Episode126

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable Network Security

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 126 for October 9th, 2008. A show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)
  • A big thanks to John McCash for the iPhone forensics article we covered last week.

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Banner Grabbing: Reloaded

Back when I worked for the university I need to write a fast banner grabber. This had to grab banners either on a specific port, or a set of ports, and run against two class B networks. Speed was key, the faster the better as my incident response process relied on saving time. Why? I was trying to look for one of two things:

  • Compromised hosts listening on a particular port using a backdoor or FTP server that had a known banner
  • Vulnerable software that had a specific banner which was being used by attackers to compromise systems

I wrote a quick banner grabber in C because Nmap was not quite right. Nmap was awesome at finding ports, and awesome at sending a bunch of packets at a port to determine the version and type of service running. With two class B networks, I didn't have time to wait for Nmap to send a whole bunch of packets to each port. I want to complete the handshake, send one packet with a "\n\r", and grab what comes back. Turns out, Nmap Scripting Engine solved my problem! Now with a little bit of Lua-Foo I can do what I want with Nmap, and take advantage of all of its powerful features (such as host discovery). I took my banner grabbing problem and just a few lines of code later, I had ported this functionality to Nmap:

id="Banner"

description="connects to each open port and send CRLF to grab banner"

author = "Paul Asadoorian (paul@pauldotcom.com)"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery"}

require "comm"
require "shortport"

portrule = function(host, port)
  return (port.number and port.protocol == "tcp")
end

action = function(host, port)
	local try = nmap.new_try()

	return  try(comm.exchange(host, port, "\r\n", {lines=100, proto=port.protocol, timeout=500}))

end

The output looks as follows:

# Nmap 4.76 scan initiated Wed Oct  8 23:15:50 2008 as: nmap -sV -oA bannertest%T%D -T4 -sS --script=bannergrab.nse -p1-65535 192.168.1.230 
Interesting ports on 192.168.1.230:
Not shown: 65531 closed ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP JetDirect printer telnetd
|  Banner: \xFF\xFC\x01
|  Please type [Return] two times, to initialize telnet configuration
|  For HELP type "?"
|_ > 
515/tcp  open  printer?
9099/tcp open  unknown?
9100/tcp open  jetdirect?
MAC Address: 00:60:B0:BD:68:B0 (Hewlett-packard CO.)
Service Info: Device: printer

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Wed Oct  8 23:27:14 2008 -- 1 IP address (1 host up) scanned in 684.29 seconds

I ran both my script and -sV so you can see an example of the difference.

Interview: Ed Skoudis & Josh Wright

  • Josh has been freed from the Matrix
  • Ed discusses his penetration testing course & how he built a cool hacking challenge
  • Josh will talk about cool wireless stuff
  • So tell us, how do you combine pen testing, web apps, and wireless for world domination? (Taking over the world has been on my to do list for quite some time, just getting around to it now)

Stories Of Interest

clickjacking deets - [Larry] - It is about time we started to get some the details. Lots remain broken. For those that haven't heard, at least one method is all about hidden iframes obscuring the real window that allows access - and folks click allow, because it is the only thing left to do. No-script in the latest version can help here. Goodies from gnucitizen here as well. [PaulDotCom] - Good to note that it can allow an attacker to take over your cam and mic, so for all of you hacking naked, watch out, someone might be watching (Frankly I've seen some of our listeners and am glad they all don't really hack naked :). A good demo is here, and rsnake's write up is here.

Chinese Skype IM monitoring - [Larry] - I don't know why, but people who don't get security don't think that an upstream ISP can sniff your traffic, and that it must be safe. They think you only need to encrypt at the server and workstation...not the entire conversation. This is why, that idea is false and bad. Remember, if Twitchy can has a span port, Son can China or any other provider.

Wifi Robot Uses WRT54G! - [PaulDotCom] - This dude is cool, he built an RC car witha webcam and a WRT. I really want to use this as recon in pen tests, would be so cool to sit in the parking lot and drive this vehicle in. As I found out in the ICE games, doing it in person can be dangerous!

TCP DoS Attacks: New, Old, Different? - [PaulDotCom] - TCP has been known to be vulnerable to DoS attacks for quite some time. Is there something new? The researchers who claim to have found new bugs seem to think so, or is it just hype? I agree with Fyodor, if you found something new and bad, keep it quiet until its patched. However, I agree with Dan, he had to tell people because other people figured it out. Disclosure is tricky business, but don't do it for the fame and glory.

iPhone SMS bug - [Larry] - Gah, effective thorough testing be damned! Set your iPhone not to notify on incoming SMS when locked, and no messages are revealed to third parties. Put the phone in Emergency call mode, and they are. Hmm....this is the second issue with the emergency call mode. Remember, "emergency" shouldn't mean "drop pants". Why didn't this stuff get tested, and more importantly, what is so different about the two modes that the security features are so different.

SMS as ATM backdoor - [PaulDotCom] - This is an ATM skimmer that scans your ATM card, then sends the results in a text message. This is challenging to defend against, SMS is hard to detect leaving the network.

Scan with credentials - [PaulDotCom] - My good friend Jason makes a nice point when it comes to credential scanning. Scanning all 65,535 TCP and UDP ports takes time, and can leave services unavailable. Doing a credential scan is much better, results are more accurate and it does not leave services unavailable. There is a nice blog post on Tenable's site with more information. I also like the credential scan because you can develop audit files that, for example, check that certain registry values and file permissions exist. This is a nice way to enforce your server hardening policy, you do have one, right?

TIP: Move common Windows binaries (netsh, net, cmd, sc, wmic, telnet, ftp, netstat, nbtstat) to a special folder with admin only privs. Or, remove these binaries entirely.

I get it! SIP Demystified - [Larry] - A real simple explanation on how the basics of SIP work, and now I can understand how easy, and why SIP sucks form a security perspective.

Waht goes in a response kit - [Larry] - Great suggestions, and I'd love to hear Ed's suggestions. I think I heard Ed mention at one point "magic fingers" (TWSS).

Is Hacking Into Someone's Email Not A Crime? - [PaulDotCom] - Well, it happened to Sarah Palin and to Alan Shimel. They went after Sarah's hackers, but not Alan's! My only real point on this story is that this should be illegal, and people should be prosecuted in my opinion. Otherwise we send the wrong message to people, thinking they won't have charges against them for hacking someone's email. If I open your regular mail, thats a federal offense, why should email be different? Example, email comes from insurance company, with only email access (maybe some personal information) you can cancel the policy. This was a local case and local authorities never found anyone, let alone press charges.

S/MIME? I'm confused - [Larry] - Call me an e-mail n00b, but I'm confused about this one. Mail.app stores Draft emails that are supposed to be S/MIME encrypted in clear text on the server when using IMAP. I thought S/MIME was a server to server protocol for mail transfer, and not a server to client security mechanism, or even at that a storage security mechanism....

Hidden USB Storage - [PaulDotCom] - File this one under neat, take a phone jack, hide the USB dongle in the wall, then make a conversion cable from RJ11 to USB. Sweet!