Paul's Security Weekly - Episode 360 for Thursday January 30th, 2014
- New webcast next Tuesday 1PM EST called "Build A Security Program From The Ground Up: Crawl, Walk, Run" Go to http://securityweekly.com/webcasts for registration information!
- Security Weekly will be at the SANS ICS Summit from March 12-18th, doing a live podcast on Sunday night, covering the courses and attending the 2-day summit. Security Weekly subscribers can now enjoy a 20% off discount code! Use SecurityWeekly20 on checkout to get that discount applied. This conference will be held in Orlando at the Contemporary Resort & Convention Center in sunny Orlando, FL REGISTER NOW!
- We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details, there are still a few slots available!
Guest Interview: Jared DeMott
Jared DeMott is a principal security researcher at Bromium and has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, GRRCon, and DerbyCon. He is active in the security community by teaching his Application Security course.
- How has auditing code for application security changed over the years?
- What are the most common errors when it comes to security that you see?
- Can you share any awesome war stories with us?
- In your opinion, what is needed to fix the current state of application security?
- What are your feelings on, strcpy, sprintf, strncpy & malloc. Is the problem the functions, or the developer not fully understanding what is happening?
- Do you use any fuzzing framework for your applications, or strictly code analysis?
- What are some of the winning strategies for the Defcon CTF?
- What are the 3 most important things you can teach a software developer about security?
- What is the exploitation technique called ROP? How can you defend against it?
- Do you believe you find more bugs in fuzzing or static analysis, or is it just different bugs? Does it depend on the type of application?
- Which software implementations are the easiest to fuzz? The most difficult?
- Are there techniques and "things" you can do to your application to make it harder to fuzz?
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?
Tech Segment: Carlos Perez
- Larry teaching SANS classes: Check out his SANS page for the details" 617 in Orlando in March, Also 571 at RSA
- SEC504 in Mentor format in Downtown Boston coming up in April! Use the discount code "SecOrg" when registering for 10% off the class. Register at http://tinyurl.com/SEC504-Boston Email firstname.lastname@example.org for more info or for a special discount code if you prefer to get the GCIH attempt for free instead.
Windows Meterpreter recently got some new capabilities thru the Extended API module by OJ Reeves also known as TheColonial. He added support for:
- Interacting with the Clipboard
- Query services
- Window enumeration
- Executing ADSI Queries
We will cover in this Technical Segment the ADSI interface since it gives us a capacity in enterprise environments not available previously in meterpreter other than a module from Meatballs called enum_ad_computers.
To query ADSI we need to fist load the Extended API extension, for this like with any other extension we use the Load command:
meterpreter > load extapi Loading extension extapi...success.
If we use the **help** command or its alias **?** we can see the commands are now available inside of the Meterpreter session:
meterpreter > ? .... Extapi: Window Management Commands ================================== Command Description ------- ----------- window_enum Enumerate all current open windows Extapi: Service Management Commands =================================== Command Description ------- ----------- service_enum Enumerate all registered Windows services service_query Query more detail about a specific Windows service Extapi: Clipboard Management Commands ===================================== Command Description ------- ----------- clipboard_get_data Read the victim's current clipboard (text, files, images) clipboard_set_text Write text to the victim's clipboard Extapi: ADSI Management Commands ================================ Command Description ------- ----------- adsi_computer_enum Enumerate all computers on the specified domain. adsi_domain_query Enumerate all objects on the specified domain that match a filter. adsi_user_enum Enumerate all users on the specified domain.
2 of the ADSI commands simplify the process of enumeration using it, these are:
- adsi_computer_enum - does basic computer account enumeration.
- adsi_user_enum - this one does basic user enumeration.
If we look at the help options for one of the commands we will see they all have a Page Size and a Maximun number of results to get, this is becase AD can be very big and it can overwhelm Meterpreter.
meterpreter > adsi_computer_enum -h Usage: adsi_computer_enum <domain> [-h] [-m maxresults] [-p pagesize] Enumerate the computers on the target domain. Enumeration returns information such as the computer name, desc, and comment. OPTIONS: -h Help banner -m <opt> Maximum results to return. -p <opt> Result set page size.
