- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."
"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."
"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."
"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet..."
Shameless Plugs & General Announcements
Welcome to PaulDotCom Security Weekly - Episode 206 - For Thursday August 12, 2010.
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon!
- It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
- John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
- The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome; please see http://cyber-raid.com for more info.
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
- Ron Gula, Renaud Deraison and Marcus Ranum invite you to a Security Showcase on September 15, at the Embarcadero Center in San Francisco!
- The current status of Nessus® and future development plans
- The advantages of pairing active and passive scanning
- “How I learned to stop worrying and love regulatory compliance”
- Free breakfast! Free lunch!
More info from rstewart [AT] tenable.com
Tech Segment: Mark Baggett
[NOTE: This is a follow-up to Larry's segment in episode 170]
Back in Episode 197 Larry talked about Reconnoiter. Reconnoiter builds a company-specific list of usernames based upon linkedin.com profiles. I used the script in a recent penetration test and decided to use a similar approach to build custom password dictionaries for each user at the target company.
Userpass.py, like Reconnoiter, starts with a Google mobile search for linkedin.com profiles of a target company. On each of the linkedin.com pages it finds, we grab any web pages the user has self-identified as being theirs. Then we grab the photo from the linkedin.com profile and run it through www.tineye.com to see what other pages on the internet contain the same photo. From there we take all of these user pages and run them through CeWL to generate a custom password dictionary for each user.
userpass.py has one required parameter, "Company Name". So the simplest run is this:
python userpass.py "Target Company"
This will find all the linkedin.com profiles for "Target Company". For each user it finds, it will create a file called FirstnameLastname_Passwords.txt in the current working directory. Additional options let you set the output directory (absolute paths only), tweak the CeWL depth and minimum word length parameters, and specify how many Google result pages to parse.
$ python userpass.py "Mark Baggett" -h
Usage: userpass.py "Company Name" [options]
Options:
-g The number of google pages to parse looking for employees of the Company (default is 2)
-t Enable TinEye lookup. (default is Disabled)
-s additional search options
-m minimum word length to give to CeWL (default is 5)
-d depth of CeWL crawl (Default is 2)
-o Absolute path to the output directory ex: /home/samurai (default is .)
-p Path to CeWL binary (Default is "/usr/bin/samurai/cewl/cewl.rb")
If the -t option is specified, the script attempts to locate additional user pages by cross-referencing their linkedin.com photo with TinEye. Any additional pages are also parsed with CeWL and appended to the password file. NOTE: TinEye bot detection will temporarily blacklist your IP address when using this option. Use the -s option to strictly limit your Google results and limit the queries to TinEye, or stay away from this option. If multiple pages are located for the user you should run the resulting password file through "uniq" to eliminate duplicate words found on multiple user pages.
Example: "sort username_passwords.txt | uniq > targetpasswords.txt"
./userpass.py "Company Name" -g 5
Will run at a Google depth of 5, searching for employees of the company.
./userpass.py "Employee Name" -s "additional search qualifier" -g 1 -o /home/myhome/ -m 10 -t
Will start with a query of 'site:linkedin.com "Employee Name" additional search qualifiers' (note the quotes on Employee Name, but not on the qualifier). Will do a TinEye lookup on the linkedin.com photo. Will tell CeWL the minimum password length is 10 and will write the output to /home/myhome.
Since I don't have permission to target any specific companies in this demo I will use myself and my good friend Doug Burks as sample targets. My results are not so interesting. Here I target myself, telling CeWL that I am only interested in words that are 10 characters or longer.
$ python userpass.py "Mark Baggett" -m 10 -g 1 -t
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22Mark+Baggett%22+&start=0&num=10
User Identified - First name: mark Last name: baggett
..Fetching Linkedin Profile http://www.linkedin.com/pub/mark-baggett/8/31/193
..Found 0 Linkedin page references.
The script didn't find a LinkedIn profile photo on my account to use for TinEye and I only have one page listed on my websites. Let's try Doug's profile. Here is a run on Doug's account without TinEye searches turned on.
$ python userpass.py "doug burks" -s "security" -m 10 -g 1
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22doug+burks%22+security&start=0&num=10
User Identified - First name: doug Last name: burks
..Fetching Linkedin Profile http://www.linkedin.com/pub/doug-burks/1b/a2b/858
..Found 1 Linkedin page references.
..Launching CEWL for http://code.google.com/p/security-onion/
End of Google search results reached.
The script found Doug's link to the Security Onion Project at Google Code. Now let's try it with the TinEye.com option enabled.
$ python userpass.py "doug burks" -s "security" -m 10 -g 1 -t
Making Google Query http://www.google.com/m/search?q=site%3Alinkedin.com+%22doug+burks%22+security&start=0&num=10
User Identified - First name: doug Last name: burks
..Fetching Linkedin Profile http://www.linkedin.com/pub/doug-burks/1b/a2b/858
..Using TinEye.com on photo http://media.linkedin.com/mpr/mpr/shrink_80_80/p/3/000/052/1fe/09cf495.jpg
....Adding 3 TinEye.com Pages.
..Found 4 Linkedin page references.
..Launching CEWL for http://code.google.com/p/security-onion/
..Launching CEWL for http://securityonion.blogspot.com/2010/06/sans
..Launching CEWL for http://securityonion.blogspot.com/2010/02/defense
..Launching CEWL for http://securityonion.blogspot.com/
End of Google search results reached.
This time the script found Doug's blog at http://Securityonion.blogspot.com. More food to feed the CeWL monster!
So here is the script. Use it in good health!
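Seen from the defending side, a per-user word list like the one described above can also screen new passwords at change time. The block below is an added example, not the userpass.py script mentioned above and not code from the show; the substitution table, the 0.5 coverage threshold and the sample words are assumptions, and `min_len=5` mirrors the `-m` default.

```python
import re

# Digit/symbol-for-letter swaps commonly applied to dictionary words (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def letters_only(text):
    """Lower-case the text and drop everything that is not a-z."""
    return re.sub(r"[^a-z]", "", text.lower())


def load_context_words(lines, min_len=5):
    """Normalize a one-word-per-line list; min_len mirrors the -m default of 5."""
    return {w for w in map(letters_only, lines) if len(w) >= min_len}


def password_forms(password):
    """Two readings of a password: digits/symbols as padding, or as letter swaps."""
    return {letters_only(password),
            letters_only(password.lower().translate(LEET))}


def derived_from(password, context_words, min_cover=0.5):
    """Return the context word the password is mostly built from, else None."""
    hits = [word
            for form in password_forms(password) if form
            for word in context_words
            if word in form and len(word) / len(form) >= min_cover]
    # Longest match wins; ties are broken alphabetically for a stable result.
    return max(hits, key=lambda w: (len(w), w)) if hits else None


# Constructed sample: words a crawl of one user's public pages might yield.
SAMPLE_WORDS = ["Security", "Onion", "intrusion", "detection", "the"]

if __name__ == "__main__":
    words = load_context_words(SAMPLE_WORDS)
    for candidate in ["Detection2010!", "1ntru$i0n", "S3curity0nion",
                      "correct horse battery onion", "Tr0ub4dor&3"]:
        hit = derived_from(candidate, words)
        print(candidate, "->", "reject (%s)" % hit if hit else "accept")
```

The coverage threshold is what lets a long passphrase that merely contains one context word through while rejecting a single context word dressed up with digits and symbols.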
Guest Interview: Barnaby Jack
Barnaby Jack is the Director of Research at IOActive Labs, where he focuses on exploring new and emerging threats, and recommending areas in which to concentrate IOActive's research efforts. He has over 10 years of security experience and has held research positions at Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines.
- How did you get your start in information security?
- In 2006 you presented at Blackhat on exploiting embedded systems. I thought this was some awesome research! Creative uses of JTAG and exploitation on ARM for an embedded system. Can you tell us a little about this research? What has been done to thwart these attacks?
- We discussed your research in 2007 when you presented at CANSEC about NULL pointer vulnerabilities in ARM processors. Can you tell us a bit about that research?
- It seems people throw out security on embedded platforms. Why do you think this happens?
- So, I hear that ATMs have some vulnerabilities, care to elaborate?
- (From Twitter @eternalsecurity): How easily could your rootkit be modified for other Windows CE devices (such as POS Terminals)?
- What were the initial reactions from the vendors and how did you work with them?
- It seems most ATMs are connected via phone lines, do you think this has helped the security or hurt it because people think they are "safe" because they're not running Ethernet?
- How did you find and acquire the ATMs? Was it easy? (and I'm sure getting them on stage at Blackhat was no small challenge!)
- What made you decide to look at ATM security?
- I have to ask, what were some of the deciding factors that went into making the move from your previous employer to IOActive?
- Some may call your research, and the release of the few details you provided, irresponsible. What is your take on disclosure?
Stories For Discussion
- Dlink new security features? - [Larry] - Sure, DNSSEC. IPv6 a security feature? Maybe because it will take me forever to find you. Captcha for admin pages? Hmmm, I thought those were mostly broken. Of course this does nothing to address human stupidity and poor default choices…
- iPhone patches PDF flaw - [Larry] A couple of things I found interesting here: One, that now PDF exploits are coming to other devices than just your PC. What's next? Two, it only took Apple 10 days to patch a vulnerability that wasn't "properly disclosed" (whatever that means). That is shocking, as often OSX vulns take weeks to acknowledge and patch. Three, many news sources are claiming that "OMG, your iPhone is now safe!", uhh, no, it will be some time, if ever, before EVERYONE installs the update… user intervention is required.
- Image analysis - [Larry] - I know, a dating site, but here are some great things that you can find out with large collections of images. Apparently iPhone users have more secks. I've got some other research that I'm exploring around dating sites…stay tuned.
- Browser Private mode - [Larry] - …isn't so private after all. Well, somewhat, but one can begin to build a small profile based on artifacts stored on the system, even in private mode, such as SSL keystores, etc.
- Hacking the Ninja badge - [Larry] - Dennis, all you buddy. I wanted to highlight this as a great exercise in understanding an undocumented protocol for fun and profit. That, and I'm still trying to figure out how I didn't get a badge. I guess I'm not cool enough. :-(
- An interesting take on the Social Engineering contest - [Larry] - From none other than Kevin Mitnick. Much respect to Kevin on his response and to the contest organizers.
- Decompiling Flash - A picture speaks a 1000 words - [Larry] - Wow, gives great insight into stuff that makes it into Flash SWF items, some of it even unintended. I'll be looking at Flash in a whole new way.
- Jailbreaking = root exploit? - [pauldotcom] - Root exploits FTW! I still love my iPhone and Steve Jobs is still my hero, even though my phone has unpatched root exploits...
- Password Complexity Is Lame - [PaulDotCom] - And I agree. With seemingly unlimited computing power available cheaply to most attackers, cracking password hashes offline is trivial (be sure to check out Hashcat). Second, the Internet and systems are pretty fast, so brute-forcing can happen. Most don't implement account lockout, because, well, users can get locked out! It comes down to passwords being THE SUCK, and us needing to move to two-factor authentication. I like using an SSH key plus a password to gain access to a system.
- My Patch Tuesday Update: Geronimo Edition - [Pauldotcom] - I just want everyone to know something about this update. Microsoft said that a mitigation to the SSL MITM bug was to use HTTP. Yes, I'm serious about this, why isn't everyone up in arms about it? They also FLAT OUT LIED in the latest round by saying that "An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability." THAT IS A LIE!!!! PANTS ON FIRE!!!!
- Unauthenticated File Retrieval (traversal) within ColdFusion administration console - [pauldotcom] - This looks like a fun one to attack, consider some Google dorks like: inurl:CFIDE/administrator I'd use this to read files that contain credentials and other such fun! BTW, Adobe, your security SUCKS. PHP gets a load of crap, I think ColdFusion may be just as bad, worse even.
- Removing plugins from a Nessus report - [Pauldotcom] - I know, Nessus, blah blah, I won't even talk about this one, just a heads up that you can use the Nessus GUI to do some pretty neat filtering, such as removing plugins from a Nessus report.
- What the fuck is your information security strategy? - [pauldotcom] - Don't know the answer to that question? Just visit the site http://whatthefuckismyinformationsecuritystrategy.com/ and it will tell you! It's like the Oracle of information security, stating things like: "Audit and monitor identity access controls and apply visualization to metrics to demonstrate clear risk reduction to the enterprise" and "Apply secure architecture frameworks to emerging applications by promoting awareness and providing secure policy requirements to vendors" and my favorite: "Enable C-levels to achieve deeper penetration in business risk management by implementing a multidimensional security program that minimizes risk by maximizing accountability"