Episode172

From Paul's Security Weekly
Revision as of 08:30, 27 June 2013 by Rkornmeyer (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 172 - For Thursday October 22nd, 2009

  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • Rochester Security Summit - Larry and Ed Skoudis to give Keynotes. What can get better than that? October 28 - 29 in Rochester NY!
  • Phreaknic 13 - Get your Phreak on! Oct. 30-31st in Nashville, TN! Billy Hoffman among others presenting...
  • 10 PRINT "GOTO DOJOCON November 6-7
  • GOTO 10
  • Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
  • Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Prajakta Jagdale discusses HP's SWFScan (pronounced “SwiffScan”) tool

About

Prajakta Jagdale

Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Prajakta focuses on automated discovery of Web application vulnerabilities and crawling technologies. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis

HP SWFScan tool

SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe's security recommendations.

Features

  • Decompiles SWF byte code and generates ActionScript source code
  • Performs Source-Sink analysis to understand the data flow
  • Checks for known security issues
    • Information disclosure
    • Cross-Site Scripting
    • Cross-Domain Privilege Escalation
  • Reports vulnerabilities found and highlights the source code block causing the vulnerability

Questions

Questions for Prajakta :

  • How did you get started in information security?
  • The FAQ page for the tool indicates: "Approximately 439.6 kilograms of caffeine were consumed" in making the tool. How much of that were you responsible for? and was it in one sitting?

HP SWFScan Resources

Tool download page

Tool community webpage

Black Hat presentation (PDF)

HP SWFScan FAQ

Additional info in article

Tech Segment: Larry and Darren promise "pwnage with Jaseger on the LaFonera, Part 1"

We talk a lot about embedded devices, hacking routers and pwnage via wireless. In this three part series, we'll take 3 great tastes that taste great together!

Segment 1: The Hardware

HOWTO on flashing the LaFonera 2100 and 2200+ Access points to install Open WRT and Jaseger.

Step 1: The Acquisition

Aquire a LaFonera access point either a 2100 or 2200+ model. You can find them from time to time on E-bay or other or from LaFonera itself. Next you need to open the darn thing. There are two screws that a small Philips head screwdriver can remove under the front feet. Just peel off the rubber feet. Then pull the lid towards you and up to reveal the juicy innards.

Step 2: The Cabling

Now you need to access the Redboot system to gain access to flash the memory of the devices with new firmware. To do this we need to get your favorite serial port connection program. I used Putty for this but you can use HyperTerm or Minicom. You want settings of 9600,8,N,1 with NO flow control. Now you will just need to line up the Tx Rx and Ground terminals on the insides of the LaFonera with your serial cable choice. I chose to use a USB to serial cable that has the conversion chip inside the cable and modified the end of the cable to hook up to the 2200+ and then made an adapter cable to connect to the 2100. The cable used was the FTDI TTL-232R 3.3V, available from Adafruit

Modified TTL-232R-3V3 cable so that the green, brown and red cables are pulled and have a piece of electrical tape to prevent accidental contact. Then I shifted yellow and orange around so that they are in the right order this cable can connect directly to a 2200. Black is ground, Orange is Rx and Yellow is Tx.


I also built an adapter cable so that I don’t have to keep pulling the female pin headers out of the USB to Serial cable all the time and weaken the retaining clips. Its an old CDROM audio cable that I cut one end off and soldered it to a 3 pin male header. White lines up with Orange and red with Yellow. Then they are flipped on the female header so that it will work with the 2100.

You can set up your cables however you want Just need 3 connections Ground(black), Tx(Yellow) and Rx(Orange). Don’t connect red like I did and fry the LaFonera; Or let it make contact with al the other pins. Luckily this only locked up my Linux box and made the cable VERY warm. (and fried one router - Larry)

Front  <--     O O O O    --> Ethernet
               ^ ^ ^
               | | |
               B O Y

This is a 2100 hooked up close we will use the pins closest to the front or furthest from the Ethernet port. Ground / empty / Tx / Rx

Here is a 2200+ connection the pins are on the right side of the board and there are only a single row of 4 where the 2100 was a 2 rows of 5. Here you can clearly see Ground / Rx and Tx all in a row.

