From Security Weekly Wiki
Jump to navigationJump to search

Episode Media

MP3 pt1

MP3 pt2


Security Weekly - Episode 339 for Thursday July 18th, 2013

  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We have a special webcast on Thursday August 22nd with Symantec titled "Fighting Malware: Taking Back The Endpoint". We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Honeyports: Cross-Platform Automated IP Blocking

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

If you've seen one of mine, or John Strand's, presentations on offensive countermeasures, you know about Honeyports. If you've taken our class or read our book, you've seen this too! Just to recap:

If you tell your host to listen for connections on a port, and make certain the client is making a full TCP connection, you can "shun" or block the remote IP address. A Honeyport is a port that nothing should be listening on. When something, or someone, makes a connection to this port, you create and implement a local firewall rule on the host to block that IP address.

Previously we had shell scripts and a Windows command to make this happen. I wanted to extend this functionality, but quickly ran into limitations. So, I decided to write a Python script to implement this on all 3 platforms.

You can download Honeyports here, version 0.4 is the latest at this time.

Here is some quick usage:

bash-3.2# ./honeyports-0.4.py 
Honeyports Version: 0.04
I will listen on TCP port number:  
Honeyports detected you are running on:  Darwin
Setting sockets up for OS X
Usage: ./honeyports-0.4.py -p port 
Please specify a valid port range (1-65535) using the -p option

Honeyports prints out a bunch of information for you, such as the version number, the port it will listen on, and which platform it thinks you are running it on. The socket setup is different on OS X as I use "socket.gethostname()", but on Linux and Windows I use "s.getsockname()[0]". Ideally Honeyports will provide you with a list of interfaces, assigned IP addresses, and allow you to choose (its on the feature request list!).

Okay, so now lets run it and specify a port:

bash-3.2# ./honeyports-0.4.py -p 22
Honeyports Version: 0.04
I will listen on TCP port number:  22
Honeyports detected you are running on:  Darwin
Setting sockets up for OS X
Listening on  johnnymo.home  :  22
Got connection from
Blocking the address:
Creating a Mac OS X Firewall Rule

I just blocked:
Enter Commands: q=quit f=flush rules p=print rules.

You get the same info about how Honeyports was started, then it just listens on that port. I like to choose 22, as its a port people will likely try to connect to in order to attack my machine. I disable the real SSH service and let Honeyports listen on it. We can see that "" connected (yes, that is our own IP address, it was just for testing, and yes, we should have a whitelist and whitelist our own IP address, DNS servers maybe, etc… So, right now the script has its very own DoS vulnerability built-in for your pleasure, or dis-pleasure, then again so do all the rest of the Honeyports scripts, guess what I am doing tomorrow!). Honeyports shows the IP that was blocked and lets you either quit, flush the rules, or print them:

Enter Commands: q=quit f=flush rules p=print rules.p
Here is what your rules look like:
00100 deny ip from to any
65535 allow ip from any to any

Here is what the other side sees:

$ telnet 22
Connected to johnnymo.home.
Escape character is '^]'.

***** Fuck You For Connecting *****

johnnymo.home: Permission denied
Connection closed by foreign host.

You can customize the banner :) I've got a long list of changes and additions I'd like to make. The script is open source, so feel free to send me an updates you want to make, I would like to see:

  • A Daemon mode (so admins can run this on all their hosts in the background)
  • Ability to send to syslog (So you can snag the resulting logs and use them to correlate or for incident response)
  • Whitelist for source IP addresses
  • Multi-threading
  • Ability to customize the banners (e.g. if port is 22, emulate an SSH banner)
  • Set a lifetime to each firewall rule (so rules are flushed every hour or so)

Enjoy! (BTW, this new script will be included on the ADHD distro and in our Offensive Countermeasures courses).

