If you are writing some Ring0 (or privileged mode code), say something like device drivers in Windows you’d probably be better served with a separate development machine and a deployment machine. This helps you to write poor code and still not lose hair because your development machine blue screens! 🙂

My setup was using a Windows 8.1 development machine and a Hyper-V based Windows 7 machine for debugging. You will need to execute different tasks on the “guest” (Hyper-V based Windows 7 virtual machine) and some other tasks on the development machine.  I followed many of the things from the MSDN blog post here

On your guest machine you would want to setup a named pipe and setup debug settings. To do that this is what you need to do:

Setup a virtual com port in the Hyper-V Settings (File -> Settings) , this port will be used to communicate from the host machine to the guest to communicate the Kernel debugging commands.

Now make sure that your target guest machine is configured to “listen” those commands.  Inside the guest VM, start a command shell (cmd.exe -> Run as Administrator).

Configure the bcdedit commands so that the machine can now be debugged.  Right after the 2nd command, reboot your Virtual Machine.

With the VM now configured to listen the debug commands via the COM1 port, and the debug mode on in the bootup settings, now start the WinDbg x64 on the host (using “Run as administrator”; you need administrative privileges for communication via Serial port).  In your kernel debugger on the host or the development machine (I’m assuming that these are both on the same physical hardware here).  Click on File -> Kernel Debug and you should see the following screen in the WinDbg window:

Hit Ctrl+Break or Debug -> Break and you will see something like this:

Just remember that when you break in the debugger, your guest in Hyper-V should become “unresponsive”.  The only thing is that it is not really unresponsive, its just being debugged.  Just to make sure, that you have the symbols package that is quite useful for debugging run the following command:

!process 0 0

If you see something like the following screen show up:

The following error means that the symbols are not defined.  Symbols help the debugger give more information about the commands that you are going to execute in the debugger.

**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols

To fix this, use the following commands:

kd> .sympath SRV*c:\symcache*http://msdl.microsoft.com/download/symbols
kd> .symfix
kd> .symfix c:\symcache
kd> !sym noisy
kd> .reload /o

Then again try the command: !process 0 0 and see if you get a good response.  A good response looks like the following:

With this you should be good to go! Happy debugging and writing cool Ring0 code.

The world of Artificial Intelligence (AI) seems to be exploding with the release of ChatGPT. But as soon as the the chat bot came into the hands of public people started finding self-sabotaging queries at worst (exploitable issues) and some weird interactions whereby people could write malware that could stay undetected by Endpoint Detection and Response (EDR) bypasses.

What is AI?

Very simply, Artificial Intelligence (per Wikipedia) is intelligence demonstrated by machines. But technically, it is a set of algorithms that can make do things that a human does by making an inference, similar to humans, on the basis of data that was historically provided as “reference” to make the decisions. This reference data is called as training data. And the data which is used to test the effectiveness of the algorithm to arrive at a decision on the basis of that reference, is called as test data. Any good machine learning course teaches how do you design data and how much data to use for training and how much to use for testing and metrics of performance but that is not relevant to our discussion here – however, what’s important is that it is the data that you provide that controls the decision-making in an artificially intelligent algorithm. This is a key difference between typical algorithms (where the code is more or less static and makes decisions on certain states in the program) whereas in an artificially intelligent system you can have the program arrive at different decisions depending on how one decides to “train” the algorithms.

What is ML?

Machine Learning (ML) is a subset of Artificial Intelligence (AI) where the artificial intelligent algorithms evolve their decision-making on the basis of data that has been processed and tagged as training data. ML systems have been used in classifying spam or anomaly detection in computer security. These systems tend to use statistical inference to establish a baseline and highlight situations where the input data does not fall within the norm. When operational data is being used to train ML-based system one has to be careful that we are not incrementally altering the baselines of what’s normal and what’s not. Such “tilting” may happen over time and its important to protect against drift of such systems. Some “drift” is ok but “bad drift” is not – which is hard to predict. E.g., let’s say you classify some data inaccurately and accidentally/maliciously end up using it for training your ML-models but if it inherently alters the behavior of the ML model, then the model becomes unreliable.

What is Adversarial AI?

Adversarial Artificial Intelligence (AI) based threats are ones where malicious actors design the inputs to make models predict erroneously. There are a couple of different types of attack here – poisoning attack (where you train models with bad data controlled by adversaries) or an evasion attack (where you make the artificial intelligence system make a bad inference with a security implication). The way to understand these attacks is that the poisoning attack is basically “Garbage-in-garbage-out” but its this really “special” garbage. This is garbage that changes the behavior of the algorithm in a way that the algorithms returns an incorrect result when it has to make a decision. The inferential attacks are different in that the decision made is wrong because the input is such that it appears differently to the ML algorithm than it does to humans. E.g., Gaussian noise being classified as a human or a fingerprint being matched incorrectly.

Can we attack these systems in other ways?

In a paper presented by Google researchers created a tool (TensorFuzz) that they were able to demonstrate finding a few varieties of bugs in Deep Neural Networks (DNNs). So typical software attack techniques do work against the deep neural networks too. Fuzzing has been used for decades and has caused faults in code forever. At its core, fuzzing is simple, send garbage input that causes a failure in the program. It’s just that the failures in DNN are different and you want to ensure the software relying on the DNN to make a decision handles such failures appropriately and do not cause a security failure with secure defaults.

