From Security Weekly Wiki


Security Weekly - Quickie Episode 242 for Friday May 6th, 2011.

  • Register for Cyber Security World's Linux FAIL webcast - Wednesday May 11th at **STAY TUNED FOR POSSIBLE TIME CHANGE **
  • The first episode of Security Weekly Espanol is available here
  • Security Weekly Blackhat Training Part 1 Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
  • Security Weekly Blackhat Training Part 2 Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
  • Larry is teaching SANS 617 SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in the only country he is licensed to teach in - Canada! Catch him in Victoria May 9 to May 14th.
  • DerbyCon : Louisville, Kentucky – September 30th to October 2, 2011. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit".

Episode Media


Tech Segment: Stealthy Nmap Host & Service Discovery Scanning


Visit The Security Weekly YouTube Channel for all of our latest videos!

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly

Download the Audio (MP3) Version of this segment here!

You need Nmap 5.51, as these broadcast scripts are new.

You do not specify any targets, so all traffic is sent to the broadcast address of the network adapter you run nmap from.



Everyone should run this command against their network:

nmap -P0 --script=broadcast
Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-06 14:33 EDT
Pre-scan script results:
| broadcast-dns-service-discovery: 
|     22/tcp sftp-ssh
|       model=MacBookPro4,1
|       Address= fe80:0:0:0:21f:5bff:fecc:2df0
|     22/tcp ssh
|       model=MacBookPro4,1
|       Address= fe80:0:0:0:21f:5bff:fecc:2df0
|     548/tcp afpovertcp
|       model=MacBookPro4,1
|       Address= fe80:0:0:0:21f:5bff:fecc:2df0
|     3689/tcp appletv-itunes
|       txtvers=1
|       pass=0
|       DpPV=196619
|       PrVs=65538
|       iTPV=196614
|       OSsi=0x1F5
|       MdKd=0
|       MaID=0x6DBA67A2B152
|       Name=USer\xE2\x80\x99s Library
|_      Address= fe80:0:0:0:21f:5bff:fecc:2df0
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 40.08 seconds


Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a followup query for each one to try to get more information.
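As an added example (not code from the segment or from the Nmap project), here is that first step in Python: build the PTR query for _services._dns-sd._udp.local and pull the PTR answers, compressed names included, out of a response. This is a handy way to check what your own hosts announce over mDNS; the response bytes below are constructed for the example, not captured.

```python
import struct
SERVICES_ENUM = "_services._dns-sd._udp.local"            # name the script queries first

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def build_ptr_query(name, txid=0):
    """One-question query for a PTR record (QTYPE 12, QCLASS IN); mDNS sends it to 224.0.0.251:5353."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 12, 1)

def decode_name(pkt, off):
    """Decode the name at pkt[off], following RFC 1035 compression pointers (0xC0xx)."""
    labels, end = [], None                                # end: where the caller resumes
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                             # pointer to an earlier name
            end = end if end is not None else off + 2     # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_ptr_answers(pkt):
    """Return the PTR targets in a response; for the enumeration name they are service types."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, found = 12, []
    for _ in range(qd):                                   # skip any echoed question
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 12:
            found.append(decode_name(pkt, off)[0])
        off += rdlen
    return found

def constructed_response():
    """Constructed sample (not captured traffic): two PTR answers, the second compressed."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)  # response flag set, 2 answers
    rd1 = encode_name("_ssh._tcp.local")
    ans1 = encode_name(SERVICES_ENUM) + struct.pack("!HHIH", 12, 1, 4500, len(rd1)) + rd1
    rd2 = b"\x0b_afpovertcp" + b"\xc0\x39"                # 0x39 = offset of "_tcp.local" in rd1
    ans2 = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 4500, len(rd2)) + rd2  # name -> offset 12
    return hdr + ans1 + ans2
```

Each service type returned is then queried the same way (PTR for the type, then SRV/TXT for the instance), which is how the script arrives at the model and address fields in the output above.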

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-06 15:05 Eastern Daylight Time

Pre-scan script results:

| broadcast-ms-sql-discover: 
|     Instance: MSSQLSVR
|       Microsoft SQL Server 2005
|         Version: 9.00.4035.00 - UNVERIFIED
|         Clustered: No
|         Server name: PWNME
|         Tcp port: 1433
|         Named pipe: \\PWNME\pipe\sql\query
Nmap done: 0 IP addresses (0 hosts up) scanned in 41.20 seconds

Looks like MS SQL servers advertise this information using UDP port 1434.
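As an added example (not code from the segment or from Nmap), a Python parser for what the SQL Server Browser service sends back on UDP 1434. The request is the single byte 0x02 (CLNT_BCAST_EX); the response layout and the version-to-product table are assumptions based on the SQL Server Resolution Protocol, and the sample datagram is constructed from the values in the output above plus a made-up second instance.

```python
import struct

SSRP_PORT = 1434          # UDP port of the SQL Server Browser service
CLNT_BCAST_EX = b"\x02"   # the whole request: one byte, "list every instance you know of"
SVR_RESP = 0x05           # first byte of every response

_MAJOR = {"8": "2000", "9": "2005", "10": "2008", "11": "2012", "12": "2014",
          "13": "2016", "14": "2017", "15": "2019", "16": "2022"}

def product_name(version):
    """Map a self-reported engine version such as 9.00.4035.00 to the product name."""
    parts = version.split(".")
    major, minor = parts[0], (parts[1] if len(parts) > 1 else "")
    if major == "10" and minor.startswith("5"):
        return "Microsoft SQL Server 2008 R2"
    year = _MAJOR.get(major)
    return "Microsoft SQL Server %s" % year if year else "Microsoft SQL Server (unknown build)"

def parse_ssrp_response(data):
    """Parse one SVR_RESP datagram: 0x05, 2-byte little-endian length, then ASCII
    'key;value;...;;' repeated once per instance. Returns one dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack("<H", data[1:3])
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        # The version is whatever the Browser service claims, which is why nmap prints
        # "UNVERIFIED"; confirm it against the engine itself before acting on it.
        inst["Product"] = product_name(inst.get("Version", ""))
        instances.append(inst)
    return instances

def constructed_datagram():
    """Constructed sample (not a capture): two instances, the first using the values
    from the nmap output above, the second made up for this example."""
    body = (b"ServerName;PWNME;InstanceName;MSSQLSVR;IsClustered;No;Version;9.00.4035.00;"
            b"tcp;1433;np;\\\\PWNME\\pipe\\sql\\query;;"
            b"ServerName;PWNME;InstanceName;SQLEXPRESS;IsClustered;No;Version;10.50.1600.1;"
            b"tcp;49172;;")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body
```

To inventory a live segment, send CLNT_BCAST_EX with socket.sendto() to the subnet broadcast address on SSRP_PORT and hand each reply to parse_ssrp_response(); where the Browser service is not needed, disabling it or filtering UDP 1434 stops this unauthenticated disclosure.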

Stories For Discussion



Larry's Stories

  1. SONY, we told you so - [Larry] - Running unpatched apache? Yeah, that's bad. Running it allegedly without a firewall, yeah, that's bad too (although it is unclear what kind and which methods of firewalling are meant here…). But, having third parties tell you those very things as part of their assessment and then not doing anything about it for months, well, that's just plain deplorable. You tell us that something like this won't happen again, but I think that you need to look deeper than the security technologies and configuration in use. How about looking at your risk decision matrix (cause you do have something like that, right?) and re-prioritize things to address known vulnerabilities, and maybe weight internet facing systems a little higher, mmkay? How about patching that stuff even if those ports aren't directly exposed and are firewalled? Want another chuckle? Read the letter they sent to a House Committee, which even government officials (and we know the track record of the security of government systems) called Sony's efforts "half-hearted, half-baked." From the report: "First, detection was difficult because of the sheer sophistication of the intrusion. Second, detection was difficult because the criminal hackers exploited a system software vulnerability" and "…gone undetected, even after highly trained technical teams had examined the network infrastructure that had been attacked…Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack…" The comments about additional protections may seem good, but end up being a bit laughable too, given the short period of time that they are taking to implement…
  2. Security Understanding Fail - [Larry] - I SRSLY cannot make up stuff this funny. So let's quote from the article directly: "A police department laptop computer containing “a fair amount of records” was stolen from a marked cruiser…The police chief said he's been advised that it's unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord." Wow. Battery and power cord? How will I EV-ebay-ER find one of those. (I was going to comment on the article, but their comment system sucks.)
  3. Hack the Password Manager - [Larry] - Ugh, passwords are so broken, so what do we do? Random, long passwords that we need a password manager to remember for us, so we store those in an online password manager so we can get to them wherever we are. Now, said Password Management site gets hacked…
  4. Mmmm, post exploitation goodness - [Larry] - This one is ripe for it. How many of you see BMC Remedy in use on assessments? Think of the type of information stored there! Users lists, IDs, asset information, IP addresses, and often usernames and passwords, not to mention loads of info useful for social engineering attacks. With this, we can gain access through a default account, although I can't see it (so just use the XSS to steal cookies instead) and the XSS can let us start to compromise the browser, for systems that will likely have more privileged access to IT systems…

Paul's Stories

  1. Debate over Wireless Payment systems on Mobile Phones - Should the payment information be stored in your SIM card (where carriers have access to it) or in an NFC (Near Field Communications)? This is scary, once your credit card is stored in your phone, mobile attacks will EXPLODE. This will be the new way for attackers to get CC info, gone will be the days of planting devices in the store, attackers will now either attack your phone, or attack the carrier or mobile provider to get credit cards. Given that some stats I read say that one in every two Americans will have smartphones, which may even be more than people with computers, this is bad!
  2. Topic: What can companies do to battle the mobile device security threat? What about wireless?
  3. Tips for safer Gaming - Or, security recommendations that will make no difference. 1) Trust No One, 2) Utilize an Alternative Payment Method (Reduce your personal risk.), 3) Segment your home network, 4) Consider the source of software. So, trust is a funny thing. I could trust no one, but then I wouldn't be able to do gaming. I could use a different credit card, but that's just sacrificing something that we just shouldn't have to. Segmenting your network is just ridiculous, it solves very little. Software can be insecure, regardless of the source.
  4. Long Range Bluetooth - A crafty hacker modified his BT dongle to clip to his CB antenna. He is now able to communicate with his phone from 100 feet away, and picked up 27 discoverable devices. If you are not including Bluetooth and other non 802.11 wireless technologies in your defensive strategy, you should be. Chris Hadnagy presented a good example of how attackers can extend wireless range. I'll add a pretext, call an employee and tell them they've won an iPhone or iPad. Send it to them, then put software on it to connect to wireless network and bluetooth. Game over. I don't believe we can still look at wireless as a local problem, attackers will be crafty, knowing that you likely are not doing anything with Bluetooth security inside your building.
  5. Linksys WRT54G XSS - Folks, this is a remote exploit. Don't give me that "oh, but admin is not enabled on external interface" crap. User clicks on link, you guess default password, then store XSS in the router that will re-configure the device. Game over. How many of your remote users run these devices? Chances are, a lot.