Interview: Mark Dowd

Mark is a director and founder of Azimuth Security, and brings over 10 years of security experience to the team. The bulk of his professional career has been focused in the area of application security research. He's worked at McAfee, IBM, as well as performing a variety of information security consulting services independently and for ITAC Consulting. He also was the winner of the 2009 Google Native Client Security Contest.


Interview Questions:

Five Questions:

  • Three words to describe yourself
  • If you were a serial killer, what would be our weapon of choice?
  • In a game of ass grabby-grabby do you prefer to go first or second?
  • If you wrote a book about yourself, what would the title be?
  • Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Threat Analytics with Ty Miller

Ty Miller.jpg
\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Ty Miller is CEO and Founder of Threat Intelligence , has had many TV appearances, radio interviews, print newspaper and magazine articles, and regular online commentary & BlackHat Trainings. Ty Miller's experience not only covers penetration testing, it also expands into regulations like PCI, developing and running industry benchmark accreditations, performing forensic investigations, as well as creating and executing security training ranging from introductory security through to highly advanced security concepts and skillsets. Today he is here to do a tech segment on his product Threat Analytics.

Ty Miller Tech Segment

1) About & Why

Threat Analytics is the security version of Google Analytics. Instead of tracking page clicks on your website like Google Analytics does, Threat Analytics tracks malicious data and malicious users on your website and around the world.

When a malicious presence is detected on your website, you are notified of the malicious activity immediately to your email and via a push notification to the new Threat Analytics mobile app.

At this point Threat Analytics is able to deploy a "Threat Analytics Agent" back to the malicious web browser to perform a range of configurable "Threat Protection Actions", such as closing the web browser, creating an overlay on the page, locking the form, gathering more information about the attacker, or even redirecting the attacker to a different web page or website.

All of this can be actioned before the attacker has even submitted their attack.

Lets say that a hacker is attacking a website in Spain that is configured with Threat Analytics. This hacker is automatically profiled and tracked. If this hacker then visits your website running Threat Analytics located in Canada, then the malicious presence will automatically be detected, you will be alerted, and your Threat Protection Actions will be deployed via the Threat Analytics Agent into the hacker's web browser to close down the attack.

Many organisations don't review their WAF and IDS logs because there is too much noise from vulnerability scans, so they don't know which are real attack. Threat Analytics is designed to filter out this noise by alerting you to only those attacks where a hacker is actually sitting on their web browser typing malicious data into your website.

This is often the first indicator that you are about to suffer an attack, allowing you to kick off your incident response procedures at a very early stage. The earlier you identify and contain a security breach, the lesser the financial and repetitional impact to your organisation.

The attack data, timestamps, and hacker profiles provided by Threat Analytics can then be used by your security team to review your web server, WAF and IDS logs to identify other actions performed by the attacker.

Threat Analytics also offers an API so that an Intelligence Feed can be utilised for integration into other products or SIEM solutions.

2) How

The best resource to read through to use Threat Analytics is the "Getting Started Guide".


a) Register for a Free Account

To get a free Threat Analytics account, go to http://www.threat-analytics.com/ and click “Sign Up”.

Sign Up Home Page.png

On the Threat Analytics Memberships page, choose the type of account that you would like.

There are a number of different levels of Threat Analytics membership, but we just want the Free Membership, so click "FREE SIGN UP".

Memberships Page.png

Next, on the Sign Up for Threat Analytics page, enter your Full Name, create a user name and then provide your email and create a password.

User Account Details Page.png

Once you have created your account, you must complete your profile setup to ensure that your account creation is successful. You do this by telling Threat Analytics the website that you own and selecting its industry;

Website Setup Page.png

Select the industry that your site most closely falls within or aligns to, and then enter your site domain or URL and click “Save” to register your site.

