Episode292

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas, October 26-27, will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties, both on pen tests and in their day-to-day duties as security professionals. Register Here


Episode Media

MP3 pt.1

MP3 pt.2

Announcements & Shameless Plugs

Security Weekly - Episode 292 for Thursday June 14th, 2012

  • Episode 300 of Security Weekly will be recorded and streamed live on Friday August 31st in support of a cure for Breast Cancer. We will broadcast live from 10am until 6pm Eastern time, and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!

Interview: Thomas H. Ptacek

(It is pronounced "TAH-check"; or listen to the first 5 seconds of this video.)

Thomas is Principal at Matasano Security, which he co-founded with Dave Goldsmith and Jeremy Rauch in 2005. He is a self-described Software Abuser.

  1. How did you get your start in Information Security?
  2. Tell us about your patents and what must assuredly be the lucrative royalties you are receiving.
  3. What is the difference between a cryptographic hash and a password hash?
  4. What can big name sites, like LinkedIn, do to protect users passwords?
  5. Where do many pen testers go wrong when it comes to crypto?
  6. What can we as pen testers do better with respect to crypto?
  7. The age old question, what can we do to improve the state of software security?
  8. How pervasive is malware that embeds itself in hardware? Will this become commonplace?
  9. How has bypassing IDS and IPS changed since 2003?
  10. What is some of the most difficult software to break?
  11. Which is more effective at improving security: penetration testing, source code review or architecture review?
  12. When you're digging deep into an application or some software, what are your favorite tools to use?
  13. What are some of the most common problems you've found with respect to embedded device security?
  14. Why can't we seem to come up with a solid and secure embedded platform? Or, do we have this, and people choose not to use it?
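Behind questions 3 and 4: a cryptographic hash such as SHA-1 is fast, unsalted and deterministic, which is exactly what an attacker holding a leaked table wants, whereas a password hash adds a random per-user salt and a tunable work factor. The following is an added example (written for these notes, not code from the interview or from Matasano) that shows the difference with Python's standard library: an unsalted SHA-1 table reveals which users share a password, a salted PBKDF2 table does not, and verification recomputes with the stored salt and round count and compares in constant time. The user list and the round counts are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample users for the example (not real data); alice and bob chose the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse battery"}

# Assumed work factor for real use; raise it until one hash costs a noticeable fraction of a second.
PBKDF2_ROUNDS = 100_000


def fast_hash(password):
    """Plain cryptographic hash: no salt, one fast pass, identical output for identical input."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_hash(password, rounds=PBKDF2_ROUNDS, salt=None):
    """Password hash: random per-user salt plus an iterated KDF, stored in a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify(password, stored):
    """Recompute with the salt and round count taken from the stored value; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def users_sharing_a_hash(table):
    """Count users whose stored value also appears under another user.

    This is what an attacker learns for free from an unsalted table: cracking one entry
    cracks every user with the same value, and a precomputed table applies to the whole dump.
    """
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)


def compare_schemes(rounds=1000):
    """Build both kinds of table for USERS and report what each one reveals.

    The low default round count only keeps this demo quick; use PBKDF2_ROUNDS or more for real storage.
    """
    unsalted = {user: fast_hash(pw) for user, pw in USERS.items()}
    salted = {user: password_hash(pw, rounds=rounds) for user, pw in USERS.items()}
    return {
        "shared_unsalted": users_sharing_a_hash(unsalted),  # 2: alice and bob are visibly the same
        "shared_salted": users_sharing_a_hash(salted),      # 0: different salts, different values
        "login_ok": verify("Summer2012!", salted["alice"]),
        "login_bad": verify("Summer2012?", salted["alice"]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

PBKDF2 is used here only because it ships in the standard library; bcrypt or scrypt do the same job with the work factor built into the format. Whatever the KDF, the two properties that matter are the per-user salt (so equal passwords do not produce equal stored values) and a cost per guess that you, not the attacker, choose.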

Tech Segment: Tying It All Together

Tying it all together

So, you ran Nessus, or really any tool that discovers web services. Some of those services speak SSL and some do not, and HTTP can live on any port, not just 80 and 443, so make sure you are looking for HTTP on all ports, especially when you are doing a pen test: the applications you don't know exist are the ones you're not testing. I had some Nessus results and wanted to pull out every URL that represented a web service, because, well, they are interesting! Here's what I came up with:

awk -F, '/10107/{if ($7 == "443") printf "https://" $5 ","; else printf "http://" $5 ":" $7 ","}' nessus.csv

Let's break it down:

-F, - Use , as the field separator

/10107/ - Match every line containing this string (a substring match over the whole line); 10107 is the ID of the Nessus plugin "HTTP Server Type and Version", which fires on every port where an HTTP server answered, whatever the port number

if ($7 == "443") - If the port is 443, build the URL with https. This is the one-liner's only rule for SSL, so a web server that speaks SSL on 8443 or any other port comes out as http:// and has to be corrected by hand (check the plugin output for that port)

$5 ":" $7 "," - Print the IP address, a colon and port. So "http://10.10.10.10:8080" then a comma

printf - Unlike print, printf does not append a newline, so all the URLs land on one line, separated only by the commas we print

nessus.csv - Your Nessus CSV export file

See our previous two tech segments on skipfish and webscour, which will take this input and do stuff with it.
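The same extraction in Python, as an added example for these notes (not from the show and not Nessus' own tooling). It uses the csv module, which copes with quoted fields and embedded commas that a plain -F, split does not; it matches the plugin ID on its own column rather than anywhere in the line; it de-duplicates; and, going one step beyond the one-liner's 443-only rule, it also labels a port https:// when another plugin's output says the port speaks SSL/TLS. The sample CSV, its column names and the "through SSL" wording of the Service Detection output are constructed or assumed for the example; check them against your own export.

```python
import csv
import io
import re

# Constructed sample of a Nessus CSV export (not a real scan). The column order is the
# standard export: Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, Synopsis,
# Description, Solution, See Also, Plugin Output. Note the commas inside quoted fields.
SAMPLE_CSV = '''\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
"10107","","","None","10.10.10.10","tcp","80","HTTP Server Type and Version","A web server is running, and its type is known.","Web server banner.","n/a","","The remote web server type is : Apache"
"10107","","","None","10.10.10.10","tcp","443","HTTP Server Type and Version","A web server is running, and its type is known.","Web server banner.","n/a","","The remote web server type is : Apache"
"10107","","","None","10.10.10.11","tcp","8080","HTTP Server Type and Version","A web server is running, and its type is known.","Web server banner.","n/a","","The remote web server type is : Apache Tomcat"
"22964","","","None","10.10.10.11","tcp","8443","Service Detection","The remote service could be identified.","Service fingerprint.","n/a","","A web server is running on this port through SSL."
"10107","","","None","10.10.10.11","tcp","8443","HTTP Server Type and Version","A web server is running, and its type is known.","Web server banner.","n/a","","The remote web server type is : Apache Tomcat"
"10107","","","None","10.10.10.11","tcp","8443","HTTP Server Type and Version","A web server is running, and its type is known.","Web server banner.","n/a","","The remote web server type is : Apache Tomcat"
"11219","","","None","10.10.10.12","tcp","22","Nessus SYN scanner","It is possible to determine which TCP ports are open.","SYN scan.","n/a","","Port 22/tcp was found to be open"
'''

HTTP_PLUGIN_ID = "10107"  # "HTTP Server Type and Version": one finding per port that answered HTTP
# Assumed wording of the Service Detection output for TLS-wrapped services; adjust to your export.
TLS_HINT = re.compile(r"through (SSL|TLS)", re.IGNORECASE)
DEFAULT_PORT = {"http": "80", "https": "443"}


def web_urls(csv_text):
    """Return sorted, de-duplicated URLs for every host:port Nessus found an HTTP server on."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Pass 1: (host, port) pairs that some plugin reported as speaking SSL/TLS, whatever the port.
    tls_endpoints = {(r["Host"], r["Port"]) for r in rows if TLS_HINT.search(r["Plugin Output"])}

    # Pass 2: one URL per HTTP finding; match the Plugin ID column, not a substring of the line.
    urls = set()
    for r in rows:
        if r["Plugin ID"] != HTTP_PLUGIN_ID:
            continue
        host, port = r["Host"], r["Port"]
        scheme = "https" if port == "443" or (host, port) in tls_endpoints else "http"
        url = "%s://%s" % (scheme, host)
        if port != DEFAULT_PORT[scheme]:  # only spell out non-default ports
            url += ":" + port
        urls.add(url)
    return sorted(urls)


def as_target_list(urls):
    """Comma-separated form, like the awk one-liner's output, for feeding to skipfish or webscour."""
    return ",".join(urls)


if __name__ == "__main__":
    print(as_target_list(web_urls(SAMPLE_CSV)))
```

On a real export, call web_urls(open("nessus.csv").read()); the two 8443 rows above collapse to one https:// URL, and the SSH-only host never appears.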


Teasers & Plugs

  • Larry will be delivering the Keynote at Hack3rcon^3 Doomsday Eve. Hackers and prepping, what could be better?

Tim will give us a live demonstration of his post on handy techniques for remote malware distribution and, in some cases, antivirus bypass.

Tech Segment: Raphael Mudge: Special Announcement

Direct from Raphael's personal site:

Cobalt Strike is a penetration testing suite built for threat emulation. I say suite, because it’s not just software. It’s documentation, online training, and a set of tools to help you execute an adaptive penetration test.

Cobalt Strike adds client-side reconnaissance, spear phishing, web drive-by attacks, and reporting to Armitage’s red team collaboration and post-exploitation capabilities.

Now that you’ve met Cobalt Strike, here are the next steps:

1. Watch the Cobalt Strike trailer to get a taste of Cobalt Strike

2. Visit the Cobalt Strike website and request a trial to try Cobalt Strike

3. Get Cobalt Strike into your organization: buy online or request a quote.


Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration is available online. If you have not yet registered or submitted a talk, please do so now.
  • Episode 292 will feature a special guest to be announced later, and a tech segment which will tie together the webscour and skipfish techniques!

Stories

Teasers & Plugs

  • Security BSides everywhere: Cleveland, Las Vegas, Los Angeles and more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segment!

Paul's Stories

  1. Security Advisory: IIS 6.0/7.5 Vulnerabilities [moderate risk - ISOWAREZ BDAY RELEASE - security vulnerabilities database] - An attacker can access PHP files in the password protected directory and execute them without supplying proper credentials. Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php I can see this as being handy on pen tests; getting access to things you are not supposed to is what it's all about. I guess you can consider this one of my picks for the From Low to Pwned series by CG :)
  2. BIG-IP network appliances remote access vulnerability - I love how F5 didn't release the details, yet they are presented here: https://www.trustmatta.com/advisories/MATTA-2012-002.txt No wonder, they put a static private key on all the devices!
  3. The Four Critical Security Flaws that Resulted in Last Friday's Hack - CloudFlare blog - Goes to show you that 3rd-parties contribute to your (in)security.
  4. Pentesting Web Services with Proprietary Formatted Input - Just some background: JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write, and easy for machines to parse and generate. This article shows you how to fuzz even custom implementations of JSON, which I'm finding to be more and more popular.
  5. UPDATE: Metasploitable 2! - Not sure what the changes are, however, this is a must-have for your lab. Practicing is very important! This can be just general practicing, so pick something, like deploying a PHP Meterpreter shell. Then set out to do it in your lab. That way, when you see it in the wild you have an idea how it works and can tune/customize accordingly. Sometimes gaining shell on a system is like walking on egg shells, you have to tread lightly not to break anything, so having some practice really helps.
  6. UPDATE: PacketFence 3.4.0! - This is cool software, you might be able to use it on your network to protect certain pockets, like wireless.
  7. MySQL 1 Liner Hack Gives Root Access Without Password | Darknet - The Darkside - Love this flaw, like really, this works? This is truly the week of unbelievably stupid vulnerabilities.
  8. Teaching the Security Mindset - This is my favorite story of the week. Students were given a test that was really hard (first 100 digits in PI). They were encouraged to cheat. In fact, they only failed if they were caught cheating. Nicely done example of hacking!
  9. Why BYOD is the best problem IT departments ever faced - So, if you had to come up with a BYOD security plan, what would it be?
  10. What the Security Features of Apple’s Mountain Lion Mean for the Enterprise - Apple finally seeing the light and implementing security? No way!
  11. Cisco Zine: How to create self-signed certificates - Always nice to see guides on this topic.

Larry's Stories

  1. Grid Certificates - [Larry] - I looked at the title of this article thinking that this was going to be a completely misguided rant about certificates being self-signed etc. for critical infrastructure. Turns out that it was, partially, but not misguided. The big concern is that the certificates for these devices are issued by a select few that claim that a 30 year expiry is perfectly fine; anything shorter would cause unreasonable business impact. I call bullshit. Of course, right in the article they say something about these devices being connected to the internet. Well, there's your problem…
  2. BIG-IP, Big oops? - [Larry] - From the why wasn't this in metasploit 3 months ago while I was on an assessment department. BIG-IP devices by default allow for password-less authentication for root via SSH. Problem is that the default private/public key pair is readily available or extractable, and if you have the key, you can authenticate to any BIG-IP devices, as the keys are the same on EVERY device.
  3. YAY OPEN SOURCE - [Larry] - Some researchers are asking for the source for Stuxnet/Duqu/Flame, in that parts of the malware reused open source (under various licenses) and the license required that the source be released under the GPL. Seems like a good tactic, but it will likely fall upon deaf ears.

Jack's Tales of Fortitude

  1. The State of Risk Based Security Management - A new report from Ponemon, underwritten by Tripwire. I haven't had a chance to fully digest this, but it looks promising. Really. I know, I'm still skeptical, too, but I think Ponemon reports may be improving.