Episode146

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!


Announcements & Shameless Plugs

Security Weekly - Episode 146 - March 26, 2008

IMPORTANT - For those who wish to listen to older episodes via iTunes and other RSS feed readers you may need to delete the feed and re-add it. We recently changed servers for our archives which can be found at http://archives.securityweekly.com. Again, this is important as the current hosting services will NOT extend past March of 2009.

  • Training event in Southern N. E.! SANS@Home - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM discounted (10%) class

Episode Media

mp3: http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-episode146.mp3

Special Guests: Hal Pomeranz & Ed Skoudis

Hal is an independent IT consultant with almost 20 years of experience in Unix systems, networking, and computer security.

Ed Skoudis is a founder and Senior Security Consultant with InGuardians as well as a SANS instructor.

Counter Hack... Reloaded - Ed's book, we all know Ed!

Deer Run Associates - Hal's Site

Hal Pomeranz is the founder and technical lead of Deer Run Associates, and has been active in the system and network management/security field for over twenty years. He is a member of the faculty of the SANS Institute and the primary instructor for the SANS/GIAC Unix Security Certification track (GCUX). Prior to founding Deer Run Associates, Hal held network and systems management positions at several organizations, including AT&T Bell Labs, NASA Ames Research Center, and the University of Pennsylvania. He has written or co-written dozens of technical articles and several books, including Solaris Security: Step-by-Step, the de facto standard guide for "hardening" the Solaris Operating System, and SANS Security Essentials.

  • How did the idea for CLKF start?
  • Why did we want to create a blog for this content? What are the motivations?
  • Why are we all so fascinated with the command line? I mean, we have a mouse and we can click stuff now, right?
  • What makes this blog different from the other resources on command line Kung Fu?
  • What specific operating systems are you targeting?
  • Why should people love the command line?
  • Vi or Emacs?
  • What is better, in your opinion, Bash or the Windows command line?
  • Do you cover Perl or Windows PowerShell?
  • How can people contribute to the CLKF blog?
  • What kind of posts do you have in the works?
  • Who is the best looking contributor to CLKF blog?
  • Is the content geared towards security folk? Let me ask another way, how can security professionals benefit from this site?
  • Can Hal really replace someone with a shell script?

Tech Segment: Feeding the "WMIC /node" monster

Summary

With this one script, you can be on your way to WMIC enterprise-y goodness!

Details

Have you tried to use WMIC on multiple hosts at once only to be stymied by arcane and cryptic error messages from the demon known as the "node" switch? Does it feel as effective as trying to knock down a brick wall with your head? Yeah! We have too, and man does it suck... but we have great news for you! Mick has knocked down the wall for you! (and boy does his head *hurt*) He's made a handy helper batch command so you don't have to sit scared and lonely at the forbidding wmic /node switch.

The Code

Copy the following into a batch file:

@ECHO OFF
:::::
:: 1_aib.bat -- by Mick Douglas
::
:: Audit in Batch!
::
:: Thanks to Ed Skoudis for revealing WMIC to me via SANS 504
:: Thanks John Strand & the rest of the Security Weekly crew for the help & support
::
:: Purpose:
:: this series of batch files is meant to allow pen testers to quickly audit windows domains
:: via the command line tool wmic and other cli tools.
::
:: ** Warning ** If you break any laws while using this tool, it's all *your* fault.
:::::

:: version 0.01
:: date 20090326

:: first we need to gather up all the members in the domain
:: (net view prints the browse list for the domain, one \\HOSTNAME per line,
::  with a header, a dashed separator and a "command completed" trailer)
echo gathering domain nodes...
net view > domain_manifest.txt
echo Done!

:: now we have to take this data and make it valid "WMIC /node" format.
:: cmd has no awk, so we print the one-liner for the user to run elsewhere;
:: the double quotes keep cmd from treating | and > as a pipe and a redirect.

echo .  .
echo  -
echo \__/

echo Now scrub domain_manifest.txt on your system -- like so!
echo ---
echo "cat domain_manifest.txt | awk '{sub(/\\\\/,""); print $1}' > targets.txt"
echo ---
echo note:
echo You might need to do the above on a *nix system!!
echo if so, no worries.  Copy the domain_manifest.txt to your *nix box
echo and then just re-enter the cat and awk command string from above

:: that's all there is... for now (cue scary music)
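The scrub step the batch file asks you to run by hand, written out as an added shell example (this is not Mick's script and not part of the show notes): it takes a constructed sample of `net view` output, keeps only the `\\HOSTNAME` lines (so the header, dashed separator and "command completed" trailer that the one-line awk above would pass through are dropped), strips the leading `\\` and any trailing remark, and joins the hostnames into the quoted, comma-separated list that `wmic /node:` accepts. The hostnames in the sample are made up.

```shell
#!/bin/sh
# Added example, not the show's batch file: turn saved `net view` output into
# a target list and a "WMIC /node" argument.

# Constructed sample of what `net view` writes to domain_manifest.txt
# (hostnames are invented). Real files from Windows carry CRLF line endings.
SAMPLE_MANIFEST='Server Name            Remark

-------------------------------------------------------------------------------
\\FILESRV01             File server
\\WKS-ALICE
\\WKS-BOB               Workstation for Bob
The command completed successfully.
'

# stdin: raw net view output; stdout: one bare hostname per line.
# Only lines beginning with \\ are machine entries; everything else is
# the header, the separator or the trailer. tr strips the Windows CR.
manifest_to_targets() {
    tr -d '\r' | awk '/^\\\\/ { sub(/^\\\\/, ""); print $1 }'
}

# stdin: one hostname per line; stdout: "HOST1","HOST2",... on one line,
# which is the form wmic expects directly after /node:
targets_to_node_arg() {
    awk 'NF { printf "%s\"%s\"", (n++ ? "," : ""), $1 } END { printf "\n" }'
}

# Demo run on the constructed sample.
printf '%s' "$SAMPLE_MANIFEST" | manifest_to_targets
printf '%s' "$SAMPLE_MANIFEST" | manifest_to_targets | targets_to_node_arg
```

On the *nix box, `manifest_to_targets < domain_manifest.txt > targets.txt` produces the file the batch script describes, and the second function's output can be pasted after `wmic /node:` (for example `wmic /node:"FILESRV01","WKS-ALICE" os get caption`); wmic can also read the hostnames from the file itself with `/node:@targets.txt`.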

Stories For Discussion

1) http://ethackal.com/news/msfhell-and-screencap/ - [Paul] - Meterpreter screencap, works awesome, don't forget to edit the Ruby code to adjust the length of the video, default is 5 seconds. Requires a small windows screencap program, which works just awesome! Props to Ethackal for putting this together, you rock! I would actually use this on penetration tests, because this one time, on a pen test, at band camp, I deployed VNC and saw someone configuring the phone system. Now, if a picture speaks a thousand words, a video speaks millions!

2) Router Botnet - I won't say that I told.... - [Paul] - you so! The router is a nice platform for a botnet or evilness in general. No interactive user, nice Linux kernel to build upon, generally ignored when it comes to security, I could go on! The challenges are actually finding a common platform, but if you are good with an xcompiler you can find enough commonality. Also, for a botnet, I've seen bots implemented in languages like Perl. The astonishing thing is that when a machine was compromised behind a very large expensive firewall, it was brought down by a UDP port scanning Perl script.

3) In your networkz, taking over your power gridz - [Paul] - Taking over power grids is scary (almost as cool as when they blow up in The Matrix).

4) Give your computer the finger - [Paul] - This is great, a man lost his finger in a motorcycle accident. He is a computer programmer, so he decided to re-construct his finger with a USB thumb drive. How handy! Okay, who is going to chop off their finger so we can do this on pen test?

5) Detecting Base64 Encoded Requests - [Paul] - Turns out detection of apps using this is pretty easy. It can be done with Snort, or really any other monitoring system. Blah, blah, we talked about this in previous episodes. However, I wrote a script for a Nessus audit file to find this configuration in your Apache. In short, use Digest mode authentication! (in Apache generate the password file with "htdigest" and use AuthType Digest in your Apache conf, if you must).
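Both halves of story 5 as an added shell example (this is not from the show notes, the Nessus audit file mentioned, or Snort): a small awk rule that flags requests carrying an `Authorization: Basic` header in a constructed capture, the same thing a content-match IDS rule does, and the Apache snippet that moves a location to `AuthType Digest`. The hostnames, realm, file path and the `bob:hunter2` credential behind the base64 are all made up.

```shell
#!/bin/sh
# Added example: flag HTTP Basic auth in captured request headers and print
# the Apache Digest configuration that replaces it.

# Constructed capture of two requests (header lines only). "Ym9iOmh1bnRlcjI="
# is base64 of the made-up credential bob:hunter2; base64 is an encoding,
# not encryption, so any proxy or packet capture that sees this line has
# the password. The Digest header carries only a hash of the credential.
SAMPLE_HEADERS='GET /admin HTTP/1.1
Host: intranet.example
Authorization: Basic Ym9iOmh1bnRlcjI=
GET /wiki HTTP/1.1
Host: intranet.example
Authorization: Digest username="bob", realm="intranet", nonce="abc", uri="/wiki", response="d41d8cd98f00b204e9800998ecf8427e"
'

# stdin: request headers; stdout: one "BASIC-AUTH <method> <path>" line per
# request whose Authorization header uses the Basic scheme.
flag_basic_auth() {
    awk '/^(GET|POST|PUT|DELETE|HEAD) / { req = $1 " " $2 }
         /^Authorization: Basic / { print "BASIC-AUTH " req }'
}

# stdin: request headers; stdout: number of Basic auth headers seen.
count_basic_auth() {
    grep -c '^Authorization: Basic '
}

# Prints the Apache config for the fix. The path and realm are placeholders;
# the user file is created once with:  htdigest -c /etc/apache2/.htdigest intranet bob
digest_auth_config() {
    cat <<'EOF'
<Location /admin>
    AuthType Digest
    AuthName "intranet"
    AuthDigestProvider file
    AuthUserFile /etc/apache2/.htdigest
    Require valid-user
</Location>
EOF
}

# Demo run on the constructed capture.
printf '%s' "$SAMPLE_HEADERS" | flag_basic_auth
digest_auth_config
```

The realm string given to `htdigest` must match `AuthName`, since the Digest hash is computed over user, realm and password; `mod_auth_digest` has to be loaded for `AuthType Digest` to be accepted.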

6) Interceptor - First off, this is a great little project. Robin did excellent work getting all this to run, especially the openvpn config. However, I want to point out:

  • If you're going to try to trick a secretary into plugging this in correctly, your chances of success are slim. Chances are they don't know what an Ethernet cable is, let alone how to plug one in to make this work (even if it looks like a cute Teddy Bear)
  • If your only way to access the device is a WPA encrypted wireless connection, you will be easily detected by a WIDS (even Kismet can identify it).
  • You have to be physically on-site in order to access the device, or at least in wireless range
  • If there are large amounts of network traffic, coupled with a WPA connection and OpenVPN, you will drop packets. There's just not enough RAM on the system.
  • All of your scanning through the remote network must be done using the device as a proxy (see note above). This may also cause performance problems.

This is a lot of work, and a lot of things to consider. Most, unless it's critical to the test, should just let the pen tester plug in to the internal network and do an internal assessment and penetration test.

Other Stories Of Interest