Wednesday, October 29, 2008

Instinctive threat modeling

A friend of mine sent me a link to a new site today, and, as tends to happen, my mind immediately turned to "how could this be broken?"

In this particular case, what interested me was a field that allowed an unauthenticated user to add an arbitrary subdomain to the site, as in <user input>

Depending on how that subdomain actually gets created behind the scenes, something as simple and common as CRLF injection could potentially be a serious hole here.
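To make the CRLF concern concrete, here is an added example (my own illustration, not code from the site in question) showing the weak pattern of writing a user-supplied label straight into a zone-file line next to a validated version. The label rules follow the RFC 952/1123 hostname grammar; the sample inputs and the 203.0.113.0/24 addresses are constructed.

```python
import ipaddress
import re

# Hostname label rules (RFC 952 / RFC 1123): 1 to 63 characters, letters,
# digits and hyphens only, no hyphen at either end. Anything else, including
# CR, LF, dots and spaces, is rejected outright rather than escaped.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_label(label: str) -> bool:
    """Return True only if ``label`` is a single well-formed hostname label."""
    return LABEL_RE.fullmatch(label) is not None


def naive_zone_record(label: str, ip: str) -> str:
    """The weak pattern: untrusted input dropped directly into a zone-file line.

    A label containing a line break yields more than one line, so the
    user controls what the next record says.
    """
    return f"{label} IN A {ip}\n"


def safe_zone_record(label: str, ip: str) -> str:
    """The hardened pattern: validate both fields, normalise, then emit."""
    if not is_valid_label(label):
        raise ValueError(f"rejected subdomain label: {label!r}")
    ipaddress.ip_address(ip)  # raises ValueError on anything but a literal IP
    return f"{label.lower()} IN A {ip}\n"


if __name__ == "__main__":
    # Constructed input: a label carrying an embedded CRLF.
    tainted = "shop\r\nwww"
    print(repr(naive_zone_record(tainted, "203.0.113.1")))  # two lines from one request
    print(is_valid_label(tainted))                           # False
    print(safe_zone_record("Shop", "203.0.113.1"), end="")   # shop IN A 203.0.113.1
```

The point of the allow-list regex is that it does not try to enumerate bad characters; a label either matches the hostname grammar or the request is refused, which also covers dots (a nested subdomain) and whitespace.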

It occurs to me that this ability to instinctively identify where the biggest potential holes are, before even beginning testing, is a fairly important skill for a security professional. I firmly believe that having a well-rounded technology background is the key to this. In the case of this particular site, I had to tap into experience with:
1. Web development
2. DNS protocol and software
3. Common web site security flaws

There are certain flaws that a security person with the right background can identify just by understanding the thought processes of a developer or a sysadmin, along with a solid grasp of "how it works". One great example is the DNS flaw discovered by Dan Kaminsky earlier this summer. It was ultimately an incredibly simple flaw that, once revealed, seemed painfully obvious to anyone with an understanding of how DNS works. But it took someone like Dan, with a very deep, practical knowledge of DNS along with an advanced security mindset, to put all the pieces together.

Monday, October 6, 2008

WMI/DCOM from Linux

Don't know why this was so tough to Google for, but the solution for WMI queries to a Windows box from Linux is right here.

From the README:
DCOM/WMI client implementation for Linux, 2006-2007

This implementation of DCOM/WMI client is based on Samba4 sources.
It uses RPC/DCOM mechanism to interact with WMI services on
Windows 2000/XP/2003 machines.
It also contains winexe - a program for remote execution of Windows commands from a Linux box.
Additional info about winexe at

bin/wmic - WMI simple client, it queries server using ExecQuery WMI method,
sample usage:
wmic -U domain/user%password //host "select Name from Win32_Process"
Program is at an early stage of development and there are many bugs.
To retrieve more debug info use switch "-d number", where a bigger number
corresponds to bigger output (I am using "-d 99" :) )
bin/wmis - WMI test suite. Currently it only does the following things:
- Creates directory remotely using Win32_Process.Create("cmd.exe /C mkdir C:\wmi_test_dir_tmp").
- Executes ExecNotificationQuery for monitoring file create/delete events in this directory.
- Waits for 4 notifications and displays their types.
wmi/ - Samba wrapper for python, together with wmi/ and ../pycom/* modules can be used
to run zenwin on Linux.
bin/winexe - Remote Windows commands execution.
Sample usage:
winexe -U domain/user%password // "ipconfig /all"

WMIC, which is really what I was looking for, works great. There are also Python modules, which I haven't tried yet.
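Once wmic returns rows, the next step is usually to do something with them from a script. The following is an added example of mine, not part of the wmi-client package, that parses wmic's text output into records and runs a simple allow-list check over the process names, the kind of inventory or baseline comparison a defender would automate. The sample output is constructed, and its layout (a `CLASS:` line followed by a pipe-delimited header and rows) is my assumption about wmic's format, so adjust the parser if your build prints something different.

```python
from typing import Dict, Iterable, List

# Constructed sample of what `wmic -U domain/user%password //host
# "select Name,ProcessId,ExecutablePath from Win32_Process"` is assumed to print.
SAMPLE_OUTPUT = """\
CLASS: Win32_Process
Name|ProcessId|ExecutablePath
System Idle Process|0|(null)
svchost.exe|812|C:\\Windows\\system32\\svchost.exe
cmd.exe|2104|C:\\Windows\\system32\\cmd.exe
"""


def parse_wmic_output(text: str) -> List[Dict[str, str]]:
    """Turn wmic's CLASS/header/row text into a list of dicts.

    Each record carries the queried class under the ``_class`` key.
    Caveat: a value containing a literal '|' cannot be parsed unambiguously
    with this layout, so such rows are skipped rather than mis-assigned.
    """
    records: List[Dict[str, str]] = []
    current_class = None
    header = None
    for line in text.splitlines():
        if line.startswith("CLASS: "):
            current_class = line[len("CLASS: "):].strip()
            header = None  # a new class block starts with a fresh header
            continue
        if not line.strip():
            continue
        fields = line.split("|")
        if header is None:
            header = fields
            continue
        if len(fields) != len(header):
            continue  # malformed or pipe-containing row, see docstring
        record = dict(zip(header, fields))
        record["_class"] = current_class or ""
        records.append(record)
    return records


def unexpected_processes(records: Iterable[Dict[str, str]],
                         allowlist: Iterable[str]) -> List[str]:
    """Names present in the query result that are not on the expected list."""
    allowed = set(allowlist)
    return sorted({r["Name"] for r in records if r["Name"] not in allowed})


if __name__ == "__main__":
    procs = parse_wmic_output(SAMPLE_OUTPUT)
    print(f"{len(procs)} processes returned")
    print(unexpected_processes(procs, {"System Idle Process", "svchost.exe"}))
```

In a real run you would feed the function the captured stdout of the wmic command instead of `SAMPLE_OUTPUT`. Keep in mind that a password passed as `-U domain/user%password` is visible to other local users in the process list and ends up in shell history on the Linux side, so such queries belong on a host you control, under a dedicated low-privilege account on the Windows end.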