Difference between revisions of "Episode294"

From Security Weekly Wiki
Jump to navigationJump to search
Line 141: Line 141:
== Jack's Stories ==
== Jack's Stories ==
#[http://www.infosecurity-magazine.com/view/26654/99-of-attacks-could-be-stopped-by-patching-/ 99% of who, what?] There is so much wrong here I don't know where to start. Like most conversations with crazy people it starts innocently enough, but gets crazy fast.
#[http://www.infosecurity-magazine.com/view/26654/99-of-attacks-could-be-stopped-by-patching-/ 99% of who, what?] There is so much wrong here I don't know where to start. Like most conversations with crazy people it starts innocently enough, but gets crazy fast.
#[http://www.gao.gov/assets/600/592008.pdf GAO testimony] Testimony Before the Subcommittee on Counterterrorism and Intelligence, Committee on Homeland Security, House of Representatives. Yes, it is a bit politicized, but still some interesting references and decent fundamental definitions.

Revision as of 22:31, 28 June 2012

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 294 for Thursday June 28th, 2012

Interview: Marcus Sachs


Marcus Sachs is the Vice President for National Security Policy at Verizon in Washington, D.C. where he works closely with government and business stakeholders in task forces, working groups, committees, and trade associations as part of the National Security/Emergency Preparedness (NS/EP) community in the Nation's Capital. In January 2011 he was elected to be the Vice Chair of the US Communications Sector Coordinating Council. In November 2007 Mr. Sachs was named a member of the Commission on Cyber Security for the 44th Presidency. From August 2003 to December 2010 he directed the all-volunteer SANS Internet Storm Center.


  1. How did you get your start in information security?
  2. What advice do you have for others on how to get their start in information security?
  3. How much of a role should the Government play in software security? Laws and regulations exist for things like smoking, seat belts and helmets, what about legislation for software security or even good passwords?
  4. How much of a threat is industrial espionage as carried out against US computers and networks?
  5. What can ISPs contribute to the overall security of the nations computer systems and networks?
  6. When discussing protecting the nations infrastructure from attacks, how much is internally focused (like FBI) and how much is externally focused (like CIA)?
  7. How is intelligence about evil bad guys different in the real word and the hacking world?
  8. What was the reaction from people when you proposed to create the US-CERT and what are the major goals? Have they been met?
  9. What type of security challenges are you faced with at Verizon?
  10. Which lessons in critical infrastructure security can we take and apply to all of our organizations?

Tech Segment: Jeff McJunkin on admin randomization and Kon-Boot over PXE

Teasers & Plugs

  • Larry will be delivering the Keynote at Hack3rcon^3 Doomsday Eve. Hackers and prepping, what could be better?

Tech Segment Details

Details can be found on Jeff's Blog

Tech Segment: Brute-Forcing Wordpress Password Hashes with Hashcat on Backtrack 5

Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration is: available online. If you have not yet registered or submitted a talk, please do so now.
  • Episode 295 will feature an interview with Randy Marchany. Don't forget about Episode 300, being recorded on August 31 from 10AM-6PM Eastern in support of a cure for breast cancer. We will have technical segments and round table discussions from the security community!


This was a very simple way to brute force Wordpress password hashes. If you Google around a bit, its not straight forward what type of hash is being used and whether it is salted. However, I found a few sites that let you enter a password, and then hash it the same way Wordpress does. What does this mean? They are not salted! There may be options and add-ons that implement a better password hashing mechanism, such as bcrypt, but the version I was up against did not seem to use it. Another theory is that the blog was implemented before Wordpress implemented password hashing (version 2.5 I believe, or sometime around 2008). If the user created a password and never changed it, the unsalted hash could still be stored in the database. If Wordpress maintains backward computability, it would leave these users vulnerable. If anyone is deeper into the Wordpress code knows for sure, please sent me a note!

