Episode166

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 166 - For Friday September 4th, 2009

  • Thursday September 10th - come meet PaulDotCom at the Boston OWASP meeting to be held at Core Security near South Station. More info to follow....
  • We're looking for two interns - local to the Rhode Island area, listen to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast. If that description sounds like you, please send us a note via psw [at] pauldotcom [dot com]
  • The Louisville Metro InfoSec Conference in, well, Louisville, offers John Strand as Keynote and serves PaulDotCom Asadoorian as Breakout Speaker. If that were not enough, they will also have a Capture The Flag event and Irongeek! All the above for the very low price of $99 on October 8th.
  • Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running Monday, October 5 - Saturday, October 10. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.

Episode Media

mp3

Interview: Nick Harbour shares some rnicrosoft Forensic Software goodness

Nick Harbour is a malware analysis expert with extensive experience in Incident Response and Computer Forensics. He specializes in advanced R&D for information warfare, forensics and anti-forensics and reverse engineering. He is the developer of numerous free computer forensics tools such dcfldd, tcpxtract, fatback, Mandiant Red Curtain and FindEvil, Anti-Reverse engineering tool PE-Scrambler and the Reverse Engineering tool APIThief.


Quetions for Nick:

  1. How did you get your start in information security?
  2. Which tool have you had the most fun writing and supporting?
  3. Favorite tool you use that you have not written?
  4. Who do you follow on Twitter?
  5. What was it like working in the DoD Computer Forensics Lab?
  6. Are there any crazy photos of you on the Mandiant website?

Tech Segment: Recovering Firefox Passwords

To quote Carlos, "shell is just the beginning". Now that we have access to a machine, we can gather all sorts of goodies from the machine; we just need to know where to look.

Some of my favorites are to grab Firefox passwords. Prior to version 3.5, (for version 3) the list of sites were stored in signons3.txt. With a master password set, the other items that you'd need are key3.db as well to recover the master password. For Firefox versions 3.5 or better, you'll also want to grab signons.sqlite as well. For a detailed description of the contents and format of each of these files, check out the FirePassword page.

But why recover these usernames and passwords? How many people do you know let their browser store passwords for them? Personally, I know a lot. These users store passwords for just about everything; personal sites, banking and corporate resources.

Yes, corporate resources. Now, if you have credentials to these resources, this may open up a whole new world to your testing. Imagine that you now have credentials to all sorts of web based management utilities where you can get access to a million credit card numbers, or something as equally juicy.

So how do we do it? Ok, first grab the signons3.txt and key3.db files (or signins.sqlite for Firefox 3.5) and get them to a system where you can work with them. I'm finding that a windows system is best, given the tools available. I'm using Windows 7 in a VM, with firefox installed. Many of the tools like to look for the default Firefox profile directory, so I often copy the files there - I'm not concerned about the install of firefox in this VM.

One tool that we can use to view the password stores is Firefox itself. Of course Firefox 3.5 uses a different format for storing passwords has changed; they now store them in a sqllite database. If we copy over our files to the default firefox profile (C:\Documents and Settings\<user>\Application Data\Mozilla\Profiles\<random>.profle in many cases) for an older version of Firefox. Fire up Firefox, (be careful, it needs updates!), and go to Tools, Options, Security, Saved Passwords, Show Passwords. Neat, now we have the URL, username and password!

Uh Oh, you mean now we are being asked for a master password? Well, we need to provide one in order to view the passwords! Now we can use another tool on windows to obtain the master password.

FireMaster to the rescue. FireMaster is a master password brute force tool, against key3.db and signons3.txt. It will do all of the typical brute force attacks; dictionary, hybrid and bruteforce. It is a fairly simple tool to use, but here are a few examples. In these examples, Firemaster is in the same directory as key3.db and signons3.txt so my profile path is set as "." at the end of the command:

[Update: During the writing of this segment, I noted that the author updated FireMaster so automatically detect the version of Firefox based on the storing of the information in signons3.txt or the sqlite method! We can now use this tool to get the goods from Firefox 3.5 as well.]

A dictionary attack:

FireMaster.exe -d -f wordlist.txt .

Note that you need to be careful with your wordlist. I used a copy of the all inclusive free version from ftp.openwall.org which I had to convert LF to CRLF. I also had to remove words with spaces and non US character sets. If I didn't I got a nasty crash from FireMaster. Can you say buffer overflow anyone?

A hybrid attack:

Firemaster.exe -h -f wordlist.txt -n 3 -g "0123456789" -s -p .

Again, same wordlist issues. With the hybrid, it will append (-s) and prepend (-p) the number of characters (-n 3) as defines by the defined character set (-g). The larger your number of characters and character sets the more time you will need.

A brute force:

FireMaster.exe -b -l 10 .

This one will set the max password length to 10 characters (-l), so adjust to you needs. It also uses the default character set of "abcdefghijklmnopqrstuvwxyz*@#!$123" which you may also need to tailor with the -g option. On my machine this would take over 300,000 days to complete at about 120,000 guesses a second. On a high end, non-virtual system the guessing jumped up to about 250,000 guesses a second for about 160,00 days to completion.

My vote is for a good dictionary. We covered scraping websites for making dictionaries before.

