Episode176

From Paul's Security Weekly
Revision as of 22:00, 26 June 2013 by Rkornmeyer (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 176 - For Thursday November 19th, 2009

  • We are growing mustaches for Movember! Goto http://pauldotcom.com/mo for more information and to make donations to our team that will benefit cancer research.
  • Sign up to get a free Website HealthCheck report from Cenzic to see how you can protect your Website from hacker attacks. As part of the Cenzic HealthCheck program, Cenzic will scan your Websites for “holes” that hackers can exploit and provide you with a detailed encrypted PDF report to you in 2-4 businness days. The report will contain:
  • An assessment summary of your Website’s “holes” (security flaws) and easy-to-read severity charts,
  • A prioritized listing of your most vulnerable Website locations (applications), and
  • A description of the security flaws and directions on ways to eliminate them.
For more information, please visit http://www.cenzic.com/2009HClaunch_PaulDotCom
  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Lars Ewe, Cenzic CTO

Lars Ewe is a technology executive with broad background in application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management/marketing, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.


Questions:

  1. How did you get your start in information security?
  2. Tell us about your Free Website HealthCheck campaign.
  3. What’s the best way for companies to get started with Web application security in the cloud? We’ve heard about testing applications even in Production through virtualization and cloud computing -- Can you talk more on that?
  4. Some people believe that having a Web application firewall and focusing on Network Security is sufficient to stay secure and be compliant, is that true? Is that a good strategy?
  5. What types of new vulnerabilities and security trends is Cenzic seeing and what can we expect in the future? (We have recently released the Cenzic Trends Report that we can share results from as well…)
  6. Tell us more about Web 2.0 and how that affects web security.
  7. Tell us more about on-premise vs. SaaS.
  8. Tell us more about the reasons you see for the ongoing “negative” vulnerability trends (as per your Trend report).
  9. Tell us more about how companies should go about better protecting themselves against web vulnerabilities. Etc.



Thanks,

Healthcheck details provided by Cenzic

As part of the Cenzic HealthCheck program, Cenzic will scan your Websites for “holes” that hackers can exploit and provide you with a detailed encrypted PDF report to you in 2-4 businness days. The report will contain:

  • An assessment summary of your Website’s “holes” (security flaws) and easy-to-read severity charts,
  • A prioritized listing of your most vulnerable Website locations (applications), and
  • A description of the security flaws and directions on ways to eliminate them.


Bonus questions (as time/interest permits)

  1. What is some ammo workers can use to get management to understand why they need to take security seriously?
  2. What are some things C level officers need to be taught/learn from their reports?
  3. If a security worker wants to advance their career, what's are some suggestions you would give?
  4. What would you do differently if you had the chance to do so?

Tech Segment: Setting Up Your Own Hack Lab

The Hardware

The first order of business is to get a copy of VMware Workstation. This means buy a copy of VMware workstation. I now use the 64-bit version of VMware on a 64-bit version of Xubuntu. Virtual Box, from Sun Microsystems, will work, but I recommend gaining experience with VMware as it is a valuable and marketable skill.

I spent $600 on a laptop with a Core 2 duo, 4GB or RAM, and a 300GB HD. I know there are a lot of cheaper laptops running around, the so called "netbooks". These are great, don't get me wrong, but go with a larger laptop with more horsepower for your lab. I like to run 4 to 5 VMs at time on my system, and the laptop can come with me to do demos, serve as a lab for others, and takes up very little space.

Segmentation

This will be short, don't be stupid. I mean really, don't leave all of these application running in a place where someone can use them. Also keep in mind that it needs to be accessible as well, so I do run them in bridge mode, however I don't run an open wireless access point either! When you travel, switch to host-only mode to avoid being pwned.

