Episode360

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3 pt1

MP3 pt2

Announcements

Paul's Security Weekly - Episode 360 for Thursday January 30th, 2014

  • New webcast next Tuesday 1PM EST called "Build A Security Program From The Ground Up: Crawl, Walk, Run" Go to http://securityweekly.com/webcasts for registration information!
  • Security Weekly will be at the SANS ICS Summit from March 12-18th, doing a live podcast on Sunday night, covering the courses and attending the 2-day summit. Security Weekly subscribers can now enjoy a 20% off discount code! Use SecurityWeekly20 on checkout to get that discount applied. This conference will be held at the Contemporary Resort & Convention Center in sunny Orlando, FL. REGISTER NOW!
  • We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details, there are still a few slots available!

Guest Interview: Jared DeMott


Biography:

Jared DeMott is a principal security researcher at Bromium and has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, GRRCon, and DerbyCon. He is active in the security community by teaching his Application Security course.

  1. How has auditing code for application security changed over the years?
  2. What are the most common errors when it comes to security that you see?
  3. Can you share any awesome war stories with us?
  4. In your opinion, what is needed to fix the current state of application security?
  5. What are your feelings on, strcpy, sprintf, strncpy & malloc. Is the problem the functions, or the developer not fully understanding what is happening?
  6. Do you use any fuzzing framework for your applications, or strictly code analysis?
  7. What are some of the winning strategies for the Defcon CTF?
  8. What are the 3 most important things you can teach a software developer about security?
  9. What is the exploitation technique called ROP? How can you defend against it?
  10. Do you believe you find more bugs in fuzzing or static analysis, or is it just different bugs? Does it depend on the type of application?
  11. Which software implementations are the easiest to fuzz? The most difficult?
  12. Are there techniques and "things" you can do to your application to make it harder to fuzz?


Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?




Tech Segment: Carlos Perez

  • Larry teaching SANS classes: Check out his SANS page for the details: 617 in Orlando in March, also 571 at RSA.
  • SEC504 in Mentor format in Downtown Boston coming up in April! Use the discount code "SecOrg" when registering for 10% off the class. Register at http://tinyurl.com/SEC504-Boston. Email mike@hacknaked.tv for more info or for a special discount code if you prefer to get the GCIH attempt for free instead.

Windows Meterpreter recently got some new capabilities through the Extended API module by OJ Reeves, also known as TheColonial. He added support for:

  • Interacting with the clipboard
  • Querying services
  • Enumerating windows
  • Executing ADSI queries

In this Technical Segment we will cover the ADSI interface, since it gives us a capability in enterprise environments that was not previously available in Meterpreter other than through the enum_ad_computers module by Meatballs.

To query ADSI we first need to load the Extended API extension; as with any other extension, we use the load command:

meterpreter > load extapi 
Loading extension extapi...success.

If we use the **help** command or its alias **?**, we can see the commands that are now available inside the Meterpreter session:

meterpreter > ?

....

Extapi: Window Management Commands
==================================

    Command       Description
    -------       -----------
    window_enum   Enumerate all current open windows


Extapi: Service Management Commands
===================================

    Command        Description
    -------        -----------
    service_enum   Enumerate all registered Windows services
    service_query  Query more detail about a specific Windows service


Extapi: Clipboard Management Commands
=====================================

    Command             Description
    -------             -----------
    clipboard_get_data  Read the victim's current clipboard (text, files, images)
    clipboard_set_text  Write text to the victim's clipboard


Extapi: ADSI Management Commands
================================

    Command             Description
    -------             -----------
    adsi_computer_enum  Enumerate all computers on the specified domain.
    adsi_domain_query   Enumerate all objects on the specified domain that match a filter.
    adsi_user_enum      Enumerate all users on the specified domain.


Two of the ADSI commands simplify the most common enumeration tasks:

  • adsi_computer_enum - basic computer account enumeration.
  • adsi_user_enum - basic user account enumeration.

If we look at the help for one of these commands we will see that they all accept a page size and a maximum number of results. This is because AD can be very big, and a large result set can overwhelm Meterpreter.

meterpreter > adsi_computer_enum -h

Usage: adsi_computer_enum <domain> [-h] [-m maxresults] [-p pagesize]

Enumerate the computers on the target domain.

Enumeration returns information such as the computer name, desc, and comment.

OPTIONS:

    -h        Help banner
    -m <opt>  Maximum results to return.
    -p <opt>  Result set page size.

