Episode135

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 135 for January 8th, 2009. A show for security professionals, by security professionals.

  • HACK NAKED TV - Hack Naked TV! Episode 1 and 2 are out. Look for more goodies here!
  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • Register for SANS Security 560: Network Penetration Testing and Ethical Hacking before January 6th, 2009 using the discount code "Pauldotcom" and receive 20% off! More details here.
  • SANS Saskatchewan - Larry teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009.
  • Shmoocon! - All sorts of goodies! Larry and Dave Lauer Speaking on building Shmooball launchers.
    • We also have two tickets to give away! That's right, FREE Shmoocon tickets! Two of them! Listen to the trivia question at the end of the show and the first TWO people to respond with the correct answer will win a free Shmoocon ticket! One condition, if you are a winner and attend you must come by the PaulDotCom booth at Shmoocon and receive your free spanking!
    • One ticket donor asked us to mention the SANS class SEC606 - Data and Drive Forensics
  • Best Of Webcast Series - Part I - Best Of Network Penetration Testing Tools - Tuesday, January 13, 2009 2PM EST REGISTER HERE

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Billy Rios & John Walton From The Microsoft Penetration Testing Team

Join two of the best looking security researchers in the world

So, like, you guys must be busy, huh? ;)

  • So, how did you get your start in infosec and what landed you as a pen test team for MS?
  • What do you recommend for defenses against pass the hash?
  • What logging and alerting systems would you recommend to track post-exploitation activities?
  • Tell us about your presentation at Chicago con on client?
  • What's it like to pen test for Microsoft? Do you pen test yourselves or others? Any weird situations arise?
  • What do you think of the latest version of ASP.NET and its security model?

Tech Segment: Information gathering with GPG/PGP keytrusts

Sometimes you just need to know more about a person... so, bring in the non-traditional metadata.

Often times during some of the initial phases of a pen test, I find myself needing some avenues for delivering client side attacks - with permission and within scope of course! Now, finding appropriate attacks can be a challenge, but to me a larger challenge is the social aspect. How can I convince someone to actually execute my attack? Having a little more information about the "victim" is helpful.

So, how can we obtain more information? How about some information that implies some level of familiarity, so that we can spoof names. How about some context? GPG/PGP Keytrust information can serve us well here!

NOTE: Be very careful. Use at your own risk. IANAL. For illustration purposes only. Yada, yada, yada. The folks used as an example here are just that - an example. This is all public information!

So, how does a GPG/PGP Key get signed by third parties anyways? Well, some go to GPG/PGP Keysigning Parties (Yeah, I know, what nerds. Wait, I am those nerds!). Basically, a bunch of folks meet face to face, verify government issued IDs, and, based on that trust, sign each other's GPG/PGP keys. Read the whole shebang here. So, given that HOWTO (the first hit in Google for "pgp keysigning party"), what can we determine about V. Alex Brennen?

  • He's the author of the document The Keysigning Party HOWTO
  • He's the maintainer of The Keysigning Party HOWTO as of January 24th, 2008
  • He's likely got some GPG/PGP Keytrust information (see the first two bullets)
  • His e-mail address is vab /at/ mit.edu

So, let's look up his GPG/PGP Keysigning info! Personally, I like to use the keyserver at MIT (and given that Mr. Brennen's e-mail address is at the mit.edu domain, we'll likely have some luck there). Surf on over to the page, and we're given the option to search right on the front page. Now, we can search for an e-mail of choice, and list all of the individuals that have signed the particular key for that user. Mr. Brennen obviously has a few! Now, in some cases you won't turn up any signers, and you'll hit a dead end here.

What next? Me, I like to search the list of keysigners for recognizable names. Someone I know has their GPG/PGP key signed by at least one recognizable name in the industry, so creating a conversation there might be very interesting. In any case, if you don't recognize any names, you can always pick at random. Another method would be to pick a keysigner that has several e-mails. What's one more to the repertoire - this one you control! Create an e-mail at a free service and use it.

With this knowledge of keysigners we might be able to determine some information that they have in common to exchange e-mails about. In this case, we know that Mr. Brennen is an internet author on a particular subject. Surely we can use some social engineering skills to craft an e-mail for this one with web links or attachments.

Now you might be saying that someone that uses GPG/PGP is a pretty sophisticated computer user. We do all make mistakes, and often that is all it takes for a compromise - one mistake. So, that being said, it may take all of your social engineering skills to craft that perfect e-mail. Obviously, if you are using these methods during a test, be sure that it is within scope of your testing. Get permission! Make sure they know about social engineering e-mails, recipients and sources.

On the defense, there is no real way to restrict the posting of the keytrust info. That public acknowledgement is the basis of the network-of-trust-based system. Certainly one could revoke and create new keys, and have no one sign them.

GPG/PGP works just fine without keysigning. It just isn't as nerdy.
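To see what your own key discloses through its signatures, the following added example (not part of the original show notes) parses the machine-readable output of `gpg --with-colons --list-sigs` for a key and lists the third-party signers that travel with it. The sample output, names and key IDs are constructed.

```python
from collections import defaultdict

# Constructed sample of `gpg --with-colons --list-sigs` output; every name,
# key ID and date below is made up for illustration.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1199145600:::u:::scESC:
uid:u::::1199145600::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1199145600::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1201824000::::Bob Signer <bob@example.net>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1204329600::::[User ID not found]:10x:
uid:u::::1199145600::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@work.example.com>:
sig:::1:AAAAAAAAAAAAAAAA:1199145600::::Alice Example <alice@work.example.com>:13x:
sig:::1:DDDDDDDDDDDDDDDD:1206000000::::Carol Peer <carol@example.net>:12l:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1199145600::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1199145600::::Alice Example <alice@example.org>:18x:
"""

CERTIFICATION_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certifications

def third_party_signers(colon_output):
    """Return {user ID on the key: [(signer key ID, signer user ID), ...]}."""
    exposed = defaultdict(list)
    own_keyid = current_uid = None
    for line in colon_output.splitlines():
        f = line.split(":") + [""] * 11      # pad so short records index safely
        record = f[0]
        if record == "pub":
            own_keyid, current_uid = f[4], None
        elif record == "uid":
            current_uid = f[9]
        elif record == "sub":
            current_uid = None               # what follows are subkey bindings
        elif record == "sig" and current_uid is not None:
            signer_keyid, signer_uid, sig_class = f[4], f[9], f[10]
            if signer_keyid == own_keyid:
                continue                     # self-signature, discloses nothing new
            if sig_class[:2] not in CERTIFICATION_CLASSES:
                continue
            if not sig_class.endswith("x"):
                continue                     # "l" = local signature, not exported
            exposed[current_uid].append((signer_keyid, signer_uid))
    return dict(exposed)

if __name__ == "__main__":
    for uid, signers in third_party_signers(SAMPLE).items():
        print(uid)
        for keyid, name in signers:
            print(f"  signed by {keyid}  {name}")
```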

Take these concepts and consider applying them to other mediums, such as social networking...


Stories For Discussion

http://www.darkreading.com/blog/archives/2009/01/dont_worry_your.html

The real risks of the SSL MD5 collisions - [Larry] - This article lays out some practical advice on the real meaning. Now, that being said, I'm still concerned that this attack is well within the reach of those looking to do bad things, with a reasonable budget. The Firefox SSL blacklist extension looks to be a good install too. Here's a great layman's explanation of the attack. [PaulDotCom] - There are some really interesting things about this research. First, MD5 hash collisions have been around for a long time now. This article provides a nice, simple description using a practical example. Second, they did not tell the CAs about this vulnerability in fear of a gag order. This is an interesting move by the researchers and begs the question, "When you find a way to break the Internet, just who do you tell?". Also, I thought it was interesting how they used 200 PS3s to do the calculations, pretty sweet. Finally, it highlights just how important it is to actually SHOW people that something can be done, as mentioned by the Veracode blog, in order to make people change. This is more of a lesson in sociology than anything else.

Some Recent Embedded Systems Security Research - [PaulDotCom] - In addition to the Juniper hacks we talked about on the last show, there has been some other research released that is *very* interesting. First, FX has some reliable exploit/shellcode that will run on 1700 and 2600 series routers. Very cool stuff! Second, what if instead of a Zune player that was shut down on 12/31/08, it was a device that controlled some sort of critical infrastructure? Third, if you don't think hackers will attack your device because it's proprietary or what have you, check out the research on the Nintendo Wii released at 25c3 (which now I wish I had attended). Also, see the WiiBrew Wiki (http://wiibrew.org/wiki/Main_Page) for complete technical details on all things Wii.

Twitter Admin interface hacked - [Larry] - Why is this that common? Expose your management interface to a "regular" user via the internet, and then not enforce any password complexity. Seems like a bogus thing to do to me. The hacker allegedly brute forced the user's password using a tool that they wrote. Hmm, no password lockout or throttling. [PaulDotCom] - Such an easy thing to prevent! (BTW, "happiness" is not in the default password.lst for John The Ripper ;). You can implement a VPN, restrict access by IP address, enforce password complexity, account lockout, and even check your logs to see more than 10 attempts from the same IP address or from the same username.
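The log check mentioned above (more than 10 failed attempts from the same IP address or against the same username) can be written as a sliding-window counter. This is an added example, not code from the show; the log line format, the 10-minute window and all addresses and account names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # alert on MORE than 10 failures, as in the text
WINDOW = timedelta(minutes=10)   # assumption: the text does not give a time window
LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def sample_log():
    """Constructed log lines in an assumed format: '<ISO time> FAIL|OK user=<u> ip=<a>'."""
    t0 = datetime(2009, 1, 5, 3, 0, 0)
    def line(offset, result, user, ip):
        return f"{(t0 + offset).isoformat()} {result} user={user} ip={ip}"
    log = [line(timedelta(seconds=10 * i), "FAIL", "support", "203.0.113.5")
           for i in range(12)]                      # one source, one account
    log += [line(timedelta(minutes=5, seconds=i), "FAIL", "admin", f"198.51.100.{i + 1}")
            for i in range(11)]                     # many sources, one account
    log += [line(timedelta(minutes=20 + i), "FAIL", "bob", "192.0.2.7")
            for i in range(3)]                      # a user mistyping a password
    log.append(line(timedelta(minutes=23), "OK", "bob", "192.0.2.7"))
    return log

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the set of ('ip'|'user', value) keys exceeding threshold within window."""
    recent = defaultdict(deque)     # key -> timestamps of failures still in the window
    alerts = set()
    for entry in lines:             # lines are assumed to be in time order
        m = LINE.match(entry)
        if not m or m.group(2) != "FAIL":
            continue
        ts = datetime.fromisoformat(m.group(1))
        for key in (("ip", m.group(4)), ("user", m.group(3))):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()         # drop failures older than the window
            if len(q) > threshold:
                alerts.add(key)
    return alerts

if __name__ == "__main__":
    for kind, value in sorted(detect_bruteforce(sample_log())):
        print(f"ALERT: more than {THRESHOLD} failed logins for {kind} {value}")
```

Counting per username as well as per IP is what catches the second case in the sample, where no single address exceeds the threshold.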


How To Pwn A Windows Domain - [PaulDotCom] - This attack scenario is kinda scary. So you pwn a Windows domain member server or workstation. Then use some Windows Command Line Kung Fu to figure out the domain and domain controller. Then use incognito to impersonate tokens and give you a domain admin shell. Then you add a user to the domain. While there are multiple layers of defense to at least slow this attack down, your central log management system should set off every alert, pager, text message, bell, whistle, and flash that red beacon at the top of your cube every time a user is added to the "Domain Admin" group of your Windows domain. You do have a central log management/SEM system, right? (I also highly recommend the red flashing beacon at the top of your cubicle, it's a nice effect :)
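One way to implement the group-membership alert described above, as an added example rather than anything from the show: it assumes Security log events exported as XML from Windows Server 2008 or later (event IDs 4728 and 4756), and it also covers Enterprise Admins, which goes beyond the group named in the text. The domain, SIDs and account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security log "member added" events on Windows Server 2008 and later:
# 4728 = global security group, 4756 = universal security group.
MEMBER_ADDED = {"4728", "4756"}
# Well-known relative IDs at the end of the group's domain SID.
PRIVILEGED_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}

TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>{eid}</EventID><Computer>dc01.corp.example</Computer></System>
 <EventData>
  <Data Name="MemberName">{member}</Data>
  <Data Name="TargetUserName">{group}</Data>
  <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-{rid}</Data>
  <Data Name="SubjectUserName">{actor}</Data>
 </EventData>
</Event>"""

# Constructed events (domain, SIDs and account names are made up).
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=4728, member="CN=tmpuser,CN=Users,DC=corp,DC=example",
                    group="Domain Admins", rid=512, actor="websvc"),
    TEMPLATE.format(eid=4728, member="CN=jsmith,CN=Users,DC=corp,DC=example",
                    group="Helpdesk", rid=1604, actor="hr-admin"),
    TEMPLATE.format(eid=4728, member="CN=tmpuser2,CN=Users,DC=corp,DC=example",
                    group="Domänen-Admins", rid=512, actor="websvc"),  # localized name
    TEMPLATE.format(eid=4720, member="-", group="tmpuser", rid=1701, actor="websvc"),
]

def privileged_group_additions(events_xml):
    """Return one alert dict per event that adds a member to a privileged group."""
    alerts = []
    for xml in events_xml:
        root = ET.fromstring(xml)
        if root.findtext("e:System/e:EventID", namespaces=NS) not in MEMBER_ADDED:
            continue
        data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
        domain_sid, _, rid = data.get("TargetSid", "").rpartition("-")
        # Match on the RID, not the display name, which varies with OS language.
        if domain_sid.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
            alerts.append({"group": PRIVILEGED_RIDS[rid], "member": data.get("MemberName"),
                           "added_by": data.get("SubjectUserName"),
                           "dc": root.findtext("e:System/e:Computer", namespaces=NS)})
    return alerts

if __name__ == "__main__":
    print(*privileged_group_additions(SAMPLE_EVENTS), sep="\n")
```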

3DES for Pay at the Pump - [Larry] - This is one of those things that many of us don't think about, should be done, and costs a lot of money. Pay at the pump? New Visa/PCI regulations now state that the pump terminal must support 3DES for transaction details. Upgrades to the million plus pumps could cost $1200 to $28,000 each, and 2500 a day would need to be upgraded by the deadline...

CSAT testing 0wned - [Larry] - More on password complexity. E-mail harvested from a press release. Discovered that the password was the same as the account name. Access to the mail account turned up e-mails with more passwords and other sensitive information.

Passwords are just so easy to abuse... - [PaulDotCom] - But why bother when you can just change the password via an authentication bypass vulnerability? Here's an example: there is a vulnerability in the COMTREND CT-536 wireless router which allows unauthenticated users to access the password changing feature (http://192.168.0.1/password.html). Nice, but that just gets us read-only privileges (assuming we can only change the "user" password and not the "admin" user password). But wait, there's more! When logging in via TELNET, the "user" user has the same privilege as the "admin" user. Now, it's interesting because most home/SOHO routers use embedded Linux, so why can't we come up with a secure framework for implementing management on embedded systems? We could, but there are so many different platforms, processors, devices, kernel versions, etc... that it would be very difficult. I love open-source, but this is an example of some of the challenges it presents.

Multi platform IOS attacks - [Larry] - Interesting stuff. Only works against some PPC stuff, but this is a trend that I expect to see more of. More here. Check out the Cisco device/IOS emulator too.

Wireless Cheat Sheet - [John] - Looking for cheat sheets over Christmas and I pulled up this one. I cannot stress enough how valuable these things are when working on an implementation.

Passive Port Identification - [John] - Network Miner is a mix of p0f and Nmap. It identifies the hostname and the open ports on a system, either through sniffing or by going through a capture file.

Netenum for Meterpreter - [John] - Could you make the meterpreter better? In fact you can. Among the additional scripts that you can drop on a system post exploitation is Netenum by Carlos Perez. This script does a variety of sweeping and DNS recon on a network post exploitation.

More Post-Exploitation Fun - [PaulDotCom] - DarkOperator has created a meterpreter script for information gathering that runs all sorts of Windows commands to collect information about the host and network. It's *very* comprehensive, and even includes some of the new research by Josh on enumerating wireless networks using the Vista command line. BONUS: He's coded up a couple more, one that enables RDP, adds a user, and puts the user in the right group so you can RDP to it, and one for network enumeration. I have not yet tested these scripts, but I most certainly will!

TJX, and now you know the rest of the story - [John] - Why go into cybercrime? It seems to me that there are better ways to use hacking talents. 30 years in a Turkish prison is a very long time.

Other Stories Of Interest

Hackaday post about JanusPA - [mmiller] - Back in December of last year, hackaday had a posting about the Janus project's wired plug-n-play hardware privacy adapter. It looks like a good way to anonymise your traffic when plugged into a hostile network (security conference or hotels). Direct link JanusPA