Gates

TEMPEST, Conspiracy Theories and Tinfoil Dreams

| March 23, 2007


By Chris Gates, CISSP, CPTS, CEH

Ok, prepare to strap that tinfoil hat on two notches below excruciating: we're going to talk about TEMPEST. What is TEMPEST? It's defined in NSTISSI 7000 as:

Electronic and electromechanical information-processing equipment can produce unintentional intelligence-bearing emanations, commonly known as TEMPEST. If intercepted and analyzed, these emanations may disclose information transmitted, received, handled, or otherwise processed by the equipment. (1)

and in NSTISSI 7003 (TEMPEST GLOSSARY) as:

“A short name referring to investigations and studies of compromising emanations. It is often used synonymously for the term "compromising emanations"; e.g., TEMPEST tests, TEMPEST inspections.” (2)

Compromising Emanations (CE) are defined as:

“Unintentional intelligence-bearing signals, which, if intercepted and analyzed, disclose the national security information transmitted, received, handled or otherwise processed by any information-processing equipment.” (3)

Clear as mud? What this means is that your computer, your monitor, the CAT5 cable from your computer to your router, the coax into your cable modem, and even the power cord going into the wall can radiate or conduct those unintentional signals some distance from your computer, where they could be intercepted either off the wires or through the air. Ok, maybe one more notch on that hat.


Tutorial: MS Terminal Server Cracking

| January 4, 2007

 


By Chris Gates, CISSP, CPTS, CEH 

If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you: TSGrinder, TScrack, and a patched version of rdesktop. This article and its companion, Video: Terminal Server / RDP Password Cracking, take you step-by-step through the concepts, tools and usage.

TSGrinder is readily available from http://www.hammerofgod.com/download.html.
TSCrack you’ll have to google for as it is not readily available anymore.
rdesktop v1.4.1 can be downloaded from http://www.rdesktop.org/ and you'll need the patch from foofus.net: http://www.foofus.net/jmk/rdesktop.html.


Video: Terminal Server / RDP Password Cracking

| January 3, 2007


MS Terminal Services on Windows Server and Remote Desktop on Windows XP both speak RDP and allow remote interactive logons to those machines. Just like Telnet and SSH, these are powerful connections that in most cases are protected only by a username and password. Several publicly available tools perform dictionary and brute-force attacks against them: TSGrinder and TScrack for Windows, and rdesktop (with a patch) for *nix. In this video we will see some example attacks using these tools.

For further details and references on all technology and concepts seen in the video, please read its companion article, Tutorial: MS Terminal Server Cracking.
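Neither the tutorial nor the video covers the defender's side of the same guessing attack, so here is an added example (my code, not the article's and not part of TSGrinder, TScrack or the rdesktop patch) of the detection logic a practitioner would run over Windows Security events to catch what those tools do. It assumes the events have been flattened to a simple CSV form (timestamp, event ID, logon type, target user, source IP); the sample lines below are constructed, not captured. Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is what an RDP connection produces, so other logon types are ignored. Since RDP is usually guarded only by a username and password, the practical counters are an account lockout policy, limiting who can reach port 3389, and monitoring like this.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): Windows Security events flattened to
# "timestamp,event_id,logon_type,target_user,source_ip".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2007-01-04T10:00:01,4625,10,administrator,10.0.0.5
2007-01-04T10:00:09,4625,10,administrator,10.0.0.5
2007-01-04T10:00:17,4625,10,administrator,10.0.0.5
2007-01-04T10:00:25,4625,10,backup,10.0.0.5
2007-01-04T10:00:33,4625,10,administrator,10.0.0.5
2007-01-04T10:00:41,4625,10,administrator,10.0.0.5
2007-01-04T10:00:49,4624,10,administrator,10.0.0.5
2007-01-04T10:01:00,4625,10,jsmith,10.0.0.9
2007-01-04T10:01:20,4624,10,jsmith,10.0.0.9
2007-01-04T10:02:00,4625,3,svc_sql,10.0.0.7
2007-01-04T10:02:01,4625,3,svc_sql,10.0.0.7
2007-01-04T10:02:02,4625,3,svc_sql,10.0.0.7
2007-01-04T10:02:03,4625,3,svc_sql,10.0.0.7
2007-01-04T10:02:04,4625,3,svc_sql,10.0.0.7
"""

RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=5)
THRESHOLD = 5          # failures per source within WINDOW that count as guessing


def parse_event(line: str):
    """Split one flattened event line into typed fields (assumed CSV layout)."""
    ts, event_id, logon_type, user, src_ip = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src_ip


def detect_rdp_guessing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, src_ip, user, timestamp) tuples.

    Counting is keyed on the source address rather than the account, so a
    password spray (one guess against many accounts) is caught as well as a
    dictionary run against a single account.
    """
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of RDP 4625s in window
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, src_ip = parse_event(line)
        if logon_type != RDP_LOGON_TYPE:
            continue                        # network/service logons are out of scope here
        q = recent_failures[src_ip]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            if len(q) == threshold:         # fire once, when the threshold is crossed
                alerts.append(("rdp_guessing", src_ip, user, ts.isoformat()))
        elif event_id == 4624 and len(q) >= threshold:
            # A success right after a burst of failures is the high-fidelity signal:
            # the guessing most likely worked.
            alerts.append(("rdp_guess_succeeded", src_ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample, 10.0.0.5 trips the threshold on its fifth failure and then logs on successfully, producing both alert kinds; the single failure from 10.0.0.9 and the type-3 network logons from 10.0.0.7 produce nothing. The success-after-burst alert is the one worth paging on.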

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Video: Metasploit, RRAS and VNC

| November 25, 2006


A more detailed intro is on the way. 

Follow along as we perform the following hack:

  • MSF 2.6 Web Interface
  • RRAS Exploit
  • VNC Payload

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Video: RainbowCrack after MS-SQL/Pwdump Hack

| November 24, 2006


Although it does not follow the exact steps of the article, this video is a companion to Chris Gates' highly popular, definitive work entitled Tutorial: Rainbow Tables and RainbowCrack.

Follow along as we perform the following hack:

  • Hack an MS SQL box.
  • Dump the password hashes with Pwdump.
  • Crack the hashes utilizing rainbow tables.

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Tutorial: Rainbow Tables and RainbowCrack

| November 5, 2006

Rainbow tables trade a large one-time precomputation for fast lookups against a single password hash: the attacker precomputes hash chains covering nearly every password in a chosen character set and stores only the chain start and end points, not every hash. Rainbow Tables and RainbowCrack come from the work and subsequent paper by Philippe Oechslin [1]. The method, known as the Faster Time-Memory Trade-Off Technique, builds on Martin Hellman's 1980 time-memory trade-off for cryptanalysis and Ronald Rivest's distinguished-point refinement of it from the early 1980s. In his paper published in 2003, Oechslin refined the technique (a different reduction function for each column of the chain, so two chains merge only if they collide in the same column) and showed that the attack could crack 99.9% of Microsoft's LAN Manager alphanumeric password hashes in 13.6 seconds, versus 101 seconds for the distinguished-point approach. The refinement also reduces the number of false alarms the lookup has to reject.
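To make the trade-off concrete, here is a miniature rainbow table written for this page (my code, not RainbowCrack's or Oechslin's). Assumptions: MD5 stands in for the LM hash (LM needs DES, which is not in the standard library), the password space is four lowercase letters, and chains are 100 steps long; the parameters are hypothetical. It shows the three things the paragraph describes: per-column reduction functions, storage of end points only, and the hash check that rejects false alarms on lookup. The technique only applies to unsalted hashes such as LM and NTLM; a per-password salt multiplies the space to precompute by the number of possible salts.

```python
import hashlib
import random

# Toy parameters (assumptions, not from the article or RainbowCrack).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN     # 456,976 candidate passwords
CHAIN_LEN = 100                     # t: hash/reduce steps per chain


def H(pw: str) -> bytes:
    """The hash under attack. MD5 stands in for LM; any unsalted hash works the same way."""
    return hashlib.md5(pw.encode()).digest()


def int_to_pw(n: int) -> str:
    """Map an integer in [0, SPACE) onto a password string."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_pw(h: bytes, col: int) -> str:
    """Reduction function R_col: hash -> password.

    Oechslin's refinement is that every column uses a different R, so two chains
    only merge if they collide in the same column; Hellman's single-R tables
    merge on a collision anywhere.
    """
    return int_to_pw((int.from_bytes(h[:8], "big") + col) % SPACE)


def chain_value(start: str, col: int) -> str:
    """Password sitting in column col of the chain that begins at start (col 0 = start)."""
    pw = start
    for c in range(col):
        pw = reduce_to_pw(H(pw), c)
    return pw


def build_table(n_chains: int, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute n_chains chains; keep only end point -> start point."""
    table = {}
    for k in range(n_chains):
        start = int_to_pw(k)                # deterministic start points
        end = chain_value(start, chain_len)
        table.setdefault(end, start)        # merged chains share an end; keep the first
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return a preimage of target, or None if it lies in no stored chain."""
    # Guess that target is the hash in column j, walk the rest of the chain to
    # its end point and see whether that end point is stored. Start from the
    # last column because that walk is the shortest.
    for j in range(chain_len - 1, -1, -1):
        pw = reduce_to_pw(target, j)
        for col in range(j + 1, chain_len):
            pw = reduce_to_pw(H(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        # Regenerate from the stored start to column j and verify. An end-point
        # hit can be a false alarm caused by a merge, so this check is mandatory.
        cand = chain_value(start, j)
        if H(cand) == target:
            return cand
    return None


def coverage(table: dict, trials: int = 200, seed: int = 1) -> float:
    """Fraction of random passwords the table recovers (the table is probabilistic)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if lookup(table, H(pw := int_to_pw(rng.randrange(SPACE)))) == pw)
    return hits / trials


if __name__ == "__main__":
    table = build_table(3000)
    print(f"{len(table)} distinct end points stored for 3000 chains")
    print(f"coverage on random passwords: {coverage(table):.0%}")
    print("preimage of H('gate'):", lookup(table, H("gate")))
```

Memory is m end points instead of N hashes, and a lookup costs about t squared over two hash operations instead of one table read; that is the trade-off in the technique's name. Coverage rises with m times t relative to the space, but merges mean it never reaches 100% from a single table, which is why real tables are built in several independent sets.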

Caution: With tools such as these, we do not condone their use for anything but testing networks for which you have the authority and for implementing defensive measures. Have fun!


Video: DCOM Attack with Metasploit’s Meterpreter

| October 4, 2006


Follow along as we perform the following hack:

  • Use the MSF 2.6 Web Interface to exploit a host with the DCOM exploit.
  • Explore the Meterpreter payload and its various options.
  • Upload Pwdump2 to dump the SAM hashes then delete the evidence. Alternatively we could have loaded the SAM module and used that to dump the hashes.

From the Metasploit Project:

The Meterpreter is an advanced multi-function payload that can be dynamically extended at run-time. In normal terms, this means that it provides you with a basic shell and allows you to add new features to it as needed. Please refer to the Meterpreter documentation for an in-depth description of how it works and what you can do with it. The Meterpreter Manual can be found in the "docs" subdirectory of the Framework as well as online. 

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Video: MS SQL Preauth Attack, Pwdump and John the Ripper

| September 1, 2006


Follow along as we perform the following hack: 

  • Exploit of the MSSQL 2000 Hello Buffer Overflow using the C port of the MSF module mssql2000_preauthentication.pm (thanks MC!)
  • Add a user to the local administrators group
  • Use pwdump3e to connect to the host with our administrative level credentials
  • Dump the SAM hashes
  • Crack them using John the Ripper

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates
