Tech Segment - Favorite Windows Security Tools in my Windows XP VM
Just as an FYI, I am using VMware Fusion on OS X (Currently Tiger). It works great, and I find its a little faster than Parallels and integrates nicer when switching between a VM and OS X.
- Cain & Abel - This is a fanstastic all around tool, useful for so many hacking tasks. It works great to intercept VoIP calls (RTP streams), decrupt Cisco VPN group passwords, and MITM RDP sessions. It can also crack a whole bunch of passwords, such as LANMAN, NTLM and even has support for rainbow tables online.
- Suru - I've been using this tool on all of my web application assessments lately and am really learning to like it. It acts as a proxy, allowing you to modify any or all of the variable values being sent to the web server. You can alsofuzz any of those values. For example, if you have a field for an account number that you know is 3 digits long, you can use the Numeric option and have it run through all values 0-999. It then associated a score with each one jus as the other tools do as well. While you are testing it will automatically crawl the target site to find more pages. Best of all its only $200 US.
- BiDiBLAH - Okay, yes, most of the tools are from sensepost. This is the ultimate Google hacking tool that we talked about on the show. It helps to automate the research that you'd normally do by hand. It works great for finding the customer's address space given the domain name.
- Wikto - This is the Windows version of Nikto, which some nice features. It will brute force the directories and files on a remote web server, which is nice for finding some of those "hidden" URLs.
- Aura - This is a proxy for Google API. You run this tool, then edit your hosts file in Windows, and add an entry to send "api.google.com" to localhost. Aura then translates scraping for Google results and sends back API results.
- Core IMPACT - We talk about this tool a lot, I know. But my favorite features are the ability to export an agent to an executable, automatically discover email address from Google and the target web site, and now the ability to deploy an agent via a SQL injection or RFI.
- Radmin - Face it, RDP is weak. Its vulnerable to MITM attacks, usernames are sent in the clear, and the passwords can be brute forced. So respectful security professional should use RDP to manage any system of any importance. This is where Radmin comes in, its fast and secure, with bonus features like file transfer. Not like the insecure file transfer in RDP.
- SiVuS - This is a great tool for auditing VoIP networks, its beast feature is that ability to construct and send SIP packets. Too much fun to be had here registering yourself as other people's phonese :)
- netcat - No operating system is complete without its copy of netcat, truly the swiss army knife of TCP/IP networking. Here is a great little netcat cheatsheet.
Tech Segment - Using Nikto 2.01
Nikto has undergone some huge changes, and I'm liking it. So I thought I would highlight some of the commands and features:
To run nikto against a site, using the defaults (port 80, HTTP only) do the following:
nikto.pl -h www.adomainihavepermissiontoscan.com
This will run all of the tests against the site, below is an example of the results:
--------------------------------------------------------------------------- - Nikto 2.01/2.01 - cirt.net + Target IP: 188.8.131.52 + Target Hostname: www.adomainihavepermissiontoscan.com + Target Port: 80 + Start Time: 2007-12-29 16:18:47 --------------------------------------------------------------------------- + Server: Microsoft-IIS/6.0 - Retrieved X-Powered-By header: ASP.NET + OSVDB-630: IIS may reveal its internal IP in the Content-Location header via a request to the root file. The value is "http://10.10.4.253/Default.htm". CAN-2000-0649. + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST + OSVDB-877: HTTP method ('Public' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + OSVDB-0: GET /trace.axd : The .NET IIS server has application tracing enabled. This could allow an attacker to view the last 50 web requests.
Next try to scan the same site, but use the SSL options for nikto:
nikto.pl -h 192.168.1.45 -p 443 -ssl
You must tell nikto both the port and to force ssl with the "-ssl" parameter. Now lets take a look at some results:
--------------------------------------------------------------------------- - Nikto 2.01/2.01 - cirt.net + Target IP: 192.168.1.45 + Target Hostname: bud.adomainiamauthorizedtotest.com + Target Port: 443 --------------------------------------------------------------------------- + SSL Info: Ciphers: AES256-SHA Info: /C=US/ST=Rhode Island/L=Coventry/O=PigVomit, LLC/OU=Security/CN=bud.adomainiamauthorizedtotest.com/emailAddressemail@example.com Subject: /C=US/ST=Rhode Island/L=Coventry/O=PigVomit, LLC/OU=Security/CN=bud.adomainiamauthorizedtotest.com/emailAddressfirstname.lastname@example.org + Start Time: 2007-12-29 16:24:23 --------------------------------------------------------------------------- + Server: Apache/1.3.34 Ben-SSL/1.55 (Debian) mod_perl/1.29 + Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + Apache/1.3.34 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current. + Ben-SSL/1.55 appears to be outdated (current is at least 1.57) + mod_perl/1.29 appears to be outdated (current is at least 5.8.0) + OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons + 4343 items checked: 8 item(s) reported on remote host + End Time: 2007-12-29 16:25:14 (51 seconds) ---------------------------------------------------------------------------
Its also useful to export your results to a file, especially when scanning larger sites:
nikto.pl -h 192.168.1.45 -p 443 -ssl -o report.html -Format html
nikto will also export csv (great for scripting) or txt (the default). To get more information about Nikto run "nikto.pl -Help" to get the extended help page. Also, don't forget to run "nikto.pl -update" to get the latest database files containing all the test to be run!
