Episode131

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Welcome to Security Weekly, Episode 130 for November 13th, 2008. A show for security professionals, by security professionals.

Episode Media

mp3

Interview and Special Guest: Josh Wright

We asked these questions last time:

  • How did you get started in Security?
  • How did you get started in Wireless research?

These are new:

  • Tell us all about the new WPA/TKIP issue.
  • If this new WPA/TKIP issue is jsut the beginning, what do you see as the future?
  • From a mailing list? question. Sniffing wireless for control and management frames AND in promiscuous mode. What are the differences, waht are the ussues, and how can we do both? your recommended hardware, software, and drivers for this example.
  • We have our recommendations for wireless gear, but what is your favorite? A, B, G, N? Bluetooth? Injection? Antennas? Other neat stuff (Zigbee, USRP...)?

Tech Segment: EXIFtool, It's not just for JPEGs any more!

In the past we've talked about a number of tools for document metadata gathering and how we can use them for gathering good information.

I've talked about EXIFtool for examining and deleting metadata from JPEGs. This was helpful for some info, but only on images.

I've covered Metagoofil, where we use it to download all sorts of common data and word processing type documents and analyze them for interesting information. Unfortunatley, Metagoofil only will produce download from the web and process. we have no ability to process from our store on disk.

By accident I discovered that we can get much of the same information by using EXIFtool not on JPEGs, but on Word, Excel and PowerPoint documents! EXIFtool has the ability to parse metadata as defined by the FlashPix standard, introduced in 1996 developed by Kodak, Hewlett-Packard and Microsoft. Microsoft still uses the format for documents and storing data. We can use EXIFtool to gather usernames from the documents.

We can start down and dirty with getting the information on Office documents. In the directory that contains our supported office documents, we can execute the following commmand:

$ exiftool -r -h -a -u -g1 * >output.html

This will execute EXIFtool to extract all EXIF metadata recursively in the current directory (-r), with all output including duplicates (-a), organizing by EXIF tag category (–g1), for all files, with HTML friendly formatting (-h), into a file named output.html in the current directory (>output.html). With this we get a handy little report HTML report!

But, we may only want just the info on usernames/authors. We can trim the output information down to jsut the appropriate data elements:

exiftool -r -a -u -Author -LastSavedBy * >users.txt

We've removed the HTML and sorting options, as they will only serve to make any additional processing difficult. I've also only grabbed the Author and LastSavedBy tags, as these are the most common places for usernames. Now we can take our users.txt, and remove all of the extra information with some unix text processing:

strings users.txt | cut -d":" -f2 | grep -v "\=" | grep -v "\image files read" | tr '[:space:]' '\n' | sort | uniq  >cleanusers.txt

Now All we are left with is a list of potential user names one per line. This will introduce some need for a manual culling, as sometimes the author is listed as "Firstname Lastname", and they get kept as each name individually.

Stories For Discussion

Sniffing Serial - [Paul] - mmmmm, smells like captain crunch? Wait a minute, isn't he an old smelly hacker? In any case "spuerman" has posed the following question:

"We have a certain type of windows machine that has a serial input device which is claimed and managed from a specific application. The application claims the device on boot-up, and doesn't let go of it until it shuts down. What I need to show is that an attacker who gained administrator access to the box would be able to either a)intercept the serial communications and thus the data, or b)grab the data from memory as it's being processed."

Thoughts? My thinking is that if you can pwn the box, you can grab the keystrokes. Taking snapshots of memory is only going to provide snapshots of what is happening. One solution would be to develop a custom payload extention to Metasploit/CANVAS/Core IMPACT that just dumps everything going through the serial port, but you would have to know what format the data is in to read it (if its just ASCII its easy). This should be an easy Ruby/Python script.

Automated Web App Testing Limitations - [Paul] - This is a great little article that talks about some of these limitations, specifically privilege escalation, authentication weaknesses, weakness in “token generation”, to a lesser extent SQL injection. An automated tool helps automate some tasks, and I agree with the assessment of about 30% savings. This means for a thorough web application test to occur, you can expect to spend 70% of it doing manual testing with a web app proxy and web browser.