Choose a good mix of technology

I like to have different operating systems running. Recently I've begun to setup things like Solaris, FreeBSD, etc... You never know what you may run into on a pen test, so its fun to practice and see how your tools and techniques work against these different OSes. Also, you want different web apps. The awesome thing about the VMware virtual marketplace is you can download an application, such as movable type or joomla, and get a working, or almost working, copy right out of the box. This saves time and lets you test tools against vulnerable versions. For example, I am working with a Joomla! application, so I downloaded the VM appliance with an older version.

Finding Vulnerable Software

Go here now: http://explo.it/ !

This is a great site! Props to the off sec guys for putting this together. The best feature is not only can you download the exploit, but the vulnerable application too! This is great to have a couple of different VMs of just the operating system, and then install the vulnerable app on them. I got an old PC and installed ubuntu on it. I spent some time and install apache and mysql, as insecurely as possible. Then I just tack on vulnerable apps when I find them.

Go to the VMware virtual appliance marketplace. You can download all kinds of operating systems, some are older so they contain tons of vulnerabilities.

Also, http://oldapps.com/ is an awesome web site to get old software.

The Setup

My laptop:

FreeBSD - I keep an old version of FreeBSD around, usually run older services such as TELNET. Many devices, like firewalls, are based on FreeBSD so its good to understand how it looks on the network and what vulnerabilities are present.

Solaris 10 - Why not run Solaris? I primarily run this to test out Nessus with respects to patch and configuration auditing. However, I have run across it in a pen test, and the exploitation/post-exploitation tools are weak. Playing with metasploit 3.3, I see they have bind, reverse, and find port payloads available for Solaris x86. This is something I plan to test and get working, just in case I run across it on a pen test again. You don't want to be in a situation where the first time you are running exploitation/post-exploitation is on a customer site. Sometimes this can't be helped, but having this lab allows you to minimize those cases.

Windows 2000 - Ah, good old Windows 2000. I think this one is SP0, more vulnerable than a woman after a rough breakup, you may wonder why I keep this in my lab. The answer is we find it on almost every pen test. Somewhere, hidden in the deepest, darkest corners of your network, right next to that old Novell server, is a Windows 2000 box. I want to test how new scanners and exploits work against it. Do they crash it? What configuration will cause it not to crash? See, thats the problem, it crashes too easily. For me to be successful, it has to stay up (insert Larry's trademark "Thats What She Said"). It has to be up long enough for me to connect and collect information, usernames, passwords/hashes, network information, sensitive information, etc... This gives me a chance to practice.

Movable Type (Fedora) - I keep this around for a couple of reasons, first and foremost its what we run our web site on for PaulDotCom. I want to make sure that this software gets tortured, scanned, probed, and so one as much as possible. I want to see how it reacts to being scanned, what happens when I let web app scanning tools spend days scanning it. When new attack methods come out, I want to test them on it. Its good to have a major blogging/CMS platform in your lab too. They are common in many organizations. A great way to get these is from www.jumpbox.com, which is where this one comes from. Setup is painless, took me about 10 minutes and I had a working MT installation to test out a new Nessus plugin.

Debian 4 - Really, just for the LOLZ. I just added this one, so I am interested to see just how many vulns are in here. I really want to test the Linux kernel privilege escalation vulnerabilities, in addition to the openssl bug.

Ubuntu 9.04 - [STANDALONE] - So this one is not in a virtual environment, but is running on an old PC. It runs "LAMP", and I install all kinds of vulnerable web apps, from Multilldae, to DVWA, to phpmyadmin. It works really well to test web app scanning and assessment tools.

