Episode202

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."

"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet...."

Shameless Plugs & General Announcements

Security Weekly - Episode 202 - For Thursday July 15, 2010.

  • Click here to register for an exclusive webcast from John & Paul titled For the Last Time: The Internet is Evil. This webcast will help you understand the attacks that are being launched against you and offer some advice to stop them. Can they be stopped? Most likely not, but we'll offer up some ideas to help you deal with it which include redefining your policies, and drinking, heavy, heavy, drinking.
  • It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
  • John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
  • The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome; please see http://cyber-raid.com for more info.

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Command Line Kung-fu Hosts

Ed Skoudis, Hal Pomeranz, Tim Medin

  1. What keeps you going?
  2. Why did you add PowerShell?
  3. Where is Microsoft going with respect to command line management?
  4. Why does UNIX always kick Windows ass?
  5. What is your favorite episode?
  6. Does the IRC channel or Twitter have questions for the Command Line Kung Fu folks?

Tech Segment: Fuzzy HTTP Directories

by Paul Asadoorian
Recently I was attempting to find all of the available directories on a particular web site. I knew it was running Apache Tomcat and wanted to use the exploits in Metasploit for vulnerabilities associated with the admin interface. Problem was, I couldn't find the admin interface, which was annoying. So, I set out to brute force the crap out of it; unfortunately I still came up empty, but I tried a few different tools for brute forcing. I think this one is my favorite. It's command-line based and very fast. It contains a whole bunch of test strings, even ones that look for vulnerabilities, not just directories:

wfuzz

./wfuzz.py -c -z file -f wordlist/general/megabeast.txt --hc 404 --html http://10.10.10.10:8080/FUZZ 2> results

*************************************
* Wfuzz  1.4c - The Web Bruteforcer *
* Coded by:                         *
* Christian Martorella              *
*   - cmartorella@edge-security.com *
* Carlos del ojo                    *
*   - deepbit@gmail.com             *
*************************************

Target: http://10.10.10.10:8080/FUZZ
Payload type: file

Total requests: 45463
==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00024:  C=302      0 L	       0 W	      0 Ch	  "images"
07879:  C=302      0 L	       0 W	      0 Ch	  "charts"
13623:  C=302      0 L	       0 W	      0 Ch	  "download"
19880:  C=302      0 L	       0 W	      0 Ch	  "help"
20802:  C=302      0 L	       0 W	      0 Ch	  "icons"
20927:  C=302      0 L	       0 W	      0 Ch	  "images"

Don't forget to try different word lists!

./wfuzz.py -c -z file -f wordlist/stress/alphanum_case_extra.txt --hc 404 --html http://10.10.10.10:8080/FUZZ 2> results

*************************************
* Wfuzz  1.4c - The Web Bruteforcer *
* Coded by:                         *
* Christian Martorella              *
*   - cmartorella@edge-security.com *
* Carlos del ojo                    *
*   - deepbit@gmail.com             *
*************************************

Target: http://10.10.10.10:8080/FUZZ
Payload type: file

Total requests: 95
==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00003:  C=302      0 L	       0 W	      0 Ch	  "#"
00005:  C=200      0 L	       0 W	      0 Ch	  "%"
00014:  C=302      0 L	       0 W	      0 Ch	  "."
00031:  C=302      0 L	       0 W	      0 Ch	  "?"
00018:  C=302      0 L	       0 W	      0 Ch	  "/"
00026:  C=302      0 L	       0 W	      0 Ch	  ";"
00059:  C=302      0 L	       0 W	      0 Ch	  "\"
00077:  C=302      0 L	       0 W	      0 Ch	  "m"
00095:  C=302      0 L	       0 W	      0 Ch	  ""
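
The two runs above show why hiding 404s with --hc 404 is only a coarse filter: almost every surviving hit is a zero-byte 302, so the status code by itself does not separate a real directory from the server's generic redirect. As an added example (not part of the original segment and not wfuzz's own code), this Python snippet parses wfuzz 1.4c result lines, groups hits by their full response shape (code, lines, words, chars) and flags the outliers to review first; the sample output is constructed from the second run.

```python
import re
from collections import Counter, defaultdict

# One wfuzz 1.4c result line, as printed in the runs above (columns are tab/space separated).
LINE_RE = re.compile(
    r'^(?P<id>\d+):\s+C=(?P<code>\d+)\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<req>.*)"\s*$'
)

# Constructed sample (assumption): the header plus five result lines of the second run.
SAMPLE_OUTPUT = """Total requests: 95
==================================================================
ID\tResponse   Lines      Word         Chars          Request
==================================================================

00003:  C=302      0 L\t       0 W\t      0 Ch\t  "#"
00005:  C=200      0 L\t       0 W\t      0 Ch\t  "%"
00014:  C=302      0 L\t       0 W\t      0 Ch\t  "."
00077:  C=302      0 L\t       0 W\t      0 Ch\t  "m"
00095:  C=302      0 L\t       0 W\t      0 Ch\t  ""
"""

def parse_wfuzz(text):
    """Parse result lines into dicts; banner, header and blank lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            hit = {k: int(d[k]) for k in ("id", "code", "lines", "words", "chars")}
            hit["req"] = d["req"]
            hits.append(hit)
    return hits

def signature(hit):
    return (hit["code"], hit["lines"], hit["words"], hit["chars"])

def group_by_signature(hits):
    """Map each response shape to the requests that produced it."""
    groups = defaultdict(list)
    for h in hits:
        groups[signature(h)].append(h["req"])
    return dict(groups)

def interesting(hits):
    """Hits whose shape differs from the dominant one; those are worth a manual look first."""
    base = Counter(signature(h) for h in hits).most_common(1)[0][0] if hits else None
    return [h for h in hits if signature(h) != base]
```

On the second run this singles out "%" (a 200 instead of the usual zero-byte 302) as the one response that does not look like the rest.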


We also covered wfuzz on Episode 104.

nikto

For whatever reason, I still love to run Nikto against my target web sites. It always seems to find something interesting that other tools don't find. Also, it's low impact and very fast (kinda like me in the bedroom ;)

./nikto.pl -C all -host 10.10.10.10 -port 8080 -output 10.10.10.10.8080.txt

- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ No web server found on 10.10.10.10:Host: 10.10.10.10 (myserver)	Status: Up
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    myserver
+ Target Port:        8080
+ Start Time:         2010-07-13 21:26:24
---------------------------------------------------------------------------
+ Server: Apache Coyote/1.0
- Root page / redirects to: http://myserver:8080/index.html
- Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: GET /666%0a%0a<script>alert('Vulnerable');</script>666.jsp : Apache Tomcat 4.1 / Linux is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /download/ : This might be interesting...
+ OSVDB-3092: GET /img/ : This may be interesting...
+ OSVDB-3092: GET /lib/ : This might be interesting...
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons

Nessus

Okay, I'm biased here. Now that we're over that, I still run Nessus against my targets. You are silly not to; it's got over 40,000 plugins, and knowing that your target has any number of those 40k issues is important. Nessus has a plugin that does some HTTP directory brute forcing:


[Screenshot: NessusWebDirectoryEnum.png]

Make sure you enable Thorough Tests when scanning web applications, it tells Nessus to try harder (especially when doing things like brute forcing, thorough tests will usually add more variables to fuzz).

Dirbuster

Still a neat little tool, probably has the best dictionaries:

I will probably steal the dirbuster dictionaries and use wfuzz.


[Screenshot: Dirbuster2.png]

Stories For Discussion

  1. New Windows USB vuln a.k.a. Look ma, no autorun.inf - New malware, discovered by Belarusian AV vendor VirusBlokAda, uses a previously unknown vulnerability to propagate itself using a shortcut (.lnk file) on a USB storage device. Viewing the shortcut's icon in Windows Explorer (or other file managers) is all that is needed to trigger the malicious code.
  2. Hottie or Naughty? - [Larry] - Just goes to show that sex sells. Put a picture of an attractive woman on a fake Facebook page and have some intelligence behind it and folks fall all over it. People have been doing this for years…Is this the Evil part of the Evil twin attack? Surprisingly, a number of security people (ahem…yes, I know most of them follow everyone), at least followed, if not fell for the game…
  3. Usb coffee warmer… - [Larry] - Now we have to be mindful of every device we plug in…because we could have a hardware trojan. This isn't just an add on function, this is rewriting the VID/PID to report as the original device, exploiting the ORIGINAL trust of the device. Now, anyone know where I can get a device with user programmable VID/PID?
  4. Wireless presenters - [Larry] Josh Wright has been here (with a different device), and PHUKED is a similar project. A reverse engineer of the wireless presenter reveals that the receiver WILL take input of other keystrokes…and mouse input. Unplug your wireless presentation remote, or don't use one at all.
  5. Blind Elephant - [Larry] - A tool to be released at BlackHat for fingerprinting web application and plugin versions to determine their update status. Certainly this will be used by the bad guys to fingerprint for attacks, but how about using it in a repeatable fashion in your own environment, as most web apps don't have an auto update and notification feature…
  6. Firefox Security Test Add-on was Backdoored - A backdoor has been discovered in the Mozilla Sniffer add-on that is/was included in the Web Application Security Penetration Testing add-on collection — whenever a login form was submitted, the add-on secretly sent a copy of the URL, password and other details to an IP address presumably controlled by the malicious author.
  7. Cisco SNMP Vulnerability - [Paul] - This is an interesting one: after a reboot your SNMP community strings go back to the default of private/public. I hate defaults, why should there ever be a default? The "default" should be blank, and if it's blank, the service should not work. And another thing, how did the QA department miss this one? A reboot should be part of every QA script, regardless of what you are testing!
  8. Setting up the Teensy/Teensyduino Arduino Environment - [Paul] - I need to play around more with this one. (From Irongeek).
  9. Bots use "Chuck Norris" for SEO - [Paul] - All I have to say is that some people wear Superman pajamas. Superman wears Chuck Norris pajamas.
  10. Rootkit Signed with Realtek signature - [Paul] - I saw Josh Wright tweet and ask if this was an MD5 collision or Realtek getting pwned. Not sure which, but I find the MD5 collision theory to be the most interesting, so let's go with that one.
  11. Mozilla Add-on backdoored - [Paul] - The "Mozilla Sniffer" add-on contained a backdoor of some kind. This will be a growing trend, why bother finding vulnerabilities in a platform (phone, browser) when you can just write the malware into something the user will install? Much easier...
  12. Jack Daniel Sets Us Straight on "Robin Sage" - [Paul] - So, I'm not even important enough to get a friend request. I cried a little, drank some scotch, and sat in a dark room for a day, but I'm much better now. Secondly, she was way too hot to be in infosec and the military. Sorry, if you are hot, dig infosec, and are in the military or work for the Government, please contact us, I want to get you on the show. Also, Jack makes a good point, some people just accept friend requests as a policy and were not really socially engineered. People use social networks differently. He makes more points too, like growing beards is cool, which is also a very good point.

Other Stories of Interest