Lets enumerate computer account:
meterpreter > adsi_computer_enum acmelab1 acmelab1 Objects ================ name distinguishedname description comment ---- ----------------- ----------- ------- CLIEN01 CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com COLLECTOR CN=COLLECTOR,OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com DC1 CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com DC2 CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com DC3 CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com Total objects: 5
In the domain field we can also provide a LDAP Distinguished name also to control the scope of the query:
meterpreter > adsi_computer_enum 'OU=Domain Controllers,DC=acmelab1,DC=com' OU=Domain Controllers,DC=acmelab1,DC=com Objects ================================================ name distinguishedname description comment ---- ----------------- ----------- ------- DC1 CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com DC2 CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com DC3 CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com Total objects: 3
For user accounts it functions in the same manner:
meterpreter > adsi_user_enum acmelab1 -m 10 -p 10 acmelab1 Objects ================ samaccountname name distinguishedname description comment -------------- ---- ----------------- ----------- ------- Administrator Administrator CN=Administrator,CN=Users,DC=acmelab1,DC=com Built-in account for administering the computer/domain CLIEN01$ CLIEN01 CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com DC1$ DC1 CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com DC2$ DC2 CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com DC3$ DC3 CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com Guest Guest CN=Guest,CN=Users,DC=acmelab1,DC=com Built-in account for guest access to the computer/domain cperez carlos Perez CN=carlos Perez,CN=Users,DC=acmelab1,DC=com helpdesk IT Helpdesk CN=IT Helpdesk,CN=Users,DC=acmelab1,DC=com krbtgt krbtgt CN=krbtgt,CN=Users,DC=acmelab1,DC=com Key Distribution Center Service Account krbtgt_28732 krbtgt_28732 CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com Key Distribution Center service account for read-only domain controller Total objects: 10
Now the command that provides the greatest flexibility is the the **adsi_domain_query** command since this one lets you craft your own queries and specify what fields you want. For these we need to use the LDAP Filtering Syntax, one of the best resources I have found for this is the SelfADSI page <http://www.selfadsi.org/ldap-filter.htm> The command differs from the rest in that it lets you build your query and you can specify the fields. This can get tricky if you have no previous experience with LDAP and AD. You can check in MSDN, user PowerShell [adsisearcher] accelerator or use ADSI Edit on a lab Domain to figure the fields.
Lets look for disabled accounts, get their name, disguishedname and description:
meterpreter > adsi_domain_query acmelab1 (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.1135220.127.116.113:=2)) name distinguishedname description acmelab1 Objects ================ name distinguishedname description ---- ----------------- ----------- Guest CN=Guest,CN=Users,DC=acmelab1,DC=com Built-in account for guest access to the computer/domain User15 CN=User15,CN=Users,DC=acmelab1,DC=com User28 CN=User28,CN=Users,DC=acmelab1,DC=com User36 CN=User36,CN=Users,DC=acmelab1,DC=com krbtgt CN=krbtgt,CN=Users,DC=acmelab1,DC=com Key Distribution Center Service Account krbtgt_28732 CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com Key Distribution Center service account for read-only domain controller Total objects: 6
Lets find all OUs in the Domain:
meterpreter > adsi_domain_query acmelab1 (objectclass=organizationalunit) name distinguishedname acmelab1 Objects ================ name distinguishedname ---- ----------------- Domain Controllers OU=Domain Controllers,DC=acmelab1,DC=com ITS OU=ITS,DC=acmelab1,DC=com International Marketing OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com Local Marketing OU=Local Marketing,OU=Marketing,DC=acmelab1,DC=com Marketing OU=Marketing,DC=acmelab1,DC=com Sales OU=Sales,DC=acmelab1,DC=com Total objects: 6
- Anyone Using POS Is At Risk - So, malware that infects POS systems has been for sale in the underground for a while. The thing that get me is, attackers need access to the system, either via credentials or vuln/exploit. So, to me, this is nothing new. The fact remains that people will re-use credentials, use weak passwords, and not patch their systems. So, defense against this new malware is the same! We've got PCI, and a lot of good its doing now. I think the real failure here is security implementations, credentials and patches, and then being able to monitor effectively. Now before you jump around and yell, yes I know, the Target breach came from a partner credential or something. This is a problem, how do you get your partners and vendors to maintain a strict security policy like you do?