Ethernet
    ^
    |

O O O O O
O O O O O
  ^ ^   ^
  | |   |
  O Y   B

Step 3: The Flashing

Once you have all your cables sorted out it is ready to connect and bring up Redboot. Again I used putty for this exercise, so if you choose something else, your experience may vary slightly. Find your USB device on your linux system probably at /dev/ttyUSB0 as it was on my Ubuntu 9.04 instalation.

Again, settings for your serial terminal should be 9600,8,N,1 with NO flow control.

Once you have this all set, start your serial terminal connection, then attach power to the device. Wait for the magic to happen; you should start seeing output on your serial console.

Hit Ctrl-C to abort the boot process on the router, and you should get a RedBoot> prompt. If not then and you can see useful text then it may be a ground issue you have to have ground to send commands properly. Sometimes I had to simply power cycle the device again to get it to work.

GREAT now your in. Well almost. You need to get a TFTP server running somewhere on your network. I suggest google to find out the best method for your OS. For Ubuntu this guide was pretty straight forward. Once you have the TFTP server set up there are 2 files you need in your /tftpboot directory, extractable from this archive. Uncompress the file and move the 2 files inside to your /tftpboot directory.

Now back to RedBoot and your FON. Now is the time to connect the ethernet port on your router to your network in order to gain access to your TFTP server. We'll assume that your TFTP server is on 192.168.1.254, and the router will become 192.168.1.1. Adjust as needed for your setup.

A huge thanks to DigiNinja.org/Robin Wood for RedBoot commands. Below is a summary of the commands entered:

RedBoot> ip_address -l 192.168.1.1/24 -h 192.168.1.254

This forces the Fon to be on 192.168.1.1 and use 192.168.1.254 as the tftp server. These settings are for this session only, to store these settings permanently set them in the ifconfig settings below. You can chose any address here for instance I use a 10.x.x.x addressing scheme and put it on my network and not a cross over cable to the Linux machine it doesn’t matter what ever you prefer. You now need to execute the following commands (listed as a summary) in order to create, format and load the filesytems.

RedBoot> fis init
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
< Wait for a while >
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
RedBoot> fis create -l 0x6F0000 rootfs
< Wait for a long while >
RedBoot> fconfig
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (this is the time out to hit Ctrl-C at boot up time)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
RedBoot> reset

Once the device comes back from that final reset you should see what you want to see via the serial connection; a nice recipe for Kamikaze, one of my favorite drinks in college. There is no password just hit enter and your in. You can run most normal linux commands and see what you have. Verify that you have Jaseger listening on port 1471 with:

netstat –an | grep LIST

And there you can see it on port 1471. The rest is up to you and your imagination.

(This method is a huge improvement over the old, install OpenWRT and then install the Jaseger packages. With the specialized firmware, it is now a one stop shop! - Larry)

  • Credit where Credit is due: Thanks to DigiNinja for the all in one firmware flash and to Ducksaze for tipping me off that the red wire is bad.

Coming up, Part 2, Using Jaseger, and setting it up for "evil", and how to integrate into your testing.

