SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 182 - For Thursday January 7th, 2010
- Upcoming webcasts - In January we will be doing two webcasts. Core Security will be sponsoring one, and Cenzic will be sponsoring the other. John Strand and myself will be speaking about client side exploitation for the Core webcast, and tips to be a better web application penetration tester for the Cenzic one. Register TODAY!!! http://pauldotcom.com/2009/12/practical-kung-fu-webcast-seri.html
- Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, starting March 28th. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
- Shmoocon - This will be the next big conference that we will all be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come find us at the booth for all things PaulDotCom including free stickers, and PaulDotCom complete works DVDs!
Bruce Potter: Defense in Depth is dead
Bruce Potter is the chief technologist and a cofounder of Ponte Technologies. Prior to founding Ponte Technologies, Bruce served as a Senior Associate at Booz Allen Hamilton and also has managed network and security operations for Network Solutions. He has coauthored a number of books including ” 802.11 Security” and “Mastering FreeBSD and OpenBSD Security” published through O’Reilly. Bruce is the founder of The Shmoo Group and helps put on the ShmooCon security conference held in Washington, DC.
- How did you get your start in information security?
- What is The Shmoo Group, and how did it get started?
- What made you decide to create the Shmoo Group?
- Defense in Depth is a mantra at PaulDotCom. What's wrong with Defense In Depth?
- In your career, you've dealt with wireless security. What has changed over the years with respects to wireless security?
- Please tell us a fun story about lard!
- Have people given up on wireless security, or are hackers just not using this as a medium for breaches?
- why should we bow to your firewall? Is there STILL an over confidence in perimeter security?
- why should people analyze flow data? Aren't most attacks web-based now anyway?
- What is google-caja ?
- Who is doing the best job at 'Professionalizing' Info-Sec?
- Is Full Disclosure dead?
- Other than Larry n' Mick's talk, what talks are you looking forward to at Shmoocon?
- Which book are you most proud of?
Sneaky web crawling & recon: a tech segment by Mick
TOR & wget FTW! Right off the bat I want to say there are plenty of legit reasons to use TOR. Say you're doing incident response and you need to crawl a site without tipping the bad guys off? If you use normal web scraping/crawling techniques, you're practically shouting that you're aware of what's happened. So use of something like TOR is a *must*. Fortunately doing a sneaky crawl of a site isn't that hard. It's really a three step process; setup, crawl, and finally investigation.
Step one: The Setup Install TOR
Once you have TOR running and working, fire up your favorite crawler. I'm partial to wget. Whatever tool you use has to be proxy aware and configured to use the TOR proxy that you've setup. For wget, all you need to do is setup the proxy.
Step two: The Crawl Gentlemen start your crawlers!
To do this in wget, all you need to do is this:
wget -r -t10 http://site.to.crawl.com/ -o crawl.log
Some notes about wget:
1) Sometimes TOR isn't 100% reliable. You might need to use the "-tX" or "--tries=X" option. Look at the sample command above, it will attempt ten times to download something!
2) The "-r" is very handy because we're trying to recreate any directory structures that exist on the server. Be aware that some dynamic sites or HTTP rewrite engines can cause trouble with "-r"
3) If your URL/URI includes special characters like "&" you need to escape it! So a site with URI arguments like this:
would have to get changed to this:
Step three: Investigation Look at the site locally? Why not look at the original site?
Remember, stealth above all else is the goal here. Also, you can now do searches (grep, perl, or other regex) *much* faster on a local copy!
Before you even look at this data, you need to make a copy for safe keeping.
cp crawl crawl.readonly
And then make it read only for you and your group
chmod -R 440 crawl.readonly
At this point, you can now do all sorts of searches and checks against the data. For some really great ideas, check out regular-expressions.info! They have all sorts of ideas for checking at specific HTML tags (this is a site we just crawled after all!), looking for email addresses, or even finding credit card numbers!
- ByteBucket was kind enough to point out that this method isn't suitable for courtroom evidence. And while neither of us are lawyers, I think he's right. You're not going to be getting "evidence grade" materials by these methods. The payoff though is that you've got a site scrape on the sly!
- TOR isn't fast. Think of it this way, you don't ever get something for nothing. In this case, you're going to be spending time.
- Make sure you have written permission to do a TOR crawl *before* you start! Many companies take a dim view on anonymous web surfing at work. These techniques could land you in HOT water!
- One of the listeners, aricon, pointed out that the "-m" option is nice to use... and it is. But you should read the wget manual to ensure it (and any of the other options) work for you and your crawling needs. Remember wget is extremely flexible. Just as there's no one single way to setup a web site, there's no single one way to do a crawl.
- DarkOperator reminded me about the need to modify user agents. PLEASE DO THIS to ensure you don't give yourself away with an easy user agent string. Set your user agent via this option "--user-agent=foo-browser" (just change foo-browser to what you want to spoof). By the way, pick your agent wisely! I do like DarkOperator's idea to use a known web spider or crawler.
