PaulDotCom Security Weekly - Episode 216 - For Thursday October 21st, 2010.
- Announcing Hack3rcon!The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend. Our very own Carlos Perez will be speaking!
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
- Register NOW for Blue Teams: "Don't Call It a Comeback" presentation with Core Security Technologies on Wednesday, November 11, 2010 at 2pm EST]
Tech Segment: Defcon PaulDotCom Badge Challenge
This year we conducted another contest for DEFCON. While it wasn't for a party badge, it was for bragging rights and a cool laser cut badge. Here's the solution:
First off, we did mention that everything that you needed was in the blog post. Many of you thought incorrectly, that like last year, the hidden goodies were in the image. You were wrong. Close, but wrong. How close? Use the source Luke!
Looking at the HTML source of the page you would notice right under that image is a URL written in white text on a white background. Of course highlighting the blog post would have revealed it, or it would have rendered in a readable format using Chrome. What does it say? http://www.badguywalmart.com
So, what happens when you get there? You get a web page with a secret i-hacked contest code. But wait, theres more! Looks a little oddly formatted. Again, a reveal of the source or a highlight of the page reveals the following text:
Welcome! Everything you need is located at the server www.badguywalmart.com. (We're in no way affiliated with Walmart Corporation, BTW.) I sure hope noone portscans me, but you have permission to do so. You do not have permission to launch attacks or compromise this box though. Please be gentle with your scans, but be thorough. You only need to worry about TCP, and ports under 1000.)
Ok, so, lets do it. We'll even do it the easy way, with as few command line options as possible. We will make sure that we don't go over port 1000 in order to be gentle.
Hiroshige:~ lpesce$ nmap www.badguywalmart.com -p 1-1000 Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:52 EDT Nmap scan report for www.badguywalmart.com (184.108.40.206) Host is up (0.015s latency). rDNS record for 220.127.116.11: static-173-69-3-38.prvdri.fios.verizon.net Not shown: 483 closed ports PORT STATE SERVICE 1/tcp open tcpmux 6/tcp open unknown 9/tcp open discard 13/tcp open daytime 18/tcp open unknown 22/tcp open ssh 30/tcp open unknown 33/tcp open dsp 36/tcp open unknown 45/tcp open mpm 54/tcp open xns-ch 57/tcp open priv-term 70/tcp open gopher 71/tcp open netrjs-1 80/tcp open http 84/tcp open ctf 115/tcp open sftp Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds
Uh, ok, so that's like a lot of weird services. Finger? Don't mind if I do. So, I did say to be thorough, right? One way we could have done that would have been with the Firefox plugin Header Spy, we would have noticed something very interesting about the header response for port 80:
The server identifies itself as "http://twitpic.com/photos/badguywalmart". Hrm. That's an interesting server header. That's no Apache! Of course, if you actually browse to that address, you'll get a bunch of pictures with phrases written on them..I wonder how those fit in.
Back to the header on port 80. So, I wonder if the other services are what nmap says they are. If we start plugging some of those other ports into a browser as well, we get the same web page as on on port 80. Clearly we have something here…even though I was looking forward to playing Netris.
Let's use the NSE script to look at HTTP headers! This one written by Ron Bowes, works real well, and when it can identify the server, it gives us a bunch of stuff (trimmed for brevity).