Stories For Discussion

  1. Smart grids are like a hacker's wet dream - We talk about this type of stuff ad nauseum, but let's beat the dead horse. Really, I wonder if these systems will stand up against Story #11 from last week.
  2. Time Warner FAIL! - [Larry] - You patch, that opens up a hole, so that I can get your username and password off your router in the clear, with no auth. Then you claim that you are powerless to fix it, leaving 65000 (although I suspect more) users vulnerable. I suspect way more than 65000 users were vulnerable. It also appears that it was available via the WAN port. If you make the problem, you should be able to fix the problem - even if it means rolling back changes…
  3. Free COFEE - [Larry] - When I read the title, "Microsoft to give investigators free COFEE" I was excited. Maybe now we don't have to rely on Bob for our copies? Well, I was disappointed, as "investigators" apparently means "Law Enforcement". And wait, a, they were going to charge for it? Ok, my challenge the to the community, develop a suit of tools for free…
  4. Why I love RSnake - [Larry] - Why, he has an evil side to that mind… such as using the CSS history hack to search for porn. Now target that to certain demographics...
  5. - FBI uses DMV photos in search for fugitives - [MikeP] - Don't worry, computers have never made mistakes or been compromised. Besides, does your photo even look like you?
  6. New TrueCrypt! - [Mick] - Crypto here! Get your crypto while it's hot!
  7. SOLD! - [Mick] - Metasploit has been bought by Rapid7.
  8. China is spying on the US - [Mick] - Apparently China spies on the US via (checks article) THE INTERWEBS!! In other news, water is still wet and your dog still wants steak.
  9. Hackers! Start your MALTEGO!! - [Mick] - Oh my goodness, recon is about to get *MUCH MUCH MUCH* easier. There's the google/twitter, and now there's bing/facebook
  10. Metasploit - A Rapid7 Open Source Projectt - [Carlos]
    My thoughts on Rapid 7 "buying" Metasploit:
    1) Its still open source - I think this is great, especially for a project that has a lot of people contributing to it, which they do. So leaving it open source benefits everyone. Its a lot of code to maintain though! I hope HD gets help managing the project as well, as Metasploit is the largest Ruby project.
    2) Will It Blend? - Blending a vulnerability scanning/management product with an exploit framework is an interesting idea. I'm not sure how these will go together, but we'll wait and see. Sure, exploiting remote vulnerabilities is one way to verify it and prevent false positives, but no framework has an exploit and associated shellcode for every platform. I still look at vulnerability scanning and penetration testing as two separate things. Vulnerabilities are general things, they can be outdated software, missing patches, weak passwords, and mis-configurations. Doing authenticated checks and configuration auditing is a good way to identify and fix those problems. A penetration test still requires a human to plan the attack, run the tools, evaluate the risk, look for sensitive ifnormation and *should be done in addition to vulnerability scanning*. Vulnerability management should be done as part of the every day operations. Penetration testing should be done to make sure the operational processes are functioning properly. So, use and run a vulnerability scanner, and do penetration test. You can buy software for this, or you can use all open source stuff (or you can write and maintain all your own tools). Doesn't really matter as long as it works as a tool to constantly evaluate your security posture and your making changes as a result.
    3) All Frameworks Now Have Commercial Backing - This is such a good thing! Its nice to see Metasploit level the playing field and get the resources it needs to be successful. Metasploit now has the chance to gain stability, a development process, and really shine as a framework. I think that all three frameworks have things that they do *really* well and stand out above the rest. For instance, Core has the agent technology, CANVAS has the rootkit, and Metasploit has post-exploitation awesomeness.
  11. Protect The Data- Yea Right - [PaulDotCom] - As usual, Richard brings up a great point. If you have the attitude that "Hey, I only need to protect my data" you will lose. Data exists everywhere, and attackers will just wait around until they can easily access it. For example, I remember being on a pen test and compromising a workstation (probably through a local admin account), and take screenshots and screen movies of a user accessing employee records contains the SSN. I've done the same thing with transaction processing systems. So, you can encrypt the data all you like, at some point a valid user has to read it, and thats where I strike. You can't throw out perimeter security, patching, etc... in favor of just securing the data, it doesn't work.
  12. Time Warner Cable Modem Service - FAIL, FAIL, and more FAIL - [PaulDotCom] - This has to be the FAIL OF THE YEAR with regards to ISP totally screwing up network security and screwing their customers. First, they give you a cable modem/router that is pretty crappy SMC thinger. Second, they don't give user's access to the settings other than to block URLs. Third, they provide you with a WEP network that you can't change (3b FAIL = your wireless key is the same as your neighbors? Does it matter if you are running WEP? Is it a random key?). Forth, if you disable Javascript you can gain admin access to the router and dump the config. Fifth, in the config they store the admin login in clear-text. Sixth, they allow remote access FROM THE INTERNET of the device. Can you feel it? Thats FAIL all around us, the moans of the undead as they sense prey and mindlessly seek out to eat human flesh and brains.
  13. Nikto 2.1.0 has been released - [PaulDotCom] - Some cool new stuff like directory brute forcing enhancments, domain brute foricing, and username/password guessing

Other Stories Of Interest