Let's enumerate computer accounts:

meterpreter > adsi_computer_enum acmelab1

acmelab1 Objects
================

name       distinguishedname                                                        description  comment
----       -----------------                                                        -----------  -------
CLIEN01    CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com                                            
COLLECTOR  CN=COLLECTOR,OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com               
DC1        CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com                                       
DC2        CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com                                       
DC3        CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com                                       

Total objects: 5

In the domain field we can also provide an LDAP distinguished name to control the scope of the query:

meterpreter > adsi_computer_enum 'OU=Domain Controllers,DC=acmelab1,DC=com'

OU=Domain Controllers,DC=acmelab1,DC=com Objects
================================================

name  distinguishedname                                description  comment
----  -----------------                                -----------  -------
DC1   CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com               
DC2   CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com               
DC3   CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com               

Total objects: 3

For user accounts it works in the same manner:

meterpreter > adsi_user_enum acmelab1 -m 10 -p 10

acmelab1 Objects
================

samaccountname  name           distinguishedname                                description                                                              comment
--------------  ----           -----------------                                -----------                                                              -------
Administrator   Administrator  CN=Administrator,CN=Users,DC=acmelab1,DC=com     Built-in account for administering the computer/domain                   
CLIEN01$        CLIEN01        CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com                                                                                
DC1$            DC1            CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com                                                                           
DC2$            DC2            CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com                                                                           
DC3$            DC3            CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com                                                                           
Guest           Guest          CN=Guest,CN=Users,DC=acmelab1,DC=com             Built-in account for guest access to the computer/domain                 
cperez          carlos Perez   CN=carlos Perez,CN=Users,DC=acmelab1,DC=com                                                                               
helpdesk        IT Helpdesk    CN=IT Helpdesk,CN=Users,DC=acmelab1,DC=com                                                                                
krbtgt          krbtgt         CN=krbtgt,CN=Users,DC=acmelab1,DC=com            Key Distribution Center Service Account                                  
krbtgt_28732    krbtgt_28732   CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com      Key Distribution Center service account for read-only domain controller  

Total objects: 10

Now the command that provides the greatest flexibility is the **adsi_domain_query** command, since it lets you craft your own queries and specify which fields you want. For this we need to use the LDAP filter syntax; one of the best resources I have found for this is the SelfADSI page <http://www.selfadsi.org/ldap-filter.htm>. The command differs from the rest in that you build the query and choose the fields yourself, which can get tricky if you have no previous experience with LDAP and AD. You can check MSDN, use the PowerShell [adsisearcher] type accelerator, or use ADSI Edit on a lab domain to figure out the field names.

Let's look for disabled accounts and get their name, distinguishedname and description:

meterpreter > adsi_domain_query acmelab1 (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) name distinguishedname description

acmelab1 Objects
================

name          distinguishedname                            description
----          -----------------                            -----------
Guest         CN=Guest,CN=Users,DC=acmelab1,DC=com         Built-in account for guest access to the computer/domain
User15        CN=User15,CN=Users,DC=acmelab1,DC=com        
User28        CN=User28,CN=Users,DC=acmelab1,DC=com        
User36        CN=User36,CN=Users,DC=acmelab1,DC=com        
krbtgt        CN=krbtgt,CN=Users,DC=acmelab1,DC=com        Key Distribution Center Service Account
krbtgt_28732  CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com  Key Distribution Center service account for read-only domain controller

Total objects: 6

Let's find all OUs in the domain:

meterpreter > adsi_domain_query acmelab1 (objectclass=organizationalunit) name distinguishedname 

acmelab1 Objects
================

name                     distinguishedname
----                     -----------------
Domain Controllers       OU=Domain Controllers,DC=acmelab1,DC=com
ITS                      OU=ITS,DC=acmelab1,DC=com
International Marketing  OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com
Local Marketing          OU=Local Marketing,OU=Marketing,DC=acmelab1,DC=com
Marketing                OU=Marketing,DC=acmelab1,DC=com
Sales                    OU=Sales,DC=acmelab1,DC=com

