Episode 276

From Paul's Security Weekly
Revision as of 20:25, 2 February 2012 by Pauldotcom (Talk | contribs) (Paul's Stories)

Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 276 for Thursday February 2nd, 2012 - The Groundhog Day edition: 6 more weeks of winter!

  • John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
  • Subscribe to Stogie Geeks, our only non-computer-security show, dedicated to cigar enthusiasts, with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or one daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".

Interview: Joe Stewart

Joe Stewart is the Director of Malware Research for Dell SecureWorks’ Counter Threat Unit℠ research team. As a leading expert on malware and Internet threats, he is a frequent commentator on security issues for leading media outlets such as The New York Times, MSNBC, Washington Post, USA Today and others.


  1. What kind of work does the Counter Threat Unit concentrate on?
  2. Tell us about HTRAN and Shady Rat
  3. How is Shady Rat connected to the RSA breach?
  4. How worried should the average U.S. business be with cyber-espionage?
  5. Is Conficker dead? How popular was your Conficker Eye Chart during the height of Conficker?


More info [PDF on Shady Rat]

Guest Tech Segment: Jon Oberheide

  1. Tell us about your Do Not Root Robots research and the dangers of "jailbreaking".
  2. How do the Android Market Interactions work?
  3. What are the problems with the web version of the Android Market distribution model?
  4. Can we trust the Android permissions model? Can the permissions be circumvented by an app?
  5. What did your RootStrap app do to deserve the honor of being the first app remotely killed/wiped by Google from users' devices via the GTalkService mechanism?
  6. What about post-rooting self protection? Can an app keep itself persistent?
  7. How is Android different than iOS in terms of your research?
  8. Does Android deserve its reputation for malware, or are recent reports such as Symantec's Android.Counterclank claim of mass infection overblown?
  9. What do you think of Charlie Miller's recent research that caused his being booted out of the Apple Developer's program?
  10. What other research are you looking into at the moment? What's next for Team Joch?

Tech Segment: UPnP Hacking For Penetration Testers

By Paul Asadoorian

UPnP Discovery With Nmap

In a previous segment I covered how you can use Nmap to enumerate hosts via broadcast protocols, such as UPnP, with the following command:

nmap -Pn -n --script=broadcast

It seems the Nmap team has added functionality (or I just have new stuff going on on my network, or both!). Check this out: it detects Dropbox in use, via the LAN sync discovery broadcasts the Dropbox client sends on UDP port 17500:

| broadcast-dropbox-listener: 
| displayname  ip             port   version  host_int  namespaces
|_77339174     192.168.1.205  17500  1.8      77339174  69385827, 61346060, 82845516, 54162449, 69420146, 6768627, 58215509, 58372182

UPnP Discovery and Control with Backtrack 5 and Miranda

I am still fascinated by what information can be gathered from passive sniffing and broadcast traffic. I decided to take a deeper dive into UPnP, knowing that I have some devices on my network that are running it (such as my TV, receivers, and Roku players). I found a tool called Miranda; written in 2008, it lets you enumerate UPnP devices, gather information from them, and even make changes if the device allows that. My mission? Mute my TV from the network. Here's how I did it:

Miranda comes pre-installed on Backtrack 5, which is very handy. The first thing to do is fire it up (it is located in /pentest/enumeration/miranda). Then execute a search for UPnP devices (an SSDP M-SEARCH to the multicast group) using the msearch command:

upnp> msearch

Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

****************************************************************
SSDP reply message from 192.168.1.213:8060
XML file is located at http://192.168.1.213:8060/
Device is running Roku UPnP/1.0 MiniUPnPd/1.4
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.224:52236
XML file is located at http://192.168.1.224:52236/rcr/RemoteControlReceiver.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.214:52235
XML file is located at http://192.168.1.214:52235/dmr/SamsungMRDesc.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

I've pruned the list for brevity, but you can see one Roku, my receiver and my TV. It turns out the receiver and TV use the same commands; it is interesting to think how you could generalize commands and script them across a network. Next, list all the hosts discovered:

upnp> host list

	[0] 192.168.1.213:8060
	[1] 192.168.1.219:8060
	[2] 192.168.1.215:8060
	[3] 192.168.1.224:52236
	[4] 192.168.1.214:52235
	[5] 192.168.1.241:8888
	[6] 192.168.1.16:2869 

Use the host get command to fetch the device description XML and walk the entire tree of services and actions. This must succeed before you can send commands to the device:

 upnp> host get 5

Requesting device and service info for 192.168.1.241:8888 (this could take a few seconds)...

Host data enumeration complete!  

Now review some information about the device using the host summary command:

 upnp> host summary 5

Host: 192.168.1.241:8888
XML File: http://192.168.1.241:8888/upnp_descriptor_0
MediaRenderer
	manufacturerURL: http://www.onkyo.com
	modelName: TX-NR509
	modelNumber: TX-NR509
	presentationURL: http://192.168.1.241/
	friendlyName: TX-NR509
	fullName: urn:schemas-upnp-org:device:MediaRenderer:1
	modelDescription: AV Receiver
	UDN: uuid:aeb01704-c117-04b9-db1e-0409c1b9c871
	modelURL: http://www.onkyo.com
	manufacturer: ONKYO 

The host info command gives you some further data:

upnp> host info 5

xmlFile : http://192.168.1.241:8888/upnp_descriptor_0
name : 192.168.1.241:8888
proto : http://
serverType : MediabolicMWEB/1.8.225
upnpServer : Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
dataComplete : True
deviceList : {}

You can save all of this data to disk with the following commands:

upnp> save data onkyo

Host data saved to 'struct_onkyo.mir'

upnp> save info 5 onkyo

Host info for '192.168.1.241:8888' saved to 'info_onkyo.mir'

The file info_onkyo.mir lists every service, action, and argument for reference:

Device information:
        Device Name: MediaRenderer
                Service Name: AVTransport
                        controlURL: /upnp_control_2
                        eventSubURL: /upnp_event_2
                        serviceId: urn:upnp-org:serviceId:AVTransport
                        SCPDURL: /scpd/AVTransport_1
                        fullName: urn:schemas-upnp-org:service:AVTransport:1
                        ServiceActions:
                                SetNextAVTransportURI
                                        InstanceID
                                                A_ARG_TYPE_InstanceID:
                                                        dataType: ui4
                                                        sendEvents: N/A
                                                        allowedValueList: []
                                                direction: in 

Next we invoke an action with host send, passing the host index, the device name, the service name, and the action; Miranda then prompts for each required argument:

 upnp>  host send 5 MediaRenderer RenderingControl GetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master

CurrentMute : 0

CurrentMute : 0 tells us the receiver is not muted. Next, we change the value with SetMute:

upnp>  host send 5 MediaRenderer RenderingControl SetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  DesiredMute
	Data Type:      boolean
	Allowed Values: []
	Set DesiredMute value to: 1

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master 

It was pretty neat to be able to mute the TV over the network. This is a documented "feature", but it should require some sort of authentication: UPnP control actions are plain SOAP POSTs to the device's control URL, and anyone on the LAN who can reach that URL can invoke them. Think about the devices on your network that have this enabled, or could have it enabled. Good Lord, I hope there are no SCADA devices implementing this protocol; however, if a control channel is left open without authentication, this is where things can go wrong.

I should note that, in order to get this to work, I had to modify the source code. When commands were being sent to the device, Miranda was not building the POST request correctly and was ignoring one of the directories in the path. So I changed the following lines:

if self.ENUM_HOSTS[index]['proto'] in service['SCPDURL']:
		-xmlFile = service['SCPDURL']
		+xmlFile = 'dmr/' + service['SCPDURL']
	else:
		-xmlFile += service['SCPDURL']
		+xmlFile += 'dmr/' + service['SCPDURL']
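Review bot: the hard-coded 'dmr/' prefix on both + lines only fits the Samsung TV, whose description is served from /dmr/SamsungMRDesc.xml; the device at 192.168.1.224 serves its XML from /rcr/ and the Onkyo from /upnp_descriptor_0 at the root, so the same send would build a wrong path against either of them. Derive the directory from the host's own description URL instead, which is already stored alongside 'proto' (host info prints it as xmlFile), e.g. `xmlFile = urljoin(self.ENUM_HOSTS[index]['xmlFile'], service['SCPDURL'])`, which handles both absolute paths like /scpd/AVTransport_1 and relative ones under dmr/ without a per-vendor special case.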

Yes, it's a "wicked hack"; the logic really needs to be changed to derive the path of the POST request on the fly.
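The same walk-through done by hand, as an added example for this page (not code from PaulDotCom or the Miranda project): send the SSDP M-SEARCH, parse the reply, read the device description, resolve each service's control and SCPD URLs, and build and parse the SOAP messages behind GetMute/SetMute. The SSDP reply, the device description XML and the two SOAP responses embedded below are constructed samples modelled on the Onkyo and Roku output above, not captures; the RenderingControl control URL (/upnp_control_3) and the error reply are assumptions. Only the standard library is used.

```python
"""UPnP discovery and control by hand, Python 3 standard library only.
Added example for this page, not code from PaulDotCom or the Miranda project.
Sample inputs below are constructed, modelled on the Onkyo/Roku output shown."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
DEV = "{urn:schemas-upnp-org:device-1-0}"          # device description namespace
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
UPNP_ERR = "{urn:schemas-upnp-org:control-1-0}"
RENDERING_CONTROL = "urn:schemas-upnp-org:service:RenderingControl:1"


def build_msearch(st="upnp:rootdevice", mx=2):
    """The SSDP M-SEARCH request that Miranda's 'msearch' multicasts."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_reply(data):
    """Headers of one SSDP reply with upper-cased keys; LOCATION is the XML URL."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Multicast an M-SEARCH and return one header dict per replying device."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(parse_ssdp_reply(data))
    except socket.timeout:
        pass
    return replies


def parse_description(xml_text, description_url):
    """Map serviceType -> absolute controlURL/SCPDURL from a device description.
    Relative URLs resolve against URLBase if the device sends one, otherwise the
    description URL, so a 'dmr/...' style path needs no hard-coded prefix."""
    root = ET.fromstring(xml_text)
    base = root.findtext(f"{DEV}URLBase") or description_url
    services = {}
    for svc in root.iter(f"{DEV}service"):
        services[svc.findtext(f"{DEV}serviceType")] = {
            "controlURL": urljoin(base, svc.findtext(f"{DEV}controlURL")),
            "SCPDURL": urljoin(base, svc.findtext(f"{DEV}SCPDURL")),
        }
    return services


def build_soap(service_type, action, args):
    """SOAP envelope plus the two headers a UPnP control point must send."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/'
                'soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
                f'<s:Body><u:{action} xmlns:u="{service_type}">{body}</u:{action}>'
                '</s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPACTION": f'"{service_type}#{action}"'}
    return envelope.encode(), headers


def parse_soap_response(xml_bytes):
    """Out-arguments of an action response; a UPnP fault becomes an exception."""
    first = ET.fromstring(xml_bytes).find(f"{SOAP}Body")[0]
    if first.tag == f"{SOAP}Fault":
        code = first.findtext(f".//{UPNP_ERR}errorCode")
        desc = first.findtext(f".//{UPNP_ERR}errorDescription")
        raise RuntimeError(f"UPnP error {code}: {desc}")
    return {child.tag.split("}")[-1]: child.text for child in first}


def send_action(control_url, service_type, action, args, timeout=5):
    """POST one action to a control URL (the only step that needs a live device)."""
    data, headers = build_soap(service_type, action, args)
    with urlopen(Request(control_url, data=data, headers=headers), timeout=timeout) as r:
        return parse_soap_response(r.read())


# Constructed samples (shape taken from the segment's output, not captured traffic).
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                     b"LOCATION: http://192.168.1.213:8060/\r\n"
                     b"SERVER: Roku UPnP/1.0 MiniUPnPd/1.4\r\nST: upnp:rootdevice\r\n\r\n")
SAMPLE_DESCRIPTION_URL = "http://192.168.1.241:8888/upnp_descriptor_0"
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
 <friendlyName>TX-NR509</friendlyName><serviceList>
  <service><serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
   <controlURL>/upnp_control_2</controlURL><SCPDURL>/scpd/AVTransport_1</SCPDURL></service>
  <service><serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
   <controlURL>/upnp_control_3</controlURL><SCPDURL>scpd/RenderingControl_1</SCPDURL></service>
 </serviceList></device></root>"""   # assumed control URL; relative SCPDURL on purpose
SAMPLE_GETMUTE_REPLY = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                        b'<s:Body><u:GetMuteResponse xmlns:u="' + RENDERING_CONTROL.encode() +
                        b'"><CurrentMute>0</CurrentMute></u:GetMuteResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                b'<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                b'<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>401'
                b'</errorCode><errorDescription>Invalid Action</errorDescription></UPnPError>'
                b'</detail></s:Fault></s:Body></s:Envelope>')

if __name__ == "__main__":
    for dev in discover():                      # live SSDP multicast on your LAN
        print(dev.get("SERVER"), "->", dev.get("LOCATION"))
    # Muting a real renderer is one call, with the URL taken from parse_description():
    # send_action(url, RENDERING_CONTROL, "SetMute",
    #             {"InstanceID": 0, "Channel": "Master", "DesiredMute": 1})
```

Run it as a script to list the renderers on the local subnet; the commented SetMute call at the bottom is the "mute the TV" step and sends exactly the SOAP body that build_soap produces, with no authentication of any kind, which is the point of the segment. Because parse_description resolves every URL with urljoin against the description's own location, the Samsung /dmr/ and Onkyo root-path layouts both work without touching the code.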

UPnP Inspector

This tool does not come with Backtrack 5; use the following two commands to install it:

# apt-get install python-setuptools

# easy_install UPnP-Inspector

Once installed, it gives you a GUI to discover, browse, and send commands to devices. The neat part about this program is that you can browse files over UPnP if the device is configured to share them! Below are some screenshots:

Stories

Paul's Stories

  1. Boardroom Spying for Fun and Profit - Most will dismiss the threat of video cameras and conferencing systems. On a pen test, I was able to access several cameras in the organization, pan, zoom, tilt, and look around, even catch a meeting or two. You can even read passwords off a sticky note! Nice article and research from HD Moore on how to pwn thy conferencing systems. Examples are key here to get people to patch these systems, Polycom being the most popular and vulnerable (in my humble opinion).
  2. When will wearables be wearable? - When computers become truly wearable, I will be able to pwn you, literally. They will rely even more on wireless technology, though it's similar to a smartphone that you wear. Will we all look like the Borg? If anything, geeks need help to be more stylish, and looking like a Borg is not going to get you dates. I think between this and cars, Bluetooth security is more important than ever.
  3. Why I Love Routerpwn? Simplicity! - It's good to see Routerpwn getting some attention; I heard the lightning talk at Shmoocon went really well. Now, if we could only get vendors to patch their stuff. Someone needs to port all these exploits into Metasploit, that seems to get people's attention!
  4. 10 SharePoint Security Mistakes You Probably Make - The release of sensitive government cables may have been partially prevented had the military better secured and monitored its SharePoint servers. Yes, lock down your SharePoint servers to help secure our nation. Bradley Manning reportedly used scripts that sucked data from SharePoint servers, then sent it to Wikileaks.
  5. Basics of embedded firewalls - Exploding the myths - More than just firewalls, this article talks about how vulnerabilities in embedded systems are, well, bad. Sounds familiar, right? Cars, medical devices, IP cameras, and more are listed, much of the same stuff we've been talking about for a long time. We hear the same arguments as to why devices don't need protections: "As non-Windows devices, embedded devices are not vulnerable to Internet-based threats", "Embedded devices are not attractive targets for hackers; there is no incentive to attack embedded devices", and "Only authentication and encryption are required to ensure a device is secure".
  6. Firewalls and SSL: More Profitable than Facebook - Turns out Checkpoint and Verisign are more profitable than Facebook, go figure. I feel like Facebook owns me; I may just buy stock so I own some of them.
  7. Apple and Apache security fixes and releases - Patch yo' shit. Just sayin', several vulnerabilities have been released for Apache lately; you need to patch them, as you likely have it installed all over the place.
  8. Who's Behind the World's Largest Spam Botnet? - Cool article on who is behind the botnets.
  9. SocialShield Releases the Top Social Networking Terms Kids Don't Want Their Parents To Know - So, D46, then TDTM and GNOC. Okay?
  10. Island Hopping the SpiderLabs Way - Probably the BEST article I've read on how a penetration test really goes, and how segmentation is useless if you are not implementing good configuration and patch management; that's more important than putting your systems on different subnets!
  11. VeriSign Breached - This is just bad, really bad: attackers were after SSL root certificates, go figure. I mean, the little lock in your browser really just means less and less every year.
  12. Hacker extracts RFID credit card details - Such a cool hack; feels like we've seen this before, but it's great that it's now getting attention. However, I believe you can only read your card number, not name, expiration, CVV or PIN?
  13. Critical PHP vulnerability being fixed - Yes, more PHP for the loss?

Darren's Stories

Larry's Stories

  1. Verisign Hacked… - [Larry] - Thanks Dan! Well, in 2010 anyway, but some very elusive, cryptically worded items were included in the 2011 SEC filings. Now we start to get a little more information. Of course this was around the same time that the certificate portion went to Symantec, so who knows. BUT, and here is the nice conspiracy theory….what happens if this is all tied to the Symantec source code disclosure? Either way, one of the other things that may be (or may have been) at risk is their hosted DNS - meaning that .com or .net zones might be, well, funky.
  2. Sacrificial Computing for Land and Sky - [Larry] - Otherwise known as the F-BOMB! It's a Falling/Ballistically Launched Object that Makes Backdoors. Cheap, stable, off the shelf, small and easily powered. It hax wireless networks and can provide backdoors. Yay, Shmoocon!
  3. Wargames relived? - [Larry] - Students break into a janitor's closet, steal the master key and make copies. Once the key was copied, they used it to break into classrooms and plant keyloggers on teacher computers, grabbed usernames and passwords and then used them to nudge grades upwards slightly to get A's. While in possession of the keys, they stole tests and figured out the answers, then resold them (which is of course what got them busted). Don't get greedy…
  4. No, leave PCAnywhere there for us Pentesters - [Larry] - Wow, Symantec is asking customers to remove or disable PCAnywhere versions 12.X due to some serious security vulnerabilities. There is speculation that these vulnerabilities are unresolvable, especially after the release of source code in 2006.
  5. Not helping the cause - [Larry] - Bones, I think you need to call a computer technical consultant. SRS, a computer virus that makes a computer crash and catch fire gets on the computer through a fractal on the bone of a shooting victim. Really? WTF, how is that even remotely... even a dream? I suppose that truth will soon be stranger than fiction. Why? How many research projects start as totally off-the-wall ideas?
  6. SmartMeter hacking tool release delayed - [Larry] - What would a security conference be without drama? Don Weber's talk on hacking IR smart meters (including a tool) was pulled; InGuardians voluntarily pulled out after some concern from a smart meter vendor who wanted more time. Kudos for the respect on their part, but I suspect that there is more to the story.

Jack's Stories