Episode296

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Episode Media

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 296 for Thursday July 12th, 2012

  • Episode 300 of Security Weekly will be recorded and streamed live on Friday August 31st in support of of a cure for Breast Cancer. We will broadcast live from 10am until 6PM Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!
  • In other admin related news, we're leaving Ning and moving onwards. Ning was cool, but now its a haven for SPAM. I want to thank everyone for participating. In the meantime please follow us on Twitter (@securityweekly), Facebook (https://www.facebook.com/pages/Security-Weekly/56074056651), and add me on Google+ (Paul Asadoorian, I will have a good email account for that soon). Don't forget to join our mailing list http://mail.securityweekly.com and look for a newsletter in the not-too-distant future.

Interview: Ben and Lawrence from pentesticles

Lawrence Munro is a Hacker, Sprinter, Kickboxer, 6-Plate-Buffet-Smasher, Hater of People, Horrendous Pedant, and Motivator of the Welsh. Currently working for Hewlett-Packard, Lawrence really likes Web App security (mostly ASP.NET), Automation, Social Engineering (of young mums) and putting ginger kids in headlocks.


Ben Dewar-Powell works for Digital Assurance, a London-based outfit where his day-to-day shenanigans include ‘tinkering’, making Gin and trying to get Lawrence to allow him to break his new Samsung TV. Their blog, Pentesticles is a soapbox for his scripting and automation musings. If there were a way to make and drink Gin using only Ubuntu and a one-liner in BASH, Ben would be the one to do it.

Lawrence.jpg

Oh, and want 10% of for registration for 44con? Here's a PDC referral link.

Teasers & Plugs

Tech Segment: Ben Jackson

Claymore: Protecting your WiFi with some C4 and Balls of Steel

Paul originally planted this idea in my head with his “Sexy Defense” talk last year, but it really started to make me think when one of my pen testing friends starting going on about finding an open access point during an engagement and pillaging the target’s network from the parking lot. I’m a Blue Team guy. Always have, probably always will be. So, I started thinking about setting up an early warning system that would lure an attacker in and keep him or her occupied while I can possibly track them. At the very least, I wanted something that would let me someone was trying to snoop around.

My initial ideas included an open access point with Internet access off a sandboxed subnet on my network and record what the person did. However, I really didn’t want to start having an open access point on my network in which someone could start doing naughty things on the Internet, let along naughty things that could be traced back to my connection. Plus, there were the fun legal issues about wiretapping and whether or not I had the right to do so. So, I scrapped that idea. I then thought about deploying a BEEF server on the network and doing some IP tomfoolery with iptables to redirect any web request to the server. However, again, I was worried about the legal ramifications about doing so without proper disclaimers. I scrapped that idea too.

I was left with legally getting the most possible information about the attacker in the shortest window possible as they likely won’t stay connected long without a network connection. I went simple: I felt that running an nmap scan against anyone connecting was well within my legal rights and that, along with the DHCP information would give me some good information about the attacker.

So I set out creating a script that would scan anyone who connected to my network. After a few false starts and banging some questions against the illustrious Mr. Strand and along with the amazing LaNMaSteR53, I hacked out a script that monitored a dhcpd log, scanned every address that was assigned, and sent me a report via e-mail. I then set it up in my neighborhood hooked into a spare access point I had laying around, just to see if I could catch anyone poking around in my neighborhood. I figured I’d have something maybe in a week or so.

I got my first alert message within 12 hours. Bunch of savages in this town.

Setting up Claymore

My ghetto-tastic setup consists of a wireless access point at a high point in my house hooked up to a high gain antenna and a laptop associated with the access point and also plugged into it’s own firewalled off area on my LAN.

First, lets grab some libraries and install them, a typical python installation should have most of the modules Claymore needs by default, but there are two that you need to grab:

• setuptools – http://pypi.python.org/pypi/setuptools/ • daemon – http://pypi.python.org/pypi/python-daemon/ • nmap – http://xael.org/norman/python/python-nmap/

Both of these installations are straightforward are left as an exercise to the listener. Once these are installed, you are ready to grab the Claymore source on GitHub.

https://github.com/mayhemiclabs/claymore

The script expects to be installed in /opt/claymore and the configuration file is tailored as such, however, you can toss it wherever you want. This is assuming you’re in /opt/claymore.

Next, let’s tweak the claymore.ini file. This example is assuming you already have configured a DHCP server handing out addresses and logging to /var/log/syslog. Configure the file with the address you want to send reports to and the SMTP server you will be using.

[system] log_file = '/var/log/syslog'

[mail] server_address = your.server.name.here server_port = 25

to_name = your.name.here to_address = your.address.to.recieve.alerts.here

from_name = Claymore Daemon from_address = claymore@mayhemiclabs.com

server_login_user = mail.server.login.here server_login_password = mail.server.pass.here

Now…I’ve configured my DHCP server to hand out my host as the default gateway on the LAN. I can then enable certain protocols to be forwarded to a trusted server or directly to the server itself. Here I set up my server to forward DNS to google and HTTP to a local web server which always returns 404:

echo 1 > /proc/sys/net/ipv4/ip_forward iptables -A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.4.4 iptables -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1 iptables -A FORWARD -s 192.168.0.0/16 -p tcp -m tcp --dport 80 –j ACCEPT iptables -A FORWARD -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT iptables -A FORWARD -s 192.168.0.0/16 -p tcp -j REJECT --reject-with tcp-reset iptables -A FORWARD -s 192.168.0.0/16 -j REJECT --reject-with icmp-port-unreachable

Finally, let’s start the script:

python claymored.py

Now, once someone has been snagged, the script will fire off nmap against the client and you get a nice report to the address you configured:


Nothing extremely special, but good enough and it’s very handy for letting you know when someone is poking at your network.

