Episode329

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3 pt 1

MP3 pt 2

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 329 for Thursday April 25th, 2013

  • Register for our free webcast Hacking Embedded Systems (No Axe Required) on Tuesday, April 23, 2013 at 2:00 PM EDT to hear Paul talk about hacking embedded systems on the fly, on the cheap, no soldering iron required! (We are also looking for sponsors for this webcast, so please contact paul -at- hacknaked.tv for details!)
  • Come to the Security BSides Rhode Island Two-Day Conference on June 14th and 15th. Tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • If you are in the Boston area, check out BSides Boston on Saturday May 18th! Keynotes by Dan Geer and Josh Corman and presentations from Alissa Torres, Andrew Case and our very own Allison Nixon.
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Brad Bowers

Brad Bowers is Security Operations Manager for a large financial institution with over 10 years of experience in security engineering, system forensics and incident response. Brad is a frequent writer and presenter on topics of emerging threats and threat intelligence. For the last couple years Brad has been working on projects focusing on hardware and RF security.


Brad's site


Tech Segment: Sumit Siddharth "The Art of Exploiting Injection Flaws"

Sumit "sid" Siddharth works as a Head of Penetration testing for 7Safe Limited in the UK. He specializes in application and database security and Pen Testing. He runs the popular IT security blog notsosecure.com. Sid is also a contributor to the book SQL Injection: Attacks and Defence (2nd edition).

The Art of Exploiting Injection Flaws @ Black Hat Vegas

So, you found a SQL Injection in Oracle Database. How will you execute OS code against it from a web application? Is there an xp_cmdshell equivalent in Oracle? What if the SQL Injection is not privileged? That is, the query you inject is not running as DBA. Surely you should be able to pipe your user to DBA role and then execute OS command. Do you check for 2nd order injection, double encoding/decoding, order-by, group-by clause etc?

We all love Burp Professional and it's a great tool for web application security. I don't know a single web application security guy who does not use this tool. But, because it's a great tool, do we all rely a bit too heavily on it, and what happens when at times it misses a SQL Injection? Ohh, btw, do you find a particular check in which it executes "select 1 " and then "select 1,2" a bit annoying, and comes back with a false positive all the time? What if this one time this check is actually not a false positive, will you be able to distinguish?

Do you know how different LDAP servers (e.g. OpenLDAP, ADAM) behave when you send a crafted LDAP query? XPath injection, when the API supports XPath 2.0, allows extraction of not just the current XML document but any arbitrary XML file. And what if I tell you that it's not just arbitrary XML files, you can actually extract any file? Do you think commercial tools do a good job in identifying these? Maybe you should read more here....


OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1

Even the 2013 release candidate has retained injection flaws as the top threat.

https://www.owasp.org/index.php/Top_10_2013-T10

In my course we talk about Injection Flaws (A1) and only Injection Flaws. That is no XSS, no CSRF, no CRLF etc. We cover the injection flaws inside-out and provide an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are:

  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • Hibernate Query Language Injection
  • Direct OS Code Injection
  • XML Entity Injection

During the 2-day course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Of course we cover the mitigation part as well.

I am disclosing some content from the course:

XPath 2.0 Injection: Last year at Black Hat Europe, my colleague Tom Forbes and I did a talk on XPath Injection when the API supports XPath 2.0 (http://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf). 2.0 is the latest addition to the XPath API and the additions bring loads of functions. This means an XPath 2.0 injection allows quicker extraction of data. So, if you found an XPath 2.0 injection you can extract the entire XML file and you can do it far quicker because it supports ASCII functions. Further, the 2.0 API supports a function called doc() which lets you parse and process XML files outside the current XML document. This is where the fun starts. In the talk, we showed attack vectors by which an attacker can make use of this doc function to achieve the following:

  • read not just the current XML file but any arbitrary XML file on the file system

  • use the doc function as a web client and make the back-end application issue HTTP/DNS requests and thus extract the back-end XML files far more quickly. In fact, we showed 1 request to dump it all, because we thought it was cool.

Since then, we learnt a new attack vector by which we can make our vulnerable XPath application return not just an arbitrary XML file but any file (a la /etc/passwd or c:\boot.ini). The way the attack works is as follows:

1. We make the vulnerable XPath application read the attacker controlled xml file

2. The attacker's file defines an external entity which refers to the arbitrary file you want to read (like /etc/passwd)

3. The vulnerable application reads our attacker controlled xml file and processes the local resource (i.e. vulnerable server's /etc/passwd) which we read again using the doc method.

4. And to speed this all up, we can use OOB extraction again by calling the doc function in a different way.

All in all, this dumps any arbitrary file from vulnerable server. Tom wrote a tool to automate it and it actually works like a charm. Tool can be found here

So, that's just a small insight into XPath Injection. If you do web application security pentests, then this course is ideal for you and dives deep into examples where the modern web app scanners (Burp Professional, WEB-I****** etc) miss these issues. Examples: 2nd order injection, double encoding/decoding, HQLI, ORM Injection etc.

That's all I am prepared to give away at this stage :)

The registration page can be found here

Hope to see some of the fellow ethical-hackers at Black Hat Vegas.

Cheers

Sid

www.notsosecure.com
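
A defensive sketch for the entity-based step of the chain described above, added here as an example (it is not from Sid's course or Tom's tool): a Python loader that refuses any DOCTYPE or entity declaration, plus XPath 2.0 string-literal quoting for user input. The function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not from the page); the entity target is a placeholder.
BENIGN = b"<users><user><name>alice</name></user></users>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
           b"<r>&e;</r>")


class ForbiddenXML(ValueError):
    """The document uses a construct this loader refuses to process."""


def _forbid(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(kind + " not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes) -> list:
    """Return element names in document order; reject DTDs and entities."""
    names = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbid("unparsed entity")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_rejected(data: bytes) -> bool:
    """True when the loader refuses the document."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return True
    return False


def xpath2_string_literal(value: str) -> str:
    """Quote user input as an XPath 2.0 string literal.

    XPath 2.0 escapes an apostrophe inside a '...' literal by doubling it,
    so the value cannot close the literal and add query syntax. This does
    not hold for XPath 1.0; bind a variable instead where the API allows.
    """
    return "'" + value.replace("'", "''") + "'"


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print(is_rejected(HOSTILE))
    print("//user[name=" + xpath2_string_literal("o'brien") + "]")
```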

Tech Segment: Free Amazon Socks Proxy by Allison

Setting up a Free SOCKS Proxy to Tunnel to Freedom

This is a guide to setting up your own personal free SOCKS proxy. Amazon AWS offers “free tier” instances that are free for a year. You get root on them, and they come with the operating system of your choice. I will also show you how to set up PuTTY, a Windows program that is useful for port forwarding and bypassing your work network restrictions.


Standing up your instance:

First you’ll want to head over to http://aws.amazon.com/ and sign up for an account. They do ask you for credit card info to sign up for an account, but you won’t be charged until after your year is up. After your account is created and verified, log into your AWS management console. Here’s a picture of mine:

1st.png



Amazon offers a lot of services but the one we’re interested in is EC2. Once we get to the EC2 Dashboard you’ll want to click on Instances. Here’s what it looks like once you have an instance running:

2nd.png


To set up your first instance, click Launch Instance and follow the guide.

3rd.png


You can have your pick of operating system; just be aware the first choice, “Amazon Linux AMI”, runs on CentOS and isn’t for the faint of heart. And stick with the options with a star.

4th.png

You will be prompted to generate or upload a key pair. Amazon instances authenticate over SSH via keys rather than passwords by default. You’ll also need to configure the firewall rules. Leave port 22 (SSH) open for now, but don’t forget about the firewall, because if you enable more services they might not work unless you open up more ports.

Setting up PuTTY

You’ll need PuTTY and PuTTYgen which can both be downloaded here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Load up the .pem key you just downloaded in PuTTYgen. Click save private key to save it in the PuTTY compatible .ppk format. Now you need to set up PuTTY.

In the session category:

Amazon provides you with a DNS name for your instance. Right click on your running instance in your dashboard and click Connect to get your public DNS and username. You get root on your own instance, so this is not a shared hosting situation, and that IP address is yours and yours alone (until you reboot).

5th.png

  • In the Session category, fill out the hostname with the one Amazon provided, and the port is 22 for now. Make sure to put a name in for saved sessions so you can save it later.
  • In the Window category, change the lines of scrollback to 9999.
  • In the Connection category, set seconds between keepalives to 30 (most of the time this does nothing, but if you are on a restrictive network, it may matter).
  • In the Connection > Data category, change your auto-login username to the username Amazon provided for you. If you chose the Ubuntu server it would be “ubuntu”. If you chose that CentOS-based “Amazon Linux AMI”, it would be “ec2-user”.
  • In the Connection > Proxy category, you can set up PuTTY to traverse the same proxies you would normally use for web browsing. If you are on a corporate network it might not work without these settings. Check your browser settings and find out what it uses to connect to the Internet, and fill in those same details in the Proxy settings for PuTTY. Depending on the proxy type, you may need to authenticate first in your normal web browsing application before connecting with PuTTY.
  • In the Connection > SSH > Auth category, supply the location of that .ppk file that you generated using PuTTYgen.
  • In the Connection > SSH > Tunnels category, this is where the magic happens. When you set up port forwarding with PuTTY, your machine is able to use the remote Amazon machine as a SOCKS proxy. For source port, enter an arbitrary number for your port (I’m going to use 9876) and click the Dynamic radio button.
  • Finally, go back to the Session category and REMEMBER TO CLICK SAVE BEFORE CONNECTING. Otherwise you will have to enter them in all over again.
  • After you have saved, click Open. Click yes to accept the key and it should connect you and bring you to a terminal. If you’re having problems at this point, try connecting first in a network environment without proxies, and ensure the details are all put in right and everything is up and running.
  • Once you’re connected, you can change your port forwarding settings by right clicking the top of the PuTTY window and selecting “Change Settings”. It’ll bring you to a window similar to your initial connection settings window. The port forwarding should look like this:

6th.png

Configuring your browser

After you have PuTTY set up, configure your browser to connect to a SOCKS proxy at 127.0.0.1 and port 9876.

In Firefox you can configure your connection settings at Tools>Options>Advanced>Network then click Settings next to “Configure how Firefox connects to the Internet”. Make it look like this:

7th.png

In Chrome and IE, when you configure proxy settings it’ll bring you to the Internet Properties window. Go over to the Connections tab, click LAN Settings, click Advanced, and enter in the SOCKS proxy information like so:

8th.png


Bypassing Corporate Firewalls and Tunneling to Freedom

“Well that’s great!” You say. “Now I’m using a different IP address. But I still can’t connect when I’m at work!” You’re in luck my friend, because many content filtering schemes can be bypassed entirely due to the magic of SSH tunneling. This might not be easy to do, but with a little experimentation you can set up your own tunnel to freedom and learn a lot about networks in the process.

Here are some techniques to try:

  • You’re going to want to make sure PuTTY is using the same proxy settings your browser uses when you connect.
  • A lot of corporate networks require you to use a proxy to connect to the Internet, so go back into that Internet Properties window noted in the above screenshot and see if it’s already populated with proxy settings.
  • If you’re using an automatic configuration script, you can visit that location in your browser to check out the code and see which proxy you’re truly connecting to.
  • If all the settings in PuTTY are identical to those in your browser, make sure you are actually authenticated to your proxy.
  • There are many different possible proxy setups; don’t be afraid to poke around.
  • You may also want to try connecting over a nonstandard port.
  • You’ll want to make SSH listen on a different port on your Amazon box by changing the ssh configuration file. On Ubuntu it’s located at /etc/ssh/sshd_config – here’s the first few lines of my configuration file:
   
        # Package generated configuration file
        # See the sshd_config(5) manpage for details
        # What ports, IPs and protocols we listen for
        Port 22
        Port 443
        # Use these options to restrict which interfaces/protocols sshd will bind to
        #ListenAddress ::
  • While port 22 is known for SSH, port 443 is known for HTTPS and may be open at the firewall. If that doesn’t work, try port 80 (HTTP) or various high ports between 2000-65535. YMMV depending on the firewall and content filtering rules you’re trying to circumvent.
  • After you’ve chosen some ports to try, go back to your Amazon AWS dashboard and change your security group settings to open that port to your Amazon box so it can receive incoming connections.
  • If all of the above don’t work, there are programs you can use to tunnel over other protocols like ICMP (ptunnel) or DNS tunneling.


Conclusion

If everything worked, you should have an encrypted tunnel free from the prying eyes of your corporate overlords or fellow coffeeshop patrons. With the free Amazon boxes you won’t have much bandwidth to stream video, but you can just follow the same method with a paid instance if you want to do that. Also, if you find yourself IP banned from any websites (which you will because the A in Amazon AWS actually stands for abuse), just reboot your instance and you get a new IP.
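
For the monitoring side of the same setup, an added example (not part of Allison's guide): sshd moved to port 443 or 80 as in the sshd_config above still opens with an SSH identification string rather than a TLS or HTTP response, so the first server bytes give it away. The flow records, addresses and banner text below are constructed.

```python
SSH_PORT = 22

# Constructed sample: (client, server, dst_port, first bytes sent by the server).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160303004a0200")),
    ("10.0.0.8", "203.0.113.77", 443, b"SSH-2.0-OpenSSH_6.0p1\r\n"),
    ("10.0.0.8", "203.0.113.77", 22, b"SSH-2.0-OpenSSH_6.0p1\r\n"),
    ("10.0.0.9", "203.0.113.20", 80, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.9", "203.0.113.77", 8443, b"Welcome\r\nSSH-2.0-OpenSSH_6.0p1\r\n"),
]


def classify(payload: bytes) -> str:
    """Guess the protocol from the first bytes a server sends."""
    # TLS handshake record: content type 0x16, major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"HTTP/"):
        return "http"
    # RFC 4253 section 4.2: a server may send other text lines before
    # its "SSH-" identification string, so check the first few lines.
    for line in payload.split(b"\n")[:8]:
        if line.startswith(b"SSH-"):
            return "ssh"
    return "unknown"


def ssh_off_port(flows):
    """Return (client, server, port) for SSH seen on any port other than 22."""
    return [(client, server, port)
            for client, server, port, data in flows
            if port != SSH_PORT and classify(data) == "ssh"]


if __name__ == "__main__":
    for hit in ssh_off_port(SAMPLE_FLOWS):
        print("SSH on non-standard port:", hit)
```

When the tunnel rides an HTTP proxy via CONNECT, the same banner check applies to the first bytes relayed after the proxy's CONNECT response.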

Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May!
  • If you are interested in hosting SANS Training in the Boston area via the mentor format, please send us an email at mike -at - hacknaked.tv! We're looking for a location that can host 2 hours in the evening, 1 night a week, for 10 weeks.

Stories

Paul's Stories

  1. Serial threat on the internet - At first I was like, "Attackers are using Cocoa Puffs?". Oh, not that kind of serial. Yea, so terminal servers. Right, Ethernet on one side, serial port on the other. These are awesome little devices. We used to use them to manage 50+ Solaris servers. If something goes wrong, just connect to the terminal server. The software was a little wonky, but it got the job done. This is the same thing basically that is built into most Dell and HP servers, a small embedded device that provides a backdoor to the system. HD finds that there are 100k of these connected to the Internet, many with no passwords. I mean, why not let the Internet just log into your systems? What's the worst that could happen?
  2. Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys - Slashdot - Judge rules that basically you need a warrant to force someone to decrypt their hard drive. Scary stuff, 5th Amendment is important, as are all of the Amendments. Let's not let technology take away our rights, just because it's a "virtual" thing, doesn't mean we have to give up our rights.
  3. Out of Your Password Minder - YouTube - Ellen, yes, Ellen, has a fantastic segment on the password book. I really still can't believe this is a real thing.
  4. Verizon Fingers China - What is going on this week? Something about the "stinky dinky". Anyhow, yea, China.
  5. TSA Tables Plan To Allow Knives On Planes - So, we still have to take our shoes off, get grouped, be exposed to unknown amounts of radiation, have our hands swabbed with unknown chemicals, but hey knives are a-okay now. I heard they based this on user feedback. So, don't bother basing this on real threat intelligence or facts, just see what people are complaining about, then lower your security standards. Cuz that always works.
  6. US Air Force beats off competition in NSA hacking fight • The Register - Title speaks for itself. What is going on at these hacking challenges? 30 seconds of funny comments on this article: I guess it was a hard competition, that's one way to make sure the hackers blow it, who let Monica Lewinsky play defense?, the air force shows us how to avoid penetration but still come out on top, our new defensive plans now include free lube and tissues, and finally we'll teach those hackers to come on our systems.
  7. Twitter may introduce two-step authentication after recent hacking incidents - So, we had to wait until a big Twitter account got hacked which had real repercussions. When a Hollywood star gets their account stolen, it's so what. But, leak fake news of a White House bombing and make the stock market dip, oh I guess we really should implement two-factor authentication.
  8. Adobe's first CSO sets security of hosted services as top priority - Nevermind the gaping holes in all of our products, our real mission in security is cloud-based security products. Great...

Larry’s Stories

Jack’s Stories

Allison's Stories

  1. Hacked Twitter Account Moved Stock Market $136B A fake tweet from the Associated Press account said the White House was bombed, sending stock markets into a nosedive before people realized it was fake.
  2. Phishing the phisher This is amazing.
  3. VirusTotal now takes pcaps Also you may now search by domain name and IP address and see which samples phone home to it.
  4. Honeypot treasures Honeypots are amusing to me. Here's some malware a guy found on his.
  5. What a bored hacker did on a plane? This blog post is quite amusing. Those USB don't just provide power... they are actually connected to the entertainment system.
  6. How criminals are exploiting Bitcoin and other virtual currencies You probably heard me mention how bitcoin is one way that criminals can profit from a compromised machine. This blog post sheds more light on the matter and is worth reading if you are interested.
  7. How not to install an ATM skimmer Caught in the act!