From Paul's Security Weekly
  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 144 - March 12, 2008

IMPORTANT - For those who wish to listen to older episodes via iTunes and other RSS feed readers, you may need to delete the feed and re-add it. We recently changed servers for our archives, which can be found at http://archives.pauldotcom.com. Again, this is important, as the current hosting services will NOT extend past March of 2009.

  • Training event in Southern N.E.! SANS@Home - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13, 7-10 PM, discounted (10%) class

Episode Media


Tech Segment: w3af

<Shameless Plugs>
  • Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit – SANS Webcast sponsored by Core - https://www.sans.org/webcasts/show.php?webcastid=92328 (3/18 @ 10AM EDT)
  • SANS Phoenix – SEC401: Security Essentials
  • SANS Calgary – SEC401: Security Essentials
  • SANS Secure Europe – SEC542: Web Application Penetration Testing
</Shameless Plugs>

What is w3af?

  • w3af: Web Application, Attack, and Audit Framework
  • Author: Andres Riancho (http://www.bonsai-sec.com)
  • Current Release: 1.0rc1 (2/28/09)
  • Platform: Windows/Linux
  • Website: http://w3af.sourceforge.net/

w3af is a web application vulnerability scanner and exploitation framework from Andres Riancho. w3af stands for Web Application, Attack, and Audit Framework. The application is Python based, with an optional GTK+ front-end that is currently supported on both Windows and Linux. Quite a few installation requirements exist for w3af, which is why SamuraiWTF (Kevin Johnson and Justin Searle, InGuardians) serves as one of the recommended delivery methods.

Why w3af?

News Flash: the Web has vulnerabilities…  ;) As most of you know, there are other web application vulnerability scanners out there (e.g. grendel-scan (-), Burp (-/$), Acunetix WSS ($$), Cenzic Hailstorm ($$$), HP WebInspect ($$$), IBM Rational AppScan ($$$)). Certainly, w3af being free (as in beer), as well as open source (free as in speech), are considerations. Another major feature of w3af is how easily extensible it is. The plugins are written in Python and, because they are open source, can be readily understood/modified/cannibalized. w3af introduction:


If you start off playing with the GUI, then w3af has a decidedly Nessus-like feel to it. Like Nessus, w3af searches for vulnerabilities in a target according to the plugins configured. So what plugins are available…

The 8 major plugin categories are (descriptions from Andres’ T2 presentation see references):

  • discovery – finds new URLs, fingerprints web server/architecture/application
  • audit – attempts to find vulnerabilities; leverages discovery plugin
  • attack – looks at vulnerabilities found in audit and attempts to exploit
  • output – self explanatory…how do you want to see the results (console, html, text)
  • bruteforce – used to brute force Basic and Forms based authentication
  • grep – helper that searches every request/response for info (emails, passwords, languages, IPs, etc.)
  • evasion – modifies requests to avoid IDS/IPS/WAF
  • mangle – modifies requests/responses based on defined patterns/substitutions

Let’s zoom in on a couple of these and discuss some of the key checks within these plugins.


discovery – successful configuration can make or break a successful scan

   * Lots of options available (currently over 40 separate plugins)
   * Spidering (webspider, spiderMan)
   * Web searches (Google, MSN, Yahoo, archive.org, PGP PKS, GHDB, 
   * pykto (nikto port to python)

audit – the key checks include:

   * SQL Injection (blind SQLi and SQLi)
   * File Includes  (local and remote)
   * Command Injection 
   * XSS
   * Others (XPath, HTTP Response Splitting, LDAP Injection, WebDAV tests, SSI, XST)

attack – the attack plugin isn’t available as part of the general scan, rather you can send attacks after vulnerabilities have been discovered via the audit plugin.

   * BeEF
   * sqlmap
   * OS Command Shell

Advanced Techniques

  • Virtual Daemon – Use Metasploit payloads to exploit a vulnerable web application
  • w3afAgent – After exploitation, creates a reverse tunnel from the compromised server.

I mentioned before that if you first played with w3af via the GUI that you would likely feel some similarity to Nessus. What other options are there?


If your first exposure to w3af was from the console, you would likely feel as if you had stumbled into a Metasploit console.


One feature that I very much like is the ability to “script” the running of w3af scans. The script that we create is really just the exact commands that we would type into the console to configure/run a scan (including the ‘back’ commands). The main boon of this scriptability is that it makes repeat scans very easy to run. After creating a text file (here seth.w3af) with each console command on a separate line and a final line of start, we can simply run a scan using the following command line:

./w3af -s seth.w3af
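An added example of what such a script file can look like (this is not from the show notes or the w3af project). It assumes the menu and plugin names of the w3af 1.0 console (plugins, target, webSpider, xss, sqli, textFile), and the target is a deliberately vulnerable lab application running on your own machine, in the spirit of the WebGoat/Mutillidae suggestions below:

```text
# seth.w3af (constructed example): one console command per line, 'back' to leave a menu
plugins
output console,textFile
output config textFile
set fileName w3af-lab-report.txt
set verbose True
back
discovery webSpider
audit xss,sqli
back
target
set target http://127.0.0.1/mutillidae/
back
start
```

Menu and plugin names changed across w3af releases, so check them with `plugins` followed by `list audit` in the console of the version you actually run before relying on a script.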

Obviously it would behoove those trying to stay out of jail to only target w3af at systems they control… What if you don’t control any web applications (or pretend that yours don’t have security flaws to discover)? Then you can turn to Web Applications Intentionally Ate Up with Suck:

  • WebGoat – OWASP - J2EE
  • Hackme – Foundstone - Emphasis on Web Services
  • Mutillidae – IronGeek – PHP, Apache, MySQL


Get w3af:

w3af 2 Part Tutorial from Josh Summit at Pen Tester Confessions:

http://pentesterconfessions.blogspot.com/2007/10/how-to-use-w3af-to-audit-web.html (Part 1) http://pentesterconfessions.blogspot.com/2007/10/w3af-tutorial-part-2.html (Part 2)

w3af Video Demos:


Tech Segment: Fun with Basic auth and base64 encoding

Recently I've been having some fun with my test Snort box. I've been spending a lot of time with the emerging threats rules, and found one that kept triggering with interesting results. That rule was #2006380 for Outgoing Basic Auth Base64 HTTP Password detected. I thought, "Who uses basic auth nowadays?" Boy was I shocked to find out.

As an example, I found a number of applications that I was using used basic auth:

  • Tweetdeck - Mostly fixed with the latest version, but still one action...
  • NetNewsWire - based on website, one being delicious...
  • MobileMe - Not sure where or how (not my MobileMe), but not good.

From this, I wanted to set up a new installation of Snort on my OS X box. The install was relatively straightforward. I won't bore you with those details, as I want this to be platform independent; just make sure that you read the included INSTALL file for any caveats based on OS. Other than that it was as simple as a:

./configure ; make ; sudo make install

So, to do this setup, I only wanted to use the one rule. This is a fairly simple task.

First I created a new rules file that contained just my one rule. I put it under /Users/larry and called it base64.rules. Then I edited the default snort.conf (in my installation under /opt/local/etc/snort/snort.conf) to change the rules configuration. I commented out all of the existing rules in the file and added one new one (snort.conf uses the include keyword to pull in a rules file):

include /Users/larry/base64.rules

Then it was just a matter of starting up snort with a few options:

sudo /opt/local/bin/snort -c /opt/local/etc/snort/snort.conf -u larry -g larry -i en1 -l /Users/larry/Desktop -D

What this means is I'm running the snort binary (as root through sudo) out of /opt/local/bin/ and using -c to specify my snort.conf in /opt/local/etc/snort. Then, after setup, I'm going to drop privileges to the "larry" user (-u) and group (-g). I'm also going to listen on interface en1 (-i), which happens to be my wireless interface; you'll need to set this to reflect your interface in your environment. I'm also redirecting the logged output to /Users/larry/Desktop in order to make it easy to look at often. Send this to a place that works for you. This is the reason I wanted to drop privs to "larry", as now I don't have to be a superuser to open the files. The -D starts it in daemon mode (in the background).

Ok, so we examine the log files and we see that we have some alerts in the "alerts" file:

[**] [1:2006380:10] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1] 
03/11-14:35:37.043941 ->
TCP TTL:64 TOS:0x0 ID:40173 IpLen:20 DgmLen:1304 DF
***AP*** Seq: 0x4C06A0E6  Ack: 0x871DC10B  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 693619253 2348041489 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth][Xref => http://doc.emergingthreats.net/bin/view/Main/2006380]

Cool. But what about the packet? I want to figure out what caused it! Let's examine snort.log.<number>

First off is the nice easy GUI method: Wireshark! Open the snort.log.<number> file, which is actually a pcap capture file. This capture will include all of the offending packets. In this example, I examined a GET from TweetDeck. In the packet analysis window of Wireshark, under HTTP, GET, there is an Authorization: Basic <base64 encoding> line. If you expand this, it will automatically decode the base64 for you...

I'm working on a nice command line one for this but ran out of time. There is always copy and paste to a text file...

perl -MMIME::Base64 -ne 'print decode_base64($_)' < base64.txt

Instead, listener Paul S. sent in the command line options for tshark that work like a champ:

tshark -R http.authbasic -Tfields -e http.authbasic -r http.pcap > passwords.txt
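The same check that rule 2006380 and the tshark one-liner perform, done in Python over a few constructed sample requests (an added example, not code from the show notes or from Emerging Threats). It assumes requests are handed to it one at a time as raw bytes, and it also handles the two cases a quick grep misses: a Basic header whose payload is not valid base64, and a password that itself contains a colon.

```python
import base64
import binascii
import re

# Constructed sample traffic (not a real capture; hosts use the reserved .invalid TLD
# and the credentials are made up). Each entry is one outgoing HTTP request.
SAMPLE_REQUESTS = [
    b"GET /api/timeline HTTP/1.1\r\nHost: api.example.invalid\r\n"
    b"Authorization: Basic bGFycnk6czNjcjN0\r\n\r\n",            # larry:s3cr3t
    b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",        # no credentials at all
    b"GET /feed HTTP/1.1\r\nHost: rss.example.invalid\r\n"
    b"Authorization: Basic !!notbase64!!\r\n\r\n",                  # header present, junk payload
    b"GET /v1/me HTTP/1.1\r\nHost: app.example.invalid\r\n"
    b"authorization: Bearer abc.def.ghi\r\n\r\n",                  # not Basic, must be ignored
]

BASIC_RE = re.compile(rb"^authorization:\s*basic\s+(\S+)", re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(rb"^host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def decode_basic_token(token):
    """Decode the base64 payload of a Basic header into (user, password).

    RFC 7617 forbids ':' in the user-id, so the first colon is the separator and
    any later colons belong to the password. Raises ValueError on junk base64.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64: %r" % token) from exc
    user, _, password = raw.decode("utf-8", errors="replace").partition(":")
    return user, password


def scan_requests(requests):
    """Mirror the intent of ET rule 2006380: flag every outgoing request that carries
    a Basic Authorization header. Returns one alert dict per offending request."""
    alerts = []
    for req in requests:
        m = BASIC_RE.search(req)
        if not m:
            continue
        host_m = HOST_RE.search(req)
        alert = {"host": host_m.group(1).decode() if host_m else "?", "malformed": False}
        try:
            alert["user"], alert["password"] = decode_basic_token(m.group(1).decode("ascii", "replace"))
        except ValueError:
            alert["malformed"] = True   # still an alert: the header left the box in the clear
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_requests(SAMPLE_REQUESTS):
        if a["malformed"]:
            print("%-22s Basic header with undecodable payload" % a["host"])
        else:
            # Mask the secret on the console; unlike passwords.txt above, nothing is written to disk.
            print("%-22s user=%s password=%s" % (a["host"], a["user"], "*" * len(a["password"])))
```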

Using A WRT54GL As A Kismet Drone - Update

I have my issues with the WRT54GL, specifically the broadcom chipset and its proprietary driver limit what you can do on the wireless side. Also, this keeps it running kernel version 2.4, and the older whiterussian.

Recently the open-source driver, BCM47xx, has been getting pretty stable on a kernel 2.6 platform such as OpenWrt Kamikaze. I compiled a development version today and ran it on a WRT54GL. The OS installed great, and iwconfig comes pre-installed and showed the wireless card as up and available:

root@OpenWrt:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

eth0.0    no wireless extensions.

eth0.1    no wireless extensions.

br-lan    no wireless extensions.

wmaster0  no wireless extensions.

wlan0     IEEE 802.11bg  Mode:Monitor  Frequency:2.427 GHz  Tx-Power=27 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

This is great! Now we can actually run newer software on the WRT54GL and enjoy life with Kamikaze. Kamikaze comes with a slew of packages pre-built, including a new web interface written in Lua called LuCI (do "opkg install luci-admin-mini" to check it out; make sure you use the "mini" package or you will run out of space on the WRT54GL, not that I tried that and had to back out a bunch of packages). So, now that we have all this wonderful new stuff, let's install Kismet. I had to modify the /etc/opkg.conf file to point to the snapshots directory:

src/gz snapshots http://downloads.openwrt.org/snapshots/brcm47xx/packages

Then I installed kismet-drone (And only the drone):

# opkg install kismet-drone

I then edited the /etc/kismet/kismet_drone.conf file and changed the following two entries:


Then run kismet_drone:

root@OpenWrt:~# kismet_drone -f /etc/kismet/kismet_drone.conf

Now you can connect to it using any Kismet client. It solves one problem in that the driver will now do channel hopping, so you don't need an add-on script. Also, Kismet can put this driver into monitor mode for you, so you don't need to run any extra commands to do monitor mode. Next, I am going to attempt to compile Kismet-newcore for this platform and see if I can get it going. My goal here is to get the most out of a $59 device, and it seems software is evolving to allow us to do more than ever before!

Stories For Discussion

1) WPAD Spoof fix? - [Larry] - Paul, back to your methods about naming your machine WPAD for testing, which Windows machines search for... Microsoft has apparently recognized this as a threat, in that there is no authentication for client machines to create these entries in DNS via the way you mentioned. This patch is intended to address that functionality in DNS/WINS.

2) Layoffs leave orphans - [Larry] So, how do all of those empty desks impact your security? Are they getting patched? Rebooted? As closely monitored for theft, or use by a social engineer? How about the disposal methods with an already overworked staff?

3) Social engineering prank... - [Larry] - This one went too far. More prank than anything, but just goes to show how convincing a social engineer can be. A caller got the staff to set off the fire extinguisher, then got them to strip to get the chemicals off. The victims only suspected something was up when the caller said they needed to urinate on each other to counteract the chemicals on the skin...

4) Adobe JBIG2Decode w/o user interaction - [Larry] - Nice work Mr Didier Stevens! Didier poked at the PDF JBIG2Decode stuff for a little while, and found ways to compromise systems with little user interaction - such as rendering PDF metadata through Shell extension COM objects, by just having the user browse to a folder in thumbnail view, mouse-over for tool tip and single click for preview generation. It gets better: how about uploading a file to a system that has file indexing using Windows Indexing Service (which runs as SYSTEM)? This functionality is used for things such as MS Search Server 2008, Desktop Search, SharePoint and SQL Server.

5) HIPAA Violations in my yard? - strandjs - Will this trigger a HIPAA violation? What does it take? I am wondering how much longer until HIPAA gets some traction in the media?

6) Credit Card Breach Timeline - strandjs - It is interesting to see the timeline of a processor breach. Take a look at all of the banks that had to issue press releases. Compromised Account Management System is going to be something that I am going to keep tabs on very closely from here on out.

7) OSSEC 2 released!!! - strandjs - one of my favorite monitoring tools has upgraded to a new version. If you are looking for a free tool to do file integrity checks, rootkit detection, log analysis, and HIDS take a look at OSSEC.

8) e-voting delete logs feature - strandjs - We have known for some time that the electronic voting systems have had some flaws... But the ability to delete the logs? That just rocks. Am I the only one that thinks we need to get back to punch cards and pregnant chads?

9) Passwords? Cleartext? Windows? Check! - strandjs - OK.... I am lazy. There has been quite a bit lately about how you can get the password hashes out of memory on a Windows system... But it usually involves regular expressions, sed/awk, and other scripts... And, as I said.. I am lazy. So I created a password on a Windows XP box 'pauldotcomrocks', dumped the memory, then ran strings through grep looking for pauldotcomrocks... Turns out that the password is in cleartext in memory; further, it is prefixed with "###Password:" Humm... Now I just search for ###Password and it pulls all of the cleartext passwords for logged on users... Check out the video! As a side note, we are not done with this yet.

10) Software Will Have Vulnerabilities - Even Software Written By D.J. Bernstein - [PaulDotCom] - Even though it only affects a few users, this was a vulnerability in djbdns. There were many that sat up on their high horses with pride when BIND had serious issues uncovered by Kaminsky. They were knocked clean off recently when someone found a flaw in djbdns, long touted as a secure alternative. First, get off your high horse and realize that ALL software has flaws. I just laugh at those who implemented djbdns, did a big conversion and scrapped BIND to be "more secure". Dudes, when are you going to realize that it's your patching process that makes you secure, not which software you run? Sure, some software is better than others in terms of published vulnerabilities, but any software without maintenance will be pwned. Other thought, how many people are holding an 0day for some software? Anyone? Care to share? Didn't think so... Your defensive strategy must assume that someone has an exploit for your software, plain and simple. Audit, log, test, patch, firewall, and harden, oh and a bit of luck helps too.

Other Stories Of Interest

Protect Yourself From Those Harmful DTV Signals

The Coolest/Geekiest Business Card On The Planet