Mark Russinovich demonstration of Stuxnet, Flame, & more.

In between troubleshooting Windows Server 2008 SYSVOL replication errors this week, I remembered wanting to mention Mark Russinovich’s videos on TechNet from when he demonstrated Stuxnet and Flame in virtual machines last year. I think I forgot to post the link, so here it is; it was pretty entertaining. You can watch the video from June 11, 2012 at TechEd here:

I solved a pretty annoying problem today when I finally found the solution to my SYSVOL replication error on a 2008 Server domain controller whose root path was being improperly labeled as \\?\C:\Windows\SysVol\Sysvol\Domainname.
The solution was simple but took me a while to find. All you have to do is open ADSIEdit on the 2008 domain controller, navigate to the msDFSR root path, then edit the path that has the question mark and delete the first three characters. For the exact steps just check out the link at the end. Here is one of the TechNet articles that helped me get to the bottom of this:

Here is a link to the workaround which enables you to remove the bloody question mark that was causing me grief.
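As an added example (not from this post or the TechNet article), here is a PowerShell audit of every domain controller's msDFSR-RootPath that reports values carrying the `\\?\` extended-path prefix and, only with -Fix, strips that prefix. It assumes the ActiveDirectory (RSAT) module and an account permitted to edit the DFSR-LocalSettings objects; confirm the exact characters ADSIEdit shows on your DC before running it with -Fix.

```powershell
# Added example, not code from the post: audit msDFSR-RootPath on each DC for
# the "\\?\" prefix that breaks SYSVOL replication, and optionally remove it.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-BrokenSysvolRootPath {
    param([switch]$Fix)
    # msDFSR-RootPath lives on the msDFSR-Subscription object under each DC's
    # CN=DFSR-LocalSettings container, so search beneath the Domain Controllers OU.
    $dcOu = 'OU=Domain Controllers,' + (Get-ADDomain).DistinguishedName
    $subs = Get-ADObject -SearchBase $dcOu `
                         -LDAPFilter '(objectClass=msDFSR-Subscription)' `
                         -Properties 'msDFSR-RootPath'
    foreach ($s in $subs) {
        $path = $s.'msDFSR-RootPath'
        # A healthy value looks like C:\Windows\SYSVOL\domain; skip those.
        if ($path -notmatch '^\\\\\?\\') { continue }
        # Drop only the leading \\?\ and keep the rest of the path untouched.
        $fixed = $path -replace '^\\\\\?\\', ''
        if ($Fix) {
            Set-ADObject -Identity $s.DistinguishedName -Replace @{ 'msDFSR-RootPath' = $fixed }
        }
        [pscustomobject]@{
            Object   = $s.DistinguishedName
            Current  = $path
            Proposed = $fixed
            Applied  = [bool]$Fix
        }
    }
}

# Report only by default; rerun with -Fix once the proposed paths look right.
Get-BrokenSysvolRootPath | Format-List
```

The change is written to the DC's own DFSR-LocalSettings object, so it replicates through AD like the ADSIEdit edit the post describes; restart the DFS Replication service afterwards and watch the DFSR event log for the SYSVOL share to come back.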

HackInTheBox Security Conference Slides (PDFs)

Here is the Schedule And Presentation Calendar
D1T1 – Barisani and Bianco – Practical Exploitation of Embedded Systems.pdf
D1T1 – Chris Wysopal – Data Mining a Mountain of Vulnerabilities.pdf
D1T1 – Lucas Adamski – Firefox OS and You.pdf
D1T1 – Petko Petkov – History of the JavaScript Security Arsenal.pdf
D1T1 – Philippe Langlois and Emmanuel Gadaix – 6000 Ways and More.pdf
D1T1 – The Pirate Bay – Data is Political – NO SHOW
D1T2 – Don Bailey – Hackers, The Movie – A Retrospective.pdf
D1T2 – Haroon Meer – You and Your Research.pdf
D1T2 – Marc Heuse – IPv6 Insecurity Revolutions.pdf
D1T2 – Mark Dowd & Tarjei Mandt – iOS6 Security.pdf
D1T2 – Meder Kydyraliev – Defibrilating Web Security.pdf
D1T2 – Wes Brown – Supercomputing, Malware and Correlation.pdf
D1T3 – Charlie Miller – Attacking NFC.pdf
D1T3 – F Raynal & G Campana – An Attack Path to Jailbreaking Your Home Router.pdf
D1T3 – John Draper – A Historical Look at the Personal Computer and Phreaking.pdf
D1T3 – Jose Nazario – Tracking Large Scale Botnets.pdf
D1T3 – Paul Sebastian Ziegler – Hacking in the Far East.pdf
D1T3 – The Grugq – OPSEC – Because jail is for wuftpd.pdf
D2T1 – Chris Evans – Element 1337 in the Periodic Table – Pwnium.pdf
D2T1 – Katie Moussouris – How to Get Along with Vendors Without Really Trying.pdf
D2T1 – Ollie Whitehouse – Finding the Weak Link in Binaries.pdf
D2T1 – Paul Vixie – Silo Busting in Information Security – NO SLIDES
D2T1 – Rodrigo Branco – A Scientific Study of Malware Obfuscation
D2T1 – Shreeraj Shah – XSS and CSRF Strike Back Powered by HTML5.pdf
D2T2 – Fyodor Yarochkin and Vladimir – Messing up the Kids Playground.pdf
D2T2 – Jeremiah Grossman – Why Web Security is Fundamentally Broken.pdf
D2T2 – Raoul Chiesa – Information Warfare and Cyberwar.pdf
D2T2 – Saumil Shah – Innovative Approaches to Exploit Delivery.pdf
D2T3 – Emmanuel Gadaix – Something MEGA.pdf
D2T3 – Felix FX Lindner – Hacking Huawei VRP.pdf
D2T3 – Mikko Hypponen – Behind Enemy Lines.pdf
D2T3 – Stefano Zanero – Behaviour-Based Methods for Automated Scalable Malware Analysis.pdf

Thank YOU to Security Monkey’s Chief Monkey for the links…

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. Here is the Microsoft Security Advisory page:

However, in Internet Explorer 10 the Windows 8-style UI will only play Flash content from sites listed on the Compatibility View (CV) list, so an attacker who created a malicious Flash object would have to compromise a website already on the CV list. Microsoft also warns users that “By default, all supported versions of Microsoft Outlook and Windows Live Mail open HTML email messages in the Restricted sites zone,” which means that even if the user does not use Internet Explorer, just opening an email in Outlook or a document in Word that invokes an action to a webpage involving Flash Player could be enough to exploit the user. They go on to publish a registry edit that will prevent ActiveX from automatically invoking Flash:

Prevent Adobe Flash Player from running
You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To set the kill bit for the control in the registry, perform the following steps:

Paste the following into a text file and save it with the .reg file extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

Double-click the .reg file to apply it to an individual system.

You can also apply it across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.
Note: You must restart Internet Explorer for your changes to take effect.

Today (October 9th) is Microsoft's infamous Patch Tuesday, and there are a total of 7 bulletins patching about 20 vulnerabilities.

Once you update, however, you will not need to apply this ActiveX kill bit, so it is only here for those who are not planning on updating their systems right away with Windows Update.
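As an added example (not part of the Microsoft advisory text above), this PowerShell check reports whether the Flash Player kill bit (Compatibility Flags 0x400) is actually set under both registry paths from the .reg file, and with -Apply ORs the bit in so any other compatibility flags already present on the control are kept. It assumes an elevated session.

```powershell
# Added example, not from the advisory: verify (and optionally set) the
# ActiveX kill bit for the Flash Player control on this machine.
$Clsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # Flash Player ActiveX CLSID from the advisory
$KillBit = 0x400                                       # "kill bit" value in Compatibility Flags
$Paths   = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit view on 64-bit Windows; the .reg file writes this key too
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-FlashKillBit {
    param([switch]$Apply)
    foreach ($p in $Paths) {
        $flags = 0
        if (Test-Path $p) {
            $v = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($v) { $flags = [int]$v.'Compatibility Flags' }
        }
        $isSet = ($flags -band $KillBit) -ne 0
        if ($Apply -and -not $isSet) {
            if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
            # OR the bit in rather than overwrite, preserving other flags on the control
            Set-ItemProperty -Path $p -Name 'Compatibility Flags' `
                             -Value ($flags -bor $KillBit) -Type DWord
            $isSet = $true
        }
        [pscustomobject]@{
            Path       = $p
            Flags      = ('0x{0:X8}' -f $flags)
            KillBitSet = $isSet
        }
    }
}

# Report only; run Test-FlashKillBit -Apply from an elevated prompt to set it.
Test-FlashKillBit | Format-Table -AutoSize
```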

Protect yourself from Flash and Java exploits!

When you enter my page, you may or may not hear a song start playing.

Many people say you should never have a song play automatically when someone hits your website, but don’t be alarmed: I have decided to do this because I want to show how easy it is to have your browser hijacked. I find that most people do not take me seriously when I explain to them how easy it is to have your computer (or device) compromised. (If you don’t hear the song, then you are safe from Flash attacks.)

When you go to a page that automatically plays Flash video or audio, you are in danger of being hacked. You really should protect yourself against this. Just because you only go to “safe” sites does not mean you are safe. Often hackers will place malicious code into a well-known site, or embed it in an ad or an iframe.

There are many ways to protect yourself; here are three:

  1. Google Chrome lets you go into the settings and choose “Click to Play.”
  2. You may use one of many browser plugins that stop Flash or Java from playing automatically when you visit a page. The best protection is NoScript for Firefox or ScriptNo for Chrome. I use both.
  3. If you use Internet Explorer, I recommend using an application called Sandboxie.

The reason this is important is that a large number of hacks occur when someone visits a “malicious page” which has been configured to automatically exploit Flash Player or Java by taking advantage of the many vulnerabilities in Adobe Flash and Oracle’s Java. If you always keep your plugins up to date you are safer, but new zero-day exploits are discovered all the time. Don’t worry, you are safe on my site, but one day in the future when you click on a search result and see your browser redirect itself to a compromised website, make sure that you are protected from drive-by downloads exploiting Flash and Java. If the music bothers you, you can press pause in the sidebar on the right.

Here’s All You Need to Know about Apple’s UDID Mess…

In the words of the Anonymous post on Pastebin …

Update: Anonymous posted more info on Pastebin here:
IP addresses given as another clue: “for the moment we think it’s quite safe to mention these clues:
3 IPs were involved, 2 of them were like:



“In July 2012 NSA’s General Keith Alexander (alias the Bilderberg Biddy) spoke
at Defcon, the hacker conference in Las Vegas, wearing jeans and a cool EFF
t-shirt (LOL. Wtf was that?). He was trying to seduce hackers into improving
Internet security and colonoscopy systems, and to recruit them, ofc, for his
future cyberwars. It was an amusing hypocritical attempt made by the system to
flatter hackers into becoming tools for the state, while his so-righteous
employer hunts any who doesn’t bow to them like fucking dogs.

We got the message.
We decided we’d help out Internet security by auditing FBI first. We all know
by now they make Internet insecure on purpose to help their bottom line. But
it’s a shitty job, especially since they decided to hunt us down and jail our

It’s the old double standard that has been around since the 80’s. Govt Agencies
are obsessed with witchhunts against hackers worldwide, whilst they also
recruit hackers to carry out their own political agendas.

You are forbidden to outsmart the system, to defy it, to work around it. In
short, while you may hack for the status quo, you are forbidden to hack the
status quo. Just do what you’re told. Don’t worry about dirty geopolitical
games, that’s business for the elite. They’re the ones that give dancing orders
to our favorite general, Keith, while he happily puts on a ballet tutu. Just
dance along, hackers. Otherwise… well…

In 1989 hagbard (23yrs old) was murdered after being involved in cold war spy
games related to KGB and US. Tron, another hacker, was
murdered in 1998 (aged 26) after messing around with a myriad of cryptographic
stuff (yeah, it’s usually a hot item) and after making cryptophon easily
accessible for the masses. And then you have Gareth Williams (31), the GCHQ
hacker murdered and “bagged” inside a MI6’s “safe” house (we’d hate to see what
the unsafe ones look like) in August of 2010 after talking about being curious
about leaking something to Wikileaks with fellow hackers on irc. And the list
goes on. It’s easy to cover up when they want to, hackers often have complex
personalities, so faking their suicide fits well.

You are welcome to hack what the system wants you to hack. If not, you will be

Jeremy Hammond faces the rest of his productive life in prison for being an
ideologically motivated political dissident. He was twice jailed for following
his own beliefs. He worked until the end to uncover corruption and the
connivance between the state and big corporations. He denounces the abuses and
bribes of the US prison system, and he’s again facing that abuse and torture at
the hands of authorities.

Last year, Bradley Manning was tortured after allegedly giving WikiLeaks
confidential data belonging to US govt… oh shit. The world shouldn’t know how
some soldiers enjoy killing people and even less when they kill journalists. Of
course, the common housewife doesn’t deserve to know the truth about the
hypocrisy in the international diplomacy or how world dictators spend money in
luxury whilst their own people starve. Yep, the truth belongs only to the
elite, and if you are not part of them (forget it, that won’t happen), fuck

People are frustrated, they feel the system manipulating them more than ever.
Never underestimate the power of frustrated people.
For the last few years we have broken into systems belonging to Governments and
Big corporations just to find out they are spending millions of tax dollars to
spy on their citizens. They work to discredit dissenting voices. They pay their
friends for overpriced and insecure networks and services.

We showed how former govt and military officials were making new businesses
using their government relationships.
They funnel public money to their own interests for overpriced contracts for
crap level services. They use those
relationships to extra-officially resolve affairs involving their businesses.

We exposed a criminal System eliminating those who think different;
criminalizing them. This System won’t tolerate those who dig for the truth, it
can’t. So no one has the right to question anything coming from this system. if
you buy a piece of hardware or software you just need to use it as it was
supposed to be used: anything else is forbidden.
No tinkering allowed.

If you buy a Playstation, you are not allowed to use it as you want to — you
can only use it the Sony wants you to. If you have found a way to improve
something, just shut up. You are not allowed to share this info with anyone
else and let them make improvements, too. We are not the real owners of
anything anymore. We just borrow things from the System. Shiny, colorful
things, we agree to play with for a fee. A fee for life.
Because this system works only if you keep working to buy new things.
Not important if they are good things, just buy new crap, even better like that.
So everything gets outdated soon.

Your home, stuff, car and computer, you will pay for everything you have for all
of your life. All the time: a monthly fee, forever until you die. That’s the
future; nothing is really yours. LAAS – Life As A Service.
You will rent your life.

And better hurry up and work all day if you want to stay alive. Work ’til
you’re exhausted and don’t think. No — thinking is bad. Play games instead, do
drugs too, why not? Or go to the movies. The Entertainment Industry is here to
resolve all your philosophical and transcendental problems. Shiny colorful crap.
but please don’t think too much.
Thinking is dangerous.

Accept the offer, it’s the perfect deal.
You get all those amazing shiny colorful beads.
It will only cost you freedom…and your life.
Indians did it with Manhattan.
There’s nothing to worry about it, is there?

And what if you are a lone wolf who quietly outside the system, doing your own
thing, without saying a word? They will be mad as hell. They will try to find
you. You will be fucked up anyway, sooner or later. Because the system wants
you clearly identified, with all your personal details well packed into a
government database so it can make its watchdogs’ lives easier.

Security researchers are often questioned and their movements tracked by Secret
Service, FBI and other shits. They are asked about their projects, who their
clients are, who they are talking to, what they know about other hackers, etc..
So be a good monkey, follow the rules, head down and you’ll get some coins
that let you keep renting your life.

But hey! Wait…
We are hackers…
We are supposed to look beyond the rules, to find things others don’t see. And
THE SYSTEM, yeah the whole fucking system, it’s just another system.
…and we do that.
we hack systems.

This is our next challenge: to decide whether to become tools for the system,
or for ourselves. The system plans to use us to hold the next in their endless
wars, their cyberwars.
Hackers vs. hackers, slaves vs slaves.

We are trapped.

Jack Henry Abbott, a writer who was incarcerated almost his whole life for his
crimes, wrote before hanging himself: “As long as I am nothing but a ghost of
the civil dead, I can do nothing…”, the ‘civil dead’ are those, like himself,
who had their autonomy systematically destroyed by the state. Now his words
extend to cover all of us. We have seen our own autonomy being systematically
destroyed by the State. We are becoming ghosts of our dead civil rights.

So yes we are criminals, we are the criminals our dear system has created:
Argumentum ad Baculum

In a world where you fear the words you use to express yourself. Where you are
punished for choosing the wrong ones, we have just decided to follow our own
way. There’s no worse kind of slavery than one where you are afraid of your own

Governments around the globe are already in control of us in real life, and
they have now declared war on the people to take over the Internet.
It’s happening now. It’s not waiting for you to wake up.
So now my dear friends, it’s your turn to decide where you belong,
and what you are made of.

“When the people fear the government there is tyranny, when the government
fears the people there is liberty.”
― Thomas Jefferson”

Rotten Apple

Another Apple Mess

Note: An Apple UDID could be used in combination with other data to connect devices to their owners’ online user names, e-mail addresses, locations and even Facebook profiles. (Aldo Cortesi)

Here they gave links to an encrypted file with 1,000,001 Apple device UDIDs and accompanying user data.
The file must be decrypted first; instructions are given later in the Pastebin post.

Apparently, the UDIDs were taken from FBI Special Agent Christopher Stangl (rumor has it via a Java exploit earlier in the year). According to sources close to the matter… Among the data on his notebook was a file named NCFTA_iOS_devices_intel.csv, which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers and addresses.
Read more here

Here are some links from major internet sites covering the story…

Automation Scripts for Backtrack 5r3

I have been testing an excellent set of publicly available scripts that automate tasks in BackTrack 5 R3. I first heard about them when I saw Lee Baird’s presentation at the Appalachian Institute of Digital Evidence (AIDE 2012). You can see the slides courtesy of at this link. Lee Baird had help from Jason Arnold with, and Jason Arnold was the main developer of sslcheck. A lot of time and effort was put into this package, and I feel that anybody using BackTrack will benefit from using these scripts to automate many important parts of penetration tests. The package is on Google Code and includes a set of aliases that let you update the Subversion checkout of the scripts, and all of the scripts themselves, by simply typing update. Your first step is to download the package from Google Code from a BackTrack shell:

svn co /opt/scripts
You can watch the video for a full demonstration here…

Or, if you don’t have the time to watch the video, just keep reading…

OK, after you download the scripts into the /opt directory, the next step is to change the permissions to make the scripts executable.

  chmod -R 755 /opt/scripts/

Next we will change into the scripts directory and then run the setup script.

cd /opt/scripts/ 

Now exit the terminal, open a new terminal and type update.

Next we will run the main discover script...


Discover is a script that lets you choose to perform some open-source intelligence gathering for the recon portion of your pentest, use Nmap to port scan an external or internal network, start a Metasploit listener, or even run other scripts such as my favorite,

Crack-wifi makes the whole process of using airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng to crack a wireless network's key very simple and automated. When you run, a wireless interface is automatically searched for and tested to validate injection. You are then able to scan all your local wireless networks and choose a network to attack. If you have ever used BackTrack to crack a wireless network you know that it takes a few steps and commands to get it going successfully. This script makes it very easy by automating everything. You can begin scanning the local networks for a WEP or WPA key to crack by pressing 1. When you find a network that you want to crack, press Ctrl-C, and a window will pop up asking you to enter the Channel, ESSID, BSSID, and Station of the network you want to attack. If your attack does not generate any data, or not enough to crack the key, you can just close all the windows and start again until the key is cracked. The code is updated on a regular basis; here are the additions that were made recently:

Aug 20 - Added jigsaw to
Aug 19 - Added goofile to the passive option for scrape.
July 29 - Added to framework.
July 27 - Nikto now takes a list of nmap greppable output.
July 25 - Added color to update alias and framework.
July 5 - Updated alias and to reflect the new hosted location of sqlmap.
June 28 - Fixed passive recon problems with Whois-IP and LinkedIn returning job titles.
June 20 - After testing Metasploitable 2 by doing a full port scan, I noticed there were some ports missing from my default scan. The following TCP ports have been added: 1524, 6697, 8787, 41364, 48992, 49663, 59034.
June 11 - Scrape now contains passive and active options.
June 5 - Check 'notes' for a To-Do list
June 4 - Added new option - niktos

There are also some Python scripts included by Saviour Emmanuel. For more information check out the Google Code wiki by going to the svn location:

They are available for download at

Hackers can steal new “keyless” BMWs in 2 minutes

What was BMW thinking when they decided to allow electronic keyless entry and ignition? Did they really think they could protect buyers from hackers? Don’t they know by now that if they are going to put computers inside their vehicles, they must hire a team of security experts? I feel bad for anyone who bought one of these “hackable rides”.