From Security Weekly Wiki


  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."

"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet...."

Shameless Plugs & General Announcements

Welcome Security Weekly - Episode 203 - For Wednesday July 21, 2010.

"We don't suffer from insanity, we're enjoying every minute of it!"

  • It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
  • John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
  • The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome; please see http://cyber-raid.com for more info.

Episode Media


Interview: Alex Lanstein, FireEye

At FireEye, Alex has hands in product engineering, sales engineering, and security research. His security research led him to uncover botnet and Web malware sites associated with McColo Corp. His work was key in taking McColo off the Internet as well as significantly reducing worldwide spam. Prior to FireEye, Alex was founder, owner, and network administrator of an Internet hosting company. His areas of expertise include botnets, malware, network security, and functional binary analysis.

Tech Segment: Windows HoneyPorts

What makes a penetration tester truly outstanding at what they do?

Recently, I have been looking into a number of products that automatically block an attacker's IP address when an attack is detected. Most of the time, if these products see an evil string of bits they block all traffic from the offending IP, either indefinitely or for a predefined period of time.

This can be very cool. It can also be used as a DoS attack against your systems. For example, let's say that an attacker spoofed a packet with a malicious payload from www.facebook.com. If the IPS device you are using automatically blocked this traffic, your Help Desk would quickly be swamped with calls from users complaining that they can no longer feed the cows on their farm, partake in Mafia Wars or get otherwise p0wned by Kevin.

It should be noted that many of these products are getting a bit smarter about the circumstances that need to manifest before blocking an IP address.  But, there are still a good number that are doing it wrong.

Then I got to thinking... How can we do this with built-in Windows tools?

I got to looking at the Windows syntax for adding firewall rules to drop traffic from a particular host and I was surprised to find that I was only mildly nauseated. Then I came up with the idea of a HoneyPort. Initially, I was very happy because there were very few hits from Google on the term. One was from this guy; it looks like his site simply had a typo. I was going to email him, but it looks like he is now currently some kind of zombie/vampire. I wish him and his family all the best with his current condition. Next, I found this post on how to set honeyports up in Linux. After looking at it for a few seconds I realized it was an interesting start, but we would need to expand it a bit. And expand, enhance and enlarge we will, next week.

So how can we do this smartly, or at least less dumb, in Windows? 

For this example I am going to use Netcat for the listener. You could use any listening port. However, Netcat is great because it is flexible and will only execute a script after a full TCP connection has completed. So simply sending spoofed packets to trigger the firewall rule will not work as easily.

So here is what we do.

Put the following into a .bat file:

@echo off
REM Pull the remote address column (tokens=3) from every ESTABLISHED netstat line
REM on port 3333, split off the port at the colon, and block that remote IP.
REM The ESTABLISHED filter keeps the listener's own 0.0.0.0:0 line out of the match.
for /f "tokens=3" %%j in ('netstat -nao ^| find ":3333" ^| find "ESTABLISHED"') do ^
  for /f "tokens=1 delims=:" %%k in ("%%j") do ^
    netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block

This will run netstat, pull out only the connecting system's IP address, and then add a rule using netsh advfirewall to block all TCP traffic from that host. I cannot thank Mick enough for helping with this. Specifying the delims was a pain in the ass.

Next we need to start our netcat listener on the required port and execute our little .bat script when someone connects:

C:\>nc -L -p 3333 -e block.bat
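As an added example (not the segment's own code, and not part of the original page), here is the same HoneyPort idea written in PowerShell. It does away with the netstat parsing entirely: the listener learns the remote address from the accepted socket, and AcceptTcpClient() only returns after the kernel has completed the three-way handshake, which is the same full-connect property the segment relies on with Netcat. It assumes an elevated PowerShell session (netsh needs administrator rights); the $Port, $AllowList and $LogPath parameter names and the "HoneyPort-" rule-name prefix are choices made for this example. The allow list addresses the self-DoS problem described above: a hit from an allow-listed address is logged but never blocked.

```powershell
# Added HoneyPort example in PowerShell (not the segment's batch file).
# Assumed: run as Administrator; parameter names below are hypothetical.
param(
    [int]$Port = 3333,
    # Addresses that must never be blocked (management hosts, gateway, self).
    [string[]]$AllowList = @('127.0.0.1', '::1'),
    [string]$LogPath = "$env:TEMP\honeyport.log"
)

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-Host "HoneyPort listening on TCP/$Port (Ctrl+C to stop)"

$blocked = @{}   # remote IP -> first-seen timestamp, so each rule is added once
try {
    while ($true) {
        # Returns only after a completed handshake; a lone spoofed SYN never gets here.
        $client = $listener.AcceptTcpClient()
        $remote = $client.Client.RemoteEndPoint.Address.ToString()
        $client.Close()

        $stamp = (Get-Date).ToString('s')
        Add-Content -Path $LogPath -Value "$stamp hit on TCP/$Port from $remote"

        if ($AllowList -contains $remote) {
            Write-Warning "$remote is allow-listed; logged but not blocked"
            continue
        }
        if ($blocked.ContainsKey($remote)) { continue }

        # Same netsh rule the batch file adds, one rule per source address so
        # it can be removed individually later.
        $ruleArgs = @('advfirewall', 'firewall', 'add', 'rule',
                      "name=HoneyPort-$remote", 'dir=in', "remoteip=$remote",
                      'localport=any', 'protocol=TCP', 'action=block')
        & netsh @ruleArgs | Out-Null
        $blocked[$remote] = $stamp
        Write-Host "$stamp blocked $remote"
    }
}
finally {
    $listener.Stop()
}
```

Save it as, for example, honeyport.ps1 and run it from an elevated prompt with the port you want to watch (.\honeyport.ps1 -Port 22 for the insider-detection use described later in the segment). Every hit is appended to the log file before any blocking decision is made, so the listener is useful for detection even with an empty block list; a rule added by the script is removed with netsh advfirewall firewall delete rule name=HoneyPort-<ip>.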

Now let's see what an attacker would see when they scan my system with a standard nmap scan of port 3333.

Geek:~ john$ nmap -PN -p 3333

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-21 08:14 MDT
Nmap scan report for
Host is up (0.00080s latency).
3333/tcp open  dec-notes

Yea! The port is open.

Now let's connect to it:

Geek:~ john$ nc 3333

Now let's rescan with nmap:

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-21 08:15 MDT
Nmap scan report for
Host is up.
3333/tcp filtered dec-notes

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

And it is filtered... as are all TCP ports on this system, from the attacker's point of view.

The reason this is nice is that it requires a full connect on the target system for the script to trigger. So if an attacker tries to spoof attack packets from Microsoft, Google and Facebook to this port, it will not trigger the rule. Why? Initial Sequence Numbers. You see, spoofing a packet is easy. Spoofing a full connection is harder. Not impossible, but harder. Spoofing these numbers is even more difficult if the systems you are trying to spoof are online and readily sending RST control bits in response to unsolicited SYN/ACK packets.

Why do this? Well, first and foremost, because you can. There are a number of cool situations where this may come in handy. Penetration test forced upon you? Fire this up on some ports that will be scanned by the testers and presto! Your network goes dark. It could also be a neat trick to detect insider attacks. Run this on a few internal systems on ports of interest (e.g. 22) and wait for someone to connect. If it trips, you now have an internal IP address that needs to be investigated.

Finally, you may find yourself in a Red vs. Blue challenge where all you have is a bunch of unpatched 2003 and XP systems, no firewall, no IDS, no AV... and the attackers have every attack tool known to man, all up to date and shiny. This is an excellent little script to balance the scales a bit.

Next week we will add another chapter to the Blue Team's Playbook when we do the same thing on Linux.

Till then…

-strandjs (Fr. John)

Stories For Discussion

  1. Finally someone popped VxWorks - [Paul] - So awesome! I hope this raises some awareness with respect to embedded security. My fear is that it will be fixed, quietly exploited, and everyone will go on with life thinking embedded vulnerabilities aren't a big deal. I mean, so what if I can pwn your storage arrays, printers, voice conferencing systems, and routers? Right? Sounds like the same story: vulnerabilities are the result of a debug service that allows attackers to read/write to memory.
  2. SCADA Virus? - strandjs - Stop me if you heard this one before.. So a Windows virus is targeting Windows systems that are industrial control systems. This wonderful little attack targets Simatic WinCC, which runs on Windows. Seriously? USB drives? Naw.. No one would allow those in to sensitive environments. Oh... And no one is running WebDav..
  3. Write up and info on the Zero-day here - strandjs - I am pretty sure we have seen this type of thing before.
  4. Millions! I say Millions - strandjs - If only someone had done some research on embedded device security. Paul? [Paul] - So I am anxious to see this attack in action. I am a bit confused on how it actually works. DNS rebinding, as far as I understand it, is primarily successful due to flaws in the web browser, not in the router. The "Exploit" they talk about in the descriptions says it attacks the router using a default password, which, well, we've been down that road and even have our own site dedicated to it. So, yes, you can use DNS rebinding to attack the router, but I am interested to see how one router is more vulnerable than the next.
  5. Malware on Dell Motherboards - strandjs - Nice. The motherboards on some Dell R410 servers are pre-infected with spyware. So far, not enough information to go on. Carry on your panic.
  6. The Return Of Zeus - the Botnet - [Paul] - Someone stumbled across a C&C server that was home to over 5,000 infected hosts. Most were home users, but many were corporations and government computers. There was over a gigabyte of information collected from the hosts in the botnet. I can't tell you how sad this is for information security, bad guys are stealing our data, so what do we do about it?
  7. VPN Will Save You On Open Wifi? - [Paul] - I'm still not convinced that VPN offers much protection on open Wifi networks. I think the advice is not sound, as on an open network many things are possible. Whatever VPN protocol you are using could be subverted or attacked directly. Using encryption on the wireless network helps, but of course is not available at your local Starbucks. My solution is to use a 3G or EVDO Internet connection, which significantly raises the cost of attacking you and limits the number of people who can be successful. This, my friends, is how you need to think about your security. Is the medium any more or less secure? No, however it's more challenging (right now anyway) to attack than Wifi. Do I still run a VPN and use encrypted protocols over my cellular Internet? Yes. I guess that's step two: be paranoid.
  8. New Nmap Out - [Paul] - I think Nmap is one of the best tools out there, and I still use it on almost every assessment. The NSE scripts are a very powerful feature, and I have some ideas for implementation which I will be working on in the coming months. Its ability to test default passwords and implement quick tests for weak security in protocols, databases, and more is exceptional. Lua is a pretty cool language too.
  9. Siemens: Don't change your password - [Paul] - It just goes to show you how broken many of the embedded systems are that run our infrastructure. Changing the password causes the system to crash. When will we stop using crappy software to run SCADA systems?
  10. Command Line Kung Fu - Fricken' users - [Paul] - In a pen test you may have to add a user. It does make a change to the system, but sometimes adding a new user is required to accomplish your goals. Maybe you want to create one in the domain administrators group and see how long it takes the systems administrators to notice? In any case, so many times you only have command line or shell access to the box you've compromised, so knowing how to add users from the command line is key.
  11. Did you leave your 96GB encrypted pr0n collection connected to your computer? - [Paul] - Just what kind of pr0n do you think exists on a 96GB encrypted volume? Probably the kind that warrants a call to the FBI.
  12. researcher pulls "cash machine" talk - [Paul] - What would you do if you knew how to make the money come out of an ATM like magic? There is a responsibility for the public good, but when will it get fixed?
  13. Some Possible Insights into Geo-Economics of Security - [Paul] - I found this interesting: "For instance, a $3000 bug bounty for something that takes two weeks to work on equates to a $78k a year job if you can be consistent. In the United States for a skilled researcher that's barely worth the time. But in a country where the average income is closer to $10k a year". I agree, it's all about the economics. Recently Mozilla raised its bug bounty, most likely to keep up with the demand. However, what Rsnake fails to calculate in is that a researcher in a foreign country could sell it on the black market for 3x what Mozilla is paying, and buy a house complete with armed guards, bikini-clad women, a pool, etc...

Other Stories of Interest

Transvestite had sex with a dog at English Heritage castle