Episode208

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here



Sponsors & Announcements

"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady its Security Weekly!"

"Sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable – Unified Security Monitoring!"

"Core Security Technologies, helping you penetrate your network. Now version 10.5 full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool."

"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep you web applications in check."

"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"


"Now, fire up your IRC client, pour a beer, and loan the intern your smartcard to restart the internet...."

"Here's your host, the cigar smoking, ninja fighting man-child, Paul Asadoorian!"

Security Weekly - Episode 208 - For Thursday August 26, 2010.

  • Ron Gula, Renaud Deraison and Marcus Ranum invite you to a Security Showcase on September 15, at the Embarcadero Center in San Francisco! You'll receive:
    • The current status of Nessus® and future development plans The advantages of pairing active and passive scanning
    • “How I learned to stop worrying and love regulatory compliance”
    • Free breakfast! Free lunch! :-)

More info from rstewart [AT] tenable.com

  • Shoecon - "ShoeCon is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew or “Shoe” was a fellow security professional, DC404 member and InfoSec podcaster who left behind two children. Thanks to the generosity of DC404, this event will be held in conjunction with their September meeting at the Wellesley Inn-Atlanta Airport. This is a donation driven event where all the proceeds will go to the Shoemaker Memorial Care Fund."
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Carlos "Dark0perator" Perez Karmetasploit script for BT4

Carlos will discuss his Ruby script for launching Karmetasploit type attacks in Backtrack 4.

HD Moore showed an attack about a year or two ago called Karmetasploit witch is based on the integration of Dino Dai Zovi and Shane Macaulay attack where an attacker will respond to any discovery request by wireless clients and announce it self with the SSID of the request so as to trick the client to connect to this fake AP and does intercept and manipulate all traffic. HD more took this a bit further and integrated the browser autopwn module and several of the capture modules so as to when a user connects an opens a browser it will redirect any DNS name to the attacker IP where metasploit is waiting for a connection to fingerprint and attack thru a series of exploits the targets browser in addition to trying to collect credentials from such browser. I wrote a bash script back in 2008 to automate the building of this attack called kmsapng that is part of the Backtrack distribution. After working with John on the SANS Metasploit class it became apparent that the script was quite old and not up to date with changes in the framework and with the new behaviours of wireless clients, so I decided to re-write my script but this time in ruby and integrate the lessons learned from the first time I wrote the script.


root@bt:~# ./karmetasploit.rb -h

Karmetasploit Script by Carlos Perez (carlos_perez[at]darkoperator.com)

Version 0.1.1

Usage: karmetasploit [OPTION]

       --help, -h:

               show help

       --log <folder>, -l <folder>:

               Optional log folder where to save logs and temporary files.

       --interface <int>, -i <int>:

               Airbase-ng compatible wireless inteface

       --rc <file>, -r <file>:

               Optional Metasploit Resource file.

       --filter <file>, -f <file>:

               File with MAC Addresses to filter for connection.

       --ssid <ssid>, -s <ssid> x:

               SSID to start advertising, if none provided FreeWifi will be used.

       --mac,-s:

               Change addapter MAC Address.

       --rc_option options, -o options: Comma separated ptions to enable on the

                                       selfgenerated resource file:

                                       all : For all toptions.

                                       txt : Captures all clear text protocols Credentials

                                             for HTTP, FTP, and Telnet.

                                       eml : Captures all email credentials for IMAP, POP3

                                             and SMTP.

                                       smb : Capture all SMB cretials to a file.

 

                                       brw : Enable Browser Autopwn.

As it can be seen options are almost the same as the kmsapng script except for the addition of the --rc option for specifying what you want on the autogenerated rc file. I placed the most common options like:

  1. Credential capture for HTTP, FTP and Telnet
  2. Credential capture for IMAP, POP3 and SMTP
  3. Capture of SMB Hashes
  4. Browser Autopwn

In addition to this I also added Josh Wright SSID List module that will announce a list of common SSID’s to entice more modern OS’s that do not send discovery requests to connect to the fake AP.

The auto generated resource file sadly uses SQLite3 as the default DB since in BT4 right now there are some problems bringing postgressql up and the mysql gem is not install by default. But I do highly recommend that people do follow the README file in the archive of the script and use the sample file stead of the autogenerated one for best results. An example launch of the attack would be:


root@bt:~# ./karmetasploit.rb -i wlan0 -s freewifi -o all

[*] Running Karmetasploit Attack

[*] Checking if running as root

[*] Cleanup of processes that might interfeer

[*]     xterm: no process killed

[*]     dhclient3: no process killed

[*]     dhcpd3: no process killed

[*]     tcpdump: no process killed

[*]     airbase-ng: no process killed

[*] Setting wlan0 in monitor mode

[*]     Interface in monitor mode is set to wlan0

[*]     Driver is r8187

[*] Starting fake AP

[*]     Bringing at0 interface up

[*]     Setting the IP Address for at0 to 10.0.0.1

[*]     Setting Blackhole Routing to bypass cached DNS entries

[*] Creating temporary dhncpd.conf file

[*] Starting DHCP Server

[*] Starting packet capture

[*]     Saving to /tmp/karma.cap

[*] Starting Metasploit with resource file /tmp/20100826.1222_karma.rc


You will see that when the attack is ran 3 xterms will appear one for airbase-ng, the other for tcpump and a third that will be the msfconsole window so you can see as the ttack progreses.


