This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.
This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 116 for July 31st, 2008
Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- PaulDotCom Monthly Late Breaking Computer Attack Vectors Webcast - August ??th, 2:00PM EST
- ISC Podcast?
- ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
- Larry and I will each lead a team, names to be announced
- Attendance and participation is FREE, come join one of our teams!
- 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
- Looking for food/drink sponsor
- Featuring wireless, voip, and SCADA!
- DEFCON 16 - Larry will be there - Thursday, Quarks 2PM IRC Meetup, Core Security Party - 6:30 PM (invite needed), the Summit, 9:00PM. Saturday, podcasters meetup, Sunday, IOActive/StillSecure party.
- Help support pauldotcom with your donations. Visit http://pauldotcom.com and press the DONATE button.
Mini Tech Segment: Update to Larry's Hacker Keychain
- The list update -
- PNY 2 Gig USB - COFEE (Computer Online Forensic Evidence Extractor), for windows memory forensics. - Yes, I suspect that this has shown up somewhere....say here...
- Generic 512 Meg USB - Because sometimes you have to resort to sneakernet. I changed this to NTpasswd (via unetbootin), a simple password recovery tool...to hell with sneakernet. I can always use the guest for that...
- Sandisk 1 Gig U3 - USB Hacksaw with Gonzor payload. Yes, AV can kill this one. Yes it is modifyable to be able to change a few things to make it a little less obtrusive.
- Wants update -
- bootable, full featured Linux Distro - Ubuntu maybe? Got this one! Check out unetbootin, a windows tool that rocks for USB bootable distros.
- Winternals ERD bootable, or something similar to just change an admin password. Checked out nordahl, and trinity. Now I've got both.
- TSA safe screwdriver, something like this or more like this - I've failed on all of my ebay auctions thus far.
Tech Segment: Arp Cache Poisoning Notes
So, for some future technical segments I am researching the best ways in which to Arp cache poison. Below are some interesting notes:
There is a cool program called send_arp (http://insecure.org/sploits/arp.games.html) which does arp cache poisoning. Its pretty simple right, consider the following example:
- DNS Server: 192.168.1.10
- Attacker: 192.168.1.67
- Victim: 192.168.1.61
./send_arp 192.168.1.10 00:1f:c6:7b:4e:a2 192.168.1.61 00:0c:6e:20:6b:4e
In this example, 192.168.1.10 is our DNS server, followed by its Mac address. 192.168.1.61 is our victim, followed by its MAC address. The above command sends the arp entry for 192.168.1.10 to 192.168.1.61. In my example, I am tell the client "Hey, your DNS server's MAC address is really 00:1f:c6:7b:4e:a2". This now means that all of that traffic will be forwarded to that mac address. This works great, Windows is the target in my example, and its totally fooled. If I fire up tcpdump, I can see the requests:
16:17:24.561166 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28) 16:17:24.561179 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28)
However, from the client's perspective, things are not-so-happy. Why? Because my attacking hosts IP addreess is not 192.168.1.10, so the IP stack has no idea what to do with the packets. Essentially, we've spoofed layer 2 and didn't tell layer 3. So, even if I am running a DNS server at this point, my machine will not respond. It will only respond to IP traffic sent to 192.168.1.67, its assigned IP address. So, what most of us attacker type people do is enable forwarding in the Linux kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
So now the Linux kernel will forward the traffic to 192.168.1.10, and the client can then resolve names and the world is happy again. This works great for intercepting traffic and packet sniffing. However, what do you do if you want to manipulate DNS entries as they are going by? While further research is needed to find the best way to do this on Linux (I was hoping to receive feedback on this one :) Cain & Abel works great for this. They do APR (Arp Poison Routing) which takes care of this routing layer. This allows you to re-write the responses and change entries, screenshot below:
So how is this different from the DNS bug that Dan found? Arp cannot cross layer 3 boundries, so you have to be on the same subnet as your victim. However, if you are able to compromise the internal network, you can launch this attack. There are several ways to mitigate, using tools such as arpwatch and even snort has ways to monitor the Arp table. However, I've found that most people do not configure these defenses. This can be a very subtle way to control hosts on the network, and next week we will explore some attacks that will build on this segment.
Below are some tools that enable you to do this as well:
- dsniff - The "arpspoof" command will let you do this.
- Cain & Abel - A Windows-based tool that will let you do this as well.
Stories of Interest
Owned via updater - [Larry] - How about delivering exploits via an automatic update. The problem is that many of the automatic software update services for all of these software packages don't contain any authentication - it is all blind faith. Combine with a nice DNS cache poisoning attack and you get owned. Here's a link to evilgrade, Which implements this attack, DNS and all (plus more!)
802.11n USB Dongle From ASUS - [PaulDotCom] - " the USB-N11. Sporting integrated support for Mac, Windows and Linux-based computers, this draft-N compliant device also features a WPS (WiFi Protected Setup) button" I'm kinda turned on right now :) There not out yet, and I like how its supported under all platforms. I wonder if the drivers will be open-source or binary blob? Most likely the latter... WPS is interesting, and good to see it come to market, however I wonder just how usable it will be and if any vulnerabilities will be found...