Setup Complete Page SiteID 0.png

When you register your site Threat Analytics will provide you with you the Threat Analytics Code. This is is a line of javascript software including a unique identifier for your site that you will need to add to your web site. For the purpose of demonstrations, the site ID is zero “0”, but whatever code you are supplied with keep it handy as you will need it when you install the agent on your site.

b) Add Threat Analytics to Your Website

At this point you want to add the Threat Analytics JavaScript code to your website by adding it to the footer of your website pages just before the </body> tag.

c) Login to Threat Analytics

Login to your Threat Analytics account using your email address and password via www.threat-analytics.com.

With the site registered, you can now go and customise your Threat Analytics configuration to set a policy – that is – what actions you want to happen when an attack or malicious user is detected.

You will find that there are a number of menus including "Agent Config", "Global Attack Detection" and "Notifications" that provide you with interfaces to these policies.

d) Configure Threat Analytics Agent

If you click on the Agent Config menu, you will be taken to the Agent Configuration page where you can configure the payloads to be deployed back to the hacker's web browser once a malicious presence has been detected.

Agent Configuration Page.png

This page will display your current policy settings, which by default will be empty and take the default action of not deploying any agents to the malicious web browser.

To configure your policy, you simply drag and drop the icons to the policy section on the right hand side.

This will provide you with configuration options for each Threat Protection Action, which may include the color of the overlay, the page to redirect to, or the banner to be displayed.

When you have configured your agent settings, hit the save button and your profile will be updated via Ajax and a small message in your policy will show "Saved".

e) Configure Global Attack Protection

Threat Analytics can block known attackers based on the Global Attack Detection scoring system. Once an attacker passes various thresholds they can be dealt with as soon as they visit your site.

Select the “GLOBAL ATTACK DETECTION” menu to configure how your site should respond to an attacker.

Global Attack Detection Configuration Page.png

Again, simply drag and drop the options that you wish to configure in order to change the default settings. The default settings will be displayed once you have dragged the configuration icon onto your policy.

You can then tweak these settings based on how you wish Threat Analytics to respond. For example, if you are a little more paranoid than most or are running a high security site then instead of classifying malicious activity once it exceeds a "Critical" threshold, you may configure Threat Analytics to classify malicious activity once it exceeds a "High" or "Moderate" threshold.

Similarly you may wish to adjust bad user, host and fingerprint thresholds to tune the sensitivity for your website.

The retirement option also allows you to configure how long it will take for you to forgive an attacker and allow them back onto your site, provided that they haven't done any further malicious activity within that timeframe.

e) Configure Threat Analytics Notifications

Threat Analytics notifies you when attacks occur against your site and when known attackers visit your site. You can define the notification settings for how and when you would like to be notified of malicious activity.

Select the “NOTIFICATIONS” menu to customise your notifications. Drag and drop the Notification Actions into the policy section on the right to configure how you would like to receive notifications, and the frequency of the notifications for each threat level.

Notifications Configuration Page.png

f) Testing Threat Analytics is Working

To test if Threat Analytics is working on your site, choose a page that has the agent installed on it and supply it with example malicious data.

To help you out we have provided the following examples to let you test your Threat Analytics installation and validate your site policy. To use any of these test patterns replace “http://www.your_site.com/” with the URL to a page that has the Threat Analytics agent installed on your site.

Non-Malicious Request: http://www.your_site.com/?test=clean

Cross Site Scripting (XSS): http://www.your_site.com/?test=%3Cimg%20src=x%20onerror=alert(1)%3E

SQL Injection: http://www.your_site.com/?test=';select%20*%20from%20users;--

System Command Injection: http://www.your_site.com/?test=cmd%20/cdir%20C:\

ColdFusion Injection: http://www.your_site.com/?test=cfusion_dbconnections_flush

Email Injection Attack: http://www.your_site.com/?test=%0d%0ato:%20test@b.com

HTTP Response Splitting: http://www.your_site.com/?test=%0d%0aLocation:%20http://www.test.com

Remote File Inclusion: http://www.your_site.com/?test=

If you have installed and configured Threat Analytics correctly then these tests will trigger the policy response that you configured in 3.1 Configure Threat Analytics (Agent Config) in your browser, you should receive alerts to the email address that you used to register your account, and there will be data in the Threat Analytics Dashboard for you.