To download the http://www.darkoperator.com/tools-and-scripts/karmetasploit.tar.gz

Guest Interview: Dan Kaminsky

Dan Kaminsky is currently the Chief Scientist for Recursion Ventures. He's worked for Cisco , Avaya, and IOActive, where he was the Director of Penetration Testing. He is known among computer security experts for his work on DNS cache poisoning (AKA "The Kaminsky Bug"), and for being one of the 7 folks who can restart the Internet.

On June 16, 2010, Dan was named by ICANN as one of the Trusted Community Representatives for the DNSSEC root.[7]

  1. How did you get your start in information security?
  2. You're one of the "7 Keymasters to the Internet". What does that mean? Do you have to wear your key in the shower or when you go swimming? Is the key waterproof?!!?
  3. Tell us about Interpolique (a beta framework for addressing injection attacks such as SQL Injection and Cross Site Scripting in a manner comfortable to developers).
  4. Lets hop into the Internet way back machine and talk about MD5 hash collisions! Is this still a valid attack vector? Could the Mcafee DAT file been caused due to an MD5 hash collision?
  5. Lets talk about scanrand, can you put this tool back up online? I still think its useful today, no?
  6. So DNS was broken, and then fixed?
  7. Can we fix the Internet, or are we just doomed to continue to break it?
  8. What is the single most challenging thing we deal with in information security today?
  9. Will the shift into more embedded systems present new challenges for security, or will old problems just continue as they have in the past?
  10. What are you working on now?

Stories For Discussion

  1. TANDBERG: Its embedded so we don't need security - [Paul] - Say it with me now, "static SSH host keys". Yes, that's right, each device comes with the same SSH key, which means I have your private key, which also means I 0wn you and your stinkin' video conference system! Typically video conference systems may be installed on the internal network, you know, for performance reasons or something. Most conference rooms are on the internal network, you know, for ease of use reasons. As if the SSH key isn't enough, there is an authentication bypass vulnerability as well (improper session management in the web interface).
  2. Smudge Attacks Against Cell Phones - [Paul] - The theory is that you can determine the user's password or pin by analyzing the smudge pattern on the touch screen. Sounds like science fiction, then again I thought the ATM hack in Terminator was too, now its reality.
  3. Insecurity: Its human nature - [Paul Asadoorian] - Ah yes Anton, the seat belt analogy as it relates to security and compliance (note how they are separate things). Here's the story, no one wore seat belts, even though it could save your life, no one wore them. Then there were laws passed, and you were fined if you didn't wear your seat belt. People now wear seat belts. Let me offer yet another analogy and potentially some insight into the our thinking. When I first started mountain biking I did not have a helmet. I never wore a helmet riding my bike growing up, ever. I think most of us grew up without wearing helmets when we rode our bikes. The real kicker is that you are more likely to sustain head injuries riding on the road than the trail, because people don't know how to drive. In any case, back to the story. So, there I am biking without a helmet, climbing a hill covered with leaves, my tires begin to slip, and I start falling backwards. "Wack", the back of my head hits the tree. I'm stunned for a minute (and maybe the head injury explains some things) but I continue on my ride. I went out and bought a helmet the next day and wear one every time I get on the bike. Its human nature, until we experience the "bad things" that can happen to us, we don't do anything about it. People can tell us (how many times did your parents tell you to do something, but you didn't until you fell out of the tree and hit your head, which was another head injury I suffered, see now we're getting down to explaining why I am, well, anyways). So, in terms of security and compliance, good luck fighting human nature. The most secure companies are ones that have detected and responded to breaches without it costing them the business. Why is that? They wear their helmets.
  4. Drunken Employee Shoots Server - [Paul Asadoorian] - Go beyond a firewall and give your servers a bullet proof vest! This story is just hilarious, not only did he shoot the server with his .45, he also was: "blaming the damage on an imagined assailant who: mugged him, assaulted him with his own weapon, drugged him, and then broke into his office to shoot said server." That could be an excuse for anything!
  5. Planes and malware - [Larry] one might also note second points of failure as well. So, the Spanair flight TOWS computer had a virus. Likeley the failure was something else, but without a warning system. How do you know if your safeguard is down when it fails open? How do you get malware on a system like that?
  6. Here come the Russians? - [Larry] - interesting anomaly detection going on here. How do you find the anomaly when the "long con" is over 20 years?
  7. LOLwhut.cram? - [Larry] - I'm still trying to wrap my head around this one. But, with OSX it is possible for someone who can obtain a domain similar to a legit one with differing trailing characters, can impersonate other domains…and execute code…
  8. Using embedded systems to compromise workstations - [Larry] - Remember theat teensy we talked about a while back, and how the possibilities for use were only limited by your imagination? Well, how about using it to force a download and execute a metasploit payload? No exploits needed.

Other Stories of Interest