It is documented that Wordpress uses PHPpass, as indicated by the $P in the beginning of the hash. So, on to my tutorial:

Step 1: Find a password dictionary

Lots of ways to skin this cat, but I opted for the lowest hanging fruit in the form of the John the Ripper database:

root@bt5:/pentest/passwords/hashcat# wc -l password.lst 
3557 password.lst

Step 2: Put your hashes in a file

Collecting the hashes is up to you (more on that in a later segment). I put them in a file and sanitized them for this segment:

# cat hashfile.all 

Step 3: Run Hashcat

Here are the options I used:

  • -a 0 - Perform a "straight" attack, regular dictionary attack
  • -o - Output file
  • -m 400 - The hashes I am using are in the format of MD5 Wordpress
  • hashfile.all - My hashes
  • password.lst - Default John the Ripper password dictionary (copied from the john directory)
root@bt5:/pentest/passwords/hashcat# ./hashcat-cli32.bin -o blogpasswords -a 0 -m 400 hashfile.all password.lst 
Initializing hashcat v0.38 by atom with 8 threads and 32mb segment-size...

NOTE: press enter for status-screen

Added hashes from file hashfile.all: 19 (19 salts)
Wordlist..: password.lst
Index.....: 1/1 (segment), 3551 (words), 26215 (bytes)
Recovered.: 2/19 hashes, 2/19 salts
Speed/sec.: 2.19k plains, 129 words
Progress..: 3551/3551 (100.00%)
Running...: 00:00:00:28
Estimated.: --:--:--:--
Started: Tue May 22 11:45:19 2012
Stopped: Tue May 22 11:45:47 2012

As you can see, it only took 30 seconds to see if users were using a stupidly easy-to-guess password. Turns out we got two!

Step 4: Review Results

root@bt5:/pentest/passwords/hashcat# cat blogpasswords 

And thats it!


Teasers & Plugs

  • Security BSides everywhere: Cleveland, Las Vegas, Los Angeles more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segement!

Paul's Stories

  1. CVSS for Penetration Test Results (Part I) - SpiderLabs Anterior - Outstanding article discussing CVSS scoring as it related to penetration testing. Two great points: 1) It doesn't take into account the priveleges being used by the vulnerable service and 2) It does not take into account vulnerabilities that are linked together. I'm perplexed as to how this could help penetration testers, but am curious to see what Trustwave does with follow-up articles on this topic. While many tools and organizations will use CVSS scoring, the other big factor is the criticality in your network. This is one reason why I'm a big fan of penetration testing, it shows how attackers are looking at the bigger picture, and how you may not be, then you learn how to better defend your network. That is, if you are getting a real penetration test.
  2. Apple’s iOS Security Overview – Intrepidus Group - Insight - Turns out Apple doesn't provide all the details, and their new paper on iOS security is an overview, while somewhat helpful, not a gold mine. Profile manager has its downsides, Carlos always points out it doesn't really scale. The other thing is that iOS devices can use 3g, making it tough to secure. I don't think anyone has solved the mobile security problem, yet.
  3. More Disclosure of Vulnerabilities in Attacker Tools - Poison Ivy has vulnerabilities. I could have told you that, the code is just horrible and very finicky, which never shocks me that it has holes. The point is though, if no one is exploiting them, who cares. I am really interested in DoS conditions in attacker tools, and building in exploits for them into your network. I believe this to be one othe most overlooked aspects of defense.
  4. Can You Stop a Targeted Attack? - Could be one of the other most overlooked areas of defense: Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. Its so true, we are still caught up on prevention. Realize, you can never prevent yourself from getting a cold. At some point, you will get one. Its how you deal with it that matters, lessening the symptoms so you can function becomes the goal. So, sure, use your hand sanatizer and take your vitamins, but once you have the cold get some rest and take the right drugs so you can function and recover.
  5. How much will your driverless car know about you (and who will it tell)? - I love this, all about privacy of cars that transmit where they are taking you: If, for example, you stop at a sporting goods store, and then Victoria's secret, it would be easy to guess you were a woman, possibly with kids who like sports. It also means you could be a MILF who likes to wear sexy clothing. Mmmmm, I mean, uh, anyhow, so yea, privacy is long dead?
  6. InfoSec Resources – Reconnaissance with Images - Great article on some tools for image data gathering, still very valid.
  7. Too big to fail? - So, if you are a security company, and you collect information about visitors, it could be interesting to see who is visiting. Maybe they had a breach we don't know about? :)
  8. Users still slack about passwords: Trustwave - Interesting note: Threatpost says that since no single password was found more than three times in the 1.2 million recovered passwords, “this brings into question the integrity of the original dump and the possibility of modification by the dumper”. Did the dumper modify the results? How can you trust an evil bad guy? Certainly no one is saying that users choose awesome passwords.
  9. Gartner: Web app firewalls can support secure application development - I had to include this article again, where Gartner has basically come out and said that writing secure code is too hard, so use a WAF. Discuss, rant, rave, use your WTF key gratutiously.
  10. Code crackers break 923-bit encryption record - Pretty neat, next story.
  11. Top 10 fascinating facts about WWII code breaker Alan Turing - IT News from V3.co.uk - Thought this would go well with the story above, reading about Alan Turing is interesting, and disturbing, not sure you can apologize for chemical chastration.
  12. Breach Notification in France - Should the Government tell you you must disclose a breach? What information should you disclose? Is this a good thing or bad thing?