I've also had some good luck with Firefox Password recovery from top-password.com. Granted, it wasn't free, but the $18 was something I could afford for expenses on an engagement. It won't crack or bypass the master password, but may be a little more safe than a machine running an old version of firefox. Just another option. It hasn't been updated for Firefox versions 3.5 or better signons.sqlite yet.

So, want a free solution? The author of FireMaster has a command line FirePass and GUI FirePasswordViewer tool to do the same, with Firefox 3.5 support!

Mini-Tech Segment - Penetrating VPN Concentrators

There are a few nice tools available that allow you to enumerate, and hopefully penetrate, VPN concentrators. Typically this will be all you will find on a remote assessment. Let me set the record straight, VPN's are a good thing. They reduce your overall exposure to the Internet. However, they need to be hardened, just like everything else on your network (including your users). Below are some quick tech tips to enumerating and attacking VPN systems.

PPTP

PPTP is a crappy protocol (pun intended). I think what many people miss is that PPTP is similar to the wireless protocol LEAP (Remember LEAP?) that uses MS-CHAPv2 for authentication.

Reference: http://www.willhackforsushi.com/code/asleap/2.2/README

Basically this means its vulnerable to password brute force guessing attacks. You can use the Asleap took mentioned about, but you will need a packet capture of a successful authentication to use it. pptp-bruter from the fine folks at THC (The Hackers Choice) is a bit dated, but can work really well. It takes just a simple word list and the IP of your PPTP server:

thc-pptp-bruter 10.78.3.10 -n 10 < wordlist.lst 

I think some of the code in thc-pptp-bruter may be a bit dated as some systems will not accept the authentication handshake from it, and it just keeps trying the same 10 passwords over and over again.

IKE

IKE is the key exchange protocol used in IPSec based VPNs. IPSec is great, but make sure you configure it correctly. This means never using agressive mode and choosing strong encryption protocols and hashing algorythms (Like AES, etc..). One of the best resources on this topic is actually the ike-scan documentation User Guide:

Reference: http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide

Tons of great information here on how to enumerate and attack VPN systems. There are two basic commands that I put together in order to attack systems, the first one figures out what kind of encryption and hashing algorythms are in use:

./generate-transforms.sh | xargs --max-lines=8 ike-scan 10.99.2.11

The above command runs ike-scan against a target using all the different key combinations. You can download the web site from the NTA Monitor web site. Once you figure out what the VPN concentrator like, you can fingerprint it using the UDP backoff technique:

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.99.2.11	Main Mode Handshake returned
	HDR=(CKY-R=c60fc677eb1c7f5d)
	SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
---	Ignoring 80 bytes from 216.87.243.8 with unknown cookie 749c204df5af3877

IKE Backoff Patterns:

IP Address	No.	Recv time		Delta Time
x.x.x.8	1	1251660594.483955	0.000000
x.x.x.8	2	1251660604.484525	10.000570
x.x.x.8	3	1251660614.489095	10.004570
x.x.x.8	4	1251660624.485665	9.996570
x.x.x.8	5	1251660634.486235	10.000570
x.x.x.8	6	1251660644.490805	10.004570
x.x.x.8	Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box

There are attacks for aggressive mode, all documented nicely in the ike-scan user guide. There are other tools as well, but these seem to be my standby. Once you fingerprint the VPN you can then look for specific vulnerabilities, or set one up in your lab and find some new ones :) Its an important point that I want our readers/listeners to take away from this one, just because the tool available is outdated, don't put it past an attacker to modify or extend it. If you assets are worth it, they will spend weeks/months/years making tools and exploits to break into your network.


Stories For Discussion

  1. The story behind the Apache.org compromise - [Larry] - and now we have the details behind that compromised SSH key. Seems reasonable, but I'm missing something about the solution of the from="" and command="" usage to keep the keys from being used form third parties. I thought that the way it happened was through a backup.resture that used the keys to copy data form one machine to the other. They compromised the backup, and used the backup to overwrite on a restore. That seems like a perfectly legitimate use of the keys, with the same source and commands...
  2. Getting lucky? - [Larry] - Here is a good reason why password and encryption brute forcing can be good. Sometimes you get lucky. Apparently the Netherlands Forensics Institute was able to get lucky and crack the encryption on a very large store of child port to be used as evidence. They got lucky, as the needed bits were at the beginning of the key space.
  3. BT4 Kernel update - [Larry] - Ya, there have been some kernel vulns recently, and this is exactly why they went with the update method. If you use BT4, I highly suggest that you update.
  4. Sued for lax security - [Larry] - Bank customer gets owned, legit user and pass gets used to steal their money, and judge orders that the bank is negligent because they only use single factor authentication for online banking. I wonder, does this set precedence for other types of suits like this? [Mick] SQUWWWWWWEEEEEEEEEEEEEEEEEE!!!! Is this the dawn of a new day! Will data custodians be held accountable?
  5. POTUS Power! - [Mick] - "Don't worry, we're from The Government! We're here to help!" Oh boy! is this a chilling bill. If we give up enough freedoms, we'll be safe, right? Right?!?

Other Stories Of Interest

  1. I can has terminator vision? - [Mick] - Augmented reality is cool and could be really useful. 'Nuff said.
  2. I really would like teh terminator vision - [Mick] - There are so many potential applications of this I don't even know where to start!