This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.
This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 115 for July 17th, 2008
Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- Network Security Projects Using Hacked Wireless Routers with Paul Washington DC, July 23, 2008 SANSFIRE and a joint podcast @ 7:00PM with the ISC folks!
- PaulDotCom Monthly Late Breaking Computer Attack Vectors Webcast - July 30th, 2:00PM EST
- ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
- Larry and I will each lead a team, names to be announced
- Attendance and participation is FREE, come join one of our teams!
- 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
- Looking for food/drink sponsor
- Featuring wireless, voip, and SCADA!
- Help support pauldotcom with your donations. Visit http://pauldotcom.com and press the DONATE button.
Special guest host
Rich Mogull - Rich is co-host of the Network Security podcast, founder of Securosis, LLC, security editor of TidBITS, a monthly columnist for Dark Reading, and frequent contributer to publications ranging from Information Security magazine to Macworld.
Tech Segment: Larry's Hacker Keychain
- The list -
- Lexar 1 Gig USB - BT3 Beta, cause this is the only version I can get to book on the mac.
- PNY 2 Gig USB - BT3 Final, cause I want the best of all the tools, when I have something other than my mac.
- PNY 1 Gig USB - bootable Ophcrack. you never know when you might need to crack an admin password, and have physical access...
- PNY 2 Gig USB - COFEE (Computer Online Forensic Evidence Extractor), for windows memory forensics.
- Lexar 4 Gig USB - Used for personal file store, encrypted virtual disk with TrueCrypt (because I can mount it easily on any platform).
- Generic 512 Meg USB - Because sometimes you have to resort to sneakernet.
- PNY 2 Gig USB - For sharing with a guest - no sensitive files, no payloads, no boot. (right now fill of Jackalope MP3s)
- Sansdisk 1 Gig U3 - Customized for automatic Core Impact agent deployment
- Sandisk 1 Gig U3 - Unused - see wants!
- Wants -
- U3 with Cusomized Meatasploit payload. Yes, gotta have one for each framework :-)
- bootable, full featured Linux Distro - Ubuntu maybe?
- Winternals ERD bootable, or something similar to just change an admin password.
- Adafruit high power TV-b-gone
- Other tools mentioned -
- Offline NT Password & Registry Editor Supports registry hives with different key indexing, so it covers all versions from NT3.51 to Vista 32/64bit and 2008 server.
Tech Segment: iPwn3d The iPhone (and Defense)
NOTE: EEEPC I am using is Eee PC 4G Surf Rev 701 (http://www.tigerdirect.com/applications/searchtools/item-details.asp?EdpNo=3701103&body=MAIN#detailspecs)
Building on last week's technical segment, I decided to experiment further with Karmetasploit. With all of the latest buzz surrounding the iPhone, and more iPhone users being added each day, the security (insecurity?) of this device is of interest. Also, its what I use as a phone and mobile device, which makes it available to me and concerning as to the security of this device. While there are many hacking their iPhones (jailbreak), I use mine for business, so I can't afford to have it be bricked. Plus, the iPhone is so pretty and Steve Jobs has me in a trance :) In any case, the first thing I noticed was there were two DNS queries that came from the iPhone:
[*] DNS 10.0.0.254:5353 XID 295 (IN::PTR 18.104.22.168.dnsbugtest.22.214.171.124.in-addr.arpa) [*] DNS 10.0.0.254:5353 XID 294 (IN::PTR 254.0.0.10.in-addr.arpa)
I did a bit of Googling and found this article, which explains this as "A Method and apparatus for detecting incorrect responses to network queries.". Interesting, well okay maybe not. Using the wonderful metasploit modules created by HD Moore within Metasploit, I fired up a browser on the iPhone and watched all of my cookies go across the network:
[*] HTTP REQUEST 10.0.0.254 > www.google.com:80 GET / iPhone Safari 3.1.1 cookies=PREF=ID=1f09d7096eab37e0:TM=1202141378:LM=1202141378:S=8HEkuIP5_zWb74Z1; MPRF=<cookie value; NID=12=<another cookie value>
