
    hname = Trim(listFile.ReadLine())

    ' Ping the remote computer to see if it is online.
    If PingMachine(hname) = True Then
        Err.Clear
        Set remobjWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate}!\\" & _
            hname & "\root\cimv2")

        If Err.Number <> 0 Then
            ' Host answers ping but WMI is not reachable (firewall, rights, service).
            WScript.Echo "Computer " & hname & ", WMI connection failed: " & Err.Description
            Err.Clear
        Else
            ' WMI query to retrieve the list of local fixed drives.
            Set driveItems = remobjWMIService.ExecQuery _
                ("Select * from Win32_LogicalDisk where DriveType = 3")

            For Each driveLetter In driveItems
                WScript.Echo "Drive Letter " & driveLetter.DeviceID & " is Present"

                ' WMI query to retrieve matching files on this drive.
                Set colItems = remobjWMIService.ExecQuery _
                    ("Select * from CIM_DataFile where Drive = '" & _
                    driveLetter.DeviceID & "' and FileName = '" & _
                    strFileName & "' and Extension = '" & strFileExt & "'")

                ' One output line per matching file: hostname,full path
                For Each objItem In colItems
                    WScript.Echo hname & "," & objItem.Name
                Next
            Next
        End If
    Else
        WScript.Echo "Computer " & hname & ", NOT available"
    End If
Loop

Function PingMachine(ByVal strHost)
    ' Returns True if strHost can be pinged.
    ' Variable locobjWMIService has global scope
    ' and must be declared in the main program.
    Dim colPings, objPing

    PingMachine = False
    Set colPings = locobjWMIService.ExecQuery _
        ("SELECT * FROM Win32_PingStatus " _
        & "WHERE Address = '" & strHost & "'")
    For Each objPing In colPings
        If objPing.StatusCode = 0 Then
            ' Computer responded to ping.
            PingMachine = True
            Exit Function
        End If
        ' Any other status code: no response.
    Next
End Function
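The same search written in PowerShell, as an added example that is not part of the original post: it reads servers.txt, pings each host, enumerates the fixed drives over CIM/WMI and runs the CIM_DataFile query with the file name and extension escaped so that a quote or backslash in the search value cannot break the WQL filter. The parameter defaults mirror the VBScript's variables; the helper names are my own.

```powershell
# Added example (not the original post's script): CIM/WMI file search across
# the hosts listed in servers.txt, one per line. Requires the running account
# to have WMI access on the remote hosts.
param(
    [string]$InputFile = 'servers.txt',
    [string]$FileName  = 'desktop',
    [string]$FileExt   = 'ini'
)

# WQL string literals use single quotes and backslash escapes; escape both so
# a search value such as "it's" cannot terminate the literal early.
function ConvertTo-WqlLiteral([string]$Value) {
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Find-RemoteFile {
    param([string]$ComputerName, [string]$Name, [string]$Ext)
    # Only fixed local disks (DriveType 3), as in the VBScript version.
    $drives = Get-CimInstance -ComputerName $ComputerName -ClassName Win32_LogicalDisk `
                  -Filter 'DriveType = 3' -ErrorAction Stop
    foreach ($d in $drives) {
        $filter = "Drive = '{0}' AND FileName = '{1}' AND Extension = '{2}'" -f `
                  (ConvertTo-WqlLiteral $d.DeviceID),
                  (ConvertTo-WqlLiteral $Name),
                  (ConvertTo-WqlLiteral $Ext)
        Get-CimInstance -ComputerName $ComputerName -ClassName CIM_DataFile -Filter $filter |
            ForEach-Object { [pscustomobject]@{ Host = $ComputerName; Path = $_.Name } }
    }
}

Get-Content $InputFile | Where-Object { $_.Trim() -ne '' } | ForEach-Object {
    $h = $_.Trim()
    # Test-Connection -Quiet plays the role of the Win32_PingStatus check;
    # unreachable hosts are reported rather than silently skipped.
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        Write-Warning "Computer $h, NOT available"
        return
    }
    try {
        Find-RemoteFile -ComputerName $h -Name $FileName -Ext $FileExt
    } catch {
        # A host that answers ping but refuses WMI (firewall, rights) lands here.
        Write-Warning "Computer $h, CIM query failed: $($_.Exception.Message)"
    }
}
```

As with the VBScript, a CIM_DataFile query without a Path condition walks the whole drive on the remote host, so expect it to take a while on large disks.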

Friday, April 15, 2011

MS11-020 and Criticality ratings

Another good lesson in watching for patch criticality occurred this week. On Tuesday Microsoft released their load of 17 bulletins covering 64 separate issues, and we were all left with the task of attempting to prioritize. At the best of times this isn't an easy task, and while it would be really nice if we could simply state 'patch them all now', the reality is that there are a finite number of staff and resources available to run through QA of these patches, so being able to offer some form of prioritization will realistically ensure that the most important patches are rolled out as soon as practical.

I have become a big fan of the additional guidance that Microsoft provides in terms of the exploitability index and additional technical detail. Likewise, the folks at SANS provide a free resource at the Internet Storm Center. All these resources make our job of prioritizing a little easier, but it's important to keep in mind a couple of additional details. While the existence of an exploit in the wild is important, an exploit that requires a user to be tricked into opening a file or visiting a malicious site lessens the potential impact. On the other end of the spectrum, the potential for a vulnerability to be weaponized to become the next big Internet worm needs to be kept in mind despite assurances in advisories that suggest normal port filtering will prevent access to services such as SMB.

Strict formulas are good to get a general sense of priorities, but it's important to conduct a triage and take into consideration both the existing safeguards that lower these initial ratings and the potential for a vulnerability that has no known exploit to be quickly turned into a serious threat to large portions of your infrastructure.

Today, MS11-020 was updated to a Patch Now criticality by SANS based upon notifications from Microsoft. For some who take the publicly available recommendations as gospel this could mean reprioritizing staff to put an extra rush on getting MS11-020 out the door; for others who did a bit of homework and read through the technical details prior to making a determination, little has changed.

I'll be keeping my fingers crossed on MS11-020 and watching out for a couple additional patches from this last batch.

Thursday, April 14, 2011

Walking a mile...

Working with computers on the defensive end of the spectrum does have its moments when you succeed in making the life of the attackers ever so slightly more difficult through the implementation of a new safeguard or by identifying and correcting weaknesses throughout a network. Playing on the defensive end also comes with its fair share of fail when your best efforts aren't good enough.

On the attacking end, probing, discovering and leveraging exposures in systems also provides its fair share of victory and defeat. However, I'm starting to discover that both sides of the industry can become a little stagnant if you don't take it upon yourself to liven it up from time to time.

For some, the spice will flow if they decide to take a deeper dive and blaze a new trail in a specific field of research where they push the boundaries of defensive or offensive tactics. Others decide that IT and playing these silly games are no longer how they want to spend their lives and leave their laptops and stress behind and pursue a different career.

Over the years, I have been fortunate enough to have had the chance to dabble in many different areas within the IT and security fields and have come to enjoy the wealth of new learning experiences that are out there waiting to be had. I can make no claim as to being particularly proficient in any one specific area but each time I get to tackle a new area I always gain an appreciation for those of us who spend our career working to develop a specialty and push those boundaries.

The security industry can be harsh. There's never a shortage of people out there looking for the next thing to criticize whether it's management who "have no clue and never listen to us", a security company who finds themselves under close public scrutiny for getting "pwned" or the developers who "don't have the slightest clue how to prevent "

Think we'd all be a lot better off if we spent a little less time complaining and a little more time walking a mile...

My next mile:
Over the past number of years I have done minimal coding during the course of my work. The closest I have managed to come is a rudimentary ability to cobble together a piece of quasi functional code in whichever scripting language is closest at hand. The intention of which is to provide automation of tasks that would otherwise become very monotonous.

Until the next shiny object distracts me, I've decided to start the process of learning how to develop applications for a mobile platform. My goal isn't to attack any of these apps but to gain an appreciation for the development community, whose successes actually provide business value and whose failures keep giving all the negative dipshits in our community something to complain about.


Back Again

So after a few months experimenting with running my own blog software on a WordPress installation, I have decided that the work and time required to track and maintain security updates is not something I am willing to commit to. I have retired my WordPress before it gets taken over by spammers/attackers and will resume posting on this site instead.

Postings will likely continue to be sporadic and serve mainly as a repository for me to keep track of certain projects that temporarily catch my attention.

Sunday, October 3, 2010

Battling nmap options

Finally starting my lab time for the Backtrack training and have been experiencing quite a bit of funstration as a result.

Access to the lab is via an OpenVPN connection, and as a result there are a couple of scanning switches that I'm gradually realizing are becoming my nmap friends. Using nmap 5.35 for nmap scripting goodness. Very quickly:

--send-ip
I haven't looked into this in great detail, but without this option it appears that nmap may be assuming that another IP address in my subnet is close enough to default back to an ARP scan. As my connection has high latency coupled with the VPN access, I've been battling a number of my scans failing to detect an online host even with the -Pn option.

--host-timeout