- 1 Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- 2 Sponsors
- 3 Announcements, Shameless Plugs & a Note from a listener
- 4 Episode Media
- 5 Tech Segment: WMIC rocks my world!
- 6 Stories For Discussion
- 7 Other Stories of Interest
Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements, Shameless Plugs & a Note from a listener
Welcome to Security Weekly, Episode 141, recorded Saturday February 21st, 2009
- Security Weekly SANS Click-Through - Go there, register for convenient and informative training! Go now or we park the Shmoobus at your front door!
- SANS Orlando, podcast, Metadata presentation and WIDS workshop.
- 20% Off the Metasploit class via SANS@ Home!!!!
- Register for SANS Security 560: Network Penetration Testing and Ethical Hacking
- SANS Saskatechewan - Larry is teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009. Come warm up his Shmooball cannon!
You can find out about all of our events at http://securityweekly.com/events/
- Don't forget LBCAV on February 25th 2:00PM EST with Larry Pesce
- From one of our valued listeners (Thank you for the encouragement!):
"Hey I just wanted to say thanks for an awesome podcast. I just recently discovered Security Weekly and immediately downloaded all the previous episodes and have been going through them. Im about halfway through 2006 so I still have lots to catch up on but I cant get enough. Just wanted to say thanks and keep up the great work!"
Tech Segment: WMIC rocks my world!
By Mick Douglas
How I Learned to Stop Worrying and Love Windows. Sure, you have seen Ed Skoudis's WMIC insanity... But how much further can it go?
What is it?
WMIC is a command line interface to WMI -- Windows Management Instrumentation. It's an API which allows low level access to a wide variety of information about systems (both hardware and software). The really neat thing about WMIC is that it allows you to poll info about a system *without* having to write scripts or applications! Best of all, it comes with the OS, so you don't have to buy anything else!
Why I love WMIC
I work at a fairly large not-for-profit. Our budget for automation and discovery tools is so low that during our yearly funding discussions, I look up to see the bellies of snakes. (Finance committee, I'm just kidding. I still love you guys. Please look kindly on my department's future requests.) WMIC provides a very low cost -- only labor -- method of rapidly pulling needed info from our Windows servers. I've been using WMIC now for a little over a year, and I am continually struck by just how all encompassing WMI is and how much work using WMIC saves us. Also I'd be remiss if I didn't mention that WMIC is the perfect enabler for my incessant curiosity.
Secrets? Cover ups? Conspiracies?
Microsoft did something right with WMIC, but kept it really secret. Conspiracy theorists may gossip about the "true reason" it's not being more actively promoted, I believe the reason is fairly benign. My guess/hope is that it's still a work in progress. While WMIC is very powerful, it also is barely documented, the syntax isn't always consistent, several of the functions overlap, and some don't work in a way that makes much sense to mere mortals. I can only hope that WMIC gets the care and attention it so richly deserves. (warning: me liking a particular bit of technology is a great way to jinx it. Please refer to Amega, OS/2 Warp, BeOS, and NextStep for some examples of what happens when I like something.)
Is WMIC right for me?
A final note before I you give the sample commands: you need to understand and accept this isn't for everyone. Regardless of what the naysayers will (nay)say about Microsoft, one thing they did a great job on was selling the idea of computing made "easy". WMIC isn't rocket science, yet it is a sharp turn away from your GUIs & MMCs. If you've only had limited exposure the command line, and it makes you queasy, just relax and breathe deeply. The extreme lack of documentation about WMIC means you're going to be banging your head into a wall at times. Don't worry about this... you're taking the road less traveled. In a way it's a perfect excuse to lighten-up -- remember we're all fumbling in this together! And now here's some sample commands and scenarios where they might be helpful. Happy hacking!
WMIC can work against three types of targets. Local, a single system, or multiple systems. Assuming you want to determine what services are on systems, here's how you run WMIC against each target type:
wmic service get name
Single remote target (you should use the quotes around the machine name -- WMIC and cmd.exe can exhibit odd behavior if you have dashes in the computer name):
wmic /node:"machine-FQDN" service get name
Multiple remote targets (again, please use the quotes around the target file name. Also your target file should be flat text and contain one machine name per line.)
wmic /node:"@server-targets.txt" service get name
You can also have WMIC automatically run a command repeatedly. This is *excellent* if you need to catch someone "in the act". Say you need to catch someone inserting a USB thumb drive. Here's one way to do that.
wmic diskdrive get interfacetype /every:30
Here's some sample commands that I use fairly often. What nics does this system have? good use: Did someone install VMWare workstation? (assuming that's against policy) evil use: does this system have multiple NICs? Can I bridge two networks?