Stories Of Interest
24 CCC in progress! - [Larry] - Looks like some neat and humorous workshops in addition to all of the talks. My favorite workshop (which may also be the quote of the day):
Geek lifestyling Saturday, 29.12.2007, 2-4 PM Do's and don'ts for geeks who want to make a serious effort in being accepted by the girls. How to dress, what to say, what not to say. Personal advise on body hair, odour, hygiene, confident behaviour. On-the spot hair- and beardcuts.
MSN Messenger Built in "AV"? - [Larry] While sniffing his MSN traffic, Robert Graham noted that an XML file was being transferred in clear text, that happened to contain a list of items that were blocked from transfer to/from the server to the client. It appears to be a pseudo-AV type of signature matching, that is apparently updated quite frequently by microsoft. While I applaud their efforts to block, signature based matching is easy to avoid. Why don't they just fix the problem, and or apply the rules at the server, instead of passing them all to the client?
emergingthreats.net = bleedingthreats.org - [Larry] - New repository for Community Snort rules. apparently the bleeding threats folks haven't updated anything in a while, and the site stopped responding. emergig threats picked up the torch with a mirror of the last ruleset. Emerging Threats Comes Online - [Paul Asadoorian] - So Matt Jonkman's new project hit the web! He will be comeing on the show in January to talk in detail about it, but it appears to be similar to bleeding threats, but with more depth, offering the community "Network and Electronic Security related intelligence gathering, analysis, research and resulting data distribution.". They are currently hosting the bleeding threats rules as well due to some issues.
Check that Digital Picture frame - [Larry] - Some gift recipients this holiday season got more than they bargained for on their ADS Digital Photo Frame - 8 devices - MALWARE on the built in storage! And on a semi-related note beware that toaster!
VT Courts and PGP passphrases - [Larry] - While this battle is far from over, a VT judge has ruled that a defendant does not have to turn over his PGP passphrase to his whole disk encryption on his laptop...
Facebook and PGP - [Larry] - Well, Facebook is doing something right. They have developed an app that allows you to add your public PGP key to your profile. This is (in my mind) an essential thing for a social networking site.
Wireless Routers can get viruses? - [Larry] - Looks to be a POC from MIT about virus distribution on wireless APs. the article is light on details because it is a preview, and you have to pay for the whole article. If anyone has any more info on the story, I'd love to hear about it.
Tiger Team on CourtTV - [Larry] - I finally watched this show, and I have to say that it rocked. Not too over dramatized. It reminded me of "It Takes a Thief", but for businesses. The guys all wear typical hacker t-shirts, and use awesome tools (including Core Impact, LadyAda's wavebubble, and a HID card cloner). The only things I can remark is, when do I get to go work with them, and why didn't Paul and I get this TV show deal? [Paul Asadoorian] - Tip for people to defend against social engineering: Call to verify appointments made by consultants, and check their ID. Tip for pentesters: bring plenty of cables :)
Mogul and Hoff - [Larry] The attack was a Hoax used to illustrate a point.
Backtrack 3.0 out - [Larry] - Continued updates, and of course, more tools.
Adult Web Sites Pwn3d - [Paul Asadoorian] - Well, not really, the service that many of the adult web sites use " the breach affects anyone who has purchased a membership to an adult site that uses the NATS software to manage or track its sales as well as adult webmasters who promote the pay sites". While the details of this incident seem to be all over the map, lets just say that if you information resides on a vendor's web site or server, then you better trust that vendor to secure it. Yikes! Did I say trust a vendor?
RF Jammers are neat - [Paul Asadoorian] - This is a neat little project that looks pretty simple. So, this is against FCC regulations, however if you are relying on radio communications for emergency response, video feeds, or operation of physical seucurity measures, keep in mind it not hard to disrupt RF signals.
