Episode123

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 123 for September 18th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Interview in this episode!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast immediately following!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)

Episode Media

mp3 pt 1

mp3 pt 2

Interview - Gordon "Fyodor" Lyon (you know, that Nmap dude!)

Fyodor is the primary author and maintainer of the most popular security tool on the planet, Nmap, the world's best portscanner. The first release of Nmap was in "Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 11 of 17" and was written in C and barely 2000 lines of code which only compiled on Linux. It now runs on every major platform, has over 100 command line options, features its very own scripting language, and includes fingerprints for over 1500 different operating system versions. It has been featured in several movies, including "The Matrix Reloaded", "The Borne Ultimatum", and my personal favorite "Battle Royal". Fyodor maintains such sites has insecure.org, seclists.org, and sectools.org, has spoken at popular security conferences such as blackhat and defcon, and been the dreamy man covetted by sexy hacker chicks everywhere (all 3 of them). He has written a book titled "Nmap Network Scanning", I'm sure that was a stretch, (he wrote it using GNU Emacs, but we won't hold it against him).

  • The softball questions: "So, how did you get your start in computer security?"
  • How did you get the name Fyodor?
  • Tell us about the (un) healthy obsession that the Sexy Hacking girls have with you.
  • I hear that there is an awesome new book form NoStarch on Nmap. Tell us more! When is it due out? Contents? Where can we pre-order copies? (This question comes up on a daily basis in the IRC channel)
  • What prompted you to write Nmap?
  • While we know you are not a lawyer, and most likely did not stay at a Holiday Inn express last night, but is portstanning legal? Should portscanning be illegal? Why or why not?
  • What have been some of the biggest challenges and wins with the OS fingerprinting module?
  • Why is Nmap always the security tool featured in movies, and not more sexy ones that have GUI interfaces?
  • So, what are some of the most common mistakes people make when usign Nmap?
  • You've spoken a lot about performance tuning, what are some of the common mistakes and how can we make our scans go faster?
  • Some may say, "Nmap is a great tool, but we're a huge corporation and need a commercially supported solution". How do you respond to comments such as this?
  • Is is true that Dan Kaminsky used Nmap to find the DNS bug?
  • Tell us about LUA, why you chose it, and some of the neat and powerful things that people can use it for?
  • Tell us about the new mapping feature (it is the network mapper after all). How does it work, and why is it valuable to a user?
  • What is the most useful, but most underutilized Nmap command line parameter?
  • For a long time, many Nmap command line parameters were undocumented. More recent versions and documentation have fixed this, but are there still some hidden options? Come one, you can tell us :)
  • There have been many tools written to extend and compliment Nmap, what are some that you recommend?
  • Is there a way to run Nmap as just a simple banner grabber? So, without using service fingerprinting, just return the banner that the port sends back?
  • There are few brave enough to take on the challenge of scanning the Internet, but who other than the mighty Fyodor! What were some of the challenges with this project? How did you ISP feel about this?
  • Nmap has been known to crash certain devices (esp. embedded devices). What has been done in the Nmap codebase to avoid these situations, and what tips do have in order to avoid crashing things? Or maybe we want to crash things, what tips then?
  • While many use Nmap for good, many use Nmap for evil. If you could say something to those who use Nmap for illegal activities, well, what would you say? (They might even be listening)
  • It states in your Bio that you are the President (Fyodor for President?) of the Computer Professionals for Social Responsibility, can you tell us more about that?
  • Why has Nmap been such a successful Open-Source project?
  • Tell us about the Summer of code project!
  • Without giving too much away, what's in store for the future of Nmap?

