From Security Weekly Wiki

PaulDotCom Security Weekly - Episode 246 for Friday June 3rd, 2011.

  • The first episode of PaulDotCom Espanol is available here. We have more interviews coming in the weeks ahead....
  • ExCon and B-Sides CT coming June 11th & 12th with Larry 'No Such Thing as an ExCon' Pesce and PaulDotCom!
  • Wednesday June 15th at 2PM is a special "Secure Protocols" Special Edition with CyberSecurityWorld.com.
  • Sign up for Blackhat Training Courses:
    • PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2

Tech Segment: Penetration Testing Quick Tips


Watch the live video version of this segment above. For more videos and to subscribe to PaulDotCom TV visit http://pauldotcom.blip.tv

Download the Audio (MP3) Version of this segment here!

Quick tip #1 - Know which hosts are firewalled

When running Nmap, use the --reason and --open flags. Together they tell you why Nmap decided each port was open, closed or filtered, and how the ports that are not shown responded. "Filtered" (no-response) means nothing came back, so a firewall was most likely dropping your probe. "Connection refused" (conn-refused) means the host sent back a RST, which usually means it is not firewalled, though it could still be an IPS or an active firewall answering on the host's behalf. Sometimes you get a mix of filtered and connection-refused ports, which can mean the firewall allowed those ports through but the host was not listening on them. This is awesome information for deciding how to scan and exploit a host further. In the following example I only scanned the top 100 ports (--top-ports 100):

A mix:

Host is up, received user-set (0.022s latency).
Not shown: 53 closed ports, 45 filtered ports
Reason: 53 conn-refused and 45 no-responses
443/tcp  open  https      syn-ack
1025/tcp open  NFS-or-IIS syn-ack

Firewalled with a few ports open:

Host is up, received user-set (0.022s latency).
Not shown: 98 filtered ports
Reason: 98 no-responses
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack

Not firewalled (every closed port answered with a RST):

Host is up, received user-set (0.023s latency).
Not shown: 95 closed ports
Reason: 95 conn-refused
21/tcp   open  ftp         syn-ack
|_banner: 220 Service ready for new user.
80/tcp   open  http        syn-ack
1720/tcp open  H.323/Q.931 syn-ack
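The same classification can be applied to a whole scan file, which is handy for checking that your own firewall policy is actually in effect across a range. The following is an added example (not from the original page or from Nmap itself): it parses Nmap normal output containing the --reason summaries shown above and labels each host as firewalled, unfiltered or mixed. The "Nmap scan report for" header lines and the TEST-NET addresses are constructed; the port and reason lines reuse the three results above.

```python
import re
# Constructed sample: the three "--reason --open --top-ports 100" results shown in this tip,
# each given an "Nmap scan report for" header with a TEST-NET (192.0.2.0/24) address.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.1
Reason: 53 conn-refused and 45 no-responses
443/tcp  open  https      syn-ack
1025/tcp open  NFS-or-IIS syn-ack
Nmap scan report for 192.0.2.2
Reason: 98 no-responses
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack
Nmap scan report for 192.0.2.3
Reason: 95 conn-refused
21/tcp   open  ftp         syn-ack
|_banner: 220 Service ready for new user.
80/tcp   open  http        syn-ack
1720/tcp open  H.323/Q.931 syn-ack
"""
# "Reason:" summarises the ports --open hides: conn-refused (or "resets" in a SYN scan)
# means a RST came back; no-response means the probe was dropped, i.e. firewalled.
REASON_RE = re.compile(r"(\d+)\s+(conn-refused|no-responses?|resets?)")
OPEN_PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s")

def classify_host(report):
    """Count RST vs dropped probes for one host and label its firewall posture."""
    counts = {"conn_refused": 0, "no_response": 0}
    open_ports = []
    for line in report.splitlines():
        if line.startswith("Reason:"):
            for count, reason in REASON_RE.findall(line):
                key = "no_response" if reason.startswith("no-response") else "conn_refused"
                counts[key] += int(count)
        elif OPEN_PORT_RE.match(line):  # NSE lines such as "|_banner:" do not match
            open_ports.append(int(line.split("/", 1)[0]))
    dropped, refused = counts["no_response"], counts["conn_refused"]
    # mixed: the firewall passes ports the host is not listening on; unknown: no Reason line
    verdict = ("mixed" if dropped and refused else "firewalled" if dropped
               else "unfiltered" if refused else "unknown")
    return {"open": open_ports, "verdict": verdict, **counts}

def parse_scan(text):
    """Split Nmap normal output into per-host results keyed by the scanned address."""
    hosts = {}
    for chunk in re.split(r"^Nmap scan report for ", text, flags=re.MULTILINE)[1:]:
        header, _, body = chunk.partition("\n")
        hosts[header.strip()] = classify_host(body)
    return hosts
```

Feed it the -oN file from a scan of your own ranges and any host that comes back "unfiltered" or "mixed" is one where the perimeter filter is not doing what the policy says it should.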

Quick Tip #2: Use screen

[Yes, most seasoned Linux people know how to use screen, this tip is for those that do not. If you know about screen already, just fast forward or take some time to email/Tweet and make fun of me.]

screen is a great way to run commands that take a long time, such as Nmap or other slow tools, leave them running, and still interact with them. Nmap is the best use case because you can interact with it while it runs, using keystrokes to dump packets and get statistics.

When you first launch the "screen" command, it starts both the server and a client. Run "screen" again to create new screens, and re-attach to them later with "screen -r <pid>.<tty>.<hostname>". The best part is that if you get disconnected, the screen server keeps running, so you can come back and pick up where your commands left off.

You can use the "screen -ls" command to list all the available screens:

# screen -ls
There are screens on:
        24376.pts-1.PenTest     (06/03/11 19:37:45)     (Detached)
        24255.pts-1.PenTest     (06/03/11 19:33:30)     (Attached)
2 Sockets in /var/run/screen/S-root.

To attach to a detached screen use "screen -r"; to attach to a screen that is still attached elsewhere, detach it first with "screen -d" and then re-attach with "screen -r" (or do both at once with "screen -d -r").

You can use keyboard shortcuts to bounce between the running screens. For example, "Ctrl-a c" launches a new screen and "Ctrl-a n" moves to the next one. No more backgrounding or "nohup", which isn't the best way to do it because you can't interact with the processes.

Reference: http://www.rackaid.com/resources/linux-screen-tutorial-and-how-to/ and "Intern Ian".

Stories For Discussion

PaulDotCom Blog Roundup

Larry's Stories

  1. What a big Weiner you have! - [Larry] - Oh my, did you hear that social media is insecure? So, the story is that Rep. Weiner made some inappropriate tweets involving some boxers and, well, an appendage. Looks like the tweet ended up coming through yfrog's mobile tweet service. Yfrog adds an e-mail account of your Twitter name followed by a "random" number. If the e-mail is sent to the correct email account, it gets posted to yfrog and Twitter…so, can you say SCRIPT! More info here.
  2. I'm tired of talking about Sony - [Larry] - but it is hard not to when Sony gets hacked AGAIN! LulzSec reports that with simple SQL injection over at the Sony Pictures website they were able to recover a million usernames and plaintext passwords. Wow, plaintext passwords? Simple SQL injection? Are they not learning? No, because they are all separate silos within the parent company who do what they want. But, you'd think that someone from each of the silos watches the news and would figure that they are targets.
  3. MiTM MCAT - [Larry] - Ingenious. Man takes MCAT with pinhole camera. Sends images to a third party who translates the questions into an interface being given to 4 people who think they are taking a practice MCAT exam to become paid MCAT tutors. Test taker gets answers back from 4 test takers via third party.
  4. YAY Netgear. Now gimme all your passwords. - [Larry] - By accessing some URLs directly without authentication on the Netgear WNDAP350. These pages are accessible without any authentication. Of course Bob attempted to use SHODAN to locate a device for testing but was unsuccessful.
  5. Twitter control everything! What could possibly go wrong! - [Larry] - wow, now we have an app/API for controlling ANYTHING with Twitter. Oh boy, how many folks are going to forget to set their control Twitter accounts to private and we'll be able to find all sorts of good info, or control other devices.

Paul's Stories

  1. Russian Hacker Cracks Skype - I've heard rumours that the Chinese had hacked the Skype protocol, now here's one claiming it has been cracked by a Russian security researcher. He wants to make an open-source version of Skype. Somehow I think this will end in a lawsuit from eBay, who owns Skype. I think it's a little crazy; even if it was open-source, how does that help protect your privacy? Truth is it doesn't: if you don't want someone snooping on your calls, use your own encryption on top of it. Similar to PGP for email.
  2. Battle looms over securing virtualized systems - "the firewall and intrusion-prevention appliances, the host-based antivirus software -- simply do not work well in virtualized environments for which they were never designed." First, I'd argue that firewalls and intrusion prevention appliances really don't help protect your networks all that much anyhow. Few people run them in blocking mode, and if they do, getting around them just requires some exploit "massaging". Second, if you set up a virtual environment, why wouldn't you put it behind a firewall or IPS? I guess once an attacker compromises something in the virtual environment, few are implementing protections to keep it from spreading on the virtual host. However, the key to firewalls is management, and I don't see the resources we need to be able to manage network and virtual firewalls. Collecting requirements for this is tough; people usually just say, "well, everything needs to talk to everything". I believe if we can simplify the "zones", we may have a strategy that will be easy to manage and provide enough security to make it worth it. Example: I hacked Sony, but I couldn't get subscriber data because of internal controls. Okay, now everyone drink and come back to reality :)
  3. Firesheep on the go - Polish security researcher has created a version of Firesheep for Android, which even supports WEP, WPA, or WPA2 encrypted networks. I'd assume you'd need the key for those networks to perform the attack. Link includes video!
  4. Hacking Weiner's...Twitter Account - Did Weiner TXT a photo of his weiner to a coed via Twitter? He says it was a "hoax", implying his Twitter account was hacked. We'll never know for sure, but we do know, thanks to Erratasec, that it was not "enhanced" to depict an "enhanced" weiner.
  5. Java Payloads FTW - I think this is perhaps the best payload to use when going "phishing", or even just setting up a malicious web site. Great quote from egypt: "Code signing certs are pretty cheap -- around a hundred bucks. Grabbing a domain and cert for company.net when you're pentesting company.com will be worth its weight in shells."

Darren's Stories

  1. Gmail targeted phishing - [Darren, because it's my section... duh] - Gmail hacking targeting the White House. Chinese Gov't denies responsibility, and why not, they hacked into all our defense contractors already... These attacks were very targeted and used proper engrish.
  2. Speaking of defense contractors - [it's still my section] - Defense contractors Northrop Grumman and Lockheed Martin supposedly hacked. Did the RSA data breach come full circle?
  3. Make a bomb... enjoy your cake - [me again] - MI6 has supposedly hacked the jihadist online magazine to replace a recipe for making a pipe bomb with a recipe for making a cake. Proving humor does exist in the gov't.
  4. Finally no wires and security… maybe - [this formatting sucks, I am not doing it anymore] - 128-bit AES encrypted wireless keyboard and mouse from M$. I am sure that they aren't using static keys transmitted over the air or anything, or have a default of 0000.
  5. See, Macs don't have malware problems! - [..|..] - Mac 'quickly' released an update to catch the pesky MacDefender malware. Too bad 5 seconds after the release MacDefender adapted and can bypass the detection.