References

http://www.irongeek.com/downloads/hacklab.pdf

Stories For Discussion

  1. Bill to ban P2P on federal netowrks - [Larry] - Oh wow, this is so wrong on so many levels. The fact that it takes a BILL to enact this type of network policy is just beyond absurdity. [Mick] - Bout damn time! Only took a fighter jet, ethics probe details, and lord only knows what else... sheesh.
  2. Malware analysis with Google - [Larry] - A plugin for IDA Pro uses the power of Google to analyze common code components.
  3. Got $1800? - [Larry] - if you do, you have a pretty good way to own China? Why? That's the asking price for the domain wpad.cn. According to Duane Wessels (Vessels, Scotty?) who owns wpad.com, wpad.net, wpad.org, wpad.biz and wpad.us, he gets 5 million hits day. Hmm. [Mick] Really? wpad? that's like TEN years ago!! <Mick's head explodes at this point>
  4. Smartphone vulnerable over WiFi - [Larry] - SNot the phones themselves, but the traffic - sniffing, SSLstrip, etc. Uhhh, yeah, where ay been? this stuff is valid, regardless of the client device. I suppose someone needed to say it...
  5. XSS Kisok Busting - [Larry] - While XSS and Kiosk hacking aren't new, this heed a new perspective on things for me. I suppose someone needed to say it for me to connect the dots…
  6. Finally the pain of escalating to install RPMs is over... oh wait what - [The Intern] - Horray the new release of Fedora 12 now allows you to install RPMs via GUI (where more retards live) and YOU DO NOT have to escalate to root to install. Click the link its easy to fix but its a DEFAULT setting.
  7. 2 Zbot/ZeuS users arested over the pond - [The Intern] - Scotland Yard e-Crime unit has made the first two arrests for use of the Zbot/ZeuS trojan. Known for stealing online banking creds, installing a root kit,and is a large spam bot net.
  8. Hacking A Brazilian Power Company and Posting The Results To the Internet - [PaulDotCom] - SQL injection strikes again against this power company, and shows fail all around. One thing that is interesting is how the power companies all say, "Our control networks are separate", but it never really turns out to be true. At somepoint there has to be a way for employees to interact with the control network and that is what attackers are going to exploit, the user. I think that thinking you are safe because there is a separate network is what gets you into trouble in the first place. [Mick] If only a group of people were, you know, mentioning that power grids and SCADA were vulnerable. *cough* *cough*
  9. Metasploit 3.3 Released - [PaulDotCom] - This is pretty cool, some notable features are the use of SSL as the connect-back protocol for payloads. This is just so awesome and will make it difficult to detect, if you are a pen tester yell out loud right now "WIN!". My other favorite feature is the meterpreter being added to support Linux. This is huge, not only can we have the wonderful meterpreter features in Linux, but it would be so cool to be able to pivot off Linux boxes, esp. embedded devices. Speaking of payloads, they've got some really awesome support for weird platforms now, which is great when you need whip up an exploit, or you want to deploy a payload to Linux running on PowerPC. Oh, and stuffing a payload into an already existing binary should be standard now for payload deployment. I think that Anti-Virus/Malware products are in a world of hurt right now. BTW, I still think color on msfconsole is a no biggie that got too much attention, and I like how they are not supporting the gui or web interface who used those anyway?
  10. DNS Rebinding Re-Visited - [PaulDotCom] - Rsnake provides some good details on how this attack can be used in the real world. The jist of it is that through DNS re-binding you can modify the same origin policy. Rsnake extends it by re-using cookies in interesting ways, and extends it further with all sorts of fun stuff that makes my head hurt. The bottom line for defense if that Browsers need to be smarter and honor the HTTP Host header.
  11. Freakin Cool Lock Uses Rhythm! - [PaulDotCom] - This is so cool, its a device that unlocks the door based on the knock! It uses arduinio and is just too cool. I think that this and RFID based systems are a good factor in authentication, but should be used in conjuction with a key.

Other Stories Of Interest

  1. Analyze crashes to find Security vulnerabilites in your applications - [The Intern] - In the ongoing effort to educate developers MSFT has a tool to help analyze your application crashes to see if where they lie in memory are likely to lead to security issues. Now if there was a way to check for default passwords or lack of password and trigger a tack hammer to smash their big toe.
  2. How To Make A Chumby - [PaulDotCom] - He said chumby, heh.

Moment of Zen (yes, we *are* ripping off the Daily Show)

Filet o' Fish Tat? - [Mick] - Whaaaaaa?