VLC fixes a few more bugs - [Paul Asadoorian] - Its nice to see that security people are actively finding and exploiting bugs in VLC. Hopefully most are sharing them with the VLC project team, who seems eager to fix them and grateful for people who find them. Companies take notice, if you are nice to the people who find bugs, everyone will be more eager to tell you about them. The recent uncovering of many bugs in one piece of software may shy people away from using it. However, I am even more confident in it, because how many people have found bugs in Quicktime and Windows Media Player but not told anyone due to the way the respective companies handle disclosure? Now, I'm not saying they do it wrong, but they are much larger organizations that most open-source projects, so its just more difficult in general. Furthermore I think large companies are more apt to blow off vulnerabilities as "low risk", depends on your perspective.
Anti-Virus Software As an Attack Vector - [Paul Asadoorian] - This is a great article that covers the research done by Sergio Alvarez and Thierry Zoller at Hack.Lu in 2007. Think about it this way, you have anti-virus software running on all of your desktops to protect them, it runs on all your file servers to prevent viruses centrally, and it runs on your mail servers to stop viruses from coming in via email. What if the anti-virus software, which takes unknown input and processes it, has a vulnerability? Look at all of the problems that Snort and Wireshark have taking all that unkown input and then trying to analyze it. Anti-virus vendors are also under the gun, rushing out signatures and unpackers to keep up with the latest malware. As a note, I don't run AV software on my pen test VM. When I do run AV, I run clamwin or freeavg, who both appear to be on the bad AV vendor lists. Remember, the more software you add, the more attack vectors are added.
XSS Cheat Sheet - [Paul Asadoorian] - We may have mentioned this before, but this is a great resource if you are hunting for XSS vulnerabilities in a web site. Some sites have gotten smart and filtered things like "<" and ">" so you can't make the web server render script, however there are many tricks to get around this and the web site does a good job of outlining them. I'd like to see an automated script take all of these techniques and wrap them into a tool that you can run against a sites parameters. I know the commercial tools do similar things....
Emerging Threats Comes Online - [Paul Asadoorian] - So Matt Jonkman's new project hit the web! He will be comeing on the show in January to talk in detail about it, but it appears to be similar to bleeding threats, but with more depth, offering the community "Network and Electronic Security related intelligence gathering, analysis, research and resulting data distribution.". They are currently hosting the bleeding threats rules as well due to some issues.
Other Stories Of Interest
Microsoft's Dirty Santa IM Bot Talks Oral Sex [byte_bucket] - The link says it all (transcript included).
Listener Submitted Stories
Microsoft in the NSA's back pocket? [mmiller] - Bruce Schneier posted in his blog that Microsoft is adding "he random-number generator Dual_EC-DRBG to Windows Vista". via Vista SP1. Read this link for more information.
Strange Xbox signal suspected of jamming wireless LANs [byte_bucket] - "Microsoft's popular Xbox 360 game console can create a strong and strange signal on wireless LANs, according to IT staff at Morrisville State College." ... anyone have an XBox 360 and a WiSpy ???
Samba "send_mailslot()" Buffer Overflow Vulnerability [byte_bucket] - "A remote attacker could send a specially crafted "SAMLOGON" domain logon packet, possibly leading to the execution of arbitrary code with elevated privileges. Note that this vulnerability is exploitable only when domain logon support is enabled in Samba." ... the PoC can be found here.
The Top 10 Data Breaches of 2007 [byte_bucket] - list from CSO Magazine ... "Some breaches on our list are serious. Some are funny. And some are just plain sad. But all of them were probably preventable."
Two students suspended after hacking teacher's computer [byte_bucket] - "Two students at Louisville’s top public high school are facing suspensions after at least one hacked into a teacher’s computer to boost grades and erase absences, while another posted coming quizzes and tests on a Web site. At least one of the pair of DuPont Manual high seniors, who were not named by Jefferson County Public Schools, installed software on their teacher’s computer that recorded each keystroke to help determine passwords, district officials said."
Apple Security Update 2007-009 [byte_bucket] - this update includes patches for Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in, Spin Tracer and more ...
Mac versus Windows vulnerability stats for 2007 [byte_bycket] - George Ou (ZD Net) blogs about vulnerability statistics for Windows and OS X in 2007. From the article ... "I’ve compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months. The more monthly flaws there are in the historical trend, the more likely it is that someone will find a hole to exploit in the future. ... So this shows that Apple had more than 5 times the number of flaws per month than Windows XP and Vista in 2007, and most of these flaws are serious.".