wmic nic get name
What is your IP address and MAC? I believe this is neutral.
wmic nicconfig get ipaddress,macaddress
When did this system last boot? good use: are they rebooting daily per policy (so they can get patches and have the logon scripts run?) evil use: Is this a neglected system? If it's not been rebooted in over a month, it's probably not getting patches.
wmic nic get timeoflastreset
wmic os get lastbootuptime
Find systems with usb thumb drives good use: check to see who's using USB media (I'm a bit stumped how this can be used for evil.)
wmic diskdrive get interfacetype
Find disks that are of a certain size good use: see who needs an upgrade evil use: where can I stash my WaR3z?
wmic logicaldisk get description,filesystem,name,size
wmic logicaldisk get description,name,freespace,size
wmic volume get label,freespace,filesystem,capacity,driveletter
Who am i? good use: verify you're using the account you think you're using! evil use: my 'sploit just gave me a cmd.exe shell. What level of access do I have now?
wmic computersystem get username
What clock speed and how many cores? good use: See who needs an upgrade evil use: will this be a good system to run John the Ripper on?
wmic cpu get maxclockspeed
Who has logged onto this system & when? good use: audit account activity on sensitive systems. evil use: audit account activity
wmic netlogin get name,lastlogon
Are people brute forcing accounts? good use: check to see what guessing attempts are happening evil use: ensure you stay below the account lockout threshold
wmic netlogin get name,badpasswordcount
Are the screensavers password protected? What is the timeout? good use: see that all systems are complying with policy evil use: find systems to walk up and use (assuming physical access is an option)
wmic desktop get screensaversecure,screensavertimeout
Find what logon methods are supported on your domain good use: you better not see NTLM listed in here!! evil use: you're hoping to see NTLM used!
wmic logon get authenticationpackage
What services are running on network services good use: see what services are available to the network evil use: now that you're past the firewall, what *really* is running on this box?
wmic netclient get name
What shares are they connected to? good use: ensure users have access to the standard shares they are supposed to evil use: find systems that are connected to sensitive shares.
wmic netuse get name,username,connectiontype,localname
What shares are they sharing? good use: ensure users haven't "over shared" their system evil use: find systems where they are sharing too much or where they are sharing sensitive info
wmic share get name,path
Where are the event logs? good use: ensure all event logs are set and available evil use: has the blue team hidden the event logs? Find them!
wmic nteventlog get path,filename,writeable
What os am i dealing with? good use: inventory management or who needs an upgrade evil use: where are the softer targets?
wmic os get name,servicepackmajorversion
What services are running? good use: ensure security services like AV are running evil use: find systems where vulnerable services are running
wmic service get name,startmode,state,status
What software is installed and what version is it? good use: look for vulnerable software
wmic product get name,version
It is beginning to look like we could script this and generate a quick vulnerability assessment scanner using built in Windows commands..... Hummm... How many IDS alerts would that generate?
Additional WMIC resources
WMIC - Take Command-line Control over WMI - Microsoft Technet article about WMIC
List of WMIC Aliases - from ss64.com
Stories For Discussion
1) Twitter, Google and HotSpots! Oh my! - PSW - Bruce Schneier argues that following the latest logic, boats and cars should be banned too.
2) Facebook privacy tips - PSW - Some tips on Facebook privacy settings.
3) Monster.com hacked - PSW - Monster database owned.
4) Moxie Marlinspike's Black Hat 2009 Presentation: New Techniques for Defeating SSL in Practice PDF slides - PSW - Black Hat Presentation on HTTP MITM
5) FAA Hacked!! - John - IT seems like there has been a lot of different organizations getting nailed lately. This one makes me wonder if the attackers were watching 24...
6) Osixtyone, a nice SNMP Scanner - John - This scanner takes a different approach to SNMP scanning. It sends a large number of different SNMP requests and waits for any responses.
7) Automated scanning with Yaptest - John - I would like to keep the discussion of automation in pentests alive. This is a framework that runs commonly used tools automagicly and stores the results in an easy to use front end. While I like the fact that it is a nice way to store and view results, I am less excited about the automagic part. One of the tools it runs is Nikto. Nikto can be one of the coolest tools in your arsenal or it can suck hard. It has a lot to do with the level of customization that you do to your scan. Personally, I think that it is time to create a tool like yaptest that simply takes the results of commonly used tools and loads it into a database. Think Metasploit's DB feature, but on crack and ice cream. "Sweet! And Addicting!"
8) Backtrack 4 To The Rescue! (Paul's Blog Post on BT4) - [Paul] - Picture bikini clad ladies running down the beach, carrying copies of BT4 to save your life!
