Episode175

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 175 - For Thursday November 12th, 2009

  • We are growing mustaches for Movember! Go to http://pauldotcom.com/mo for more information and to make donations to our team that will benefit cancer research.
  • Sign up to get a free Website HealthCheck report from Cenzic to see how you can protect your Website from hacker attacks. As part of the Cenzic HealthCheck program, Cenzic will scan your Websites for “holes” that hackers can exploit and provide you with a detailed encrypted PDF report in 2-4 business days. The report will contain:
      • An assessment summary of your Website’s “holes” (security flaws) and easy-to-read severity charts,
      • A prioritized listing of your most vulnerable Website locations (applications), and
      • A description of the security flaws and directions on ways to eliminate them.
    For more information, please visit http://www.cenzic.com/2009HClaunch_PaulDotCom
  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!

Episode Media

mp3

Tech Segment: Carlos "DarkOperator" Perez - DNS Enumeration with MetaSploit

DNS enumeration has to be one of the areas of enumeration and recon most overlooked by many professionals. In the last couple of years I have been asked to check a couple of clients after a pentest team had supposedly tested the client's defenses, only to find out that the client had zone transfers enabled and it was never tested; we have also seen internal IPs exposed by mistake and Active Directory SRV records exposed to the outside world. That is why I wrote this MSF module, which is part of Metasploit 3.3 RC1. To use the module one simply launches msfconsole and loads the dns_enum auxiliary module:

carlos@loki:~/svn/msf3-dev$ ./msfconsole

                                  _       _
             _                   | |     (_)_
 ____   ____| |_  ____  ___ ____ | | ___  _| |_
|    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                           |_|


       =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 384 exploits - 166 auxiliary
+ -- --=[ 261 payloads - 20 encoders - 7 nops
       =[ svn r7485 updated today

msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /home/carlos/.msf3/sqlite3.db
msf > use auxiliary/gather/dns_enum

To get a list of the main options one simply runs the info command:

 msf auxiliary(dns_enum) > info
 Name: DNS Enumeration Module
 Version: $Rev: 7466
 License: Metasploit Framework License (BSD)
 Provided by:
 Carlos Perez <carlos_perez@darkoperator.com>
 Basic options:
 Name         Current Setting                                        Required  Description
 ----         ---------------                                        --------  -----------
 DOMAIN                                                              yes       The target domain name
 ENUM_AXFR    true                                                   yes       Initiate a zone Transfer against each NS record
 ENUM_BRT     false                                                  yes       Brute force subdomains and hostnames via wordlist
 ENUM_RVL     false                                                  yes       Reverse lookup a range of IP addresses
 ENUM_SRV     true                                                   yes       Enumerate the most common SRV records
 ENUM_STD     true                                                   yes       Enumerate standard record types (A,MX,NS,TXT and SOA)
 ENUM_TLD     false                                                  yes       Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
 IPRANGE                                                             no        The target address range or CIDR identifier
 NS                                                                  no        Specify the nameserver to use for queries, otherwise use the system DNS
 STOP_WLDCRD  false                                                  yes       Stops Brute Force Enumeration if wildcard resolution is detected
 WORDLIST     /home/carlos/svn/msf3-dev/data/wordlists/namelist.txt  no        Wordlist file for domain name brute force.
 Description:
 This module can be used to enumerate various types of information
 about a domain from a specific DNS server.

As seen above, the options for enumeration are:

  • Zone Transfer
  • Brute Force with Dictionary
  • Reverse Lookup of an IPRANGE
  • Standard Record Lookup (NS, SOA, MX, A and TXT)
  • Top Level Domain Enumeration testing for gTLDs and ccTLDs
  • Service Record Enumeration by looking for the most common types of records
  • Check for wildcard name resolution

There are also Advanced Options that can be seen by running the 'show advanced' command:

 msf auxiliary(dns_enum) > show advanced
 Module advanced options:
  Name           : RETRY
  Current Setting: 2
  Description    : Number of times to try to resolve a record if no response is
     received
  Name           : RETRY_INTERVAL
  Current Setting: 2
  Description    : Number of seconds to wait before doing a retry
  Name           : THREADS
  Current Setting: 10
  Description    : Number of threads to use when using ENUM_BRT, ENUM_TLD, and
     ENUM_RVL checks

As can be seen, the advanced options are the retry interval, the number of retries and the number of threads. One special thing to be aware of: when running the ENUM_BRT, ENUM_TLD and ENUM_RVL checks with everything logged to a database, use a DB like MySQL or Postgres so as to avoid lockouts, or bring the number of threads down to 1 if using SQLite.

Let's start by doing a simple enumeration of standard records for Google, disabling all other checks:

 msf auxiliary(dns_enum) > set ENUM_AXFR false
 ENUM_AXFR => false
 msf auxiliary(dns_enum) > set ENUM_SRV false
 ENUM_SRV => false
 msf auxiliary(dns_enum) > set DOMAIN google.com
 DOMAIN => google.com
 msf auxiliary(dns_enum) > run
 [*] Setting DNS Server to google.com NS: xxx.xxx.xxx.10
 [*] Retrieving General DNS Records
 [*] Domain: google.com IP Address: xxx.xxx.xxx.100 Record: A
 [*] Domain: google.com IP Address: xxx.xxx.xxx.100 Record: A
 [*] Domain: google.com IP Address: 74.125.45.100 Record: A
 [*] Start of Authority: ns1.google.com. IP Address: xxx.xxx.xxx.10 Record: SOA
 [*] Name Server: ns3.google.com. IP Address: xxx.xxx.xxx.10 Record: NS
 [*] Name Server: ns4.google.com. IP Address: xxx.xxx.xxx.10 Record: NS
 [*] Name Server: ns1.google.com. IP Address: xxx.xxx.xxx.10 Record: NS
 [*] Name Server: ns2.google.com. IP Address: xxx.xxx.xxx.10 Record: NS
 [*] Name: google.com.s9a1.psmtp.com. Preference: 10 Record: MX
 [*] Name: google.com.s9b2.psmtp.com. Preference: 10 Record: MX
 [*] Name: google.com.s9a2.psmtp.com. Preference: 10 Record: MX
 [*] Name: google.com.s9b1.psmtp.com. Preference: 10 Record: MX
 [*] Text: v=spf1 include:_netblocks.google.com ip4:xxx.xxx.xxx.70/31 ip4:xxx.xxx.xxx.72/31 ~all , TXT
 [*] Auxiliary module execution completed

As we can see, Google was so nice to give us its mail server ranges in the TXT record holding the SPF entry. Let's see the saved data in the DB by running the 'db_notes' command:

 msf auxiliary(dns_enum) >
 msf auxiliary(dns_enum) > db_notes
 [*] Time: Thu Nov 12 17:27:26 -0400 2009 Note: host=xxx.xxx.xxx.100 type=DNS_ENUM data=xxx.xxx.xxx.100,google.com,A
 [*] Time: Thu Nov 12 17:27:26 -0400 2009 Note: host=xxx.xxx.xxx.100 type=DNS_ENUM data=xxx.xxx.xxx.100,google.com,A
 [*] Time: Thu Nov 12 17:27:26 -0400 2009 Note: host=xxx.xxx.xxx.100 type=DNS_ENUM data=xxx.xxx.xxx.100,google.com,A
 [*] Time: Thu Nov 12 17:27:26 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=xxx.xxx.xxx.10,ns1.google.com.,SOA
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=xxx.xxx.xxx.10,ns3.google.com.,NS
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=xxx.xxx.xxx.10,ns4.google.com.,NS
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=xxx.xxx.xxx.10,ns1.google.com.,NS
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=xxx.xxx.xxx.10,ns2.google.com.,NS
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=google.com.s9a1.psmtp.com.,MX
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=google.com.s9b2.psmtp.com.,MX
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=google.com.s9a2.psmtp.com.,MX
 [*] Time: Thu Nov 12 17:27:27 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=google.com.s9b1.psmtp.com.,MX
 [*] Time: Thu Nov 12 17:27:28 -0400 2009 Note: host=xxx.xxx.xxx.10 type=DNS_ENUM data=v=spf1 include:_netblocks.google.com ip4:xxx.xxx.xxx.70/31 ip4:xxx.xxx.xxx.72/31 ~all ,TXT
 msf auxiliary(dns_enum) >

Now let's test for some SRV records. For this we will pick Avaya; we enable SRV enumeration and change the target domain:

 msf auxiliary(dns_enum) > set ENUM_SRV true
 ENUM_SRV => true
 msf auxiliary(dns_enum) > set DOMAIN avaya.com
 DOMAIN => avaya.com
 msf auxiliary(dns_enum) > run
 [*] Setting DNS Server to avaya.com NS: xxx.xxx.xxx.99
 [*] Retrieving General DNS Records
 [*] Domain: avaya.com IP Address: xxx.xxx.xxx.75 Record: A
 [*] Start of Authority: njextdns.avaya.com. IP Address: xxx.xxx.xxx.99 Record: SOA
 [*] Name Server: njextdns.avaya.com. IP Address: xxx.xxx.xxx.99 Record: NS
 [*] Name Server: coextdns.avaya.com. IP Address: xxx.xxx.xxx.99 Record: NS
 [*] Name Server: frextdns.avaya.com. IP Address: xxx.xxx.xxx.99 Record: NS
 [*] Name: nj300815-nj-iereast.avaya.com. Preference: 100 Record: MX
 [*] Name: co300216-co-ierwest.avaya.com. Preference: 100 Record: MX
 [*] Name: de307622-de-ieremea.avaya.com. Preference: 100 Record: MX
 [*] Setting DNS Server to avaya.com NS: xxx.xxx.xxx.99
 [*] Enumerating SRV Records for avaya.com
 [*] SRV Record: _sip._tls.avaya.com Host: sip.avaya.com. Port: 443 Priority: 0
 [*] SRV Record: _sipfederationtls._tcp.avaya.com Host: sip.avaya.com. Port: 5061 Priority: 10
 [*] Auxiliary module execution completed
 msf auxiliary(dns_enum) >

As we can see, they have a SIP VoIP system and a federation endpoint published, both running over TLS.

Let's test for zone transfers. For this we will choose Intermedia; we set all other checks to false and change the target domain:

 msf auxiliary(dns_enum) > set ENUM_STD false
 ENUM_STD => false
 msf auxiliary(dns_enum) > set DOMAIN intermedia.net
 DOMAIN => intermedia.net
 msf auxiliary(dns_enum) > set ENUM_SRV false
 ENUM_SRV => false
 msf auxiliary(dns_enum) > set ENUM_AXFR true
 ENUM_AXFR => true
 msf auxiliary(dns_enum) >
 [*] Testing Nameserver: ns4.intermedia.net.
 AXFR query, switching to TCP
 [*] Zone Transfer Successful
 [*] Name: ns2.intermedia.net. Record: SOA
 [*] Text: v=spf1 include:spf.intermedia.net a:neii.intermedia.net a:multipurpose.intermedia.net a:fax-gw.intermedia.net a:relay.stanaphone.com a:exhub-1.intermedia.net a:exhub-2.intermedia.net mx a:external13.msoutlookonline.net a:vtrnz.com ~all  Record: TXT
 [*] Name: smtp.intermedia.net. Preference: 10 Record: MX
 [*] Name: intermedia.net. IP Address: xxx.xxx.xxx.183 Record: A
 [*] Name: ns2.intermedia.net. Record: NS
 [*] Name: ns3.intermedia.net. Record: NS
 [*] Name: ns4.intermedia.net. Record: NS
 [*] Host: ocs.intermedia-inc.net. Port: 5061 Priority: 0 Record: SRV
 [*] Host: xmpp-1.intermedia.net. Port: 5269 Priority: 0 Record: SRV
 [*] Host: sip.intermedia.net. Port: 5061 Priority: 0 Record: SRV
 ................................................
 [*] Name: antigen.intermedia.net. IP Address: xxx.xxx.xxx.27 Record: A
 [*] Name: sql1.antispam.intermedia.net. IP Address: xxx.xxx.xxx.248 Record: A
 ......................................................
 [*] Name: hpadmin.intermedia.net. IP Address: xxx.xxx.xxx.142 Record: A
 [*] Name: ic.intermedia.net. IP Address: xxx.xxx.xxx.133 Record: A
 [*] Name: pdc019.icpemail.intermedia.net. Record: NS
 [*] Name: pdc019.icpemail.intermedia.net. IP Address: xxx.xxx.xxx.17 Record: A
 [*] Name: multipurpose.intermedia.net. Record: CNAME
 [*] Name: iis.intermedia.net. IP Address: xxx.xxx.xxx.244 Record: A
 [*] Name: iis7.intermedia.net. IP Address: xxx.xxx.xxx.244 Record: A
 [*] Name: imapsync1-1.intermedia.net. IP Address: 10.10.192.183 Record: A
 [*] Name: imdev.intermedia.net. IP Address: xxx.xxx.xxx.15 Record: A
 ................................................................................
 [*] Name: kvm1.intermedia.net. IP Address: xxx.xxx.xxx.243 Record: A
 [*] Name: ldap10.intermedia.net. IP Address: xxx.xxx.xxx.122 Record: A
 [*] Name: ldap11.intermedia.net. IP Address: xxx.xxx.xxx.127 Record: A
 [*] Name: ldap12.intermedia.net. IP Address: xxx.xxx.xxx.14 Record: A
 [*] Name: ldap3.intermedia.net. IP Address: xxx.xxx.xxx.4 Record: A
 ................................................................................
 [*] Name: mac10.intermedia.net. IP Address: xxx.xxx.xxx.120 Record: A
 [*] Name: mac10-1.intermedia.net. IP Address: xxx.xxx.xxx.126 Record: A
 [*] Name: mac11.intermedia.net. IP Address: xxx.xxx.xxx.125 Record: A
 [*] Name: mac3.intermedia.net. IP Address: xxx.xxx.xxx.92 Record: A
 [*] Name: mac4.intermedia.net. IP Address: xxx.xxx.xxx.93 Record: A
 [*] Name: mac5.intermedia.net. IP Address: xxx.xxx.xxx.112 Record: A
 ................................................................................
 [*] Name: mailman.intermedia.net. IP Address: xxx.xxx.xxx.213 Record: A
 [*] Name: mailman-new.intermedia.net. IP Address: xxx.xxx.xxx.212 Record: A
 [*] Name: mis3.intermedia.net. IP Address: xxx.xxx.xxx.89 Record: A
 [*] Name: mis4.intermedia.net. IP Address: xxx.xxx.xxx.90 Record: A
 [*] Name: mis5.intermedia.net. IP Address: xxx.xxx.xxx.12 Record: A
 ................................................................................
 [*] Name: monitoring.intermedia.net. IP Address: xxx.xxx.xxx.12 Record: A
 ................................................................................
 [*] Name: mysql3.intermedia.net. IP Address: xxx.xxx.xxx.197 Record: A
 [*] Name: mysql5.intermedia.net. IP Address: xxx.xxx.xxx.190 Record: A
 [*] Name: mysql5a.intermedia.net. IP Address: xxx.xxx.xxx.191 Record: A
 [*] Name: mysql5b.intermedia.net. IP Address: xxx.xxx.xxx.191 Record: A
 [*] Name: mysql5c.intermedia.net. IP Address: xxx.xxx.xxx.191 Record: A
 [*] Name: mysql5d.intermedia.net. IP Address: xxx.xxx.xxx.191 Record: A
 [*] Name: mysql5e.intermedia.net. IP Address: xxx.xxx.xxx.191 Record: A
 [*] Name: mysql5f.intermedia.net. IP Address: xxx.xxx.xxx.146 Record: A
 [*] Name: mysql5g.intermedia.net. IP Address: xxx.xxx.xxx.63 Record: A
 [*] Name: mysqladm.intermedia.net. IP Address: xxx.xxx.xxx.4 Record: A
 [*] Name: mysqladwebmail-ro-1.intermedia.net. Record: CNAME
 [*] Name: mysqladwebmail-ro-1.intermedia.net. IP Address: xxx.xxx.xxx.76 Record: A
 [*] Name: mysqladwebmail-rw-1.intermedia.net. Record: CNAME
 [*] Name: mysqladwebmail-rw-1.intermedia.net. IP Address: xxx.xxx.xxx.76 Record: A
 [*] Name: devmysql3.intermedia.net. Record: CNAME
 ................................................................................
 [*] Name: neii.intermedia.net. IP Address: xxx.xxx.xxx.60 Record: A
 [*] Name: exchange100-1.intermedia.net.intermedia.net. IP Address: xxx.xxx.xxx.188 Record: A
 [*] Name: netflow2.intermedia.net. IP Address: xxx.xxx.xxx.245 Record: A
 [*] Name: netflow2a.intermedia.net. IP Address: xxx.xxx.xxx.219 Record: A
 ................................................................................
 [*] Name: provisioning.intermedia.net. IP Address: 10.254.254.85 Record: A
 [*] Name: provisioningdev.intermedia.net. IP Address: xxx.xxx.xxx.154 Record: A
 [*] Name: provisioningstage.intermedia.net. IP Address: xxx.xxx.xxx.166 Record: A
 ................................................................................
 [*] Name: squid.intermedia.net. IP Address: xxx.xxx.xxx.21 Record: A
 [*] Name: sslvpn.intermedia.net. IP Address: xxx.xxx.xxx.4 Record: A
 [*] Name: stage.intermedia.net. IP Address: xxx.xxx.xxx.183 Record: A
 [*] Name: sugarcrm.intermedia.net. IP Address: xxx.xxx.xxx.201 Record: A
 [*] Name: kb.intermedia.net. Record: CNAME
 [*] Name: supportftp.intermedia.net. IP Address: xxx.xxx.xxx.87 Record: A
 [*] Name: survey.intermedia.net. IP Address: xxx.xxx.xxx.228 Record: A
 [*] Name: devsvn1.intermedia.net.ru. Record: CNAME
 ................................................................................
 [*] Name: syslog3.intermedia.net. IP Address: xxx.xxx.xxx.245 Record: A
 [*] Name: syslog4.intermedia.net. IP Address: xxx.xxx.xxx.18 Record: A
 [*] Name: syslog5.intermedia.net. IP Address: xxx.xxx.xxx.100 Record: A
 [*] Name: syslogw-mt-1.intermedia.net. IP Address: xxx.xxx.xxx.229 Record: A
 [*] Name: syslogw-nj-1.intermedia.net. IP Address: xxx.xxx.xxx.101 Record: A
 [*] Name: syslogw-vx-1.intermedia.net. IP Address: xxx.xxx.xxx.115 Record: A
 ................................................................................
 [*] Name: vmcenter.intermedia.net. IP Address: xxx.xxx.xxx.210 Record: A
 [*] Name: vmclumt-1.intermedia.net. IP Address: xxx.xxx.xxx.100 Record: A
 [*] Name: vmclumt-2.intermedia.net. IP Address: xxx.xxx.xxx.110 Record: A
 ................................................................................
 [*] Name: wiki.intermedia.net. IP Address: xxx.xxx.xxx.11 Record: A
 [*] Name: wssv003-1.intermedia.net. IP Address: xxx.xxx.xxx.72 Record: A
 [*] Name: wsus01.intermedia.net. IP Address: xxx.xxx.xxx.200 Record: A
 [*] Name: wsus02.intermedia.net. IP Address: xxx.xxx.xxx.200 Record: A
 [*] Auxiliary module execution completed
 msf auxiliary(dns_enum) >
 msf auxiliary(dns_enum) > set ENUM_RVL true
 ENUM_RVL => true
 msf auxiliary(dns_enum) > set IPRANGE xxx.xxx.xxx.0/24
 IPRANGE => xxx.xxx.xxx.0/24
 msf auxiliary(dns_enum) > set ENUM_AXFR false
 ENUM_AXFR => false
 msf auxiliary(dns_enum) > run
 msf auxiliary(dns_enum) > run
 [*] Setting DNS Server to intermedia.net NS: xxx.xxx.xxx.2
 [*] Running Reverse Lookup against ip range xxx.xxx.xxx.0-xxx.xxx.xxx.255
 [*] Host Name: intermedia.net. IP Address: xxx.xxx.xxx.0
 [*] Host Name: intermedia.net. IP Address: xxx.xxx.xxx.4
 [*] Host Name: hosting7838-1.intermedia.net. IP Address: xxx.xxx.xxx.2
 ................................................................................
 [*] Host Name: h7838-4.wh001.domain.local. IP Address: xxx.xxx.xxx.14
 [*] Host Name: h7838-4.wh001.domain.local. IP Address: xxx.xxx.xxx.15
 ................................................................................
 [*] Host Name: hosting7838-2.intermedia.net. IP Address: xxx.xxx.xxx.128
 ................................................................................
 [*] Auxiliary module execution completed
 msf auxiliary(dns_enum) >

As we can see from the results, the zone was a very large one and many hosts are very interesting in terms of their names; we can also notice some internal IPs being shown.
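A defender's follow-up to the internal-address finding above, written here as an added example in Ruby (Metasploit's own language) and not part of Carlos's segment or the dns_enum module: it post-processes dns_enum-style console output and flags A and reverse-lookup answers that point into RFC 1918, loopback or link-local space, plus names ending in internal-looking suffixes. The example.net hostnames and addresses are constructed, and the suffix list is an assumed heuristic.

```ruby
require 'ipaddr'

# Constructed dns_enum-style output (not a real capture): hostnames live under
# example.net and addresses come from RFC 5737 / RFC 1918 ranges.
SAMPLE_OUTPUT = <<~OUT
  [*] Name: www.example.net. IP Address: 203.0.113.10 Record: A
  [*] Name: imapsync1-1.example.net. IP Address: 10.10.192.183 Record: A
  [*] Name: provisioning.example.net. IP Address: 10.254.254.85 Record: A
  [*] Name: ns2.example.net. Record: NS
  [*] Host: sip.example.net. Port: 5061 Priority: 0 Record: SRV
  [*] Name: wiki.example.net. IP Address: 192.168.1.11 Record: A
  [*] Host Name: h7838-4.wh001.domain.local. IP Address: 203.0.113.14
  [*] Auxiliary module execution completed
OUT

# Matches the forward form "[*] Name: <fqdn>. IP Address: <ip> Record: <type>"
# and the reverse-lookup form "[*] Host Name: <fqdn>. IP Address: <ip>".
RECORD_RE = /\A\[\*\] (?:Host )?Name: (?<name>\S+) IP Address: (?<ip>\S+)(?: Record: (?<type>\w+))?\z/

# Address space that should never appear in a public zone: RFC 1918 private,
# loopback and link-local ranges.
INTERNAL_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                     127.0.0.0/8 169.254.0.0/16].map { |cidr| IPAddr.new(cidr) }

# Assumed heuristic: suffixes that normally belong to internal naming.
INTERNAL_SUFFIXES = %w[.local .internal .lan .corp].freeze

DnsRecord = Struct.new(:name, :ip, :type)

# Turn console output into records; lines without a name/address pair (NS,
# SRV, status lines) are skipped, as are lines with an unparsable address.
def parse_dns_enum(output)
  output.each_line.map do |line|
    m = RECORD_RE.match(line.strip)
    next unless m
    begin
      ip = IPAddr.new(m[:ip])
    rescue IPAddr::InvalidAddressError
      next
    end
    # Reverse-lookup lines carry no "Record:" field; they are PTR answers.
    DnsRecord.new(m[:name].chomp('.'), ip, m[:type] || 'PTR')
  end.compact
end

def internal_ip?(ip)
  INTERNAL_RANGES.any? { |range| range.include?(ip) }
end

def internal_name?(name)
  INTERNAL_SUFFIXES.any? { |suffix| name.end_with?(suffix) }
end

# Audit the output and return one finding per problem found; a record can
# produce both a private-address and an internal-name finding.
def audit(output)
  parse_dns_enum(output).flat_map do |rec|
    findings = []
    findings << { issue: :private_address, name: rec.name, ip: rec.ip.to_s } if internal_ip?(rec.ip)
    findings << { issue: :internal_name, name: rec.name, ip: rec.ip.to_s } if internal_name?(rec.name)
    findings
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_OUTPUT).each do |f|
    puts "#{f[:issue]}: #{f[:name]} (#{f[:ip]})"
  end
end
```

Replace SAMPLE_OUTPUT with a saved msfconsole session to triage a real run; anything the zone should not be publishing shows up as a finding.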

I do invite you to run all the other checks and provide bug reports and feedback.

Tech Segment: Mick "BetterSafetyNet" Douglas - Network Packet Analysis with Xplico

(video will be posted once Mick figures out how to keep the 12:00 from blinking on the VCR -- this will also be posted on the www.pauldotcom.com page too)

Say you have large pcaps -- too big for wireshark -- or maybe you have lots of little ones. Xplico is the tool I've been using for this sort of work for a little while now... and I have to tell you I *like* what I'm seeing.

There are two modes of interacting with Xplico, web and CLI. Today we're focusing on the web...

It allows you to log in and upload pcap files, or begin a live capture (but why would you do this?)

The web interface works sort of like a more "white hat" and easier to use iteration of the dsniff suite of tools. It allows reassembly and presentation of the following protocols:

  • FTP/TFTP
  • email (POP/IMAP)
  • HTTP
  • Videos & images

It also has some nice reporting:

  • top talkers
  • GeoIP -- allows graphic representation of hosts!


Xplico, check it out! You might really dig it!!  :-)

Stories For Discussion

  1. iPwned via SSH - The Aussie edition - [MikeP] - Larry had a similar Dutch story last week. This time, jailbroken iPhones with the default ssh password were rickrolled [DISCLAIMER: link to the left is not a RickRoll :-) ]
  2. Ipwnage, again - [Larry] - In a follow up to our story about default SSH passwords on jailbroken iPhones, the talk was that this was nothing to worry about. Of course now there is a PAYLOAD that will grab all of your data, including contacts, SMS and email.
  3. Apple App cracks Irish modem passwords - [Mark Hillick] - Listener submitted story (Thanks Mark!) showing Apple approved App which cracks the password given SSID. Approximately 250K modems vulnerable from Eircom.
  4. Safeguarding pacemakers - [Mick] - We get fired up over vulnerabilities because it's often a matter of life and death... literally.
  5. Be the polygraph - [Mick] - This is a very nice intro to lie detection. File this under no-tech hacking and social engineering. Warning, some of the ads on the site might be NSFW.
  6. DDOSing a federal wiretap - [Larry] - Of course, when all is said and done, I wonder what the legalities are. Apparently, the way the "digital taps" work is to create a 64k data channel back to the feds. If you can claim all that bandwidth, guess what gets dropped…
  7. Buy me an ATM - [Larry] - Real easy to buy your own ATM off of eBay or craigslist, but what about a used one? If they don't wipe the ATM before they sell it, they will keep the transactions in the device. All it takes is a readily available manual. Now, once you have the ATM, install a skimmer and camera and deploy. A related news article noted how easy it would be to bait unsuspecting users.
  8. COFEE Leaked - [Larry] - Uhh, yeah, where you been? The reviews are in too: apparently if you are technical this tool isn't all that great for you. It only grabs limited information and is pretty light on anything hardcore. Some of the arguments that I heard bashing the leak was that now attackers will create tools to circumvent COFEE. Uh, guys, those tools are already out there.
  9. More MS Patch Tuesday Hate - "Instead, an attacker would have to convince the user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the attacker's site." - Bullshit, users visit web sites on their own, they don't have to be convinced. And all it takes is a simple XSS or other vulnerability on ANY web site, and it can be used to launch an attack. What about a public Wiki? Ads from a malicious site? Why does Microsoft water down these types of vulnerabilities? They are doing their customers a disservice!
  10. "Security is a people problem, not a software problem" - [Pauldotcom] - My take on this is that security is everyone's problem, and passing the buck and saying that people should "just encrypt your hard drive" is plain stupid. Fact is, security needs to be addressed from all angles, this means creating security software and educating users, so, well, go do that! :)
  11. The Problem With Browser Security... - [Pauldotcom] - So Cenzic released their trends report and Firefox is in the lead with 44% of the vulnerabilities. I believe this is a good thing for Firefox and SOLIDIFIES it as the more secure alternative. First, the vulnerability severity is not calculated into the equation. Second, Firefox is open source and hopefully that leads to more bugs being found and more bugs being fixed. See, finding and fixing more bugs means that Firefox's programmers are paying attention to security and fixing stuff. Furthermore, with IE having more of a market share, wouldn't you hold on to that IE 0day?
  12. ZDI - Upcoming Advisories Page (from @hdmoore) - [pauldotcom] - I can't believe we've never talked about this page, it backs up so much of what we talk about sometimes! It's a listing of 0days, by how long since they were first reported to ZDI, and the vendor responsible for the vulnerable software. Guess what, some software program developed by HP has a bug that has gone reported and unpatched for 1129 days. No other details are published, but it goes to show you that exploits exist for vulnerabilities that have not been patched! So, don't design your network around a "patch based" model, you will fail.
  13. iPhone Worm Spreads via Default Password - [pauldotcom] - While limited in scope to jailbroken iPhones running the SSH app, the brilliant creators of that app gave it a default password of "alpine". Dear developers, never include default passwords, they suck. We've ranted about this in the past, and I think it's time to reach the creators of the software, so if you know someone who writes software, tell them to ditch the default password and prompt the user for the password the first time they use it, please.
  14. And while we're on the topic, someone smack the Apache Tomcat developers! - [pauldotcom] - a built-in admin account with a BLANK password, FTW!
  15. MMMM, fresh Windows 7 0day - [pauldotcom] - Will we ever be done finding bugs in SMB, wait let me answer that, no! PoC added to Metasploit, sweet!

Other Stories Of Interest

  1. Str0ke not dead, Offensive Security takes over Milw0rm - [The Intern] - It appears that Str0ke is alive and fine and Offensive Security will be taking over the updating of the milw0rm site. More to come before the show I am sure.
  2. Family tree of Beer - [Mick] - "To alcohol! The cause of and solution to all of life's troubles." -- Homer J. Simpson
  3. Where do you put the quarters? - [Mick] - Pac-man, cool. Hacked Roombas, cool. Put them together? Awesomesauce!