Sweet, I love cookies. You can use a tool such as webscarab to play back these cookies as well. Maybe a tech segment for a future episode. Now, we showed you last week that you can grab cookies from those web sites. But lets say you want to grab cookies from a different web site, such as a web site local to the client, like their own captive portal, web-based email, or ERP system. Metasploit gives you the ability to customize the sites that you are forcing browsers to go to in the following files located in:
In this directory there is a file called "sites.txt", which lists the sites that you will force the user to visit. In the "forms" directory is a file, corresponing to each site, which contains the form information to trigger for the client:
<form name='f' action='/search'> <input name="hl" type="hidden" value="" /><input name="ie" type="hidden" value="" /><input name="q" size="55" title="Google Search" value="" maxlength="2048" /><input name="btnG" type="submit" value="" /><input name="btnI" type="submit" value="" /></form>
So, you can hack in your own sites and form values to trigger responses for other sites. Again, I would use webscarab (A Kevin Johnson recommendataion (tm) to visit the sites legitimately, review the request, then build the form file. Again, maybe in a tech segment coming soon :) One of the other things I find handy on my iPhone is the email client. Unfortunately for the end user, and fortunate for the penetration tester, metasploit comes with a module to grap POP3 and IMAP connections:
auth_imapAUTH 0.0.0.0:993 firstname.lastname@example.org mypassword auth_imapAUTH 0.0.0.0:143 example.com s00pasekr3t
TIP: You can more easily search through the sqlite3 database using the command 'strings karma.db | grep iPhone'.
Metasploit will spoof the SSL certificate, which forces the user to accept a dialog on the iPhone, and then is able to pluck the credentials from the SSL stream. IMAP with no encryption is even better, and be careful because by default my .Mac (or whatever its called now) was set to plain text by default. Some other interesting things include:
[*] HTTP REQUEST 10.0.0.254 > iphone-wu.apple.com:80 POST /glm/mmap iPhone cookies= [*] HTTP 10.0.0.254 is using Google Maps on the iPhone
Cool, metasploit at least knows when the user goes to Google maps. Wouldn't it be fun to feed them back mis-information, wrong directions, and tell them that whatever they are trying to find on the map always goes back to their home address? Or, the local gentlemen's club :)
[*] HTTP LOGIN 10.0.0.254 > twitter.com:80 pauldotcom / $1$Us2aQ0gF$2PEP6CZIzc0LqTQkrrmKP0 => /statuses/replies.xml [*] HTTP REQUEST 10.0.0.254 > twitter.com:80 GET /statuses/replies.xml Unknown cookies=
I pwn your Twitter. BTW: First person to email me what they think my twitter password is will win a prize. I made this one easy, but you may see more little challenges like this in the future. Hurry, better decypher it before defcon....
[*] HTTP REQUEST 10.0.0.254 > iphone-wu.apple.com:80 POST /dgw iPhone cookies= [*] HTTP 10.0.0.254 is using Stocks/Weather on the iPhone
Nice, now I can tell you that it will rain for the next 53 years, and that you are rich because Apple's stock is at 312 :)
- Always use encrypted wireless networks on the iPhone, never use open SSID
- Use the EDGE/3G network, which for now, will have less attackers than wireless
- Always use IMAP & POP over SSL and NEVER accept a bogus cert, ever.
- Be certain the iPhone is set to "Ask to Join Networks" in your wireless settings
- Disable wireless if you know it will not be needed
- Install some iPhone security apps: http://discussions.apple.com/thread.jspa?messageID=7572542 NOT! Okay, I did get a message from an listener who is involved with some iPhone security software call iRedHanded. I will plug it because its some of the only iPhone security software I could find, more geared towards losing your phone, but security none the less!
Stories for Discussion
Schneier et al hack "invisibility cloak" - [Larry] - Looks like Deniable File System (DFS), isn't so deniable afterall!. DFS is a method for storing files with Truecrypt that encrypts files, then stores it in an encrypted volume, which allegedly hides the files. All that is required is to prove that the encrypted data exists - and we have plenty of methods for detecting that.
