From Security Weekly Wiki

Episode Media


"Tech" Segment: Shmoocon Update

Larry will give us the update from Shmoocon.

Tech Segment: OS X - From Recon to Exploit


I've been using a Mac now for quite some time (roughly 3 years) and never really thought of it as a pen testing platform. However, in recent months I've been using it more and more during assessments. I've found that it is well suited to run the tools I need for target identification, vulnerability scanning, exploitation, and even wireless assessments! I am using a MacBook Pro with a Core 2 Duo processor and 2GB of RAM. Due in large part to the Intel processor and the many developers who've ported their tools, I can attest that for many penetration testing tasks, OS X is well suited.


Nmap is perhaps the best port scanning tool ever created. The speed and flexibility of this tool are outstanding. Thankfully it compiles natively on OS X, provided that you have the following:

  • Xcode toolkit (compilers and such for OS X)
  • Darwin Ports (Tons of open-source software for OS X, for things like python and libpcap)

Once you've installed the above tools (they are pretty easy to install) you can then download, unpack, compile and install the latest version of Nmap (4.53 at the time of this writing). I've had to scan some pretty large networks recently (1,000 -> 3,000 devices) and Nmap has helped me identify targets quickly. The best case is that you are plugged into the same subnet as the targets; then run the following:

nmap -PR -sP -n -oA mytargets 192.168.1.0/24

The above command (with 192.168.1.0/24 standing in for whatever subnet you are plugged into) will use ARP requests to enumerate all of the hosts on that network: "-PR" selects ARP ping and "-sP" does host discovery only, with no port scan. The "-n" flag disables hostname lookups, and the "-oA" option takes a filename prefix as a parameter and will output three files containing the results (grepable nmap, regular nmap, and XML output). I like to output all three in case I decide to do anything with these files later. Another tool that is great for host discovery is nbtscan, which very quickly enumerates Windows hosts on the network:

# nbtscan

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
                 HANZO            <server>  HANZO            00-00-00-00-00-00
                 ZATOICHI         <server>  ZATOICHI         00-00-00-00-00-00

Vulnerability Scanning

Nessus is my favorite vulnerability scanner, and both the Nessus Client and Server have been ported to OS X. You can download and install them easily and set the server to update plugins automatically. I like to build scripts that parse the Nmap and nbtscan output into files containing the IP addresses of my targets. Nessus can be slow when used for host discovery, so I always feed it the output of other tools. The client and server run great and show you the results as they come in. When you see a host in red, that means "Security Holes" were found. Once you see that and read about the vulnerability, on to the next step...
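Here is an added example (not from the original segment) of the kind of parsing script described above: it pulls live hosts out of Nmap's grepable output and out of nbtscan's table, then unions them into a deduplicated, sorted target list for Nessus. The sample outputs and the 192.168.1.0/24 addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Constructed sample of what "nmap -PR -sP -n -oA mytargets <subnet>" writes to
# mytargets.gnmap (hostnames are empty because of -n).
SAMPLE_GNMAP = """\
# Nmap 4.53 scan initiated as: nmap -PR -sP -n -oA mytargets 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.9 ()\tStatus: Down
Host: 192.168.1.23 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 4.91 seconds
"""

# Constructed sample of nbtscan's table for the same subnet.
SAMPLE_NBTSCAN = """\
Doing NBT name scan for addresses from 192.168.1.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.5      HANZO            <server>  HANZO            00-00-00-00-00-00
192.168.1.42     ZATOICHI         <server>  ZATOICHI         00-00-00-00-00-00
"""

GNMAP_UP = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\s*$")
NBT_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S")

def hosts_from_gnmap(text: str) -> Set[str]:
    """IPs Nmap reported as Up; 'Down' lines and '#' comments are skipped."""
    return {m.group(1) for line in text.splitlines() if (m := GNMAP_UP.match(line))}

def hosts_from_nbtscan(text: str) -> Set[str]:
    """IPs from nbtscan rows; banner, header and rule lines never start with one."""
    return {m.group(1) for line in text.splitlines() if (m := NBT_ROW.match(line))}

def build_target_list(*sources: Iterable[str]) -> List[str]:
    """Union the discovery results, drop anything that is not a valid IPv4
    address, and sort numerically: one address per line is the format Nessus
    imports as a target file."""
    ips = set()
    for src in sources:
        for ip in src:
            try:
                ips.add(ipaddress.IPv4Address(ip))
            except ValueError:  # a mangled line, not a target
                continue
    return [str(ip) for ip in sorted(ips)]
```

Write the returned list to a file, one address per line, and hand that file to the Nessus client as its target list. A host that only one tool found (here nbtscan saw 192.168.1.42 but the ARP sweep did not) is worth a second look before scanning, since it usually means the two tools did not cover the same segment.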


I am using Core IMPACT for the exploitation piece, running in a VMware Fusion virtual machine on Windows XP. However, you could very easily use Metasploit for this purpose as well, as the latest 3.1 version will run natively on OS X. You can use Darwin Ports to install all of the necessary Ruby binaries and libraries. Using Core IMPACT, I feed in the vulnerable hosts and attempt to exploit them.


This process, which can be accomplished using 100% totally free tools, is very valuable to run on the INSIDE of your network. This is where attackers lie, typically by compromising desktops, or exploiting other devices on the network to gain access. It is vitally important that you lock down the hosts on the inside of the network, and follow the process described above on a regular basis to ensure that an attacker cannot easily compromise hosts on your network.

Stories of Interest

Cool Little PC - [Paul] - I thought this was a neat little PC and really like the design. It's scary to think that powerful computers are this small. Great for planting inside the network, also scary because someone could be walking out of your organization with one under their coat :)

Philips Skype Phone Vulnerabilities - [Paul] - It's really amazing to see vendors using default usernames and passwords in this day and age on embedded devices. This one is worse: the username is the same as the password (service/service). What were they thinking, or were they? Companies producing consumer and industry products need to step up their game when it comes to security. Oh wait, there's more, the directory traversal vulnerability discloses your Skype credentials. Sweet! I wonder, how many vendors would let a vulnerability like this slip by in a web application exposed to the Internet? Maybe some, but my point is, what's the difference?

Cisco IP Phone DoS - [Paul] - You may write this one off as a silly DoS attack against a phone and say, "So What". However, DoS attacks that cause a system to reboot, especially a VoIP phone, are powerful tools for an attacker. For example, if I want to sniff the initial handshake between the phone and the VoIP server (SIP or other protocol) I can simply use the exploit to make the phone reboot. Also, it's pretty scary to know that an attacker can cause all of your phones to reboot simultaneously. And, we know, jumping VLANs is trivial and often how VoIP is deployed.

CSRF + VoIP Phones = Bad - [Paul] - Another great little embedded device hacking tip from the folks at Gnucitizen. This time, using a CSRF attack on a VoIP phone, you can cause it to make calls. These calls can be to 1900 numbers the attacker controls or to the attacker's phone number/system to monitor the conversations. My question: who enabled the HTTP server on the phone, and more importantly allowed people to make calls from the web interface? This feature should be turned off!!!!

Another Black Eye For Anti-Virus: Mirc - [Paul] - It's interesting to see attackers use software that is completely legitimate, such as the popular mIRC IRC client for Windows, and use it for illegitimate purposes such as a backdoor IRC client to send/receive commands and transfer files to/from a compromised host. This is going to be the challenge for Anti-* vendors, dealing with attackers using legitimate tools, generating legitimate network traffic, but having the underlying purpose be malicious. For example, in my tech segment, Nmap ARP and nbtscanning generate seemingly legitimate traffic on the network (unless you are looking at thresholds for NBT traffic and ARPs, which, well, let's face it, we all have better things to do as IDS analysts).

Asus Eee PC Root-Out-Of-The-Box - [Paul] - This is just silliness; why do vendors ship products with known vulnerable software? An exploit for Samba Version 3.0.24 was published early last year!!! I am putting the responsibility for fixing these flaws solely on the vendor. I will again go back to this episode's tech segment and say that it's easy and important to scan devices and look for flaws.

Caller-id spoofing by example - [Paul] - This is a neat little interview with someone who used caller-id spoofing to exploit an organization. The exploit: trust in caller-id. By spoofing the caller-id of the HR person, the CEO, etc., you can get people to pick up the phone. If your caller-id is an external number, they might not pick it up, but if it's an internal number that corresponds to the CEO, you bet your butt they will pick it up. Pretty slick; he then goes on to describe attacks that exploit the trust people have in caller-id, for example the credit card company. Defense: never trust caller-id; get the phone number and call the person or credit card company back.

Best Social Engineering Hack EVER - [Paul] - By sniffing the 900MHz signals from employees' wireless headsets on their landlines, this firm was able to gain enough knowledge to become an insider. They pretended to be an employee that had never been to the facility, printed business cards and everything. They gave the guy a cubicle, coffee, access to the network, everything for 3 DAYS!!!! Don't use wireless headsets or wireless keyboards, and have a process that checks people's ID cards before issuing them access credentials. The fix for this one is policy and process, plain and simple. Not every security hole can be fixed by applying a software patch, and I think that too much emphasis is put on this by the industry. Process is the most important thing; once you have that, then you may want to look at tools to help you.

Listener Submitted

TrueCrypt 5 Released [securethoughts] - TrueCrypt 5.0 now supports full-disk encryption of Windows Boot volumes, and also brings Mac OS X support with GUI (although no full-disk yet).

For Your Enjoyment

l33t Eye Chart [securethoughts] - Much more interesting than the real thing ;)

Scamming the Scammers [securethoughts] - Great article showing the best counter-scams. [Paul] - I was going to add this story, but it was already here. Funny stuff! I love the "Mr Bukkake" :)