Episode372

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties on pen tests and in their duties as security professionals.


Episode Media

Announcements

Paul's Security Weekly - Episode 372 for Thursday May 8th, 2014

And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady, it's Paul’s Security Weekly!

  • This segment is sponsored by Palo Alto Networks, creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • and by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out Tenable's other cool products such as the passive vulnerability scanner and SecurityCenter Continuous View. Visit them on the web at www.tenable.com

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, he's got a 0-day for gopher, and has parts of his anatomy that taste like chocolate, sexual chocolate if you know what I mean..., Paul Asadoorian!"

Guest Interview: Eddie Mize (@EddietheYeti)

Biography:

- y3t1

  • 31 years in the Computer Industry
  • Over 18 years in InfoSec
  • Recognized Industry Leader and Innovator - Imaginative Red Team Attacker
  • Phys Sec and Social Engineering Specialist
  • Cisco's Enterprise Technical Advisory Board for Information Security
  • Cisco Live Speaker - Red Team
  • Cloud provider security architect for over 53 million end customers
  • Security Evangelist – Keynote Speaker to several major conferences and events
  • Information Security Author published in Network World, Hakin9 Magazine, Pentest Magazine, and Silicon Angle
  • DEFCON Staff - Art for EFF and Art for Charity
  • Former CISO for Healthcare with 11 hospitals and hundreds of clinics
  • Real World Red Team/Penetration Tester
  • Real World Security and Compliance Assessor
  • Embedded systems hacker for leading automotive manufacturer in Detroit
  • HIPAA / ARRA / HiTech – ISO-27002 – NIST – PCI / DSS Assessments
  • Drawer of things on people and people on things
  • Thought Provoking art with weird mediums

http://eddietheyeti.deviantart.com/ @EddieTheYeti

Creative attacks!


I know you have some interesting hobbies... Art? You have interesting mediums. How much soy sauce do you go through? Art as therapy? Non-tech hobbies as general therapy? Tell us about the faces of DEFCON?


Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Tech Segment: Larry Rocks the Vote with Burp

  • This segment is brought to you by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
  • CircleCityCon is the first hacker con in Indianapolis. It is in a small to medium sized venue located in the heart of Indianapolis. General admission ticket: Jan 1, 2014 - until sold out. When: June 13-15, 2014.

For a long time I've been fascinated with online polls, contests and forms in which one can vote to win something (for either you or your friends). The fun ones, I think, are the ones where no captcha or e-mail address is required, or those in which you can vote multiple times. I used one of these many years ago to vote for the "cutest baby". No, we didn't win, because someone beat me to my own game.

Enter http://www.johnstrandvsjohnstrand.com! Now this is a vote I can rock...

So to start, I fired up burp, set the browser proxy and went to the site and voted for my favorite "model". Once I had that captured, I looked to see what I could see.




Now there were no POST requests for the site, but I did note one for "pollmill.com". A little inspection found that yes, this was the actual vote cast for my favorite "model".




My first instinct was to right click on the request, and "send to repeater". Once there, I used repeater to re-submit my vote; sure enough I was returned a page and it had accepted my vote AGAIN using all of the same tokens. No uniqueness tracking here! This is good.

I clicked on the repeater submit again. And again. And again. Woohoo, 5 votes! This is going to take a long time. Click faster! Then I noticed that some of my responses included the phrase "You are voting too quickly...". Nuts, this is no good, how will I rock the vote?

I started exploring other options. Ooh, how about the "Generate script" option from the original post request?




This looks promising! It needs to have the extender installed, and only works in the Pro version. Hmm, python, ruby, perl and PHP? Yes please! However with all of these options (except for PHP) I could not get them to work for me. I didn't spend a lot of time troubleshooting either.

I posed the question of scripting a POST request to my co-workers. John Sawyer came back with leveraging the "copy to curl command".




Oooh, this could be promising! So, I copied the original post request to the clipboard and wrote a little shell script with a loop, and pasted the request in the loop.

I quickly noted that I was getting responses back that I was voting too quickly. So I implemented a sleep function in the loop. With a little trial and error, I found that about one request a minute was good. This is the script I ended up with.

#!/bin/bash
COUNTER=0
while [ $COUNTER -lt 1000 ]; do
	sleep 60
	curl -i -s -k  -X 'POST' \
    -H 'Origin: http://pollmill.com' -H 'X-CSRF-Token: oE8RUleEzT3UCiLD5L0Q0TrrYOZzVG0gMD+Bka0wcZs=' -H 'X-Requested-With: XMLHttpRequest'\
 -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'Referer: http://pollmill.com/f/who-is-the-sexiest-hacker-on-the-planet-ghqn2aw/answers/new.fullpage' \
    -b 'respondents_uuid=7177cb1de8dc5844a7e2bb826f99257f; _session_id=ff6e43123a4e62c89faf24438b85c178; __utma=201964816.1687400874.1397497341.1398352538.1399483676.10; \
__utmb=201964816.1.10.1399483676; __utmc=201964816; __utmz=201964816.1399483676.10.7.utmcsr=johnstrandvsjohnstrand.com|utmccn=(referral)|utmcmd=referral|utmcct=/' \
    --data-binary $'utf8=%E2%9C%93&authenticity_token=oE8RUleEzT3UCiLD5L0Q0TrrYOZzVG0gMD%2BBka0wcZs%3D&_format=fullpage&update_entries%5B%5D=207231&answer%5B207231%5D%5Bvalue%5D%5B%5D=1309284&commit=Submit' \
    'http://pollmill.com/f/who-is-the-sexiest-hacker-on-the-planet-ghqn2aw/answers.js'
	let COUNTER=COUNTER+1
done

It has been formatted to fit your screen; try removing the "\"s if it doesn't work...

I let this script run for about 10 hours, pointed the mic skyward and dropped it. Vote rocked.

Now, I know this isn't anything super technical about burp, but sometimes the simple, elegant solution wins. It was something I didn't know about and turned out to be lots of fun. I could even imagine how I might be able to use similar requests and other loops with a shell script for fun too. Or, there is always burp sequencer...

But that is a story for another day.
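
Seen from the poll operator's side, the replay in this segment worked because the same authenticity token and respondent cookie were accepted over and over, with a rate limit as the only control. The following is an added example, not code from the show notes or from pollmill.com; the class, function and identifier names are hypothetical, and it sketches a vote handler that consumes each token once and keeps one ballot per respondent per poll.

```python
import secrets

class PollStore:
    """In-memory stand-in for a poll backend (hypothetical names throughout)."""

    def __init__(self, min_interval=5.0):
        self.tokens = {}      # token -> respondent it was issued to
        self.ballots = {}     # (poll_id, respondent) -> answer_id
        self.last_seen = {}   # respondent -> time of last vote attempt
        self.min_interval = min_interval

    def issue_token(self, respondent):
        """Issue a fresh single-use token each time the form is rendered."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = respondent
        return token

    def vote(self, poll_id, respondent, token, answer_id, now):
        # 1. The token must exist, belong to this respondent, and is consumed
        #    on use, so a captured request cannot be replayed verbatim.
        if self.tokens.pop(token, None) != respondent:
            return "rejected: token invalid or already used"
        # 2. Rate limiting is a secondary control: a paced loop stays under it.
        last = self.last_seen.get(respondent)
        self.last_seen[respondent] = now
        if last is not None and now - last < self.min_interval:
            return "rejected: voting too quickly"
        # 3. One ballot per respondent per poll, enforced server-side.
        if (poll_id, respondent) in self.ballots:
            return "rejected: already voted"
        self.ballots[(poll_id, respondent)] = answer_id
        return "accepted"

def replay_demo():
    """Constructed scenario: one legitimate vote, then paced replays of it."""
    store = PollStore()
    respondent = "respondent-A"  # constructed identifier
    token = store.issue_token(respondent)
    results = [store.vote("poll-1", respondent, token, "answer-1", now=0.0)]
    for minute in (1, 2, 3):  # the same request resent once a minute
        results.append(store.vote("poll-1", respondent, token, "answer-1", now=60.0 * minute))
    fresh = store.issue_token(respondent)  # new form load, same respondent
    results.append(store.vote("poll-1", respondent, fresh, "answer-1", now=300.0))
    return results, len(store.ballots)

if __name__ == "__main__":
    print(replay_demo())
```

The respondent identifier is assumed to be bound to something the server controls, such as an authenticated account; a value held only in a cookie can be discarded by the client to obtain a new identity.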



Stories

  • This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
  • and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com

Paul's Stories

  1. Is that Twitter account a bot? Researchers make app to find out
  2. Don't let hackers know Mandiant founder checks his email on an iPad. Oh.
  3. Deactivated User Accounts Die Hard
  4. Dropbox finally fixes security vulnerability
  5. SHA-2 Takes Off
  6. Why Threat Intelligence Is Like Teenage Sex
  7. Your Android phone viewed illegal porn. To unlock it - Scams such as this one are popular as money-making schemes. Everything from this to sextortion.
  8. Google acquires restaurant website builder Appetas - Please tell me they can make them not use Flash. It should be banned from all restaurant sites. I won't eat there if they use Flash, yea right, then I would have no place to eat.
  9. Serious security flaw in OAuth - OAuth is used by many large sites, including the OpenID service. Authentication is great, it should be shared and open and everyone should use the same protocol, except when that protocol has a flaw, then we are screwed.
  10. McAfee accused of McSlurping Open Source Vulnerability Database - OSVD is a great resource, and if you are using it for commercial purposes, give them some money. Except if you are McAfee, then apparently you can just spider the entire site instead. Tisk tisk.
  11. Unix ‘find’ Cheat Sheet - I love cheat sheets. Post-exploitation goodness here.
  12. 300k servers vulnerable to Heartbleed one month later - Fact is there are a billion sites on the Internet, so 300k is still a small percentage, but it depends on how you count. How many are using SSL? In any case, anytime there is a widespread vulnerability, people won't patch. The more widespread, the more sites that will remain vulnerable. What are we doing wrong that people aren't paying attention to security? Or maybe they are and are just accepting the risk.
  13. New iPhone lock screen flaw gives hackers full access to contact list data - I mean really, who cares? If you lose your phone, or it is stolen, little can be done to protect your information. I think remote wipe is your best bet in terms of personal security. Phones are lost or stolen all the time, though I am guessing here, but usually the thief cares little about your email or pictures. Still, it's Apple's responsibility to provide a more secure platform as this is not the first time this problem has come up, and likely not the last. Though they do make available the fingerprint reader, but as a user, this is more annoying than anything else. In fact, many don't use it because it's annoying. Dear Apple, I want a bigger phone, so in the mean time I have a Note III until you can make a phablet.

Larry's Stories

Jack's Stories

I'm looking forward to seeing folks at BSides in Boston, San Antonio, and Nashville.

  1. Jeanne Friedman's departing thoughts. Jeanne is a friend to many, and has been a driving force in steering content and community engagement at the RSA Conference.
  2. Deep thoughts from Dan Geer, oh, wait- "deep thoughts from Dan Geer" is redundant.
  3. My personal rant on some of the frustrations of presenting at many conferences

Joff's Stories