From Security Weekly Wiki

Tech Segment: Pen Testing: The Unanswered Questions

I'd like to take some time and cover a bit about the philosophy surrounding penetration testing and vulnerability assessments, and answer a few questions we've received in the past about pen testing.

Episode Media

mp3 pt 1

mp3 pt 2

Why Have a Penetration Test?

  • Understand threats for better defense
  • Determine risk to make informed IT decisions
  • Test incident handling procedures, intrusion detection systems, and other security
  • TSA is a good example

Phases Of a Pen Test

  • Finding your targets, and the "right" targets, is very important. If I am external, I like to go slow and low. This means if there is only one IP address, take a week. Attackers have all the time in the world; you should at least have a week to slip past any IDS/IPS.
  • Nmap is your friend! Adjust the timings accordingly; refer to last week for some tips on scanning internal networks.
  • I have found some interesting ways to find targets:
    • Probe for the SNMP sysDescr MIB object using the community string "public"; SNScan is a great tool for this
    • Compromise a Linux host and look in ~/.ssh/known_hosts
    • Compromise a Windows host and look in the RDP history
    • nbtscan is a great tool for Windows enumeration
    • Cain & Abel has a great ARP scanner
    • host -l <domain> (a DNS zone transfer) sometimes works! Try it on the internal DNS servers too

Port Scanning & Service Identification

  • Nmap works great for this (nmap -T4 -n -sV -oA myscans -iL <file with arp scanning results>)
  • Nessus does a great job too; always export the results to NBE format and grep away
  • The mDNS.py program from GNUCITIZEN works well for Bonjour service identification. This is good because you can enumerate all devices in one shot with multicast

  • Most of us know how to execute an exploit, so I will leave that topic alone
  • Once you compromise a Windows system, grab the SAM database and crack the LM hashes. Sounds lame and very 1990s, but I am surprised at how effective this method is even today
  • Dump stored passwords from all other applications
  • Poke around on the file system, be smart; here's a tip: look for files or folders named "backup"

Stories of Interest

Tamper proof CC terminals? - [Larry] - Research by some Cambridge University folks reveals that two Chip and PIN terminals can be modified to sniff CC data and PIN by tapping the serial communications line with either a paperclip or a needle/pin, and attaching it to some inexpensive hardware attached to a laptop. I'll discuss more details about the hack. The response from one of the manufacturers is priceless: "The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."....hmm, seems to me that it is not accurate, or the point. Leave some smart guy alone on a night shift at the Quickee-Mart and I bet this attack is way too possible.

VMware Guest to Host Escape - [Paul] - This is a new way to exploit the file sharing feature in Windows based versions of VMware to enable the guest to write files to the host operating system. There was a similar vulnerability released previously, but this appears to be a new one. We are mentioned in the write-up (reference to our interview with Intelguardians on VM escaping). It would be neat if you could 1) compromise a guest, 2) deliver a Core Agent to the guest, 3) use that to deliver a Core Agent to the host. This capability should be showcased as an example of why VMs provide separation, not security.

OOO Spam relays - [Larry] - Using OOO messages as a spam delivery module in seven easy steps:

1. Sign up for a web-mail account at a legitimate provider (possibly by defeating a captcha).
2. Set the OOO message for your new legitimate account to contain your SPAM message.
3. Enable your OOO on the web-mail account.
4. Spoof e-mails to your legitimate web-mail address with forged reply-to addresses of the group that you want to spam.
5. The web-mail account replies to the spoofed message with the OOO message, utilizing the web-mail provider's DKIM, DomainKeys or SenderID (all technology intended to reduce spam by "authenticating" the sender).
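As an added illustration (not from the show notes) of how an auto-responder can refuse to become the relay described in the steps above: the decision logic below applies the RFC 3834 suppression rules and two extra guards, answering only envelope senders that passed SPF at our own MTA and answering each sender once. The two sample messages are constructed; the `Authentication-Results` header stands in for what the receiving MTA would add.

```python
import email
import email.utils

# Constructed sample messages, not from the show notes. Authentication-Results is
# the header our own MTA would add after checking SPF on the envelope sender.
SPOOFED = b"""Return-Path: <list-members@example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org
From: someone@example.org
Reply-To: list-members@example.org
To: mybox@example.net
Subject: hi

spam bait
"""

GENUINE = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com
From: alice@example.com
To: mybox@example.net
Subject: meeting

see you monday
"""


def autoreply_target(raw, already_replied=frozenset()):
    """Return the address an out-of-office responder may answer, or None.
    The reply goes to the envelope sender (Return-Path), never to the
    attacker-controlled Reply-To header that step 4 above relies on."""
    msg = email.message_from_bytes(raw)
    sender = email.utils.parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not sender:                      # null or missing envelope sender (bounces)
        return None
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return None                     # answering an auto-reply creates loops/backscatter
    if msg.get("Precedence", "").lower() in ("bulk", "list", "junk") or "List-Id" in msg:
        return None                     # mailing lists and bulk mail
    if "spf=pass" not in msg.get("Authentication-Results", "").lower():
        return None                     # envelope sender not authenticated: likely spoofed
    if sender in already_replied:
        return None                     # one notice per sender, no matter how often they write
    return sender


if __name__ == "__main__":
    print(autoreply_target(SPOOFED))    # None
    print(autoreply_target(GENUINE))    # alice@example.com
```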

Sky Broadband Router Mis-config - [Paul] - Proof that hacking does not require exploits, Sky has rebranded a Netgear router and made the network key (WEP or WPA? guess it doesn't matter) easy to guess, based on MAC address. This is the problem we run into with home based routers, vendors want to make it easy for people to use, which almost always compromises security.

Nortel IP Phone DoS - [Larry] - Welcome to 1995! Enter the ping of death! This one is an easy one - determine the IP of the phone, then: ping -s 65500 <ip of phone> (on Windows: ping -l 65500 -t <ip of phone>). Apparently the phones have an issue reassembling fragmented ICMP traffic, and the phone then hangs (and hangs good), then reboots. To me it seems that it can take a while to fill available memory in order to DoS the phone, as my testing revealed different lengths of time from start of ping to crash. This works in the latest version of the phone firmware, with no patch available from Nortel yet. (I tested with a little bit older version).

Either way....a Ping? How about pinging the broadcast address where the phones are located.... [Paul] - I also love phones that don't validate the certificate when using PEAP, see here. I like the idea of using 802.1x/PEAP to secure your VoIP network, but have zero confidence that these little devices we call IP phones can implement security correctly in today's world where vendors do not pay attention to embedded device vulnerabilities.

Social Network Abuse - [Paul] - So what prevents someone from going on LinkedIn or Facebook and registering an account as someone else? The attack could start by Google hacking a person, getting all sorts of information, even pictures, and then creating that person's account on a social network site and leveraging the relationships to gain information, and even trust! Very scary, so go register your account, put fake information, and then leave it alone so no one else can register the account.

We don't examine no steenkin' certificates! - [Larry] - Those neat little Vocera Star Trek communicator type phones don't examine the validity of certificates. So, when used in an environment that uses PEAP, the badges do not check the validity of certificates passed to the device due to processing overhead. This means that I can stand up a rogue AP with my own RADIUS server and a self-signed cert (WRT54GL or LaFonera anyone?), and when the badge connects to it, it assumes that the cert is valid (when it is not!), then the badge will pass its weakly hashed password (read as easily cracked), or password in clear text, to the rogue AP and then the attacker, providing them valid credentials to the network. This effectively makes PEAP as weak as LEAP (ahem, AsLeap?).

Disk encryption = FAIL? - [Larry] - So, we can break whole disk encryption by gathering the keys from memory by making the memory really cold and placing it in another device. I say, so what? You need access to the device (and one to transfer the memory to), the device needed to be in hibernate (if the encryption software supports it), or in sleep mode, be able to chill the memory (with readily available tools you have to work REAL fast). Now I will say that this is a brilliant attack, but in my opinion easily remediated: Perform a full power down instead of a sleep/suspend/hibernate, and wait 30 seconds before leaving your device. Use two-factor authentication - USB key, prox card, fingerprint reader, etc. I think a lot of people are saying this technology is dead, but I don't agree...

Pakistan pwns YouTube - [Larry] - Paul, let's discuss this one. It seems that it was due to BGP, but from what we understand this shouldn't happen...let's discuss where it could have gone wrong...and what it means for the internet (I want to keep my free porn, thanks).

Listener Submitted

Compromising Disk Encryption through Cold Boot Key Recovery [securethoughts] - Researchers at Princeton University have found that many disk-encryption mechanisms, such as BitLocker, TrueCrypt and FileVault, can be compromised by recovering the encryption key which remains latent in memory, even after the computer is cold-booted.

Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE [byte_bucket] - "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."

YouTube Hijacked by Pakistan - [securethoughts] YouTube was unintentionally(?) hijacked by the primary Pakistani ISP, after the government decided that the site contained blasphemous content. Apparently the ISP managed to keep YouTube offline for several hours after hijacking their IP ranges using BGP. By default internet routers use the most specific rulesets when directing traffic, and the Pakistani ISP's routes were more specific. This undoubtedly caused a major DoS of Pakistan, and their upstream provider decided to remove them from the internet until the issue is resolved. As the writer of the ZDNet article says to the Pakistani government: "Do not anger the Internet gods or you will suffer their wrath!"
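As an added illustration (not part of the show notes) of the "most specific route wins" behaviour described above, and of the origin check that stops it: a longest-prefix-match lookup picks the /24 regardless of who announced it, while a ROA-style origin validation flags that /24 as invalid so it can be filtered before it reaches the forwarding table. All prefixes and AS numbers are constructed from documentation ranges, not the real YouTube or Pakistan Telecom values.

```python
import ipaddress

# Constructed routing table of (prefix, origin AS, next hop). Addresses come from
# RFC 5737 documentation space and AS numbers from the RFC 5398 documentation range.
ROUTE_TABLE = [
    ("198.51.100.0/22", 64496, "peer-A"),   # legitimate aggregate
    ("198.51.100.0/24", 64497, "peer-B"),   # more specific, announced by another AS
    ("0.0.0.0/0",       64498, "upstream"), # default route
]

# Constructed allow-list in ROA style: (prefix, max length, authorised origin AS).
ROA = [("198.51.100.0/22", 22, 64496)]


def select_route(table, dst):
    """Longest-prefix match: the most specific covering prefix wins, whoever
    originated it. Returns (prefix, origin_as, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, asn, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, nh)
    return (str(best[0]), best[1], best[2]) if best else None


def validate_origin(prefix, origin_as, roas=ROA):
    """Route-origin check: 'valid' if a ROA covers the prefix within its max
    length and authorises this AS, 'invalid' if covered but not authorised
    (the hijack case: too specific or wrong AS), 'unknown' if no ROA covers it."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    return "invalid" if covered else "unknown"


def filtered_table(table, roas=ROA):
    """Drop 'invalid' routes before they can win the longest-prefix match."""
    return [r for r in table if validate_origin(r[0], r[1], roas) != "invalid"]


if __name__ == "__main__":
    print(select_route(ROUTE_TABLE, "198.51.100.10"))            # the /24 wins
    print(select_route(filtered_table(ROUTE_TABLE), "198.51.100.10"))  # the /22 wins
```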

For Your Enjoyment

Rumor has it that after 100 episodes Paul and Larry were due an eye exam. When the optometrist asked them each to read lines 1 through 8, this is what they saw.

Mobile FAIL! - a picture is worth 0xF4240 words

Larry has a posse - just like Andre the Giant.

Beer Of The Week