Intellectual Property and Common Sense - [Paul] - Great post from Richard on economics and security...

Pwn3d In Prison (Not what you think) - [Paul] - This is a complete nightmare, inmates broke into the central database at a corrections facility and distributed personal information (Name, address, SSN) of the employees (i.e. guards) at the prison. I can't stress enough how important it is to separate your systems, both on the network and applications side. In the case of a prison, all systems that inmates touch should be on a physically separate network. Don't read this the wrong way, but in University networks the trend has been more towards separation.

SecurityCerts.org - [Paul] - Ted! He's our man! He drinks beer, has meetings in pubs, and has a new site where he will be studying and reviewing security certifications. So check it out and send him some feedback.

Metasploit 3.2 Released! - [Paul] - For certain you will see more information and tutorials about the goodness included in this release. Everything from web application testing, token passing to gain domain admin credentials, anti-virus evasion, METASM integration (Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.) which should make developing payloads for different architectures much easier. browser_autopwn sounds super sexy, as does reducing the DLL injection footprint with Reflective DLL injection, a technique just released on OCt 31, 2008, that states The main advantage of the library loading itself is that it is not registered in any way with the host system and as a result is largely undetectable at both a system and process level. Sounds like I will be testing that for the upcoming ICE games :)

One More Metasploit Thing I Am HUGELY Excited About - [Paul] - This is something that has been on my list for a while now. When I deploy a payload to a host, I want to just script, via an inline interpreter, a whole bunch of information gathering techniques. Well, thanks to HD we have just that (scraper.rb). That ruby script does things like dump registry all keys (wish it could be selective), run netstat -an/-rn, net use, net share, etc... This is great for internal penetration tests where you have found a common vulnerability and/or obtained administrator credentials. Now, if we could only write a ruby module that would go through the "My Documents" folder and find all of the sensative information we'd be golden...

Someone fell hard...and long - [Larry] - A woman falls for a 419 scammer, because they were convincing - using an accurate name of a relative. But, she didn't get scammed for $100 that she started with, she got nailed for a mortgage, car loan, and her husband's retirement account to the tune of $400,000. So, how does this happen? I'd definitely argue that user education would help in this situation. I think a robust safe computing program, that is simple enough for the average staffer to understand would work well. Although, some cases are extreme and some people just don't get it and never will.. Something about leading a horse to water.... Or an ounce of prevention being worth a pound of something.

Security training - [Larry] - I like some of Lenny's takes on security training, and some tools. Make it short. Make it sweet. Bring it home for the users.

Phone or WLAN DoS tool? - [Larry] - Josh, I want some of your input on this one. MIC failures can turn into a DoS situation real quick, so Cisco has an issue they don't know how to fix so they tell you to ignore MIC failures.

Sendmail Long Header DoS - [Larry] - Hrm. Not a lot of details, but from the title is seems that an improperly formatted mail header causes a DoS condition in Sendmail on tons of versions and platforms. I'm also surprised on the lack of information in the release, as it was originally published in August of 2006 - almost 2 years ago, but recently had an update.

Erasing your digital past - [Larry] - Don;t like that old blog comment? Something indexed by Google coming back to haunt you on a job interview? These companies can help. Now for the less tech savvy, they may be inexpensive, but for the tech savvy, and those with some time, much of this can be accomplished on your own. Unfortunately, in most cases the internet is like a tube of toothpaste - once squeezed, it is almost impossible to un-squeeze. I found this a lot with some of my metadata research. how do you go about getting some if this stuff removed?

MS Communicator DoS - [Larry] - 3 separate DoS conditions, but one of them was my favorite because it is so 1995. Send a whole ton of emoticons, and it creates the DoS. Emoticons. Yeah, I tested it, and it does do a DoS on both ends, but more so on the Originator than the recipient.

Other Stories Of Interest

SECURITY FAIL