Hiding Malware In Your Browser: An Example - [PaulDotCom] - What a better place to hide malware, inside Firefox as a hidden extension? This article covers some code that hides the extensions, its up to you to write the malware and then get the user to install it. This should not rely on an exploit, but use the built-in functions inside the browser to operate. This is a fantastic idea, I'd love to see a good way to install a hidden firefox extension that grabs all user cookies/usernames/passwords/all form fields, and posts it to a web server. Extend this further, and grab all requests, like a remote sniffer but for browsers, and collect information to perform CSRF attacks against internal applications. Of course, a standard network sniffer would accomplish the same thing, but leave more of a trace and get picked up by A/V much easier.
Testing in production is bad - [Larry] - Facebook had a bug that in their private, for developers only beta version, were able to access "hidden" birthdays. Two words of advice - don't test systems with live data, or in a production environment, and don't use your real birthday online, unless absolutely required...
Own The Enterprise Though the BES - [PaulDotCom] - Man, people love their crackberrys, and most organization's use them. After all, they can be locked down and remote wiped, features that many other smartphones lack. This exploit requires that you send a PDF to end-users, which gets parsed by the blackberry attachment service, which has an overflow vulnerability. Now you own the blackberry server, can read all emails, and even potentially install malware on user's phones. Wouldn't that be neat...
Information reveal form partially encrypted disks - [Larry] - this one if kind of a no braininer if you think about it, but who thinks about it? So, create an encrypted volume, put all your word and google docs in there. Mount the volume, and open a document to begin working on it. So, where is that data now unencrypted? Memory, sure. But what about auto saves, temporary files, and crash recovery documents?
Wayward faxing - [Larry] - This can lead to information disclosure! Sure, the manual prpcess, but what about automated, computer based faxing systems? do you know where you faxes are really going? Who has the ability to edit the phone numbers in your automated system? what if an attacker were to do it?
Processor bugs - [Larry] - Sometimes I think it, and it becomes reality...last week when we talked about DNS issues, I mentioned that it could potentially lead to remote code execution. I was reminded by a listener (cs_weasel) that the DNS implementations were across several OSes, and architectures, and that made a ubiquitous attack nearly impossible. well, now here is the possibility, that regardless of the os, is may be possible to have an attack that works at the hardware level... [PaulDotCom] - This has potential to be serious as it is independent of the OS, if you have say an Intel Core Due processor, you could be vulnerable. My question is, what's the patch? Software? Hardware? Do I need a new CPU to be safe? Guess we'll have to wait for the conference for more details (HITB conference)
Dialogs Of Doom - [PaulDotCom] - Interesting little thought piece on how to get a user to click on something by using pop-ups in front of it, like lots of them, and hope they keep clicking their way past them and then saying yes to a bogus cert or other security warning. In short, I like, and I think it will work.
analyzing scripts in malicious PDFs - [Larry] - A neat way to analyze PDFs for scripts that may be harmful. Hexeditors, ghostscript and perl are your friends!
IT admin hijacks city network - [PaulDotCom] - There are several puzzling things here, such as how this person was able to lock everyone out of the router. Password recovery anyone? Also, it underscores the need for checks and balances, review your procedures and practice carefully such that one person cannot easily lock everyone out of the entire network. Use logging to identify when something like this happens. The article references replacing the gear, which is silly because I've always been able to do password recovery, as I've locked myself out of far more cisco devices securing them than I care to mention :)
of duties - [Larry] - Oh man, this is a prime example of why segregation of duties (and having backup staff), and checks and balances are a good thing.
240 seconds - [Larry] - That's the ISC new time for how long an un-patched, unprotected system lasts on the internet. Ouch. 4 minutes.
Webroot founder update - [Larry] - he went missing, and now unfortunately found dead. Our sympathies to his family.
Reboot my router? - [Larry] - You'd think embedded devices would be stable, but no.... [PaulDotCom] - This is an implementation thing, and most are doing it wrong. Your router should not have to reboot when you change the wireless settings, but many firmwares will do this, ignorance maybe? You really need to change the NVRAM values, then in OpenWrt, for example, run the "wifi" command to restart the wireless drivers. I think many device manufactures are lazy and just reboot, yet another reason to hack your router :)