A follow up on the Indian embassy issue

It’s been a busy two weeks trying to put together the training material I’ll be using to teach Incident Response and Computer Forensics to some of my colleagues in other geographies across Europe, Asia and Australia, and that will kick-off in Leiden in approximately 10 days. Meanwhile, the latest news about the Indian embassy reported earlier on this blog, spread quickly on the Internet.

Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

[Read more...]

Embassy of India in Spain found serving remote malware through iFrame attack

Hacking an embassy’s website to use it as malware distribution point is not something new, neither is the use of the iframe injection attack, but it’s still surprising the number of infected sites out there.

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

Sophos Alert - www (dot) embajadaindia (dot) com

The alert description is fairly self-explanatory, [Read more...]

Password Cracking ‘Pass The Hash’ style

One of the most time consuming tasks a penetration tester has to face is password attacks. Traditional password attacks involve password guessing, password cracking or a combination of both. While the first can take anything from days to months, the latter can take from hours to days, depending on the quality of the password dictionary and the available CPU power among others. Tools that make use of Rainbow Tables, like Ophcrack, have significantly reduced those times to hours or even minutes, especially for systems that use weak password schemes like LM or NTLMv1.

All of the above describe how the password attack picture was before a new technique, called ‘Pass-The-Hash’ made its way into the hacking scene. Although someone may think this technique is quite new, it was actually back in 1997 when Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash” along with the theory which the exploit was based on. This Unix-based tool implemented a modified version of a SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t before last year when Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.

[Read more...]