g) Analysing Your Attacks in the Dashboard

When you login to your Threat Analytics account, you will be taken to the Dashboard. This presents you with an overview of the Recent Threats including their severity and confidence, when they occurred, and where from. As well as the Threat Profile, Membership Usage, Threat Map, Threat Timeline, Threat Locations, and Industries Under Attack.


h) Analysing Your Attacks in the Threat Engine

The Threat Analytics Threat Engine shows you a time ordered history of all attacks against your site, starting with the most recent.

Threat Engine with Context Menu.png

You can then click on any of these threat entries to reveal a context menu where more options are available. This includes: • View a hacker profile (see what Threat Analytics thinks of this attacker) • View request details (see what data would have been sent to your site, including the path and 
even which form field) • Mark as suspicious (note that this record is of particular interest) • Mark as Malicious (note that this record is definitely bad) • Perform Whois Query (interrogate the Internet management data for this source address to 
return detail such as the issuing ISP/company, an administrative contact email address and physical/postal address to help with incident response and collaborative efforts to shut down the attack).

In the following screenshot you can see the result of the Threat Analytics Request Details selection.

Request Details Ajax Box.png

And in the next screenshot you can see the result of the Threat Analytics Whois Query selection.

Whois Query Ajax Box.png

In this screenshot you can see the result of the Threat Analytics Hacker Profile selection.

Hacker Profile Ajax Box.png

If you find that you exceed your Free Membership subscription then you can always upgrade via the Memberships menu.

There is also a mobile app being released for push notifications.

3) References

Threat Analytics Website: http://www.threat-analytics.com/ Threat Analytics User Guide: http://www.threat-analytics.com/threatanalytics/gettingstarted/ Threat Analytics Features: http://www.threat-analytics.com/threatanalytics/features/ Threat Analytics Memberships: http://www.threat-analytics.com/threatanalytics/memberships/

4) Plugs

Threat Intelligence Website: http://www.threatintelligence.com Threat Intelligence Security Training: https://www.threatintelligence.com/threatintelligence/securitytraining/ Twitter: @tyronmiller (https://twitter.com/tyronmiller) LinkedIn: http://www.linkedin.com/pub/ty-miller/16/a45/963 The Shellcode Lab, Black Hat USA Training: https://www.blackhat.com/us-13/training/the-shellcode-lab.html BeEF Bind Shellcode: http://2012.ruxcon.org.au/assets/rux/Rooting_Your_Internals-RuxCon12-Orru-Miller.pdf


Paul's Stories

  1. Incomplete Thought: The Psychology Of Red Teaming Failure – Do Not Pass Go…
  2. Windows Phone shows little market share growth
  3. Black Hat hacker claims he can make $15k to $20k an hour
  4. Hackers demonstrate Toyota Prius hijacking on video
  5. Windows phones can be burned by rogue hotspots
  6. HP plugs password-leaking printer flaw • The Register
  7. Hackers to NSA chief: Read the Constitution | Security & Privacy - CNET News
  8. Car hacking code released at Defcon
  9. Wi-Fi routers: More security risks than ever
  10. #BlackHat Briefings USA 2013: Day Two Notes
  11. #BlackHat Briefings USA 2013: Day One Notes
  12. admin to SYSTEM win7 with remote.exe
  13. Chinese hackers take over fake water utility
  14. Android Apps Can Access All Of Your Google Account
  15. Posh potty owners flushed by dodgy Bluetooth password
  16. Water-Utility Honeynet Illuminates Real-World SCADA Threats
  17. Windows Phones open to hackers when connecting to rogue Wi-Fi

Larry’s Stories

  1. GPS Spoofing attacks - [Larry] -
  1. Hillbilly Tracking of Low Earth Orbit Satellites - [Larry]