Stories

Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration is: available online. If you have not yet registered or submitted a talk, please do so now.
  • Security BSides everywhere: Cleveland, Las Vegas, Los Angeles more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segement!
  • We take 2 weeks off for DefCon and BlackHat - Episode 297 will be Thursday August 2nd with Kevin Finistiere

Paul's Stories

  1. Using Nmap to Screenshot Web Services Troubleshooting - Why couldn't I find this article yesterday! Great job, good to see the community posting publically about this issue, as I don't believe we yet have a great solution to web service discovery. Fact is everything has a web interface, they run on diferent ports, some implement SSL, some do not, and browsing different directories gives you different results and/or applications. This is a time saver, whether on an externally facing or internal network, would be awesome to have a script rock on through thousands of hosts and spit out screen grabs of all the web services.
  2. Your Uncle Wants Tech Support? Give Him This USB Stick - Neat USB stick for technical support.
  3. 450 - Password breach of the week. I don't associate Yahoo with security ever since the Sarah Palin incident.
  4. USB drives left in car park as corporate espionage attack vector - Really? I thought after all the press that this attack was essentially dead, that and Microsoft killing U3. Guess not.
  5. HackArmoury.com - A Pentesticles Project!
  6. 10 crazy IT security tricks that actually work | Security - InfoWorld - I'm not sure these are crazy. As Hoff said, they aren't really tricks. And then there's the fact that not all of them actually work. There are no crazy tricks that will actually secure your network, for that to happen, you need talent, processes, monitoring, users that care enough about security to follow at least some of the guidelines, a budget, and a robe, wizard hat and magic pixie dust doesn't hurt either.
  7. Children warned name of first pet should contain 8 characters and a digit | NewsBiscuit - This is just funny, like LOL or even ROFL level funny.
  8. SQL Injection Knowledge Base - Great resource.
  9. Well done Sanyo (a great use of social media to get an urgent message out to the masses)
  10. Use of infected Thumb Drives (USB Drives) is a major security weakness

Larry's Stories

  1. Multiplatform Backdoor - [Larry] - Nice, depending on the browser and OS used, it deploys a different version of the backdoor. Not that that is a huge deal, but the backdoor itself runs on multiple platforms. Seems like someone has done a good job of cross compiling for Linux, Windows and OSX. Hmm, one of the parameters is named "ILIKEHUGS".
  2. YAB: Formspring - [Larry] - Clearly our passwords are not safe. Formspring with Sha-256 passwords…and also Yahoo Voice in clear text. Where will the madness end?
  3. Social Engineering backfire - [Larry] - Attacker drops thumbdrives in parking lot, user finds them and instead of plugging them in, they bring them to IT. IT security folks at the victim analyze the contents in a safe environment and determine that there is a password stealing trojan that uploads contents to a specific website. Admins block website form corporate networks preventing some of the attack. End user training win?
  4. From the Assume everythign you post on the internet is public department - [Larry] - YAY Instagram! Remember all the buzz about instagram, the photo sharing service that allows you to be a hipster photographer? Yeah, now their is a bug in which you can add anyone as a friend and see their private photographs…No details, yet.
  5. "10 crazy IT security tricks that actually work" - [Larry] - this article fills me with so much rage that I want to step through the 10 things. All I can say is: F-NO. F-NO. F-NO. F-NO. F-NO. F-NO. F-NO. F-NO. F-NO. F-NO. …and how exactly are ANY of these "ingenious" as indicated by the byline?

Allison's Storiez

  1. Facebook scans chats for online predators The most interesting part of the article is that this exists
  2. Facebook doing virus scans? Maybe this will help with finding patterns in huge spam campaigns, but it probably won't help if Paul hacks my account. Paul can have all my beer and all my stuff. Paul 2012. Paul 0wns.
  3. DarkComet trojan author kills project DarkComet trojan author is surprised and horrified that his malware is used for evil, kills project.
  4. Small businesses are not confident about their security I think this comes down to a lack of overall security knowledge
  5. Symantec says large firms need to worry the most about targeted attacks My biggest issue with this is that I don't get any of the phishing e-mails full of interesting malware.
  6. Israeli Agents Steal Korean Tech for Chinese Customer Straight out of a spy novel
  7. NSA Chief Says Today's Cyber Attacks Amount to 'Greatest Transfer of Wealth in History' As someone who welcomes transfers of wealth in my direction, this article interests me. Does the figure include the hefty sums paid to companies to protect against said attacks?
  8. .Net Framework Tilde Character DoS My takeaway from this is that you can use a ~ to destroy Windows.

Jack's Totally Rad Stories

  1. Phandroid Android forum password breach I give up. Another million lost passwords.