Protection mechanisms

There are a few simple ways to look at ML systems and security thereof. Microsoft released an excellent howto on how to threat model ML systems. Additionally, using adversarial training data is imperative to ensure that artificially intelligent algorithms performs as you expect them to in the presence of adversarial data. When you rely on ML-based systems, its all the more important that you test it appropriately and continue to do so against baselines. Unfortunately, for Deep Neural Networks transparency of decision making continues to be an issue and needs the AI/ML researchers to establish appropriate transparency measures.

I wanted to have a list of all the security conferences around the world for a quick reference so I compiled together a list.

I have been a subscriber to this magazine’s electronic edition since the past year. However, they’ve only sent me one copy of the magazine till date. The cost of the yearly subscription was $79 or something which makes it an extremely expensive magazine…1 issue for $79…that’s ridiculous!
All my efforts to contact monika.drygulska@hakin9.org or marta.ogonek@hakin9.org have been futile! I would like to discourage anyone who pays for this.
Has anyone else experienced this kind of sloppy service with Hakin9?
Update 06/23/2009:
Hakin9 finally contacted me, after I emailed them (again) based on Chris John Riley’s suggestion. They provided me with the missing issues. Better late than never Hakin9! Thanks!

If you’re like me and recently upgraded to Verizon FiOS and you have your PS3 on the wired segment and the Media Server (such as PS3 Media Server, TVersity, etc.) on the wireless segment, you’re in for a ride with the configuration.
By default, you can’t route the traffic between the wired and wireless segments over UDP! You can send ICMP echo packets (i.e., ping) but the PS3 just won’t detect the Media server. You may disable the Host-based firewall (e.g., Norton, Kaspersky, McAfee, etc.) but it still won’t work.

If you happen to read posts like these, you will see that you have to disable “IGMP proxy”. IGMP Proxy basically reduces the traffic on the multicast addresses to a bare minimum. Unfortunately for you, this causes the traffic between PS3 Media Server and PS3 to drop.

So you log into your FiOS router’s administration console typically located at 192.168.1.1. Click on Advanced -> Yes -> Firmware Upgrade and check the firmware version. You will see that it is an ActionTec router (based on the Auto-update URL). But nowhere do you see the option to update the “IGMP Proxy” settings. That’s because that feature is “hidden” in the latest firmwares.

So you just need to copy/paste the following URL into the browser address bar and you will see the option to disable “IGMP proxy”.
http://192.168.1.1/index.cgi?active_page=6059
Disable it and Voila! The PS3 Media Server and PS3 can now talk to each other.

So the other day I was on a pen test and I got hold of the hashes. Since my laptop got fried I needed a new version of SMBProxy. There were a few issues that I had with the compilation though. I got a few errors in the file crypto.c.
Moreover, SMBProxy ues crypto library libdes written by Eric Young available here.
I give here a guide to compiling SMBProxy that worked for me.

First, compile and install libdes

1. Download libdes 4.01
2. tar zxvf libdes-4.01.tar.gz
3. cd libdes
4. make gcc
5. sudo make install

Now, you’ll find that the file libdes.a is now in /usr/local/lib.
Second, compile and install SMBProxy. Now here there were a couple of compilation errors that I had to deal with.
Here’s the diff output for crypto.c

trance@z0n3:~/Desktop$ diff smbproxy/crypto.c smbproxy-orig-src/crypto.c
40,41c40
< #include
< #define MD4_SIGNATURE_SIZE 16 --- >
46c45
<> static u_char Get7Bits(UCHAR *input, int startBit) {
58c57
<> static void MakeKey(UCHAR *key, UCHAR *des_key) {
74c73
<> void DesEncrypt(UCHAR *clear, UCHAR *key, UCHAR *cipher) {
85c84
<> void mkResponse(UCHAR **ntlmhash, UCHAR hash[MD4_SIGNATURE_SIZE], UCHAR* challenge) {
88c87
<> UCHAR ntlm_response[24];

Having done this there were still a few issues with the make comand.
The Makefile can be generated by running the following command:

trance@z0n3:~/Desktop/smbproxy-orig-src$ ./configure

Here’s the diff output of the Makefile:

trance@z0n3:~/Desktop$ diff smbproxy/Makefile smbproxy-orig-src/Makefile
10,11c10,11
< smbbf_include =" -Iinclude">
< libs ="">
—
> SMBBF_INCLUDE = -Iinclude
> LIBS = des
31c31
< $(LIBDES) $(LIBS)
—
> $(LIBDES)

The following libraries are required: openssl, openssl-dev, libdes for successfully compiling SMBProxy.

apt-get install openssl openssl-dev

In metasploit there’s a plugin admin/backupexec/dump. This plugin uses the default credentials to login to Veritas backupexec agent and download an arbitrary file. The catch is it downloads it in the MTF (Microsoft Tape Format) file. You need a utility called NTBackup to restore this file. Metasploit authors have conveniently made this available for us at http://metasploit.com/tools/msbksrc.tar.gz.
However, if you compile this file you get an error:
msqic.c:814: error: conflicting types for ‘bques’
This happens because the function prototype is missing.
Goto line 169 of msqic.c file in the source code and add the following line:
int bques(char);
Once you add this, you should be able to make the client and should be able to extract the file from the .mtf file.