- Target traces security breach to stolen vendor credentials - See my question above, interesting. Attackers, get this, used a system not related to payment systems. Go figure, and this is one of my main problems with PCI, people as a result only focus on the payment systems. If you are not enforcing a security policy that restricts which systems can talk to some other systems, then everything needs to be at the same, higher, security model. Even if you try to segment, the problem is stuff needs to communicate, and those channels will be exploited. After years of pen testing, the strategy remains the same, gain a foothold and work you're way through. One of the keys to defense? Try to detect this early on and make it harder to jump from segment to segment.
- Toy Maker Hasbro’s Site Serving Drive-By Download Attacks - And knowing is half the battle. If you have a popular web site, you are under attack.
- "High-Volume DDoS Attacks Top Operational Threat to Businesses - Lots of new about DDOS, I refer to Allison for exper opinion, but I gotta imagine there are security folks working on this problem. My question is how much time and effort should you put into DDOS defense? Guess it depends on what you have at stake.
- Would NFC smartphones have helped at Target? - I fail to see how this solves the problem. A Google wallet? Are you kidding me? Why would I trust the security of 1) NFC 2) My Smartphone and 3) Google with payment information?
- Remote code execution bug in Yahoo servers leads to root access - With so many properties, this is bound to happen.
- Use MediaWiki and hate malware? This patch is for you - Time to update!
- Multi-platform Java bot marshals ZOMBIE FORCE against spammers - Love the multi-platform.
- "Red or Blue - Interesting article, I agree we need to encourage everyone, of all sexes and race, to join our great field. Though, I don't see us only marketing to a certain crowd, nor do I feel like the security community is a "boys club". In fact, out of all the professions and such, I believe security is the most accepting and diverse. However, 13% are women, not sure why this is!
- Multi-platform ZOMBIE - [Larry] - uhhhh, yes. Written in java. of course it is multi platform. However it is targeting a specific vulnerability, so it might not present it self in all platforms, such as android…
- Stolen @N - [Larry] - How a little social engineering compromises some domains, almost nails paypal, and results in domain for a twitter handle ransom.
- Scumbag Pentester - [Larry] - I really want to know who the company was that issued this report. The read is hilarious.
- Targeting vendor credentials. - [Larry] - A vendor password, eh? Not a lot of details here, but I'm hoping that we can discuss. BMC's bladeLogic was mentioned in some of the reports, but was a "ruse". Let's dicuss a hypothetical around that.
- More Spyeye guilty pleas In its heyday, Spyeye was a financial theft malware that required little to no technical skill to build and deploy. It also had a rivalry with Zeus, including "zeus killing" features in its bots.
- Punish careless employees to reduce security breaches, vendor says This might be cathartic in the short term but reigns of terror in the workplace are generally not so helpful.
- The Only Thing Scarier Than Self-Driving Cars Are the Hackers Waiting to Attack Them For software defects that can be fatal, I don't think the status quo of "patch, and if you get hacked it's your fault" is acceptable here.
- First Android bootkit malware spotted; reportedly found on over 350,000 mobile devices, most in China - [Carlos] First ever Windows Malware to infect Android Phones, so now we see a new way for malware writers to jump in to Mobile devices, in this case the device needs to be left with USB Debugging enabled.
- First ever Windows Malware that can hack your Android Mobile - [Carlos] Wow no we are seeing root kits on mobile devices and yet most MDM solutions fail and many still say they is not enough data to worry.
- In this old post CSO Andy asks and answers the question "Why don't websites default to SSL/TLS?" Still timely, possibly moreso now.
http://www.securitytracker.com/id/1029699 - Cisco Identity Services Engine Input Validation vulnerability.
This story is a reminder of how much we need organizations to integrate security early in the development planing process.
http://owasp.blogspot.com/2014/01/owasp-statement-on-security-of-internet.html - OWASP stating their strong preference for the importance of application security. Application security awareness is not at a stage of general public awareness but the basic principles and issues at hand need to be communicated.