Episode129

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client-side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to and no payment information to enter; it's just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 128 for November 6th, 2008. A show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • This week we have a Book Giveaway from No Starch Press, a copy of Silence on the Wire. E-mail the answer to our question to psw@pauldotcom.com. First correct answer, with supporting documentation to that address wins! The question from last week still is out there for claiming.  :-)

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Creating Custom Wordlists For Password Brute Forcing

This is a nice, easy way to build a custom dictionary for your target. I got some of the original code from SANS Security 560 by Ed Skoudis. With his permission, I've published some of my enhancements. The first step is to grab the entire web site:

wget -r -l 2 www.<targetwebsite>.com

I'm going two levels deep here; you can adjust that with the "-l" flag. How many levels deep depends on how big a dictionary you want and how big your target site is. Next, we replace the whitespace with newline characters and produce a unique list:

grep -hr "" www.<targetwebsite>.com/ | tr '[:space:]' '\n' | sort | uniq > wordlist.lst

The next step is to remove the weird characters (don't worry, we can put them back). This primarily removes the HTML tags and such:

grep -v '[],;{}<>:="/[]' wordlist.lst | sort -u > wordlist.clean.lst

Note: I do not remove the "()"; we probably need to move to Perl regex or something similar to do that. I get a syntax error when I try to remove the "(" or ")". Also, different versions of grep (and wget) will behave differently, so you might have to tweak. Below, we append the default John the Ripper password list to our custom list:

cat password.lst >> wordlist.clean.lst

But now we might have duplicates, and since we removed all special characters (well, most of them anyhow) we need to put them back. Below we run John to re-generate our unique wordlist, apply some rules, and output to standard out:

john --wordlist=wordlist.clean.lst --rules --stdout | uniq > final.wordlist.lst

For bonus points you can modify the rules so that it does a better job of adding in special characters (such as replacing all "i" with "1"). Passwords are, well, just so easy to abuse...
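The whole procedure above (fetch, split on whitespace, drop tokens with odd characters, append the base list, mangle with rules) as one added example of mine, not the segment's original commands. It runs offline on a constructed two-page "site" instead of a wget mirror, and the sed tag stripping, the mangle() rules and the three-word base list are my stand-ins for the egrep filter, for john --rules and for John's password.lst. One difference worth noticing: stripping the tags before tokenizing keeps words glued to markup such as "<h1>Welcome", which the token filter alone would throw away.

```shell
#!/bin/sh
# Added example, not the segment's original commands: the wget -> tr -> filter
# -> append -> mangle pipeline rebuilt as shell functions over a constructed
# two-page "site", so it runs offline with no wget or john. The sed tag
# stripping and the mangle() rules are my stand-ins for the egrep filter and
# for john --rules; the three-word base list stands in for john's password.lst.

# Write the constructed site to a temp directory (what "wget -r" would have
# saved) and print the directory path.
build_sample_site() {
  dir=$(mktemp -d)
  cat > "$dir/index.html" <<'EOF'
<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme</h1>
<p>Founded 1987 in Springfield. Contact: info@acme.example</p>
<a href="/about.html">About us</a></body></html>
EOF
  cat > "$dir/about.html" <<'EOF'
<html><body><p>Acme's mascot is Rocket the dog.</p></body></html>
EOF
  echo "$dir"
}

# Saved pages -> unique list of candidate words.
# Tags are removed first, so a word glued to a tag ("<h1>Welcome") survives
# instead of being thrown away with the whole token; tokens that still carry
# one of the segment's "weird" characters (plus parentheses) are dropped,
# which is why "Contact:" does not make it into the list.
make_wordlist() {
  grep -hr "" "$1" \
    | sed 's/<[^>]*>/ /g' \
    | tr -s '[:space:]' '\n' \
    | grep -v '[],;{}()<>:="/[]' \
    | grep -v '^$' \
    | sort -u
}

# Stand-in for "john --rules --stdout": each word yields itself, a lowercase
# form, a capitalised form, a leet form (i->1 e->3 a->@ o->0) and year suffixes.
mangle() {
  while IFS= read -r w; do
    lower=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
    first=$(printf '%s' "$lower" | cut -c1 | tr 'a-z' 'A-Z')
    rest=$(printf '%s' "$lower" | cut -c2-)
    leet=$(printf '%s' "$lower" | tr 'ieao' '13@0')
    printf '%s\n%s\n%s%s\n%s\n' "$w" "$lower" "$first" "$rest" "$leet"
    for y in 2007 2008; do printf '%s%s\n' "$lower" "$y"; done
  done | sort -u
}

# Whole pipeline: prints the final wordlist and removes the temp files.
build_final_list() {
  site=$(build_sample_site)
  list=$(mktemp)
  make_wordlist "$site" > "$list"
  # "cat password.lst >> wordlist.clean.lst", with a constructed base list
  printf 'password\nletmein\nqwerty\n' >> "$list"
  sort -u "$list" | mangle
  rm -r "$site" "$list"
}

build_final_list
```

Run it as a script and it prints the mangled list; point make_wordlist at a real wget mirror directory and swap mangle for the John command from the segment to get the original workflow back.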

Interview: Bill Brenner - Selling Security and Penetration Tests to Upper Management

Stories For Discussion

WPA dead? - [Larry] - A few researchers (including the author of Aircrack) have allegedly found a way to crack WPA utilizing TKIP. Normally you'd use a dictionary attack, but Tews and Beck found a way to get more traffic (a la the WEP traffic generation for weak IVs), as well as a mathematical shortcut to break TKIP. Total time, 12 to 15 minutes. Again, the actual results need to be seen. We've told everyone to move to WPA from WEP, so now what? WPA2 is not affected by the attack. What about WPA with AES? [PaulDotCom] - This is not affected as it uses AES+CCMP as the keying protocol, not TKIP. Shoddy TKIP implementation? [PaulDotCom] - Our special wireless correspondent Josh Wright (from www.willhackforsushi.com) sent us information via email:



This new attack against WPA and WPA2 affects the use of TKIP deployments, against both PSK and Dot1X authentication. It is only applicable to TKIP networks using QoS, and does not affect AES-CCMP networks.

The bottom line is that an attacker can exploit a QoS TKIP client, recovering not more than one byte of plaintext data per minute. TKIP rotates keys every 65K packets, so the number of bytes the attacker can recover is variable, depending on how busy the victim is. I think it's reasonable to say the attacker will be able to recover partial content of one encrypted packet during each client key rotation session.

Some exploit code has been checked into the Aircrack-ng SVN repository, though I haven't had a chance to verify it yet.

I believe this attack is only the beginning, and we'll see more devastating attacks against TKIP soon. People should watch for logging messages indicating Michael MIC failures or excessive Integrity Check Value (ICV) errors from SNMP MIBs as an intrusion detection technique. Client vendors need to make changes that may break QoS and TKIP together to fix the flaw, but that will take a while. Disabling QoS support on the AP or moving to AES-CCMP will fix the flaw.

Thanks Paul!

--Josh
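Josh's advice to watch for Michael MIC failure messages is easy to turn into a detection check. What follows is an added example of mine, not from the show notes or from Josh's email: a small awk-based detector that reads syslog-style AP log lines and alerts on a station that logs a threshold number of MIC failures inside a sliding time window. The log line format is constructed for the example (real AP or hostapd output differs, so the match pattern and field numbers are assumptions to adjust); the 60-second / two-failure defaults mirror the TKIP countermeasure trigger in 802.11i, so a station that trips them is either under attack or about to have its TKIP sessions suspended anyway.

```shell
#!/bin/sh
# Added example (mine, not from the show notes or Josh's email): a minimal
# detector for the "watch for Michael MIC failure messages" advice.
# It reads syslog-style AP log lines on stdin and alerts on any station that
# logs THRESHOLD or more MIC failures inside a WINDOW-second period.
# The log format below is constructed for this example: real AP or hostapd
# output differs, so adjust the match pattern and the field numbers.

# Constructed sample log: epoch seconds, host, interface, "STA <mac>", event.
sample_ap_log() {
  cat <<'EOF'
1226000000 ap1 wlan0: STA 00:11:22:33:44:55 TKIP Michael MIC failure
1226000012 ap1 wlan0: STA 00:11:22:33:44:55 associated
1226000040 ap1 wlan0: STA 00:11:22:33:44:55 TKIP Michael MIC failure
1226000100 ap1 wlan0: STA 66:77:88:99:aa:bb TKIP Michael MIC failure
1226000900 ap1 wlan0: STA 66:77:88:99:aa:bb TKIP Michael MIC failure
EOF
}

# Usage: mic_failure_alerts WINDOW_SECONDS THRESHOLD < logfile
# Prints one "ALERT <mac> <n> failures within <window>s" line per station,
# the first time its failure count inside the trailing window reaches THRESHOLD.
mic_failure_alerts() {
  awk -v win="$1" -v thr="$2" '
    /Michael MIC failure/ {
      sta = $5
      n[sta]++
      t[sta, n[sta]] = $1
      # walk back over earlier failures of this station while they fall in the window
      c = 0
      for (i = n[sta]; i >= 1 && $1 - t[sta, i] <= win; i--) c++
      if (c >= thr && !alerted[sta]) {
        alerted[sta] = 1
        printf "ALERT %s %d failures within %ds\n", sta, c, win
      }
    }'
}

# Two failures within 60 s is the 802.11i TKIP countermeasure trigger, so it
# is a natural first threshold; a single failure can be a genuine link error.
sample_ap_log | mic_failure_alerts 60 2
```

On the sample data only the first station fires (two failures 40 seconds apart); the second station's failures are 800 seconds apart and stay below the threshold unless the window is widened.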



New Adobe Reader Vulnerability - [PaulDotCom] - This one is interesting for a few reasons. First, this vulnerability was disclosed to Adobe back in May 2008 and they have been doing the dance with Core since. Second, sending PDFs is still very much a valid attack vector that seems to bypass most network perimeter defenses (and end users are so willing to click on PDFs, and client software is very accommodating to open PDF documents). Third, this was based on research from a previous vulnerability in FoxIT, so the bad guys could very easily do what Core Labs has published and have been exploiting this in the wild. It only affects Adobe Version 8, not 9, but who the heck upgrades? Folks, you HAVE to keep your client software up-to-date; it's just as important as patching remotes in your Windows boxes in my oh so humble opinion.

New BotHunter - [Larry] - BotHunter is an application that sniffs networks for botnet-related traffic (as determined by signatures from the project). Part of the issue with the project before was that there was no update mechanism for the signatures. Sure, this is likely something that you could do with Snort. Check out the Ubuntu-based ISO for quick deployment in incident response and remediation scenarios, or just to try it out.

Linux Kernel Remote Overflow via ndiswrapper - [PaulDotCom] The discussion by the Gentoo team is kinda funny: "Note that the Ubuntu advisory [1] talks about "arbitrary code [execution] with root privileges", so maybe we need to reclassify this." My guess is that ndiswrapper would give you the same level of privs (ring 0) as exploiting a wireless driver, so it's even beyond root privs. ndiswrapper is just awful, but the only option for some wireless cards. My recommendation is, if you can, use a different, natively supported, wireless adapter. In some laptops (I used to have a Dell that had this) you could take out the mini-PCI card and put a new one in. This is the best option, as you can put in an Atheros 802.11a/b/g/n card and use madwifi, not that madwifi is all that more stable sometimes :)

PDF Fuzzing - [Larry] - WhooHoo! Buzzwords! No, seriously, in doing research for my metadata paper I came across a whole bunch of neat tools. I kept thinking about how I, as an analyst, could get compromised while doing the research (see EXIF blog post), and now have the same concerns about PDFs. Neat tool for fuzzing all of the different portions of PDF creation, and how each tool handles them... The author also has a whole bunch of other fuzzing tools!

Felon Spy - LOLZ - [PaulDotCom] - So one of my family members received this site while I was at their house. It was fun for like a minute, then we all realized it was a hoax. A few commands later (it was an OS X system) and I uncovered the real reason behind the site. The felon spy site is owned by Frank from GA, and Frank's address leads back to USCSFF, an organization that has since been taken down (At least its web sites) that promotes dog fighting. All that in just one little whois command and a Google search :) Educate your family and friends not to fall for this crap...

Barcode insecurity - [Larry] - I've talked about Barcodes being used as the only barrier to security in the past, so not a lot to re-hash here. The big thing is that barcodes are easily reproducible by an average consumer. Stores use these as a single factor method of security for item checkout. This individual admitted to forging barcodes and checking stuff out at a cheaper price - stealing 1 million in products.

View Private Photos on MySpace, Again - [PaulDotCom] - It's being reported that there is in fact a whole new way to do this on MySpace, w00t. Nothing you post online is private, we all know that; too bad it's not too easy to get everyone else to understand that. I've personally seen pictures of people face down in the bathroom, now is that someone that I want to hire as a PaulDotCom intern? Okay, bad example...

WebSlayer! - [Larry] - Based on the command-line wfuzz as an engine, this new OWASP project looks to be a great URL/parameter fuzzer. The GUI has all sorts of new features.

Bypassing TSA - [PaulDotCom] - It's one thing if you deliberately want to bypass TSA filtering of things like knives, but I hear stories such as this all the time. You don't mean to, but that 12" hunting knife was in your bag from your elk hunting trip and you forgot about it. No worries, TSA doesn't seem to care. BUT, bring 10oz of shampoo and you are detained with a cavity search for you and everyone traveling with you. Great, I guess there will always be a certain amount of attacks that slip through the perimeter, so what protections do we have on the plane? Oh, that's right, a couple of flights have an air marshal who is sleeping in the back ready to strike like a ninja at the first sign of trouble. I feel so much better now...

Secure your keys! - [Larry] - No, not your encryption keys, the physical ones! These researchers have devised a reliable way to automatically duplicate keys from high-resolution photographs taken from up to 195 feet away, and even ones closer up with cellphone pictures. Want to steal a car? Take a picture of the valet key box. RFID keys you say? I was able to confirm with a friend (who is a repo man) locally that you can even override that with a certain set of actions in the car. The researchers will not be releasing the software, but did state that anyone with a little MatLab foo should be able to recreate their work.

PHP Backdoor Goodness - [PaulDotCom] - This is a really powerful PHP backdoor with a whole host of features. This is the Back Orifice of the 21st century :) I've seen it on many systems during incident response; it's nice, high five!

Stupid Phishers, stupid people - [Larry] - Thanks Ben! In a recent phishing education session at Auburn University at Montgomery, the CIO sent an e-mail to all students with an example of a username and password phish attempt, with a warning about how to handle it and so forth. He had to send another message, because some students fell for the example phish and sent the CIO their usernames and passwords... A pen tester's dream!

Other Stories Of Interest

Hack your motion sensor - [PaulDotCom] - Something for you to think about from last week :)

Insecure Mag 18 is out