Episode154

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 154 - June 1, 2009

  • Welcome to our special live podcast from the exotic City of Sin - Las Vegas! Paul, Larry, Mick, John and Carlos Dark0perator Perez are together at last for mischief and mayhem ...
  • Episode 150 Audio has been posted for the entire out-of-this-world shindig! It is available in sections here
  • 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
  • SANS Denver 560 - July 8th - 13th 2009!!!: SEC560 SANS Network Penetration Testing - John Strand, Colorado, Beer and SANS... Could it get any better?
  • SANS Raleigh Durham - June 22 thru 27th: SEC 401 SANS Security Essentials Bootcamp - The first step in the path to Enlightenment! Taught by Mark Baggett!
  • DEFCON! The Poetry Jam is back with even more snark!

Episode Media

mp3

Tech Segment: P2P Information Disclosure with Larry 'Big Blackjack' Pesce and Mick 'Vegas Baby' Douglas

Here are the slides: http://pauldotcom.com/p2p.html

Stories For Discussion

0) The Future Of Metasploit According to HD Moore:

  • metasploit, 6 years in the making
  • now becoming a platform for other people's cool techniques
  • dynamically generate word and pdf docs to bypass a/v when doing client side pen tests
  • carlos perez meterpreter scripts mentioned in talk
  • full ruby interpreter in meterpreter
  • machterpreter being added, os x support for meterpreter, and linux (meterpretetux) and php
  • adding dect and ZigBee sniffing and protocol support
  • stole openvas client and reporting engine, plugins become metasploit modules
  • use warvox to test security of voicemail on your employees phones
  • write modules to automate exploits for vulnerabilities you find (i.e. default passwords)


  1. BASE XSS vulnerabilities & responsible disclosure - [pauldotcom] - I wanted to speak out, again, on the topic of responsible disclosure. There is lots of software available today, free software even, software that is created by people who give it away for free to better your lives, jobs, and the security of our information. If you find vulnerabilities in this software you should embody the spirit of free software and contribute your findings to the project first, before posting them publicly. We cover vulnerabilities every week, and often discuss how certain vendors or software makers fix these problems. Open source projects are typically some of the best organizations to work with to get bugs fixed; it's simple, they just fix them ASAP. So, if you do spend time auditing open-source software, or any software, at least tell the creator what you found before you release it out to the world. I may not always believe this, but for open-source software this is the most responsible thing to do.
  2. Read Vulnerabilities Carefully! - [PaulDotCom] - Be careful when you read these vulnerability reports. This is still an issue, but not CSRF in the same context as you would think. Important difference: knowing the default username/password and executing commands, and executing commands when the browser is already logged in, are two different things. This is the former, so it's not a big deal, and an issue we talked about already, but it just goes to show you really need to read vuln. announcements carefully.
  3. taking over a botnet - [pauldotcom] - Taking over a botnet can be fun; it's kind of like taking a sports car for a joy ride, except it's your neighbor's sports car and he left the keys in it, and oh yeah, it's not street legal either. In this case the botnet herders failed to claim the next domain name in the queue that all the bots would connect to! If you've never had access to a botnet it's a fun thing to do; also don't forget to be responsible and always contact and work with law enforcement.
  4. directory traversal in printers a big deal? - [pauldotcom] - In fact, yes. What's nice is that this is an embedded device AND it's made by HP, which means they've left out security completely. Even better, it's a web server in an embedded device, which means it's got to have vulnerabilities (recently someone was just telling me about an Apache vulnerability; how long has Apache been around and we still find bugs?). So this will also let you read cached documents, sweet! This is pretty stealthy: use SNMP, find printers, find ones with this vulnerability, use the web flaw to download documents going through the printer!
  5. Keyboard sniffing details & software released! - [pauldotcom] - This is great news: the ability to sniff and/or inject keystrokes for wireless keyboards has been released! Thanks to Max Moser for posting this; you will be able to order the hardware PCBs soon for "a reasonable price".
  6. Obama creates a Cybersecurity Coordinator - [MikeP] - Full text of Obama's speech creating the Cybersecurity Coordinator position.
  7. Patch your BlackBerry Servers! - [Mick] - I have routinely seen that BlackBerry systems are *the* holy grail when it comes to attackers. One stop shopping for all sensitive docs? Sign me up!
  8. Best Video! - [Mick] - Thanks for tweeting this you bot! I'm glad you're sharing your vids. Ugh. I do not envy Twitter's spam/security team's workload. Good luck!
  9. Fiber seeking backhoe cuts NSA link - [Mick] - The mental image of black SUVs rushing to the construction site is hilarious to me.
  10. It's a hoax people! - [Mick] - While I'm all for hardening SCADA, I don't like these "oh noes! I can pwn j00" type things. (maybe I'm turning into a grumpy old man)
  11. Sending Beacon frames with the AirPCAP adapter - [Larry] - a short neat script from Didier on crafting some beacon frames.
  12. BT4 Pre Final - [Larry] - Whoah, big changes, even from the BT4 beta release. New compressed drive images, new tools, new update methods...and of course, all sorts of new guides for configuring and booting
  13. All your BASE are belong to us - [Larry] - Go update BASE to 1.4.3.1, as previous versions have some reflected and stored XSS vulnerabilities. Apparently the vulnerabilities were in code as originally forked from ACID, but a big kudos to Kevin Johnson for rolling out updates incredibly quickly. I think that this is a great example of third party legacy code that someone ends up supporting that has serious issues. It also goes to show that even well respected professionals can make mistakes.
  14. Remote Data Backup win - [Larry] - Yet another reason why backups are good. User backs up file to online backup store, with scheduling. User has laptop stolen, and thief uses laptop to take pictures of himself. Backup kicks off, and copies the pictures to online backup store. User views, and provides to law enforcement.
  15. Injecting shell commands - [Larry] - Linksys WAG42G2 can be sent a modified POST request that will run shell commands. Of course, an attacker needs to modify the post command in transit....I mean there are NO tools that can do that....
  16. ioscat - [strandjs] - Yeah.. That's right.. Netcat for Cisco IOS.. Thank you Robert VanderBrink.
  17. Great Plugins for Volatility - [strandjs] - Some side plugins for the volatility framework for detecting Malware. As a bonus they are not traditional signature based.
  18. bugspy - [strandjs] - Bugspy is an open source link aggregator. As part of any penetration test you can now look for current open bugs in Open Source software. Why do you care? There are two reasons for this. First, it is a good place to look for bugs to write exploits. Second, you can at least find some DoS vulnerabilities.
  19. Turkish Hacking group "m0sted" breach Army computers - [Dark0perator] - They "rendered useless supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches" using SQL injection, no less.

Other Stories Of Interest

  1. Vegas should appreciate this - From the website: "Introducing the Dice-O-Matic mark II, now generating the die rolls on GamesByEmail.com. It is a 7 foot tall, 104 pound, dice-eating monster, capable of generating 1.3 million rolls a day."
  2. If this isn't an example of Social Engineering ... then there is a poisonous gas in your building which can only be neutralized by peeing on those around you.