Hiroshige:~ lpesce$ nmap -sV --script=http-headers www.badguywalmart.com -p 1-1000 Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:55 EDT Nmap scan report for www.badguywalmart.com (18.104.22.168) Host is up (0.048s latency). rDNS record for 22.214.171.124: static-173-69-3-38.prvdri.fios.verizon.net Not shown: 483 closed ports PORT STATE SERVICE VERSION 1/tcp open http lighttpd 1.4.26 | http-headers: | Content-Type: text/html | Accept-Ranges: bytes | ETag: "-1893968157" | Last-Modified: Tue, 27 Jul 2010 03:23:48 GMT | Content-Length: 1795 | Connection: close | Date: Thu, 12 Aug 2010 14:56:55 GMT | Server: lighttpd/1.4.26 | |_ (Request type: HEAD) 7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port13-TCP:V=5.21%I=7%D=8/12%Time=4C640B67%P=i386-apple-darwin10.4.0%r( SF:GenericLines,1FF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x SF:20text/html\r\nContent-Length:\x20349\r\nConnection:\x20close\r\nDate:\ SF:x20Thu,\x2012\x20Aug\x202010\x2014:55:35\x20GMT\r\nServer:\x20I\x20come SF:\x20third\x20AND\x20sixth\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding SF:=\"iso-8859-1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHT SF:ML\x201\.0\x20Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x SF:20xmlns=\"http://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20lang=\ SF:"en\">\n\x20<head>\n\x20\x20<title>400\x20-\x20Bad\x20Request</title>\n SF:\x20</head>\n\x20<body>\n\x20\x20<h1>400\x20-\x20Bad\x20Request</h1>\n\ SF:x20</body>\n</html>\n")%r(GetRequest,80D,"HTTP/1\.0\x20200\x20OK\r\nVar SF:y:\x20Accept-Encoding\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x SF:20bytes\r\nETag:\x20\"-1893968157\"\r\nLast-Modified:\x20Tue,\x2027\x20 SF:Jul\x202010\x2003:23:48\x20GMT\r\nContent-Length:\x201795\r\nConnection SF::\x20close\r\nDate:\x20Thu,\x2012\x20Aug\x202010\x2014:55:35\x20GMT\r\n SF:Server:\x20I\x20come\x20third\x20AND\x20sixth\r\n\r\n<html><body\x20tex ***SNIP*** Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 88.84 seconds
We will note that it isn't all formatted "properly". After speaking with Ron, you might want to modify the NSE script to perform the nice output for servers on ports other than 80 and 443. Entirely up to you, as we do get the information that we need either way.
Once we look at the results we will note that we have a bunch of server headers. Some for Lighttpd, which aren't very interesting, but we are left with the following ports and services (in addition to the one already discovered on port 80 for the twitpic pictures):
Port Header 13 i come third and sixth 33 i come first 54 i come seventh 57 i come second 70 i come dot fourth N AND dot eighth W 84 i come fifth
Well, that seems interesting. That seems to be instructions! If we arrange the port numbers according to the instructions and apparent punctuation in the header we get:
33 57 13 . 70 N 84 13 54 . 70W
33 deg 57' 13.70" N, 84 deg 13' 54.70" W
Now we're talkin'. However, what is at this location? Let's Google Map it! Unfortunately, Google doesn't play well with Degrees Minutes Seconds. We can use the page <a href=http://www.fcc.gov/mb/audio/bickel/DDDMMSS-decimal.html>here</a> to convert to decimal, which google likes. Try this location instead:
Which Google maps <a href=http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=33.953806,+-84.231861+(You+can+insert+your+text+here)&sll=37.771868,-122.422972&sspn=0.045321,0.089006&g=37.771008,+-122.41175&ie=UTF8&ll=33.953546,-84.231985&spn=0.003084,0.005563&z=18&iwloc=lyrftr:m,10459900436034087647,33.953822,-84.231899>here</a> to a location with a GameStop at 6050 Peachtree Pkwy, Norcross, GA. But, what else interesting is at that address.
Unfortunatley since DEFCON, the page rank for the company we are looking for has plummeted from the second entry to the middle of the <a href=http://www.google.com/search?q=6050+Peachtree+Parkway,+Norcross,+GA&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=AkCITJG6KMK78gbXsKH6AQ&start=20&sa=N&cad=cbv#q=6050+Peachtree+Parkway,+Norcross,+GA+30092&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=lUCITMT6CIH98AbivNyiAg&start=50&sa=N&fp=368644f9c0f1c536>fourth page</a> When you see it, you'll get it.
Want to confirm? How do we know which phrase? How about downloading some pictures from that twitpic stream and using exiftool to look at the pictures? Remember, you need to download the full size image, as often post processing will remove metadata. Once we do that, we'll note that one image has the exact same GPS location as determined from our port numbers. Yep, the first one in the list. That was your phrase that pays. Now, time to go "check" you work!
Guest Interview: Mati "Muts" Aharoni & Chris Hadnagy
Mati is the founder of Offensive Security. His day to day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing. In addition, he is the lead writer and trainer for many of the “Offensive Security” courses, which focus on attacker tools and methodologies. Mati has been training security and hacking courses for over 13 years and is actively involved in the security arena, and is one of the core developers of the BackTrack live CD.
Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 13 years. As the founder of social-engineer.org his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics and also has had many articles published in local, national and international magazines and online journals. Chris is working on the management and planning of new and exciting programs with the Offsec family.
- How did each of you get your start in information Security?
