Tool Spotlight: Finding Vulnerable Hosts with Custom Scripting
In this section I'd like to cover a method I have been developing for quickly finding vulnerable hosts on your network.
Nmap::Parser (Lots of deps, like XML::Parser)
nbtscan (emerge nmap, apt-get install nbtscan)
Address : 192.168.9.21
SMB Name : WOPR
MAC Address : 00:12:53:1d:4d:7d
Service : 139 (netbios-ssn)
Service : 445 (microsoft-ds)
Address : 192.168.3.13
SMB Name : GIBSON
MAC Address : 00:06:5b:4b:d6:72
Service : 2967 ()
Address : 192.168.4.24
SMB Name : WHISTLER
MAC Address : 00:07:5b:c2:98:a7
Service : 139 (netbios-ssn)
Service : 445 (microsoft-ds) Microsoft Windows XP microsoft-ds
- Autoexploit targets - Tie into metasploit to auto exploit
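The report format shown above can be produced from nmap's XML output (-oX). The following is an added example, not the script discussed on the show (which uses Perl's Nmap::Parser): it filters live hosts by open ports of interest and prints them in the same layout. The XML sample, the SMB_NAMES table standing in for nbtscan results, and the WATCHED port set (taken from the ports in the sample output) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout, trimmed to the elements used here.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/>
 <address addr="192.168.9.21" addrtype="ipv4"/>
 <address addr="00:12:53:1d:4d:7d" addrtype="mac"/>
 <ports>
  <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 </ports></host>
<host><status state="up"/>
 <address addr="192.168.3.13" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="2967"><state state="open"/></port>
  <port protocol="tcp" portid="445"><state state="filtered"/></port>
 </ports></host>
<host><status state="down"/><address addr="192.168.3.14" addrtype="ipv4"/></host>
</nmaprun>"""
SMB_NAMES = {"192.168.9.21": "WOPR"}  # constructed; stands in for nbtscan results
WATCHED = {139, 445, 2967}            # ports of interest (assumption)

def inventory(xml_text, watched, names):
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not answer
        addr = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered or closed ports are not reported
            num, svc = int(port.get("portid")), port.find("service")
            if num in watched:
                services.append((num, svc.get("name", "") if svc is not None else ""))
        if services:  # MAC is absent when the host is not on the local segment
            found.append({"ip": addr.get("ipv4"), "mac": addr.get("mac", "unknown"),
                          "smb": names.get(addr.get("ipv4"), "unknown"), "services": services})
    return found

def report(hosts):
    out = []
    for h in hosts:
        out += [f"Address : {h['ip']}", f"SMB Name : {h['smb']}", f"MAC Address : {h['mac']}"]
        out += [f"Service : {p} ({n})" for p, n in h["services"]]
    return "\n".join(out)
```

Calling report(inventory(SAMPLE_XML, WATCHED, SMB_NAMES)) returns the text report; a port with no identified service is printed with empty parentheses, as in the sample output.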
Stories for Discussion
Windows XP/Vista/2003 0Day Published: MessageBox() Memory Corruption - [Paul] - Looks like just a DoS at the moment, the source code is ridiculous. See also BugTraq Posting.
MONTH OF APPLE BUGS LOL - [Nick] - January 2007 will be the month of apple bugs courtesy of LMH. LMH says, "Taking security arguments apart, I have to say that Mac OS X is a pretty well integrated system. It's tightly packaged [...] and nice looking. I'm an OS X user myself and I certainly feel like Apple has invested long time on tweaking the little details. Now they just have to invest a little more on security matters, but not hiring a 'turnover security firm' to do the consulting that leaves the job half done. That's what failed, IMHO"
A fanboy's reaction: "As a Mac user, I take great offense to this. By no means am I an Apple fanboy, this is just asshole behavior. I mean come on, this might put all of my schools computers out of commission; along with my home Macs to... As a student that would have huge ramifications. Am I supposed to abandon the internet for the month of January? How would I send files from school to home? Think about mac based businesses that depend on the internet; what are they supposed to do? Really, there's no reason for someone to do this, other than to cause harm. Some people actually payed money to get the added security of a Mac because they NEEDED it." - lol!
[Larry] - Now the Mac users will know what it is like to be a Windows user - in fear of their PC safety! This one ties to the Word vulnerabilities too - one of them is for the Mac as well. What, am I supposed to stop using Word too? Now, an educated "public" and a robust security posture can eliminate the majority of these types of threats - there will always be some threat, but it can be reduced. That said, I'm all for the MOMB (Month of Mac Bugs).
HP JetDirect & HP Printer DoS - [Paul] - "Take care trying it because two of my printers were crashed completely (you will need to make use of your warranty ;] )" So, I really want to find out if an FTP buffer overflow (in the LIST and NLIST commands) really can render a printer useless. Couple this exploit with the above script and you could really cripple an organization's ability to print. Would make for a really sucky day in that IT department....
Underground Auction Sells Vista Exploit for $20,000 - [Paul] - Why would you pay that much for an exploit for an OS that is not yet widely deployed? I'd value an unpatched remote exploit for Windows XP far more than this, and much higher if it can get around the firewall. If ROI is the goal, not certain why a Vista exploit would be the most valued. Trend Micro leaked this, and had a hacker in the chat room. Nice going, now they know...
Computers learn to parse natural human language - [Joe] - "A company in Israel claims to have solved the problem of enabling computers to parse natural human language. Linguistic Agents says its "NanoSyntax" technology translates normative human language into a formal computer language, potentially improving search interfaces, application interfaces, text-message-based network APIs, and phone trees." www.linguisticagents.com - whenever greater abstraction becomes involved, security issues follow. What can go wrong here?
2027 Predictions - [Paul] - I hate predictions, but this one was funny...
Another Word 0-Day - [Joe, submitted by firstname.lastname@example.org] - This is the second recent Word exploit and according to a US-CERT advisory "the latest bug is a memory corruption issue that occurs when a Word file is rigged with malformed data structures." Word is this works in OpenOffice too.
How Skype and Other P2P Apps Get by Firewalls - [Joe] - This was posted on Slashdot. The article talks about the methods Skype and other P2P apps use in order to establish connections in spite of NATing. If you admin a firewall and aren't aware of how those pesky VoIP connections are made, it might be time to audit your setup. The article shows some clever ways to test and protect your firewall from these connections.
Logic Bomb "backfires" - [Larry] - I wanted to point out this article, strictly because of the trust that we put into the system administrators, and how difficult it can be at times to mitigate the inside threat. I bet an environment where even the admins don't use root (but use something like sudo) would provide better tracking for these types of changes...
Intel 2200BG wireless driver exploits - [Larry] - This one was available on Milw0rm too. In C. Hot. Looks like a pretty trivial attack, and from my understanding, was not just for Linux.
WiMax security? - [Larry] - Looks like many of the same issues that plague some of the other wireless issues...MITM, etc. Fuzz it! Thanks Josh!
Nessus and SCADA - [Larry] - In the last listener feedback episode, we talked a little about SCADA networks, and about that time, Nessus released 31 tests for SCADA networks. This seems good, and scary - testing networks that must have 100% uptime - how many times have you crashed something with just Nmap, let alone Nessus?
Skype Worm? - [Larry] - This one has been back and forth....I just wanted to note that it was called a worm, when in fact it requires user intervention - to me, that is not a worm. In either case, it just indicates the need for appropriate layered defenses, and appropriate policies and enforcement - do you even need Skype in your corporate environment?
Vulnerability Tools Get Teeth - [Paul] - Nessus and other VA tools produce so many false positives, and this article talks about automation and integration with NAC. It just doesn't sit well with me. It's a three-step process: 1) identify the port/service 2) Check for possible vulnerability 3) Exploit to be certain. You can eliminate step 2 entirely and still be wildly successful. I still like to do VA, because you don't always get a reliable exploit.
MS Silently fixes wireless issues - [Larry] - This patch fixes Windows from broadcasting the preferred networks list, which can be helpful in partially mitigating against Karma.
Stories of Interest
Apple May Be Carrier for IPod Phone - [Nick, Joe] - "Apple may partner with Cingular Wireless LLC to provide wireless service for a so-called iPhone, Benjamin Reitzes, a UBS analyst in New York, said today in a note." [Larry] Note [Paul] - No offense, but we care why?
CHOP - Military Satellite Hackers - [Larry] - Using readily available off the shelf parts (such as wire and PVC tubing), these military employed hackers are able to disrupt military satellites with only a few milliwatts of power.
The ultimate Facebook privacy paper - [Joe] - Wget is a powerful tool, here's a good way to put it to work :)
Fugitive Caught After Logging into MySpace - [Joe] - I guess MySpace isn't all that bad...
SIP testing proxy - [Larry] - I've been looking at some SIP stuff recently, so I wanted to be sure I looked at this tool in the future. Looks like a tool such as Parosproxy, but for SIP.