Larry's Stories

  1. RSA Keyless - [Larry] - Woohoo, steal RSA keys in 13 minutes, but only from one specific USB enabled keyfob. Looks like that this keyfob also stores certificates that can be retrieved, and additional attacks can be conducted. One also needs to have physical access to the fob. Of course RSA comes back and says their stuff is secure.
  2. Apple's change of heart? - [Larry] - After flashback, apple is apprently changeing the marketing form "We're invinceable" to "We do it better", and also "Safeguard your data. By doing nothing" (yay grammar Nazi), so now we have automatic updates…
  3. Pwning your WD TV - [Larry] - User input validation? Never heard of it. Use this script to run commands on your WD TV as root. I sense a complete hacking of this device coming a la the WRT54G
  4. Overshare much? - [Larry] - Cambridge University conducted a study that users were willing to overshare information on online surveys. Uhhh… I could have told you that without the need for some large study. Just look at all that crap on facebook…
  5. Great analysys of eHarmony passwords - [Larry] - so, LinkedIn was bad, but eHarmony was worse. Converting all passwords to uppercase? Really? Wow, they didn't learn from LM?
  6. 0day in hacker tools - [Larry] - Yes, the tables can be turned. I find this interesting for those of us that like to use Poison Ivy on assessments (or maybe just friendly CCDC) in that we could be using tools that leave the client systems potentially more vulnerable than they started.

Allison's Stories

  1. 1) http://www.hackforums.net/showthread.php?tid=2623715  2) http://www.justice.gov/usao/nys/pressreleases/june12/cardshoparrests.html 3) http://krebsonsecurity.com/2012/06/carderprofit-forum-sting-nets-26-arrests/#more-15655 - carderprofit forums were actually an FBI sting operation and a couple dozen people just got arrested.  The krebs and justive.gov link are work safe, but the hackforums link is more entertaining.  Some of those arrested were prominent members of the forums.
  2. Don’t Believe Everything You Read…Your RSA SecurID Token is Not Cracked - RSA responds back with a "don't believe everything you read" response
  3. Why RSA is misleading about SecurID vulnerability- And Nate Lawson from root.org fires back at RSA.
  4. JSDetox- Here's an interesting tool that I found.  If you find yourself needing to decode weird exploit kits, this might be a better solution than actually running the code and changing the 'eval's to 'alert's

http://krebsonsecurity.com/2012/06/dnschanger-trojan-still-in-12-of-fortune-500  - This is just sad because every single IDS out there ought to be able to alert if a user is making DNS requests to the FBI's seized server.  Shame! Shame!

Jack's Stories

  1. 99% of who, what? There is so much wrong here I don't know where to start. Like most conversations with crazy people it starts innocently enough, but gets crazy fast.
  2. GAO testimony Testimony Before the Subcommittee on Counterterrorism and Intelligence, Committee on Homeland Security, House of Representatives. Yes, it is a bit politicized, but still some interesting references and decent fundamental definitions.