Cisco NAT failure for DNS attack - [Larry] - This single issue appears to affect several different Cisco technologies when using NAT/PAT in front of your DNS server with either a PIX, ASA or IOS based device. The NAT/PAT translation as handled by the the Cisco device still leaves the ports un-randomized after the NAT/PAT translation. So, even though your server is patched and appropriately randomized, the Cisco device, can "un-randomize" it for you. Insert evil use for unpatched Cisco theory here.
Evilgrade is so evil! - [PaulDotCom] - I love this concept. Many vendors update processes, iTunes, Java, Winzip, do not authenticate their updates. This means I can spoof the update server and insert programs as updates. This group released a toolkit that looks similar to metasploit that will let you manipulate the update processes and install backdoors, for example. This is a great example of "Hacking Without Exploits", with one caveat, you have to Arp spoof or somehow get a MITM attack going to make this work. Fortunately, we have lots of examples of this, our very own tech segment, and even the new DNS exploit. There is a video which shows an example, can you say sexy?
Irony and HD Moore - [Larry] - HD Moore writes a metasploit module for the DNS attack. It gets used against an unpatched AT&T DNS server, and the Portions of hte BreakingPoint (metasploit parent company) internet traffic gets redirected fake google site. Owned. HD's quote "It's funny," he joked, "I got owned." UPDATE: Turns out the Quote is fake, and HD clarified a number of the issues.
A/V is not dead, you should still use it - [PaulDotCom] - But understand its limitations! With A/V there is a much greater exploitation, or infection, window if you will. This means that virus writers/malware is far ahead in a lot of cases than the A/V companies. So, don't always fall back and lean on A/V to keep your network safe, and sleep easy at night. You need other layers to suppliment.
Information disclosure is good - [Larry] - ....but onot listening is bad. Some researchers discovered how to decode the high security Medeco locks utilizing a design flaw. It took a long time for Medeco to listen, and revert to an older style part. The other question is, where is the patch for all of the old locks?
Additional security for Gmail - [Larry] - Now you can force HTTPS connections for the entire session. This will also protect your cookies, which should prevent "sidejacking" or the hamster attack. This would be interesting to see if it works at the wall of sheep at DEFCON.
The KARMA Cafe! - [PaulDotCom] - Yes, thats right, its the KARMA cafe, where all your wireless is free!
One fail begat another - [Larry] - Remember the story we reported on in the last episode about the issues with the San Francisco city network, and the admin not revealing the passwords? Well, to make matters worse, they ended up revealing the passwords in the documents for the legal proceedings. Now, not only they have to recover said passwords/devices, now they also have to change the passwords.
Open Source/Free OSX laptop locator - [Larry] - something good to have on your laptop - this one is a free one for OSX (there is also a linux and windows version too!). I wanted to look into something like this, as I shoul dhave something for DEFCON. Let's discuss the advantages/failures of some of the laptop asset tracking stuff.
iPhones in the enterprise - [Larry] - Sure, new toys are awesome, but don't forget to evaluate the security implications of those new gadgets. Discuss the implications of iPhones in the enterprise, and why ActiveSync may not do all you need.
Other Stories of Interest
Performance issue with bind 9's -p1 release [byte_bucket] - In an email to the bind-users mailing list earlier this week, Paul Vixie briefly outlines some of the performance problems with bind 9's -p1 patch (the one we all know and love thanks to Dan Kaminsky). Before -p1 was released, Vixie indicates that there were know performance issues with high-traffic recursive servers handling over 10K queries/sec. After its release to the public, some more serious issues related to port allocation became apparent. A new patch for these (fixes and others) is due out at the and of this week. Here are the [ISC's] recommendations for dealing with these issues:
- IF you are NOT experiencing any issues with the 9.5.0-P1, we recommend that you continue as you are and install the -P2 version when it is available.
- IF you are experiencing any problems with 9.5.0-P1, ISC recommends that you roll-back to 9.4.2-P1 and not run the 9.5.0-P1 code at this time.
- IF you are running 9.4.3b2 or 9.5.1b1 without issues, continue as you are and wait for the next beta, release candidate or production release of that version.
- On the download page, we will be adding the following: 9.5.0-P1 is NOT recommended for Windows environments, there will be a follow-on release for Windows available shortly.
Atheros unveils free Linux driver for its 802.11n devices [byte_bucket] - from the post on the MadWifi wiki - "We are pleased to announce Atheros has released ath9k to the community. This driver is aimed at inclusion to the Linux kernel and supports all Atheros IEEE 802.11n devices. This represents a major shift in terms of support from Atheros with respect to Linux. The ath9k driver comes shortly after Atheros hired two key Linux wireless developers -- Luis Rodriguez and Jouni Malinen.
We have been informed Atheros does plan to add access point support to ath9k and to work with the community to enhance and complete access point support in the Linux kernel. It is understood there is plenty of work required on the wireless stack to complete full access point support. Jouni Malinen will help drive this process within the community while Luis helps enhance regulatory compliance in the Linux kernel.
We are eager to work with Atheros with ath9k and applaud their efforts for properly supporting Linux."
The ath9k driver includes supports for the following chipsets:
For now, further information can be found here
Hacker keychain - additional links
- ERD commander lives as part of the Microsoft Diagnostics and Recovery Toolset. A 30-day trial version is available here
- Trinity Rescue Kit Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.
- Cold boot forensic utilities Utilities published by the Princeton University research team for "cold boot" memory analysis and encryption key recovery.
List of recommended books