Google Calendar for Security Professionals
Google calender is a great tool collaboration tool for maintaining a personal, world accessible calendar, but also a calendar for group collaboration. With group collaboration, you can set your calendar to allow certain individuals to access it, or you cah set it to world readable. With World readable, you can just set free/busy information, or allow "backstage access", effectively making a public calendar. Public calendar you say? Oh goodie!
So, in order to make Google calendar useful to us as a security professional (for performing audits, pentests, etc), we actually need to have a google accoutn, and a google calendar of our own. Really simple to get, just go to http://www.google.com/calendar and sign up - free and easy. Once signed up, we can begin searching...
When we're signed in, the left hand tool bar has a seach pane - search Other Calendars! This search will obtain some interesting items only on public calendars - you'd be surprised what is out there. Information disclosure for a potential attacker, you bet. So, what to search for? Here are some of my favorites:
- passcode = how about joining a conference call or two? Get there early, and don;t record your name. put it on mute, hang out and listen.
- passcode security = See the last one. But, likeley they'll be talking about security goodies.
- passcode [email,network,ip,] = see above. :-)
- [firewall,network,server] upgrade = see when they are scheduled. What do you want to bet there will be outages, and configuration issues? good time to exploit those weakneses, or social engineer the help desk...
- [pen, penetration] test - when is a good time to sneak in some attacks, blending in with the IDS IPS issues? you guessed it.
- vacation = more social engineering attempts. Hello helpdesk? My VPN doesn't seem to be working.....
- vacation [company name] = even more detailed information
- LOA = same as vacation.
- conference call = Sometimes they list the dialin number...sit back and listen to all sorts of info.
- Company name = certainly a good one for your own organization. Don't forget any internal abbreviations!
- Guys, thinking of any more while we're discussing these?
So, thinking about more of these searches, I'm sure that you can think of all sorts of keywords for possible information disclosure for an organization. It is a good idea to audit this and other places of information disclosure....like employee blogs? Ouch.
How do you protect? Policy, block google calendar, audit.
LORCON+USB Wireless Cards+Linux+Ruby = Fun
So, here is a short guide to getting LORCON going with USB wireless Cards and Linux. Here is what you will need:
- Linux (I used a laptop): I used Xubuntu with kernel version 2.6.18-28 (I think, my test system had a hard drive failure!)
- USB Wireless Card: D-Link DWL-G122 (802.11b/g) New Version with rt2570 (NOTE: I also tested the Belkin FD5D7050 with a zd1211 chipset)
- SerialMonkey Drivers: http://rt2x00.serialmonkey.com/rt2570-cvs-daily.tar.gz - USB Monitor mode injection, w00t!
- LORCON: http://802.11ninja.net/lorcon/ (svn co http://802.11ninja.net/svn/lorcon/trunk)
- Metasploit: http://metasploit.com/ (svn co http://metasploit.com/svn/framework3/trunk/)
- Kismet: Just for fun, I got Kismet-newcore going. (svn co http://svn.kismetwireless.net/code/branch/kismet-newcore kismet-newcore) Documentation is HERE. You need newcore in order to use the serialmonkey drivers.
Step 1 - Download and compile the Serialmonkey drivers. A good tutorial is here. You will also need the Linux src/headers. If you are doing it manually, be certain to copy your existing config (typically in /boot/) then compile your kernel.
Step 2 - Plug in your USB serial deivce. If all went well you should see it when you do an iwconfig.
Step 3 - Download, compile, and install LORCON, Metasploit, and Kismet. They should compile cleanly in most versions of Linux. You may need to add libraries and headers for ruby and lippcap.
Step 4 - Go into the LORON directory and type "make tx". This will make a small little program that will inject some frames. It will test your card and tells you is LORCON works properly.
Step 5 - Test injection with ruby-lorcon in the metasploit directory. You will also have to make the ruby-lorcon library, instructions are in the README.
Kismet: Edit your /usr/local/etc/kismet.conf file and change the source to "source=rt2570,rausb0,Dlink-2570". Now fire up kismet and enjoy the new fancy GUI complete with menus! The rt2570 chipset will support channel hopping and works great as far as I can tell.
These tools are *the* foundation for security testing, monitoring, and security tools. Use them. Know them. Write good stuff to expand them. And go PWN some stuff. You might also want to substitute USB drivers for Madwifi + an Atheros card, they offer much better support and are more stable. Make certain you are on the latest version.
- Complete Serial Monkey Supported Hardware List
- Extensible 802.11 Packet Flinging - Josh and Mike's presentation from Shmoo.
Stories For Discussion
Mods for Karma - [Larry] to allow for Ad-Hoc mode... Airport anyone?
Capture-HPC - [Larry] - A Client Honeypot for finding malicious web servers, from the New Zealand honeynet alliance. It engages the web server (with interaction), and checks for client changes in the VM. Look for some upcoming info on this from the PDC crew.
Quit your whining already! - [Larry] - Waaaah! Evil hackers can spend all this time finding exploits in OSes, etc, and can disclose and exploit them at will. Save us! Instead of complaining, how about code audits, and employing divisions to test your stuff before hand... Sounds like the want some legislation? When exploits become criminal, only criminals will have exploits...
Orcale to be selective about patches - [Larry] - What? So, you have to request a patch it you are running some od combination of server version on some hardware...etc. How will i know if I am vulnerable, to request the patch...why wouldn't I request the patch...If you know I'm going to ask...just develop it and not make we wait another 6 months for it whil my shorts are around my ankles.
McAffee Viruscan Overflow - [Larry] This possibly allows form remote code execution as SYSTEM. One slight snag - the target system must have East Asia language files installed and the default Unicode codepage is set to a language which contains multi-byte characters such as Chinese for the exploit to work. Time to hack those Chinese hackers/spammers back? Thoughts on hacking back?
ClamAV buffer overflow - [Larry] details are light on this one - from what I can tell. but for free AV, you get what you pay for.
IRS PWNable through wireless? - [Larry] - According to an internal audit, outof 20 IRS facillitites, 10 could be potentially compromised through wireless. (Even in Denver - Andy, get to Denver and get me a refund, will ya?)
SMS Phishing - [Paul] - F-Secure is so cool, when they get SMS phishing , they call the phone number in the SMS message, then post the conversation to the blog.
An Easy Way to decrapify a PC - [Paul] - one word, FORMAT!!!!! and re-install...
Panic in Kabul - [Paul] - Viruses spread through cell phones you know, and you could get very sick.
Awesome Comments From Thomas Ptacek - [Paul] - I agree with all the statements, for the most part..
RPC DNS - Patch Now! - [Paul] - Don't wait for the next patch tuesday, patch now!
Blackberry dies, oh my! - [Paul] - Crackberry users everywhere panic, widespread histeria, ppl are forced to use computers to check email, the horror!!
Two Factor Authentication? - [Paul] - A username and password is NOT two-factor auth!
Vulnerabilities In Security Tools:
http://milw0rm.com/exploits/3757 - OllyDbg 1.10 Local Format String Exploit
http://milw0rm.com/exploits/3724 - aircrack/airodump-ng (0.7) remote exploit
http://milw0rm.com/exploits/3609 - Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)