Security Weekly - Episode 223 "Cigar Lounge soiree" - for Thursday December 9th, 2010.
- Trustwave is hiring! Check it out: "Would you like to work for a company with loose ties to a shadow government in a group responsible for covering up the existence of extraterrestrial life by hacking into systems from exotic locations all over the world? So would we. If you know where we can interview for a job
like that, please tell us. However, if you're passionate about application security, then we can help. Trustwave's SpiderLabs is looking for experienced application penetration testers. We have great benefits, a fun work environment, and sometimes encounter E.T.'s. Email email@example.com and reference SpiderLabs for more information."
- Tenable is hiring as well, check it out on the Tenable Careers Page.
Roundtable Discussion Topic:
Which cigars does the Security Weekly crew want in their stockings for Christmas?
Tech Segment: Gettin' down with Armitage
A new third party GUI for Metasploit. Looks really sexy. Sometimes you just need a pretty GUI… This one by the folks over at fastandeasyhacking.com.
Let's get it up and running! You need a database, mysql, postgres, or mysql. I chose mysql. I'll leave the Mysql setup for Metasploit as an exercise for the reader.
We'll need to make sure tht you have the ruby modiles installed.
# gem install mysql
Now we can start all of our services, such asstart the msf rpc set up and start armitage:
I put it all in a script:
# !/bin/sh sudo /opt/local/lib/mysql5/bin/mysqld_safe & ~/msf3/msfrpcd -f -U msf -P test -t Basic & ~/armitage/armitage.sh &
Now we get a GUI about connecting to the database and our Metasploit XMLRPC instance:
Put in the correct information and off we go. Yay, a GUI:
Once started, we need some targets. How about some targets from Nessus? We can import Targets into Armitage from all sorts of inputs…
From a scan completed Nessus scan, I select only the high severity results, then downlaod the report.
I picked the .nessus (XML) v1. I tried the v2 but had a crash on import. this works repeatedly. (of course we can use nmap, even direct from Armitage.)
Oooh, look, targets! Ok, so what do we attack with? Let's have Armitage find attacks with Attacks, find attacks by port.
Once done we get this nice attack menu now when we right click. We can go through them methodically, which can be good…
or we can go for the Hail Mary, otherwise known as db_autopwn.
It works, for sure, but I'm not convinced. I thin the by port works better (more tries) than by vulnerability…by vulnerability, I've had it try stuff that didn't work across the board and have them be vulnerable to other items. I think this stems form the fact that we haven;t really discovered much about the targets. Either way, it will fire off a whole bunch of attacks:
Once an attack is successful, we can interact directly with a meterpreter session, or continue to navigate the menus:
So, it works, it works well, but there are some issues in how I like to use it for legitimate purposes. For example:
- Output of meterpreter commands end up in a Java window, which can be a nightmare to copy and paste into something else. Sure, using the Gui equivalent can often dump stuff into a new tab that can be exported (such as hashdump), but then the output isn't in pwdump format, then not easily identifiable by machine.
- Screenshots, (and other output, best I can tell) are revealed in a tab, but NOT left on disk. I'm assuming this information is stored in the database somewhere, but there is no indication as to how to get it back - I have to use this stuff in the report!
- How the hack? Of course there is no record in the host definition what was used to compromise the system, either manually or via db_autopwn. I know that metasploit doesn't but if there are some addition things happening, maybe this can get captured. Without, I have to go back and manually re-exploit (if possible) to figure it out. Again, I need this stuff for a report!
Stories For Discussion
- Low Orbit Ion Cannon - [Larry] A quote I saw on twitter today, "Remember when your DDoS tools weren't on SourceForge?". So, this is the tool that Anonymous is using as part of the voluntary DDoS attacks against those that are "against" Wikileaks. Now the source is out there. I wonder if there is any special attack, an additional implementation of slowloris. At least now we have the source that we can learn from the code. After a quick look, it doesn't appear to be a terribly sophisticated attack, but apparently it doesn't need to be.
- Maintaining administrative access on the DL - [Larry] - Compromise a system and now create an account (or use ASPNET) for maintaining access. Hopefully a good admin will note that, if you make the user an admin in the admin group. So, how do you keep it under wraps? This issue with SAM allows for a user to be modified so that it looks like a regular user, but with admin privileges. Microsoft says that there is no investigation needed, as other vulnerabilities are required to compromise the system first.
- How do astronauts wipe? - [Larry] - Apparently not very well. NASA has been found to be disposing of a couple of machines that had not been properly sanitized. In addition to un-wiped hard drives, several machines were found to be marked externally with identifying information and ip addresses…
- Browser Exploitation With BeEF, Metasploit, and Samurai - They actually made some changes to the Metasploit reverse_https module to avoid port conflicts to make all this work together. I think this is one of the most important techniques out there that we need to bring to customers and raise awareness. It hits on so many points, such as internal vs. external, web app security, and client-side security.
- Schneier On Wikileaks - [Paul] - Bruce has a few good points for discussion, such as encryption not being the issue because the cables were only encrypted for transmission. Which has interesting parallels into many information security concepts and problems. He also drops a logic bomb on us, "Secrets are only as secure as the least trusted person who knows them.". Well, yea... He also goes on to say that the government is learning the hard way what the movie and music industries have learned, controlling something once its digital is impossible. So many people ask me why Wikileaks is doing this, and I've yet to come up with a really good answer.
- Best Predictions For 2011 - [Paul] - I like this one: "Most people will renew every security product currently in their environment no matter how well they works (or don't)." Its so true, people just renew stuff without measuring how it works. Also in there: "Someone will predict cloud computing will cause/fix all these other problems". I'm so sick and tired of hearing about the cloud. Cloud this, cloud that, "cloud security". Its all just computers and networks still, right?
- Topic: In The Clouds: Why do we make a big deal about "cloud computing" and "cloud security"? I think we need to make a big deal about "web computing" and "web app security" and "client computing" and "client security". Oh wait, we already do, nevermind.
- Fail Of The Week: Kansas City Residents Get "The Club" - [Paul] - Ha! Here's a club, now go use it and pretend that it stops someone from stealing your car.
- Oracle Password Enumeration - [Paul] - I've found that most people don't bother installing patches or securing Oracle. I think they believe that because its internal that no one is looking. And, its so complex, why would anyone bother? Or, they are running Oracle as part of some pre-packaged software and don't even know it. This tool, osscanner, is cool: when oscanner finds a valid default account with enough privileges, it will log in and do password guessing for all the accounts it finds in the user tables. Nice! Now all we need is a way to keep track of all these little utilities we use for stuff like this, there's even naming overlap to boot!
- utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+voltage%2FVDQg+%28Superconductor%29 - [Paul] - I think the Debian developers created the randomness for the SSN. Doh! a study by San Diego start-up ID Analytics indicates that there's a significant chance that your Social Security number is being used by someone else. And we're not talking stolen either!
Other Stories Of Interest
- Tactical Pens! - [Paul] - Yes, a tactical pen. Its either your signature or your brains on that paper, you choose.