SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 198 - For Thursday May 6th.
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon and Black Hat Las Vegas!
- Mark Baggett teaches SANS 504 during SANS Raleigh 2010 on June 21st for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling!
- Pen Test Summit! - June 14-15, 2010. The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment thought leaders in the world. This must-see event lets attendees interact directly with industry leaders, discussing tough technical and operational issues to get the most value from penetration testing and vulnerability assessment expenditures.
- Hacker Techniques and Incident Response with Ed Skoudis and John Strand, in your living room via SANS vLive! Pants are optional. IN504 gets you 25% off. http://www.vergenet.net/~conrad/scripts/pants.html
Guest Interview: Matt Jonkman & Will Metcalf
Matt Jonkman is the founder of Emerging Threats, and spent five years in the Army as an Air Traffic Control RADAR and Communications Tech. He currently works for Metaflows under NSF grant funding as well as leading Emerging Threats and the OISF.
Will Metcalf is the QA lead for OISF. He's both breaker and producer of code for the Suricata IDS and has worked on the snort_inline project.
- How is Emerging Threats going?
- What kind of new rules are you coming up with and how do they work?
- What do they emerging threats firewall rules do?
- What is Suricata?
- Most organizations I encounter that run IPS do so in "log only" mode, what can we do to change this? Does Suricata help with this problem and if so how?
- No question that open source IDS and IPS tools are awesome, but there is a lot of maintenance required to run them and keep them updated, what do you recommend people do to ease this maintenance?
- There are many IDS/IPS evasion tactics out there, what can we do to prevent attacks from slipping past the IDS/IPS?
- What do you think of Tipping Points Zero day initiative and their customers receiving IDS updates for 0days?
- What can we do to push vendors to release details about vulnerabilities so that we can write IDS rules?
Tech Segment: Zone Transfers & Embedded Systems
Security FAIL Dot Com update:
One method of finding embedded systems is to brute force the subdomains as described in the following article from GNUCitizen:
They even have a handy tool they created to help you do it! Carlos also maintains the DNS Enum scripts in Metasploit, which also have the capability to do sub-domain brute forcing.
Zone transfers are even better, for example:
# time host -la ourlinksys.com 220.127.116.11 > ourlinksys.com.out real 0m2.564s user 0m0.456s sys 0m0.068s
The "host" command is great for doing zone transfers. And in this case we found a DDNS provider that happens to allow zone transfers from one of its DNS servers. Carlo's tool is better at finding these as you can point it at one domain and it will try to do a zone transfer for that domain from each DNS server listed. As for the results:
# wc -l ourlinksys.com.out 120815 ourlinksys.com.out
Sweet! Here are some easy ways to find all those DDNS providers:
You can put them in a list and do something like these:
for i in `cat ddlist.txt`; do ./msfcli auxiliary/gather/dns_enum DOMAIN=$i E; done ~/msf3/msfcli auxiliary/gather/dns_enum DOMAIN=ourlinksys.com ENUM_AXFER=true ENUM_BRT=false ENUM_RVL=false ENUM_SRV=false
I find that calling Carlos's script in this way is really slow. I've already made the request for Carlos to build in a way to read from a list of domains, which shouldn't be that hard of a feature to implement. Speaking of Carlos's script, here are the options:
msf > use gather/dns_enum msf auxiliary(dns_enum) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- DOMAIN yes The target domain name ENUM_AXFR true yes Initiate a zone Transfer against each NS record ENUM_BRT false yes Brute force subdomains and hostnames via wordlist ENUM_RVL false yes Reverse lookup a range of IP addresses ENUM_SRV true yes Enumerate the most common SRV records ENUM_STD true yes Enumerate standard record types (A,MX,NS,TXT and SOA) ENUM_TLD false yes Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list IPRANGE no The target address range or CIDR identifier NS no Specify the nameserver to use for queries, otherwise use the system DNS STOP_WLDCRD false yes Stops Brute Force Enumeration if wildcard resolution is detected WORDLIST /home/paulda/msf3/data/wordlists/namelist.txt no Wordlist file for domain name brute force.
Credits: Thanks to Mark Baggett for providing me with help on the zone transfer information and DDNS providers!
Stories For Discussion
- Is Barnaby Jack back at it? - [Larry] - Last year after a gagged attempt on revealing flaws in a popular ATM machine, it looks like he's back on for BlackHat this year. Because a year has passed, he's been given another year to research, this time to demonstrate a rootkit, for not one, but two ATMs. Jeff moss is stated as saying "Jack has a living room full of ATMs."
- Silent patches - [Larry] - Core Security Technology reveals that Microsoft released two patches that patch for "secret" vulnerabilities. The information on these vulnerabilities were never disclosed, but were reversible form the patches. So, what do you think about silent patches and the disclosure? Not giving admins the correct information to choose deployment schedule? Providing info to an attacker?
- Chinese Wifinders - [Larry] - Wireless cracking and piggybacking has come to the masses. For about $25, you get a USB wireless card, antenna and an apparently customized Version of Backtrack, that will get you some wifi keys, and set up your windows install to use them.
- Getting phished can happen tot he best of us - [Larry] - It just goes to show that someone who is savvy can get owned. Of course they were able to realize that they had been phished, and what it meant, AND how to address it. How many of our grandmas would know?
- I can stalk you! - [Larry] - Hmm, how about stalking through twitter. This project is intended to raise awareness on inadvertent information sharing through social networks by harnessing teh power or metadata.
- Irongeek on the news! - [Pauldotcom] - "I always feel like somebody's watching me!". Pretty neat stuff, trying to figure out what payload he is using to activate the remote payload to snoop on the webcam. I always thought this was a neat payload.
- http://carnal0wnage.blogspot.com/2010/01/layer-four-traceroute.html Layer 4 Tracerout] - [PaulDotCom] - This is a really neat traceroute program because it finds ways to get around filters to make traceroute work. I find it interesting to see which ISP the target is using and be able to gather the IP address of their upstream router. If you can successfully attack the upstream router, its game over for the target.
- Cisco Router and Security Device Manager XSS - [PaulDotCom] - Anytime you can get an XSS on the software that manages the entire network, SCORE! This XSS attack lives on the SDM, software used to manage Cisco routers and firewalls. Let me make a guess, it yours called "sdm.yourinternaldomain.com"? Could I try to launch an attack against it by sending email? Sure can...
- Hacking ATMS - You do know Jack - [PaulDotCom] - Barnaby Jack does some really awesome research, primariy in embedded systems. This time he's targeting ATMs. His previous employer, Juniper networks, made him pull his talk on ATM security last year because the vendors complained. This year, he's just got a new job at IOActive and will deliver the talk, and talk about two different model ATMs from two different manufacturers and their software vulnerabilities. Jeff Moss is quoted as saying, "Apparently you can make all the money come out". Freaking sweet! And good for Barnaby Jack (BJ for short?) for leaving an doing whats right, rock on man!
- Fake Facebook Login - [Pauldotcom] - USB flash drive on public computer pops up Windows cmd.exe and prompts for Facebook login. Its LOLZY!