From Paul's Security Weekly

Vulnerability Hunting With Nessus

1) Run Nessus against every machine, device, and anything else with an IP address in your environment.

2) Do it in a controlled manner and notify people, so they notice when something crashes. Also keep an eye on Nessus Plugin ID 10919. If it reports "This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by a plugin", you might be on to something.

3) If you find that a service crashed, re-run the Nessus scan against that host only and verify that the same service crashes again.

4) Once you have identified the service, run the Nessus scan a third time and capture the packets to and from that port. Note that -w writes raw packets to the file, so display options such as -X and -vv do nothing during the capture; use them when reading the file back:

tcpdump -s0 -i eth0 -nn -w crashtest1.cap 'host <ip> and port <port>'

tcpdump -nn -vv -X -r crashtest1.cap

5) Review the packets and see if you can associate the payload with a plugin. If nothing really matches, try to match the behaviour instead, such as sending a bunch of data to the port. Some useful commands (each needs the target host; the ports shown are just examples):

hping -s 1337 -p 31337 -S -d 20 <ip>

perl -e 'print "A"x1028' | nc -vv -n <ip> 31337

nc -vv -n <ip> 1337

The hping line sends a SYN from source port 1337 to port 31337 carrying 20 bytes of data; the perl/nc pair pushes 1028 bytes of "A" into the service; the last line simply opens an interactive connection so you can type at the service by hand.

6) Notify your vendor and provide all the appropriate information (packet dumps, command lines, scripts, etc.) so they can reproduce the problem and generate a fix. If they don't? Well......cough..BUGTRAQ..cough
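The whole procedure in steps 2 through 5 boils down to one test: was the port open before, is it closed after you replay a candidate payload? The following is an added example (not code from the show notes or from Nessus) that reproduces that "open, then closed" check outside the scanner. The target service is a constructed stand-in: a small TCP listener that dies once it receives more than LIMIT bytes, playing the role of whatever real service crashed during your scan. crash_test() replays a payload the way the perl/nc pair above does and then re-checks the port the way Plugin 10919 does.

```python
"""Reproduce a 'port was open, now closed' finding outside of Nessus.

Added example, not from the Security Weekly show notes. The target service
here is a constructed fragile TCP server that dies when it receives more than
LIMIT bytes, standing in for the real service that crashed during the scan.
"""
import socket
import threading
import time

HOST = "127.0.0.1"
LIMIT = 1024  # constructed: the stand-in service falls over past this many bytes


def port_open(host, port, timeout=1.0):
    """TCP connect check: True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_payload(host, port, payload, timeout=2.0):
    """Deliver payload in one connection; True if it was sent in full."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
        return True
    except OSError:
        return False


def crash_test(host, port, payload, settle=1.0):
    """Open? -> send payload -> wait -> open again?  Same logic as Plugin 10919:
    a port that was open before the probe and closed after it is the finding."""
    before = port_open(host, port)
    sent = send_payload(host, port, payload) if before else False
    time.sleep(settle)  # give the service a moment to fall over
    after = port_open(host, port)
    return {
        "open_before": before,
        "sent": sent,
        "open_after": after,
        "crashed": before and sent and not after,
    }


def start_fragile_server(limit=LIMIT):
    """Constructed stand-in for the vulnerable service; returns its port.
    Any single connection delivering more than `limit` bytes kills the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener already closed
            received = b""
            with conn:
                conn.settimeout(1.0)
                try:
                    while len(received) <= limit:
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        received += chunk
                except socket.timeout:
                    pass
            if len(received) > limit:
                srv.close()  # the "crash": the listening socket goes away
                return

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fragile_server()
    print("20 bytes:  ", crash_test(HOST, port, b"A" * 20))
    print("1028 bytes:", crash_test(HOST, port, b"A" * 1028))
```

Against a real host you would drop start_fragile_server() and call crash_test() with the IP and port from the tcpdump capture, swapping in the payload you pulled out of the pcap. The settle delay matters: some services take a second or two to die, and re-checking too early gives you a false "still open".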

Stories for Discussion

Metasploit 3.0 - Automated Exploitation - [Paul] - Using the Ruby framework with database integration, Metasploit can do some really cool stuff, similar to the autohack and rapid penetration testing features of Core IMPACT and CANVAS.

Mmmm, fuzzy - [Larry] - Beginner's guide to wireless testing and fuzzing by David Maynor.

Wireless "Hacking" Book online - Hardware hacking with wireless, almost entire book available online.

OpenBSD 4.0 coming soon - [Nicky D]

Holy Security Podcasts Batman! - [Paul] - Quite the list of podcasts, we've got some listening to do. As far as security podcasts, I listen to Cyberspeak, Binrev, Sploitcast, Security Now! (I know), and PLA Radio like religiously, never miss an episode. I listen to many others, but those are the ones I keep coming back to.

ATM reprogramming made easy - [Larry] - Also, the Matasano blog had two posts (post 1, post 2) noting that the video of the ATM was on YouTube, and it was identified. Manuals were acquired legally in 15 minutes that contained default passwords. Beware the dangers of default passwords!

Torpark - [Larry] - Hacktivismo released a modified Firefox that uses Tor, for use on a USB keychain. Anonymous browsing wherever you go, for free! Beware, sometimes you get what you pay for.

YAIEV (Yet Another IE Vulnerability) - [Paul] - In related news, pr0n sites were the first to be cited distributing malware using the new flaw.

Talk Like A Pirate Day - [Paul] - Even the fine folks at the ISC decided to jump in on Talk Like a Pirate Day (Sept 19th). I prefer Ninjas, cuz when it's Ninjas vs. Pirates, Ninjas will always win. Always.

Unpatched Flaw in IKE affects Cisco Products - [Paul] - "It is similar to the TCP SYN flood attack which caused so much concern in the early 1990s." Great, good to see we learn from history. Cisco plans to release something in a year. Crap, IE patches will be out before then!

No more LURHQ? - [Larry] - SecureWorks and LURHQ merge, to be named SecureWorks. Bejtlich: Now I won't have to figure out how to pronounce LURHQ any more. So where does that leave Apple wireless? [Paul Asadoorian - Also found this in the dark reading room. Will they compete with ISS-IBM? Better question, do managed security services add value in all cases?]

Schneier On University Security - [Paul] - In a nutshell, it's not easy, but not impossible. Safeguard the sensitive information that you can, enforce policies, and segment the network. I can expand.... It's sorta like trusted computing for humans.

Apple releases firmware updates for Mac Pro - [Larry] - But no mention of wireless. I was originally thinking that Apple was trying to be sneaky and slip in wireless updates, but then I realized that this is for the desktops, not the laptops. Bad paranoia! BUT, later today they released the patch! Go Digg the story!

Hacker In The House - [Paul] - Very cool detailing (packet captures) of what an attacker did after compromising a honeypot.

Differences in WPA vs WPA2 - [NOTE: You must copy and paste this link] [Larry] - In 500 words or less. Thanks Joshua Wright. [Paul Asadoorian - TKIP vs AES on WRT54G...FIGHT!]

Diebold voting machines defeated with cheap minibar key - [Larry] - The keys are readily available on eBay. I wonder how pickable they are. These e-voting machines are a nightmare, and Diebold is clearly not listening to any of the research coming back to them. Just goes to prove that you need to look at all aspects of security for your sensitive info, from electronic to physical.

Adobe reader attack and seven Quicktime flaws - [Larry] - Despite the ranting tone of Twitchy's storytime last week, these are prime examples of what he was talking about.

Stories of Interest

Mount ISO images as a drive under Windows XP - [Larry] - A la Linux loop. I've been looking to do this for a loooong time. Thanks RaDaJo!

Extra soda for twitchy - [Larry] - Get extra soda from Coke machines with the movable conveyor belt...what an easy hack.

Neuros Hardware Hacking - Why can't all hardware be open? Working with the WRT54G, Larry and I are frustrated with binary drivers and other information that isn't available, even on the WRT54GL!