The BT team is awesome. Within 20 mins of the blog post ...
[2009-02-21 20:22] <jabra> I will make sure we add voiphopper
9) Air Force Blocks Internet Access - [Paul] - Wow, think about how much threat you can reduce by blocking Internet access. Think of all the thousands, if not millions, of dollars spent on trying to secure your connection to th eINternet. Now, don't go thinking you can walk into work on MOnday and unplug the INternet cable. Richard B. tells us we must remember to monitor the Internet so that we have proof bad things are happening, it cannot interfere with business operations so much that the business cannot function, you have to have a way to block it, and you must communicate your message to block it to all effected parties.
10) Major Malfunction - Sniffing Satalite TV - [Paul] - This is really cool stuff and while may not pose a direct threat to your network, it shows that anything in the airwaves is hackable with the appropriate amount of time and effort. Hardware has evolved, and open source hardware projects (like GNURadio) have opened up the possibilities for hackers, blackhat and whitehat alike. So, the next time you are evaluating the risk of that "proprietary" radio signal thats linking your two buildings and transmitting sensative information, pretend someone is listening and encrypt on top of it.
AND I DON'T MEAN XOR!!!! (Similar to the way we use Jabber then use OTR on top of it).
11) Flast Flux - Its okay to finish really fast - [Paul] - I noticed this was included with Backtrack 4 and have seen some buzz. I've also seen another tool called "Metascanner". Automation is cool, but be careful its usually noisy, may miss many of the good vulnerabilities, and can crash things pretty quickly.
Example: A default username and password on the web interface that provides your remote access (Like HP Insight manger), and when you login the administrator left root logged in on the console.
12) RFID Cloning - [Paul] - RFID is bad, I was reading a wired article and it talked about all sorts of uses for RFID that will be popular, like access to theme parks, nightclubs, animal tracking, etc... It is my assessment that there is little security surrounding RFID, and even attacks such DoS are effective (think about a system that tracks packages and then a DoS is used in conjuction with stealing goods). This video is an example of just how inseucure RFID can be, and how tools for breaking it will evolve, just as they did for 802.11.
13) Security For Cisco Linksys Routers? - [Paul] - The HND software sports safe web surfing capabilities, parental controls, antivirus capabilities, and user-activity reporting to help detect and neutralise web threats such as online fraud, scams and viruses before they enter the home network. So, how does this prevent the firmware, default passwords, and insecure protocols found on the devices themselves? Let me tell you how useless A/V is, we bypassed a major A/V vendor's product with UPX, and we didn't even modify the binary after the fact. Also, its an interest statistic just how many people actually notice when you try to bypass A/V and fail, with so many viruses, you are often just another threat in the noise.
14) New PLA Radio! [Paul] - *warning* NSFW - While NSFW, this is a good example of how "sex sells". Think of all of the SPAM that uses sex to sell it, frightening how successful most of these are most likely. This episode of PLA goes back to the 90s, when the jerky boys were popular. Now, I remember getting a real big kick out of the jerky boys and prank calling. "Bob" may have even done some prank calling in his day. However, all this really is: social enginnering at its finest. And you will be amazed how easy it was to convince male victims that they had just won 10 minutes of free phone sex, only to have a not-so-happy ending. Social engineering will be successful 99% of the time and continues to be very hard to protect against, no pun intended.
16) Confiker evolves - [Larry] - Sure while all of the malware does evolve over time, I think that one method that it uses to "evolve" is neat. Instead of using a predefined list of where to download instructions/code from, it utilizes an algorithm for determining the domain names to get the code from. Most of the domains are not registered, so they are harder to track.
17) MS09-002 Sneaky-ness - [Larry] - Deliver the attack in a Word doc? But that's not IE? As we have talked about in the Word 2007 metadata stuff, those documents are jsut XML, which word 2007 will render nicely, including grabbing bits from base64 encoded urls, that are rendered with the IE engine. This is why it is important to update all of the OS components, even if you don't use them...
18) SSL Strip - [Larry] - Breaking SSL is all the rage. Nothing like inserting a proxy that does the SSL interception, and redirects to a http session. Complete with lock favicon...
19) Enabling Windows RDP and Telnet from the command line - [Larry] - Nuff said. I'll say more anyways. Sometimes you find yourself on a machine, and need gui access. Yes, wmic totally rocks, but what if you want to prove that you can 0wn the phone system, turn up the heat, or manage the network with a tool on the compromised workstation. Yes, the tool you wan to use is only gui...
Other Stories of Interest
penetrationtests.com/ - Cool