- In the IRC channel I got a bit of flack for going over where the "\" key is. I mess this up all the time and refer to "/" as "lower case question mark" and "\" as "lower case pipe" call me lame or whatever, but I just avoid ambiguity when I can.
- A final caution from Ben|Home, know that TOR will send requests from exit points that are all over the world. This might be a problem if the site maintainers start seeing requests from countries they don't deal with on a regular basis.
How to get into Paul's new Humidor... where are the good smokes kept.
Stories For Discussion
- Body scanners break child porn laws - [Darren] - So when going through security because of my baby sized penis do I get to skip the screening??
- Are the Feds and Banks hiding the truth? - [Darren] - Probably its in their best interest to keep you out of the branches and using online services. So why not out right lie and hide the truth so that you keep using it and help protect profits from not having to have B&M branches and hire humans to work there.
- The GSM crack Practical GSM crypto cracking - [Mick] - 26th CCC lived up to the hype! Your GSM isn't quite as strong as it used to be! Can you hear me now? - [Larry] - GSM A5/1 cracked. Yes, it is illegal. Yes, it is now possible with CUDA, a USRP, and some free software implementations. One can set up their own provider and hack away at that. It has been done, and not there appear to be a number of GSM protocol implementation issues.
- The Schneier Speaks! - [Mick] - Sometimes the "fix" isn't the best thing. Preach on!
- Great Command tips for analyzing apache logs - [PaulDotCom] - These are some great scripts to help analyze your logs. Keep them on hand and when you smell something suspicious break them out. Even better, run them on a cron job and have the results emailed to you.
- Encryption code for DECT mobile phones cracked - [PaulDotCom] - Lets face it, any communications medium that we use today has PISS POOR security. The protocols suck at security, because they are made to work,a nd work easily and cheaply. Security? We've forgetten about it completely. More info: "The action by the encryption expert, Karsten Nohl, aimed to question the effectiveness of the 21-year-old G.S.M. algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of mobile calls worldwide."
- Bejtlich's Best Books of 2009 - [PaulDotCOm] - Richard reads A LOT of books. I bought his best one, a SQL book from Syngress.
- Samy knows where you live - [Larry] - Couple a default password, with XSS, and Google geolocation and now if you have FIOS, we can figure out where you live. Cross Site Scripting on your home router == knowing where you live! - [Mick] - XSS attacks on home routers aren't new, but this angle is. XSS + MAC address = location
- Secure USB? - [Larry] yes, even FIPS approved encryption devices can have vulnerabilities. Of course the key is not to attack the encryption but the implementation. In this case it looks like the random number generation wasn't that random. gotta love in memory patching! One may also consider attacking the device and snooping at the hardware level. Decrypting USB FLash Drives is Easy - [PaulDotCom] - rgraham makes a good point, attackers don't break encryption, they find ways around it. This is so true, unless its LANMAN ;) USB thumbdrive crypto cracked - [Mick] - I'm in your thumbdrive reading your files! Just adding another link - [Darren] - This affects 3 major makers of drives. Verbantim, Kingston, SanDisk. Long story short the same password string is used in all 3 devices to decrypt the data regardless of what your password is... I have to say this is my vote for FOTW.
- Look ma, pr0n - [Larry] - Ahhh, good fun with framechannel enabled Kodak picture frames. Pwning others' digital picture frames - [Mick] - Cool writeup on how to place images of *your* choice on someone else's Kodak EasyShare picture frame. Please don't tell IronGeek about this! o.O All you need to to to view remote content is the mac address and the url. Enumerate MAC addresses, and fun can be had. Looks like they started to address for specific models, such as the kodak, but they started with just filtering on user agent string. Hah, from the Frame channel FAQ:
- Wireless Geo-location Hack- [strandjs] - Nice little XSS in Verizon FiOS Routers... Watch this one it will come back..
- Bypassing AV for a fee - [strandjs] - Wait... I thought PolyPack did this for free. I got to looking around the site and there is some very cool stuff there.
- Peeping Tom Captured on tape - [strandjs] - Added this story because it happened to me. No, I was the victim. Looks like I will be sharing another painful story on-air.
Who can see the pictures in my account? Unless you add pictures to a public or group channel, or share them with your invited friends, you are the only one who will see images in your account. No other FrameChannel user will ever see images you upload or add to your account unless specifically approved by you (such as in the case of a public user generated or group channel, or as a contributor to your friends' accounts).
Other Stories Of Interest
- http://www.cnn.com/2010/POLITICS/01/05/afghanistan.intel.report/ - "The American intelligence community is "ignorant of local economics and landowners, hazy about who the powerbrokers are and how they might be influenced, incurious about the correlations between various development projects and levels of cooperation among villagers, and disengaged from people in the best position to find answers," Maj. Gen. Michael Flynn wrote in a report published Monday." Sounds like they need to do better intelligence gathering, just as we do on a pen test. Understand the culture, people, stakeholders, and you have a much better chance of infiltration.