This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out, because this new client site modules rock! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.
This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 104 for April 11, 2008
- PaulDotCom SANS Click-Through - Help us, help you, help us, help y...
- Network Security Projects Using Hacked Wireless Routers with Larry Orlando, FL. on Thursday, April 24
- Cutting Edge Hacking Techniques with Paul in N. Kingstown, RI on April 15-16
- Pen Test Summit - June 2-3 to be attended by Larry
- Rhode Island Linux Install Fest - We made a blog posting detailing the event (including pictures) - Was held on April 5 at OSHEAN; another to come, possibly as soon as September.
- Custom Laptop Skins - Mike Boman made us some. They rock!
- Raisl1n sent us the best beer in colorado, YETI Imperial Stout from the Great Divide Brewing Company.
Tech Segment: Wesley McGrew
Wesley discusses the McGrew Security RAM Dumper (msramdmp).
msramdmp is a bootable syslinux USB stick that manages to boot itself without overwriting the contents of RAM. This allows msramdmp to dump the contents of RAM to the USB stick for forensic/information-gathering/crypto-breaking purposes. As was discovered recently by some Princeton researchers, RAM can hold its contents for some time (under very specific conditions) after a computer is powered down.
Tech Segment: wfuzz - Fuzzing Your Web Apps
Web application testing has become the norm when it comes to security assessments. Even if the client does not sign-up for a full on web applcation assessment, I find myself always poking at the web apps on the target site, trying to find the low hanging fruit. We talk a lot about "manual" vs. "automated", and here is an example where a tool can help you automate your web app testing, but still keep that manual component. The game is pretty simple, a web app will have parameters to accept data, your job as a tester is to find ways to run code (XSS) or access databases (SQL Injection) using the data passed to those fields. wfuzz is a set of python scripts to help you do just that. I got mine running on OS X natively and used ports to install python2.4 and py-curl (port install python2.4 py-curl). Once I had done that, wfuzz would run for me:
$ /opt/local/bin/python2.4 wfuzz.py ************************************* * Wfuzz 1.4 - The web bruteforcer * * * * Coded by: * * Carlos del ojo * * - firstname.lastname@example.org * * Christian Martorella * * - email@example.com * *************************************
Its a pretty simple concept, it reads entries from a file and throws them at the web server directly or the parameter expecting data. For example, you can use it to find "interesting" directories as follows:
/opt/local/bin/python2.4 wfuzz.py -c -z file -f wordlists/common.txt --hc 404 --html http://www.somesite.org/FUZZ
The "FUZZ" parameter will be replaced with each entry from the file. It will output some HTML, which we are capturing above into a file called "results.html". The output on the screen will look like this:
Total requests: 947 =========================================================== ID Response Lines Word Request =========================================================== 00121: C=301 1 L 10 W "blog" 00226: C=301 1 L 10 W "css" 00319: C=301 1 L 10 W "events" 00408: C=301 1 L 10 W "images" 00508: C=301 1 L 10 W "members" 00549: C=301 1 L 10 W "news" 00703: C=301 1 L 10 W "scripts" 00745: C=301 1 L 10 W "search" 00808: C=301 1 L 10 W "templates" 00812: C=301 1 L 10 W "test"
Opening the HTML file will yield the following:
Now you can just click on the links and see the results. In addition to the links, I really like see the HTTP response code as well, as it is helpful to see what the web server came back with. Now lets say you are manually browsing the web site and you see a search field. Score! Now we have a place to enter data which has a high probablility of getting displayed back to us (i.e. the search result page sometimes says, "You jus search for "Foo"). You can use wfuzz to throw a whole bunch of XSS into that field as follows:
/opt/local/bin/python2.4 wfuzz.py -c -z file -f wordlists/Injections/XSS.txt --hc 404 --html -d "zoom_query=FUZZ" http://somesite.org/search/default.aspx 2> results.html
Which outputs the raw results to the screen, and gives us a nice HTML file to review, which looks as follows:
Now you can click the buttons, send the post requests, and see the results. wfuzz is a great tool for web application testing, one which I plan to use on future assessments. You can always add more/different attacks to the files to test different kinds of conditions and encoding. Don't forget that you should always obtain permission before embarking on any kind of security testing.
- http://www.edge-security.com/wfuzz.php - Download wfuzz
- http://ha.ckers.org/xss.html - XSS Cheatsheet, AWESOME reference
- http://darwinports.com/ - Darwin ports
Stories For The Week
Hacking 802.11n with Jwrght - [Larry] - An awesome RSA preso from our favorite, Josh Wright. Lets talk about all of thin things he found that is wrong with 802.11n, including his metasploit modules and fuzzing goodies.