When will these analysts stop counting/comparing the number of vulnerabilities and start looking at more important statistics like how long end-users were vulnerable to attack (or a serious threat) as a result of these vulnerabilities. An analysis of the "attack windows" (the amount of time from initial discovery to the time when a patch is available) would be far more useful IMHO -- byte_bucket. For another take on this article, see Joel Esler's (guest host from Episode #91) assessment here.
BGP bug bites Juniper software [byte_bucket] - "Bug lends itself to remote exploitation, could open way for denial-of-service attacks".
Need Spyware? Check eBay [byte_bucket] - from the PC World article ... "Mobile spyware products can be bought for as little as $3.99 on the popular online auction site."
Hacker convicted of stealing credit card information from hotel kisoks [byte_bucket] - from the article ... " A Lomita man admitted Tuesday in federal court that he hacked into computers inside business kiosks at hotels and stole users' credit card information. Hario Tandiwidjojo, 28, pleaded guilty in U.S. District Court in Los Angeles to one count of unauthorized access to a protected computer to conduct fraud. "
Facebook sues over alleged porn site hack attack [byte_bucket] - Facebook is suing a Canadian company that specialises in online pornography, alleging that it tried to steal user data
BitDefender Detects New Trojan that Hijacks Google Text Advertisements; Cuts into Google Revenues [byte_bucket] - " BUCHAREST, Romania – December 18, 2007 – BitDefender®, a global provider of award-winning antivirus software and data security solutions, announced today that BitDefender antivirus analysts have detected a new trojan, which hijacks Google text advertisements, replacing them with ads from a different provider. The threat, which is identified by BitDefender as Trojan.Qhost.WU, modifies the infected computers' Hosts file "
Google Orkut virus/worm [byte_bucket] - An Orkut based virus/worm appears to be on the loose, it propagates by posting notes on people’s scrapbook.
VoIP vulnerabilities increasing, but not exploits [byte_bucket] - according to the Network World article ... "The threats against VoIP are numerous and seem to be growing, but in 2008 the technology probably won't suffer crippling attacks."
Google Toolbar Dialog Spoofing Vulnerability [byte_bucket] - "Google Toolbar allows spoofing the information presented in the dialog which is being displayed when adding a new Google Toolbar button. This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks (e.g. show a login form of a bank)."
domain. This button can then be used to download malicious files or conduct phishing attacks (e.g. show a login form of a bank)."
3.2 Billion Lost To Phishing in 2007 [mmiller] - Yes that's Billion with a B according to Gartner. I will wait for the the 4th quarter reports.
Police Web site back after hacker hits media database [byte_bucket] - from the article ... "The Tucson Police Department's Web site will be coming back online within the next 48 hours, Pat Johnson, TPD webmaster, said. The Web site went down about two weeks ago after a man calling himself "Hmei7" hacked into it, Johnson said. There was no danger to police data files during this time, Johnson explained, because Hmei7 hit only the media release database. Johnson said Hmei7 is from Indonesia and has hacked into hundreds of government Web sites internationally. "
Judge rules defendant can't be forced to divulge PGP passphrase [byte_bucket] - from the article "A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase." - While I don't think we want to be protecting pedophiles, this is a real win for privacy advocates. -- byte_bucket
Turn In A Software Pirate, Collect $500 [byte_bucket] - "Anyone who unwittingly buys fake software from an online fraudster can receive up to $500 if they report the scam to the Software & Information Industry Association."
Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks [byte_bucket] - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before."
D2 Exploitation Pack for Canvas [byte_bucket] - "The D2 Exploitation Pack is a bundle of more than 50 security modules, most of which are designed to be used with Immunity CANVAS software. This pack is composed of tools and exploits with several 0 days for Windows and UNIX software. Most of the exploits are unpublished and are reliable against new system protections like Data Execution Protection (DEP) on Windows or Execshield on Linux. These modules are created and tuned to help security professionals during their penetration tests."
Aruba and HP swim the OpenSEA [byte_bucket] - "Aruba Networks and the HP ProCurve division joined the OpenSEA Alliance, a group dedicated to the development and adoption of a robust and reliable open-source 802.1X supplicant for secure access to network and other computing resources. Aruba and HP join existing members including technology vendors Extreme Networks, Identity Engines, Infoblox, Symantec, TippingPoint, and Trapeze Networks. The OpenSEA Alliance also includes Janet, the U.K.'s education and research network boasting 18 million users."
Pushdo Trojan: Analysis of a Modern Malware Distribution System [Securethoughts] - Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software.
Storm Worm/Virus update [mmiller] - After not hearing much about the "Storm Worm" here is a nice update with subject line examples.