- Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."
"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."
"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."
Now, pull up a packet capture, pour a beer, and give the intern control of your botnet....
Shameless Plugs & General Announcements
Welcome to PaulDotCom Security Weekly - Episode 206 - for Thursday August 12, 2010.
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at BruCON!
- It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
- John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
- The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome. Please see http://cyber-raid.com for more info.
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
Tech Segment: Mark Baggett
[NOTE: This is a follow-up to Larry's segment in episode 170]
Back in Episode 197 Larry talked about Reconnoiter. Reconnoiter builds a company-specific list of usernames based upon linkedin.com profiles. I used the script in a recent penetration test and decided to use a similar approach to build custom password dictionaries for each user at the target company.
userpass.py, like Reconnoiter, starts with a Google mobile search for linkedin.com profiles of a target company. On each of the linkedin.com pages it finds, we grab any web pages the user has self-identified as being theirs. Then we grab the photo from the linkedin.com profile and run it through www.tineye.com to see what other pages on the internet contain the same photo. From there we take all of these user pages and run them through CeWL to generate a custom password dictionary for each user.
userpass.py has one required parameter, "Company Name", so the simplest run is this:
python userpass.py "Target Company"
This will find all the linkedin profiles for "Target Company" and create a file called FirstnameLastname_Passwords.txt for each user in the current working directory. Additional options let you set the output directory (absolute paths only), tweak the CeWL depth and minimum word length parameters, and specify how many google result pages to parse.
$ python userpass.py "Mark Baggett" -h
Usage: userpass.py "Company Name" [options]
Options:
  -g  The number of google pages to parse looking for employees of the Company (default is 2)
  -t  Enable TinEye lookup. (default is Disabled)
  -s  additional search options
  -m  minimum word length to give to CeWL (default is 5)
  -d  depth of CeWL crawl (Default is 2)
  -o  Absolute path to the output directory ex: /home/samurai (default is .)
  -p  Path to CeWL binary (Default is "/usr/bin/samurai/cewl/cewl.rb")
If the -t option is specified, the script attempts to locate additional user pages by cross-referencing their linkedin.com photo with TinEye. Any additional pages are also parsed with CeWL and appended to the password file. NOTE: TinEye bot detection will temporarily blacklist your IP address when using this option. Use -s to strictly limit your google results, which limits the queries sent to TinEye, or stay away from this option. If multiple pages are located for the user, you should run the resulting password file through "uniq" to eliminate duplicate words found on multiple user pages (uniq only drops adjacent duplicates, so the file has to be sorted first).
Example: "sort -u username_passwords.txt > targetpasswords.txt"
./userpass.py "Company Name" -g 5
This will run at a google depth of 5 searching for employees of the company.
./userpass.py "Employee Name" -s "additional search qualifier" -g 1 -o /home/myhome/ -m 10 -t
This will start with a query of 'site:linkedin.com "Employee Name" additional search qualifier' (note the quotes around the employee name, but not around the qualifier).
It will do a TinEye lookup on the linkedin photo, tell CeWL the minimum password length is 10, and write the output to /home/myhome. Since I don't have permission to target any specific companies in this demo, I will use myself and my good friend Doug Burks as sample targets. My results are not so interesting. Here I target myself, telling CeWL that I am only interested in words that are 10 characters or longer.
$ python userpass.py "Mark Baggett" -m 10 -g 1 -t
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22Mark+Baggett%22+&start=0&num=10
User Identified - First name: mark Last name: baggett
..Fetching Linkedin Profile http://www.linkedin.com/pub/mark-baggett/8/31/193
..Found 0 Linkedin page references.
The script didn't find a linkedin profile photo on my account to use for TinEye, and I only have one page listed on my websites. Let's try Doug's profile. Here is a run on Doug's account without TinEye searches turned on.
$ python userpass.py "doug burks" -s "security" -m 10 -g 1
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22doug+burks%22+security&start=0&num=10
User Identified - First name: doug Last name: burks
..Fetching Linkedin Profile http://www.linkedin.com/pub/doug-burks/1b/a2b/858
..Found 1 Linkedin page references.
..Launching CEWL for http://code.google.com/p/security-onion/
End of Google search results reached.
The script found Doug's link to the Security Onion project on Google Code. Now let's try it with the TinEye.com option enabled:
$ python userpass.py "doug burks" -s "security" -m 10 -g 1 -t
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22doug+burks%22+security&start=0&num=10
User Identified - First name: doug Last name: burks
..Fetching Linkedin Profile http://www.linkedin.com/pub/doug-burks/1b/a2b/858
..Using TinEye.com on photo http://media.linkedin.com/mpr/mpr/shrink_80_80/p/3/000/052/1fe/09cf495.jpg
....Adding 3 TinEye.com Pages.
..Found 4 Linkedin page references.
..Launching CEWL for http://code.google.com/p/security-onion/
..Launching CEWL for http://securityonion.blogspot.com/2010/06/sans
..Launching CEWL for http://securityonion.blogspot.com/2010/02/defense
..Launching CEWL for http://securityonion.blogspot.com/
End of Google search results reached.
This time the script found Doug's blog at http://Securityonion.blogspot.com. More food to feed the CeWL monster!
So here is the script. Use it in good health: userpass.py
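The defender's counterpart to this segment, as an added example that is not part of Mark's userpass.py or the show notes: a password-filter check that rejects a new password built from the words CeWL would harvest from that user's own public pages, undoing the usual leet and trailing-digit tricks. The wordlist below is constructed and stands in for a FirstnameLastname_Passwords.txt file; the min_len argument mirrors CeWL's -m option.

```python
import re

# Constructed sample standing in for a FirstnameLastname_Passwords.txt file:
# one CeWL word per line, harvested from the user's own public pages, with the
# duplicates that several pages produce. Not output from userpass.py.
SAMPLE_WORDLIST = """\
Security
Onion
Security
Snort
Sguil
blogspot
defense
intrusion
SecurityOnion
"""

# Common leet substitutions users apply to a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def load_wordlist(text, min_len=5):
    """Lower-case and dedupe the list (what `sort -u` does on the file) and
    apply a minimum word length, mirroring CeWL's -m option (default 5)."""
    return {w.strip().lower() for w in text.splitlines()
            if len(w.strip()) >= min_len}


def normalize(password):
    """Spellings to check against the list: leet undone and trailing digits or
    symbols dropped. Both orders are tried so that 'Snor7' and 'Snort2010!'
    each collapse to 'snort'."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return {stripped.translate(LEET).lower(),
            re.sub(r"[^a-z]+$", "", password.translate(LEET).lower())}


def weak_words(password, wordlist):
    """Dictionary words the candidate password is built from; empty means it
    survives this per-user check (a length/entropy policy still applies)."""
    forms = normalize(password)
    return sorted(w for w in wordlist if any(w in f for f in forms))


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for cand in ("S3curityOnion2010!", "Snor7", "Tr0ub4dor&3"):
        hits = weak_words(cand, words)
        print(f"{cand:20} -> {'REJECT ' + ', '.join(hits) if hits else 'ok'}")
```

Feed the function the same CeWL output an attacker would build from your staff's public pages, and a candidate such as S3curityOnion2010! is rejected while Tr0ub4dor&3 passes this check.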
Guest Interview: Barnaby Jack
Barnaby Jack is the Director of Research at IOActive Labs, where he focuses on exploring new and emerging threats and recommending areas in which to concentrate IOActive's research efforts. He has over 10 years of security experience and has held research positions at Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines.