Author Archives: phocean

openSUSE and Windows samba share

By default, access from openSUSE, or any Linux box, to a Windows Vista CIFS share is broken.
The cause is that Samba speaks NTLM while Vista speaks only NTLMv2.

Googling provided the solution, but it does not seem well known yet.

A workaround is to make Vista more flexible about which client authentication it accepts.

If you are running the Ultimate or Business version of Vista:

  • Run secpol.msc
  • Go to Local Policies / Security Options
  • Find Network Security : LAN Manager authentication level
  • Change the setting from Send NTLMv2 response only to Send LM & NTLM – use NTLMv2 session security if negotiated

If you are running the Home version, you will have to edit the registry manually:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

If it doesn’t already exist, create a DWORD value named LmCompatibilityLevel and set its value to 1.

Or in smb.conf:
client ntlmv2 auth = yes

More resources there.

BNAT

BNAT stands for “Broken NAT”. In the scope of Jonathan Claudius’s work, a NAT is considered broken when the client receives a reply from a server behind a NAT with a different IP than the one it sent the request to.

It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use different IPs, either because of a wrong rule or because the outbound and inbound interfaces are separated.

As a result, the client’s operating system will discard such a reply right away (with a TCP RST), because it does not match an existing TCP session.

The idea is that a pentester auditing such an infrastructure with a classic scanner will miss some entry points. A typical scanner relies on the network stack of the system: it will not receive the reply and will consider the port as filtered.

So Jonathan came up with a proof-of-concept to illustrate his point.

It is composed of a B-Router and a client. The B-Router will intercept the reply and maintain the session by sending an ACK. This way, it handles an asymmetric routing scheme for the client. Just add a filtering rule to block your system’s RST (iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP), and you are good to go.
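As an added example (not from the original post and not Jonathan’s code), here is a small Python check an auditor can run over a parsed trace to spot the broken-NAT condition described above from the defender’s side: it pairs each SYN with its SYN-ACK by client port and acknowledgement number, and reports replies whose source IP differs from the IP the SYN was sent to. The Pkt record and the sample trace are constructed stand-ins for parsed pcap data.

```python
"""Audit a packet trace for Broken NAT (BNAT) replies.

Constructed example: the trace is a list of Pkt records standing in for a
parsed pcap. A reply is flagged as BNAT when the SYN-ACK answering a
client's SYN comes back from a source IP different from the one the SYN
was sent to, which is exactly the reply the client's OS would reset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "R" = RST
    seq: int
    ack: int


def find_bnat(trace):
    """Return (original_dst, replying_src, client_port) for every SYN-ACK
    whose source IP does not match the destination IP of the SYN it answers."""
    pending = {}      # outstanding SYNs keyed by (client_ip, client_port)
    findings = []
    for p in trace:
        if p.flags == "S":
            pending[(p.src, p.sport)] = p
        elif p.flags == "SA":
            syn = pending.get((p.dst, p.dport))
            if syn is None:
                continue
            # Pair only if this SYN-ACK really acknowledges that SYN
            if p.ack != syn.seq + 1 or p.sport != syn.dport:
                continue
            if p.src != syn.dst:
                findings.append((syn.dst, p.src, syn.sport))
            del pending[(p.dst, p.dport)]
    return findings


# Constructed sample trace: client 10.0.0.5 probes 203.0.113.10 on 22 and 80.
# Port 22 answers normally; port 80 is answered by 203.0.113.11 (DNAT/SNAT mismatch),
# and the client's stack rejects that stray reply with a RST.
SAMPLE_TRACE = [
    Pkt("10.0.0.5", 40001, "203.0.113.10", 22, "S", 1000, 0),
    Pkt("203.0.113.10", 22, "10.0.0.5", 40001, "SA", 5000, 1001),
    Pkt("10.0.0.5", 40002, "203.0.113.10", 80, "S", 2000, 0),
    Pkt("203.0.113.11", 80, "10.0.0.5", 40002, "SA", 7000, 2001),
    Pkt("10.0.0.5", 40002, "203.0.113.11", 80, "R", 2001, 0),
]

if __name__ == "__main__":
    for dst, src, port in find_bnat(SAMPLE_TRACE):
        print(f"BNAT: SYN to {dst} answered by {src} (client port {port})")
```

A mismatch reported here points at a NAT rule or interface layout to fix, since the replying address is the one a port scan through the normal stack would never see.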

Simple but brilliant, isn’t it? The great thing is that the code has now been included in Metasploit, so it is even more straightforward.

Check Jonathan’s DEFCON slides for more info. You can download the source there (or just update your Metasploit and look for it among the auxiliary modules).

Security Mind Map

I recently attended the 2011 edition of the SSTIC conference (a major security conference in France), where I had a good time and where the slides of Joanna Rutkowska somehow inspired me.

I shamelessly decided to reuse and extend her mind-map style diagram, moving it from a system-security-centric view to something more generic and operational about IT security.

Then, I came up with this first version of the diagram:

At the moment it is probably quite incomplete and incoherent in some aspects, but I am quite satisfied with the shape it is taking. I will certainly update it often, as soon as I think of something new.

I find it convenient as a memo summarizing goals, steps and tools to achieve security. It may also help clarify some points during a presentation.

Feel free to use it (as long as you keep the credit to this website). I am waiting for your comments and suggestions on how to improve it.