Total objects: 6

Stories

Paul's Stories

  1. Anyone Using POS Is At Risk - So, malware that infects POS systems has been for sale in the underground for a while. The thing that gets me is, attackers need access to the system, either via credentials or vuln/exploit. So, to me, this is nothing new. The fact remains that people will re-use credentials, use weak passwords, and not patch their systems. So, defense against this new malware is the same! We've got PCI, and a lot of good it's doing now. I think the real failure here is security implementations, credentials and patches, and then being able to monitor effectively. Now before you jump around and yell, yes I know, the Target breach came from a partner credential or something. This is a problem: how do you get your partners and vendors to maintain a strict security policy like you do?
  2. Target traces security breach to stolen vendor credentials - See my question above, interesting. Attackers, get this, used a system not related to payment systems. Go figure, and this is one of my main problems with PCI, people as a result only focus on the payment systems. If you are not enforcing a security policy that restricts which systems can talk to some other systems, then everything needs to be at the same, higher, security model. Even if you try to segment, the problem is stuff needs to communicate, and those channels will be exploited. After years of pen testing, the strategy remains the same, gain a foothold and work your way through. One of the keys to defense? Try to detect this early on and make it harder to jump from segment to segment.
  3. Toy Maker Hasbro’s Site Serving Drive-By Download Attacks - And knowing is half the battle. If you have a popular web site, you are under attack.
  4. High-Volume DDoS Attacks Top Operational Threat to Businesses - Lots of news about DDOS, I refer to Allison for expert opinion, but I gotta imagine there are security folks working on this problem. My question is how much time and effort should you put into DDOS defense? Guess it depends on what you have at stake.
  5. Would NFC smartphones have helped at Target? - I fail to see how this solves the problem. A Google wallet? Are you kidding me? Why would I trust the security of 1) NFC 2) My Smartphone and 3) Google with payment information?
  6. Remote code execution bug in Yahoo servers leads to root access - With so many properties, this is bound to happen.
  7. Use MediaWiki and hate malware? This patch is for you - Time to update!
  8. Multi-platform Java bot marshals ZOMBIE FORCE against spammers - Love the multi-platform.
  9. Red or Blue - Interesting article, I agree we need to encourage everyone, of all sexes and races, to join our great field. Though, I don't see us only marketing to a certain crowd, nor do I feel like the security community is a "boys club". In fact, out of all the professions and such, I believe security is the most accepting and diverse. However, 13% are women, not sure why this is!

Larry's Stories

  1. Multi-platform ZOMBIE - [Larry] - uhhhh, yes. Written in Java. Of course it is multi-platform. However it is targeting a specific vulnerability, so it might not present itself in all platforms, such as Android…
  2. Stolen @N - [Larry] - How a little social engineering compromises some domains, almost nails paypal, and results in domain for a twitter handle ransom.
  3. Scumbag Pentester - [Larry] - I really want to know who the company was that issued this report. The read is hilarious.
  4. Targeting vendor credentials. - [Larry] - A vendor password, eh? Not a lot of details here, but I'm hoping that we can discuss. BMC's BladeLogic was mentioned in some of the reports, but was a "ruse". Let's discuss a hypothetical around that.

Allison's Stories

  1. More Spyeye guilty pleas - In its heyday, Spyeye was a financial theft malware that required little to no technical skill to build and deploy. It also had a rivalry with Zeus, including "zeus killing" features in its bots.
  2. Punish careless employees to reduce security breaches, vendor says - This might be cathartic in the short term but reigns of terror in the workplace are generally not so helpful.
  3. The Only Thing Scarier Than Self-Driving Cars Are the Hackers Waiting to Attack Them - For software defects that can be fatal, I don't think the status quo of "patch, and if you get hacked it's your fault" is acceptable here.

Carlos Stories

  1. First Android bootkit malware spotted; reportedly found on over 350,000 mobile devices, most in China - [Carlos] First ever Windows malware to infect Android phones, so now we see a new way for malware writers to jump into mobile devices; in this case the device needs to be left with USB Debugging enabled.
  2. First ever Windows Malware that can hack your Android Mobile - [Carlos] Wow, now we are seeing rootkits on mobile devices, and yet most MDM solutions fail and many still say there is not enough data to worry.

Jack's Stories

  1. In this old post CSO Andy asks and answers the question "Why don't websites default to SSL/TLS?" Still timely, possibly more so now.

Joff's Stories

http://www.securitytracker.com/id/1029699 - Cisco Identity Services Engine Input Validation vulnerability.


http://www.computerworld.com/s/article/9245816/Evan_Schuman_App_testing_and_sins_of_omission?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F17+%28Computerworld+Security+News%29

This story is a reminder of how much we need organizations to integrate security early in the development planning process.


http://owasp.blogspot.com/2014/01/owasp-statement-on-security-of-internet.html - OWASP stating their strong preference for the importance of application security. Application security awareness is not at a stage of general public awareness but the basic principles and issues at hand need to be communicated.