Darknets: The "Dark" Places on the Internet - [PaulDotCom] - I love darknet data, in fact, I should be collecting more of it. Darknets represent the unsed IP address space that has been allocated to you. You may be routing, you may not be. However, if you have IP space that you know should never contain any hosts or devices, then why should someone send a packet to it? They shouldn't, and there are various mechanisms to collect those packets, so go do it! This could be done internally (i.e. anything outside your DHCP scope and in a range where there are no static assignments), or externally, (i.e we have a class C but only use the first 10 IPs).
Mac security not so much about teh Mac - [Larry] - It took me two reads to get this article - I need more coffee! But, the long and the short of it is, that they argument that is no one is attacking Macs because of low market share, and that when they are attacked, it is form third party (non-apple) software; Flash, Firefox, VLC, or something that is cross platform - Safari and iTunes for example. I'd also argue about the open source components that OSX is built upon as well.
Sockets without telnet or netcat - [PaulDotCom] - If we had a web site of the week, this would be it, shell-fu.org! I just #! /luv/it :) This tip shows you how to retrieve a web page by using raw sockets built into the kernel. Sweet, one more way for attackers to get malware on you systems once they pwn it.
Oracle taking the lead in secure coding - [Larry] - While I certainly applaud Oracle for stepping up to the plate, I find it ironic that a company that has 160 - 400 patches a year to fix potential coding related security issues is the one... Paul, I know you have some commentary here as well.
Festival Backdoor - [PaulDotCom] - You've got to be careful what services you enable on your systems, and typically ones that have added an ad-hoc ability to open a remote socket and accept commands spell trouble. Festival is no execption, and its listenon daemon has a command execution vulnerability that is trivial to take advantage of and gain remote access. Don't let it happen to you, even if it is on the so-called "inside" of your network.
DoS Vuln in ILO-2 from HP - [PaulDotCom] - If we had a rant of the week, this would be it. There is no useful information in this advisory to help me evaluate risk. Does it DoS the server? Just ILO? Just the ILO web interface? It is a remote buffer overflow type thing? What causes the DoS? This is just crap, help me evaluate risk and give me SOMETHING to go on. Do I need to drop what I am doing and go patch my systems?
HP infected USB drives - [Larry] - Hey another consumer device with malware. allegedly this one can spread from computer to computer over the network, and or other USB keys. This is so 1991, with infected floppy disks...
The Software Security Problem - [PaulDotCom] - Excellent article and efforts from the CSO of Oracle, yea, thats right, I said the CSO of Oracle. How'd ya like to have that job? There is also a silver bullet interview with her, which is very good as well. I love this idea, I'm sure its ticking EDU people off, but I really love this idea. Its the kind of thing that needs to change to really help make things better.
Kisok Hacking - [Larry] - We've talked about this before, but GNUCITIZEN had a great write up as well. With Kisoks, is isn't always about going after the low hanging fruit. Sometimes it takes a few steps to where you need to go, and often the installers/admins have no idea that some of the steps exist...
EMC Auth Bypass - [PaulDotCom] - If I can control your data backup server, all your data are belong to us. I love the following statement, "Specifically, the authentication code contains a hard-coded login and password. By connecting to the RPC interface, and logging on with these credentials, it is possible to bypass the normal authentication process." A hard-coded password!! What were the developers thinking? This goes so far above and beyond secure coding, and makes me scard that even when developers have secure code training experience that mistakes like this will still happen. Why? Companies are driven by profit and if hard-coding a password saves 30 hours on a project, that will happen instead of the right thing.
Hacking the power! - [Larry] - Own a power station in one day - Check. This article states EXACTLY what we've been claiming all along - these systems can be hacked, generally without any knowledge of SCADA. Go after the machines/people that control the SCADA gear, usually a commodity OS, and fallible person. sure sure, those control systems should be air gapped...but we all know how many time something gets overlooked, missed or just done plain wrong - that's why we have this industry to begin with!
ShmooCon 2008 presentations [byte_bucket] - The presentations from ShmooCon 2008 have been posted. Bruce says the videos should be available soon.
From Ottawa Canada [Kraigus] Secure your wireless access points.
Empirical Exploitation of Live Virtual Machine Migration Paper [mmiller] This is a interesting paper I have not read all of it. I am told that it talks about possible exploits / or ways you can exploit VMotion and XenMotion transfers.
Tracking cars via wireless Tire Pressure Monitoring Systems? [mmiller] Things to think about when you buy a new car.
Symantec Global Internet Security Threat Report in PDF format [Mike Perez] The Higlights section has interesting notes, such as:
- Microsoft® had the shortest patch development time, at six days; Sun had the longest patch development time, at 157 days.
- During the second half of 2007, there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in Internet Explorer, and 12 in Opera.