- What led you to develop an expertise in Social Engineering?
- Tell us about BackTrack's current and future development, what we can expect for 2011 from BT and the SE podcast?
- What your goals for the Social Engineering webcast?
- Where you got the idea for the SE podcast,
- What are some of the current challenges to maintaining Backtrack?
- What are some of the hidden gems inside Backtrack?
- What hardware do you recommend for using Backtrack?
- Any good SE/pen test stories you can share?
- Info, on the business side, as to what offensive-security.com provides
Stories For Discussion
- 6 security leaks you should fix NOW! - [Larry] - Uhhh, wow these seem a little off base to me. Unauthorized smartphones on Wi-Fi networks, Open ports on a network printer, Custom-developed Web applications with bad code, Social network spoofing, Employees downloading illegal movies and music, SMS text messaging spoofs and malware infections. Lets discuss….
- Fake AV? Nah, it's real. - [Larry] - Kaspersky website gets poped, and links to download of fake style AV. Ironic. Kaspersky blames a third party component. You should still test it regardless, no?
- Thief backs up data. - [Larry] - Man gets laptop stolen. Man admits he's ba at backing up. Thief backs up data and mails to victim. Aww, how nice. Wait, what?
- If everyone was jumping off a bridge... - [Pauldotcom] - Scott from NW posted an article on cloud security. Scott's arguement was that since salesforce.com says they are secure, and "everyone" (77k+ users) is using then, then it must be secure. Secure cloud review puts Scott in check, stating that just because everyone is doing it doesn't mean its the right thing. I think something that plays into this is that yes, people are jumping off the bridge, landing in the water, and swimming to shore unharmed. Since no one is apparently getting hurt, then its okay and the cloud is secure. What about the people with ear infections, parasites, or those who get run over by a boat? Until that happens, people will keep jumping. All it takes is one big data breach and salesforce is no more. What you need to decide is if its aceptable risk for YOU. Will you lose your company if saleforce succombs to a data breach? Thats the decisions you need to make.
- Six "Enterprise" Security leaks? - [Pauldotcom] - I'm all for ripping on article, but I think that the new school of infosec went a little overboard on this one. A computer world article was published titled, "Six Enterprise Security leaks you should plug right now". New school ripped on them for not covering the flaws that lead to most data breaches. THe first was actually not bluetooth rifles, which new school says could only be used to get address books. I think this is largely not true. First, if someone did penetrate a mobile phone, how would you know? What mechanisms are in places at most organizations to detect this? My answer: very little. With bluetooth, or wifi, you can get more than the address book. How about stored credentials? Uploading malware? OR Josh's example of using bluetooth as a listening device? While computer world was a little off its rocker, I think the main critism new school missed was: Physical access. You need some sort of physical acess in order to pull off these attacks, therefore lowing the risk. Now, still think an area that will make wireless security explode in people's face's like a TNT laced cigar is accessing devices remotely, then using the built-in wireless to attack other wireless devies. This should be an active area of research. Then there are printers. We all know, I just don't agree with dismissing printer security. Use shodan, there are printers on the Internet. Oh yea, and your relying on your firewall to protect your printers. Do this, pretend your firewall isn't there, then defend your network. So you've patched everything you can, use enryption between your workstations/server, and guess what? I will attack your printer, because most don't support enryption, no one patches them, the protocols implement weak, if any security, and no one seems to log information from the printers. Its not about doing what everyone else is doing, its about protecting whats important to you, not what the media is discussing.
- 0day in MOXA MDM Tool - [pauldotcom] - MOXA makes industrial/SCADA products, and Ruben has released an 0day for their products. Ruben states, "I've not notified the vendor because: I am not working for them and They don't have a security contact publicly available" I'm going to be honest, control systems vendors need to wake up and pay attention to security researchers. Having a security contact is not a bad thing.
- Wall Of Shame: Pros Cons? - [pauldotcom] - I think this is a great educational tool, provided its done correctly. I believe we need to use real data, and shame people into being secure. Its similar to showing teenagers the effects of STDs, child birth, etc... Does that stop teenagers from having sex? No. Okay, so maybe thats a bad example. On the flip side, if people can see, or even better experience, something bad happen it makes them more aware. However, with a wall of sheep, they don't truly experience the full brunt of the baddness, as most wall of shame data is obfuscated and an attacker does not get your password. However, if every open Wifi network had a wall of shame, we might see users change, would we?