Difference between revisions of "Episode198"

From Security Weekly Wiki
Revision as of 20:55, 6 May 2010


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 197 - For Thursday May 6th.

  • Pen Test Summit! - June 14-15, 2010. The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment thought leaders in the world. This must-see event lets attendees interact directly with industry leaders, discussing tough technical and operational issues to get the most value from penetration testing and vulnerability assessment expenditures.

Guest Interview: Matt Jonkman

BACKGROUND

Matt is the founder of Emerging Threats, and spent five years in the Army as an Air Traffic Control RADAR and Communications Tech. He currently works for Metaflows under NSF grant funding as well as leading Emerging Threats and the OISF.

Suricata, the Open Source Intrusion Detection and Prevention engine

Questions

Tech Segment: Zone Transfers & Embedded Systems

Security FAIL Dot Com update:

  • BTHome Hub Recap - http://www.securityfail.com/index.php/BT:Homehub
  • APC Information Leak - http://securityfail.com/index.php/APC:Smart_UPS_RT_10000XL
  • Belkin Authentication Disclosure - http://securityfail.com/index.php/Belkin:F5D7633
  • Avaya 4610 Hacking Guide - http://securityfail.com/index.php/4610

One way to find embedded systems on the Internet is to brute-force subdomain names, as described in this GNUCitizen article on hacking Linksys IP cameras:

http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-6/

They even built a handy tool to help you do it. Carlos also maintains the dns_enum module in Metasploit, which can brute-force subdomains as well.

Zone transfers (AXFR) are even better: a single request returns every record in the zone, no guessing required. For example:

# time host -la ourlinksys.com 66.161.11.121 > ourlinksys.com.out

real	0m2.564s
user	0m0.456s
sys	0m0.068s

The "host" command is great for doing zone transfers: "host -l" asks the named server for a full AXFR of the zone, and "-a" requests every record type. In this case we found a DDNS provider that happens to allow zone transfers from one of its DNS servers (the provider's other servers may still refuse, so try each one). Carlos's tool is better at finding these, as you can point it at one domain and it will attempt a zone transfer for that domain from each DNS server listed in the domain's NS records. As for the results:

# wc -l ourlinksys.com.out
120815 ourlinksys.com.out

Sweet! Here are some easy ways to find all those DDNS providers:

http://www.dmoz.org/Computers/Internet/Protocols/DNS/DNS_Providers/Dynamic_DNS/
http://www.oth.net/dyndns.html

You can put them in a list (one domain per line) and run the module over each one with msfcli ("E" is msfcli's execute mode), or run a single domain with only the zone transfer check enabled:

for i in $(cat ddlist.txt); do ./msfcli auxiliary/gather/dns_enum DOMAIN=$i E; done

~/msf3/msfcli auxiliary/gather/dns_enum DOMAIN=ourlinksys.com ENUM_AXFR=true ENUM_BRT=false ENUM_RVL=false ENUM_SRV=false E

I find that calling Carlos's script in this way is really slow. I've already made the request for Carlos to build in a way to read from a list of domains, which shouldn't be that hard of a feature to implement. Speaking of Carlos's script, here are the options:

msf > use gather/dns_enum
msf auxiliary(dns_enum) > show options

Module options:

   Name         Current Setting                                Required  Description
   ----         ---------------                                --------  -----------
   DOMAIN                                                      yes       The target domain name
   ENUM_AXFR    true                                           yes       Initiate a zone Transfer against each NS record
   ENUM_BRT     false                                          yes       Brute force subdomains and hostnames via wordlist
   ENUM_RVL     false                                          yes       Reverse lookup a range of IP addresses
   ENUM_SRV     true                                           yes       Enumerate the most common SRV records
   ENUM_STD     true                                           yes       Enumerate standard record types (A,MX,NS,TXT and SOA)
   ENUM_TLD     false                                          yes       Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
   IPRANGE                                                     no        The target address range or CIDR identifier
   NS                                                          no        Specify the nameserver to use for queries, otherwise use the system DNS
   STOP_WLDCRD  false                                          yes       Stops Brute Force Enumeration if wildcard resolution is detected
   WORDLIST     /home/paulda/msf3/data/wordlists/namelist.txt  no        Wordlist file for domain name brute force.
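As an added example (not code from the show notes and not Carlos's dns_enum module), the POSIX shell script below does what the segment wishes for: it reads domains from a list and, for each one, attempts a zone transfer against every nameserver the domain publishes, keeping only the dumps that actually came back. It also shows the wildcard check that dns_enum's STOP_WLDCRD option is there for. It assumes the BIND "host" utility is installed; ddlist.txt is a hypothetical one-domain-per-line file. It uses "host -l" (a plain AXFR) rather than "-la", because the terser output is easier to parse.

```shell
#!/bin/sh
# Added example for these show notes; not code from PaulDotCom or from the
# Metasploit dns_enum module.  Assumes the BIND `host` utility is installed and
# that ddlist.txt (hypothetical, one domain per line) is the input list.

# Pull nameserver names out of `host -t ns DOMAIN` output, which looks like
#   ourlinksys.com name server ns1.example.net.
# Reads stdin, prints one server per line with the trailing dot stripped.
parse_ns() {
    awk '/ name server /{ sub(/\.$/, "", $NF); print $NF }'
}

# A refused transfer prints "; Transfer failed." and no records; a successful
# one prints "NAME has address A.B.C.D" lines.  Exit 0 iff A records are present.
has_a_records() {
    grep -q ' has address '
}

# Count A records on stdin (stricter than the wc -l above, which also counts
# NS, SOA and comment lines).  Always exits 0, even when the count is 0.
count_a_records() {
    grep -c ' has address ' || true
}

# Try AXFR for one domain from each of its nameservers; keep the dump only
# when the server actually answered with records.
try_axfr_all() {
    domain="$1"
    host -t ns "$domain" | parse_ns | while read -r ns; do
        out="$domain.$ns.axfr"
        if host -l "$domain" "$ns" > "$out" 2>&1 && has_a_records < "$out"; then
            echo "$domain: $ns allows AXFR, $(count_a_records < "$out") A records, saved to $out"
        else
            echo "$domain: $ns refused"
            rm -f "$out"
        fi
    done
}

# Subdomain brute force with a wildcard check: if a random label resolves,
# every guess will appear to exist and the results are noise.
brute_subdomains() {
    domain="$1"; wordlist="$2"
    probe="$(date +%s)xx$$.$domain"        # label that should not exist
    if host -t a "$probe" | has_a_records; then
        echo "$domain: wildcard A record detected, skipping brute force" >&2
        return 1
    fi
    while read -r label; do
        host -t a "$label.$domain" | grep ' has address '
    done < "$wordlist"
}

# Live run only when a list file is given, e.g.:  sh axfr_sweep.sh ddlist.txt
if [ "$#" -gt 0 ]; then
    while read -r d; do try_axfr_all "$d"; done < "$1"
fi
```

Run it as "sh axfr_sweep.sh ddlist.txt". Only point it at zones you own or are authorized to test; the same script, run from outside your network against your own domains, is a quick check that your nameservers' transfer restrictions actually hold on every server, not just the primary. "dig axfr DOMAIN @NS" returns the same data if you prefer dig's output.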

Stories For Discussion

  1. Is Barnaby Jack back at it? - [Larry] - Last year, after a gagged attempt at revealing flaws in a popular ATM, it looks like he's back on for BlackHat this year. Because a year has passed, he's been given another year to research, this time to demonstrate a rootkit for not one, but two ATMs. Jeff Moss is quoted as saying "Jack has a living room full of ATMs."
  2. Silent patches - [Larry] - Core Security Technologies reveals that Microsoft released two patches that fix "secret" vulnerabilities. The information on these vulnerabilities was never disclosed, but was reversible from the patches. So, what do you think about silent patches and disclosure? Not giving admins the correct information to choose a deployment schedule? Providing info to an attacker?
  3. Chinese Wifinders - [Larry] - Wireless cracking and piggybacking has come to the masses. For about $25, you get a USB wireless card, an antenna and an apparently customized version of BackTrack that will get you some wifi keys and set up your Windows install to use them.
  4. Getting phished can happen to the best of us - [Larry] - It just goes to show that someone who is savvy can get owned. Of course, they were able to realize that they had been phished, what it meant, AND how to address it. How many of our grandmas would know?
  5. I can stalk you! - [Larry] - Hmm, how about stalking through Twitter. This project is intended to raise awareness of inadvertent information sharing through social networks by harnessing the power of metadata.

Other Stories