Tech Segment: Discovering Rogue Access Points With Nmap

There are lots of ways to skin this cat. This came up and piqued my interest because I was looking at the Nessus plugin to do this. This is a neat concept, but relies on some really old information from Nmap 3.50 OS fingerprints. I decided that using Nmap directly is probably best to perform this task. Luckily, my handy Nmap Book has a section devoted to this called "8.8 SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network", which can be found in the OS Detection Chapter. Now, there is an example Nmap command in the book, but I came up with the following Nmap command on my own to do this on my home network:

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.69.0/24

The above Nmap command scans the network with no ping options set (-PN), and no name resolution (-n). It only scans selected TCP and UDP ports, which I find is a really neat feature to be able to specify independent lists of UDP and TCP ports using the syntax above. I chose the ports listed because they are most frequently found listening on embedded devices. I want to know if those ports are open (-sU and -sS), and I want to fingerprint them if they are open (-sV). I also want all of the result types (nmap, grepable, and xml) so I can work with the results on XML and if a scan dies, resume with the csv file. I also want an OS fingerprint and use aggressive timing.

This is great, but for use in an enterprise I want to run this on a cron job and have it email me the results every day. So I extended using Nmap Parser (a perl library for accessing Nmap results and running Nmap scans) and came up with:

http://pauldotcom.com/rogueapdetect.pl


NOTE: Nmap Parser was also featured in Episode 55 where Paul shows you how to use it to find vulnerable hosts on the network in conjunction with nbtscan.

I installed the latest version of Nmap Parser, version 1.13. I had to change the object names to be compatible with the new version, but it works like a champ. Example results look like this:

rogueapdetect.pl v0.001 - ( paul@pauldotcom.com )
--------------------------------------------------

Scan Information:
Number of services scanned: 7
Start Time: 1221793134
Scan Types: syn udp

Hosts scanned:

Address   : 192.168.69.95
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP
Address   : 192.168.69.92
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP

Oh look, a couple of devices running OpenWrt, go figure :)

Stories For Discussion

Student Facing "Hacking" Charges - Uhm, always get permission, it's an easy thing to comprehend, just ask before you hack, otherwise don't get caught (j/k).

A truce? - [Larry] - Rsnake and Jeremiah Grossman voluntarily pull their talk on 'clickjacking' from the OWASP USA conference, after speaking with Adobe. Microsoft and others have not responded, but Adobe asked for them to pull the talk in order to issue a patch.

Protecting Wordpress with SSL - [PaulDotCom] - Along the lines of, "Why don't most sites use more SSL", this is a good example. You can now use SSL to admin your wordpress blog, wait, you mean you couldn't up until now! WTF! I've always had to push major providers to use SSL and SSH. For example, most hosting services still use FTP to upload your files. Why? When it comes to protecting information, we should protect our usernames and passwords to everything, esp. the end user's credentials. They love to re-use...

We don't talk politics - [Larry] - Palin e-mail compromise? Good time to talk about data ex-filtration and incident response plans.

Disable access? Nah. - [Larry] - Intel employee steals IP, then goes to work for AMD. He does it by logging in via VPN 2 weeks after he left. See, even more ways to ex-filtrate data. Oh, and don;t forget those accounts too. What about those privileged users who give notice? Do you terminate the access immediately, or let them work You did trust them all this time already.

Network safety - at home - [Larry] - Yep, your employees take their laptops home. How about educating them on good practices for safe computing when they aren't on your campus - VPN, hardware firewall, secure wireless (if any), don't let the kids use, ever... What about securing them like they would at home as they would in a coffee shop - cable locks, etc.

Not an evil USB drive - [Larry] - Good candidate for the hacker keychain - it has a bottle opener! Updates on the hacker keychain coming soon.

TSA no fly list = signature based IPS - [Larry] - It just goes to show that the defensive action is only as good as your signatures. Want to avoid the hassle after you're on the no fly list? Legally change your name, and their is no longer a signature match. Create a false positive? Change your name to that of someone on the list.

iPhone Safari JavaScript DoS - [Larry] - I jsut wanted to include this because allegedly this is a flaw with WebKit, which if I recall is also the basis for Safari and Chrome.