Episode197

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 197 - For Thursday April 29th.

  • Pen Test Summit! - June 14-15, 2010. The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment thought leaders in the world. This must-see event lets attendees interact directly with industry leaders, discussing tough technical and operational issues to get the most value from penetration testing and vulnerability assessment expenditures.

Episode Media

mp3 pt 1

mp3 pt 2

Guest Interview: Chris Nickerson & Ryan Jones

BACKGROUND

Chris Nickerson is a security researcher who specializes in Red Team Testing & Social Engineering and is the CEO of Lares Consulting. When he is not pistol whipping n00bs, Chris can be found sitting quietly in a corner, knitting.

Ryan "Lizzie Borden" Jones is a podcaster, security consultant, and unquestionably, the REAL star of the awesome but short-lived TruTV program Tiger Team.

Questions

  1. How did you each get started in information security?
  2. I first saw you on the reality TV show "Tiger Team", please do tell us the story of how that came about.
  3. What is the value of penetration testing and vulnerability scanning, respectively?
  4. What can we do and say to convince management to authorize the full-blown, gloves-off penetration test?
  5. Do penetration tests really emulate real-world attacks?
  6. What are some tips you can give people to make social engineering more successful? What about defense?
  7. At some point you started a podcast, what prompted you to create one and how's it going? (we all listen and love every minute of it, laughing our asses off!)
  8. Why does everyone seem to get web application pen testing wrong?
  9. Do most organizations suck that bad at physical security? What are some tips to give people to improve physical security?
  10. What's next for you guys, more TV?

Tech Segment: Taking Over The World One Device at a Time

Find an ISP using a particular model

In this step you can use Shodan or Google. Shodan will let you enter something like "zyxel". Review the results, then do a whois lookup on the IP address. This will give you a full listing of the IP addresses in use by the ISP. You can also hunt through Google and read articles to determine which ISP is using which model router. Then use the ISP's name and do the lookup that way. In either case, you may end up with IP addresses that are in a weird format. For example:

My ISP HoldCo LLC MY-ISP-1A (NET-10-31-32-0-1) 10.31.32.0 - 10.31.255.255
My ISP HoldCo LLC MY-ISP-5 (NET-10-160-0-0-1) 10.160.0.0 - 10.170.127.255
My ISP HoldCo LLC MY-ISP-4 (NET-10-210-0-0-1) 10.210.0.0 - 10.210.255.255
My ISP HoldCo LLC MY-ISP-1B (NET-10-30-128-0-1) 10.30.128.0 - 10.30.223.255
My ISP HoldCo LLC MY-ISP-3-A (NET-10-92-160-0-1) 10.92.160.0 - 10.95.255.255

Massage The IP Data

Nmap does not accept IP ranges in this format. Nmap wants a subnet mask, not a range as displayed above. I consulted the Internet Gods, closed my eyes, clicked my heels, and lo and behold, someone had already written the code for me to convert the IP addresses! The program is a Perl script called ipcalc (http://freshmeat.net/projects/ipcalc/). It has the following options:

 -n --nocolor  Don't display ANSI color codes.
 -b --nobinary Suppress the bitwise output.
 -c --class    Just print bit-count-mask of given address.
 -h --html     Display results as HTML (not finished in this version).
 -v --version  Print Version.
 -s --split n1 n2 n3 Split into networks of size n1, n2, n3.
 -r --range    Deaggregate address range.

We want the "-r" option to deaggregate the address ranges. So, given the output from ARIN's web site above (I did some massaging with bash to get just the range), I came up with this:

$ awk '{print "./ipcalc -r "$1 $2 $3}' bt.ranges | sh | grep -v deaggr > bt.ranges.targets

Which gives you this:

10.135.215.104/29
10.116.2.112/29
10.164.229.248/29
10.165.89.56/29
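What the range deaggregation step does, written out as an added example (not code from the show notes or from ipcalc): it extracts the trailing range from whois-style lines and splits each range into the fewest CIDR blocks, which is useful when inventorying address space you are responsible for. The sample lines are constructed in the listing format shown earlier, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the whois listing format shown above.
SAMPLE = """\
My ISP HoldCo LLC MY-ISP-1A (NET-10-31-32-0-1) 10.31.32.0 - 10.31.255.255
My ISP HoldCo LLC MY-ISP-4 (NET-10-210-0-0-1) 10.210.0.0 - 10.210.255.255
"""

# The range is the last thing on the line: "a.b.c.d - e.f.g.h"
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")


def deaggregate(first, last):
    """Split an inclusive IPv4 range into the fewest CIDR blocks."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above end {last}")
    blocks = []
    while lo <= hi:
        # Largest block that may start at lo: limited by lo's alignment ...
        size = lo & -lo if lo else 1 << 32
        # ... and by how many addresses are left in the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks


def ranges_to_cidrs(text):
    """Pull the trailing range from each line and convert it to CIDR."""
    out = []
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if m:
            out.extend(deaggregate(m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    print("\n".join(ranges_to_cidrs(SAMPLE)))
```

A range that does not start on a power-of-two boundary, such as the first sample line, comes out as several blocks of different sizes.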

Start Scanning

Sweet! Now we can fire up Nmap:

nohup nmap --version-light --min-hostgroup 1024 -T4 -n -PN -oG roadrunnerall-take2 -sV -p 80 -iL rr.ranges.targets &

I like to use "nohup" to be certain my process never dies. The --version-light option is great for scanning large numbers of embedded systems, as it can enumerate the web server running a little quicker without causing problems with the target. Scanning for one port (80) means we can crank up --min-hostgroup to scan 1024 hosts at once at all times. I do set the rest of the timers to "Aggressive" (-T4), disable name lookups (-n), and tell Nmap not to ping (-PN), since we are only scanning one port.

Then you can parse the results as follows:

# grep open roadrunnerall-take2 | grep -v "\/\/\/\/\/" | egrep -v '(skype|IIS|Apache|tcpwrapped)' | less

And you get the "interesting results":

Host: 10.26.37.251 ()   Ports: 80/open/tcp//http//Cisco IOS administrative webserver/
Host: 10.26.48.75 ()    Ports: 80/open/tcp//http//Grandstream HT502 VoIP router http config/
Host: 10.26.51.67 ()    Ports: 80/open/tcp//http//Crestron MPS-200 AV routing system http config/
Host: 10.26.51.128 ()   Ports: 80/open/tcp//http//VoIP|POTS gateway http config/
Host: 10.26.54.94 ()    Ports: 80/open/tcp//http//TeamViewer httpd/
Host: 10.26.56.126 ()   Ports: 80/open/tcp//http//m0n0wall FreeBSD firewall web interface/
Host: 10.26.56.188 ()   Ports: 80/open/tcp//http//TRENDnet TVIP-422w webcam http config/
Host: 10.26.57.108 ()   Ports: 80/open/tcp//http//D-Link DCS-900 webcam http config/
Host: 10.26.58.80 ()    Ports: 80/open/tcp//http//Cisco IOS administrative httpd/
Host: 10.26.62.7 ()     Ports: 80/open/tcp//http//Grandstream HT502 VoIP router http config/
Host: 10.26.63.10 ()    Ports: 80/open/tcp//http//Mathopd httpd 1.1/
Host: 10.26.64.68 ()    Ports: 80/open/tcp//http//Mbedthis-Appweb 2.0.4/
Host: 10.26.65.185 ()   Ports: 80/open/tcp//http//Boa HTTPd 0.93.15/
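The same filtering done on the individual fields of Nmap's grepable (-oG) format instead of on whole lines, as an added example that is not part of the original show notes. It groups hosts by version banner so that an audit of your own address space shows which device management interfaces are exposed and how many of each. The sample lines are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in -oG format, modelled on the results above.
SAMPLE = (
    "Host: 10.26.37.251 ()\tPorts: 80/open/tcp//http//Cisco IOS administrative webserver/\n"
    "Host: 10.26.51.128 ()\tPorts: 80/open/tcp//http//VoIP|POTS gateway http config/\n"
    "Host: 10.26.58.80 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.3/\n"
    "Host: 10.26.60.2 ()\tPorts: 80/open/tcp/////\n"
    "Host: 10.26.61.9 ()\tPorts: 80/closed/tcp//http///\n"
    "Host: 10.26.62.7 ()\tPorts: 80/open/tcp//http//Cisco IOS administrative webserver/\n"
)

LINE_RE = re.compile(r"^Host: (\S+) \(.*?\)\s+Ports: (.*?)(?:\t|$)")
SKIP = re.compile(r"skype|IIS|Apache|tcpwrapped")  # same terms as the egrep -v


def device_inventory(text):
    """Map each version banner to the (host, port) pairs exposing it."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no ports
        for entry in m.group(2).split(", "):
            # port/state/protocol/owner/service/rpc-info/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            service, version = fields[4], fields[6]
            if not version or SKIP.search(service + " " + version):
                continue  # no fingerprint, or a general-purpose server
            # A "/" inside a banner shows up as "|" (see "VoIP|POTS" above);
            # the banner is kept exactly as Nmap wrote it.
            found[version].append((m.group(1), int(fields[0])))
    return dict(found)


if __name__ == "__main__":
    for banner, hosts in sorted(device_inventory(SAMPLE).items()):
        print(f"{len(hosts):4d}  {banner}")
```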

Now, Bob scanned 50 million+ IP addresses on the Internet and only one person complained. Bob explained this was for research, excluded his IP addresses from all future scans, and went on scanning.

Be Afraid, Very Afraid

This is scary for a lot of reasons:

1) If you port scan the Internet, almost no one notices. If they do, they are easily socially engineered.

2) You can discover embedded systems web interfaces very quickly and efficiently.

3) As most of us know, the web interfaces are full of vulnerabilities. From default/easily guessable passwords to authentication bypass, to XSS, etc...

4) If attackers can find, exploit, and take over routers we're in big trouble. No one would notice, sensitive information passes through them, and just what do we do if the majority of the infrastructure that we are trying to protect is compromised?

Even scarier, what if attackers applied automation to this process and started to automatically find and exploit routers, re-configuring the DNS servers of people's routers?


Stories For Discussion

  1. NYC MTA Magic Key - [Larry] Thanks to Renderman for sending this link along. Apparently the NYC MTA has issues with folks stealing fares, because folks have been selling copies of the "magic" key that allows them to unlock the turnstiles and pass without paying. What did they do? Ran an article in the NY Daily News with a picture of the alleged key and lock. Now we can likely recreate it from the picture. Mental note, if you are concerned about folks having some information about your company, don't take a picture of it and publish it on the internet.
  2. Turn up the heat! - [Larry] Nothing like an LFI and Remote Code execution. On a heat pump. With the server running as root. Yes, it requires authentication, but the LFI gives you the ability to launch a CSRF attack…
  3. Trusted banking via virtual - [Larry] - …the IronKey way. It seems like a good idea, but something doesn't sit right with me. The Virtual system can be updated remotely (maybe that's it), the USB drive can't be written to by the user (is that it?), and the custom Linux and Firefox installation takes extra steps to deter key loggers (hmm, how can you tell, and no IE), is it the virtual keyboard (no, surely those can't be defeated)…Maybe it is the $250 price tag per seat (DING!). I guess after all the proof is in the pudding, after all the IronKey folks do REALLY good work.
  4. What kind of Pimp are you - [Larry] - I mean, really, do we have to put a label on everything?
  5. Web Application Security Underfunded? - [Pauldotcom] - Whitehat and Imperva have both released studies that show web app security is not getting enough of your security budgets. No surprise this comes from these organizations, but I believe it's true. The author offers up some reasons, such as: decision makers are unaware of the relative risks; inertia; legal and regulatory requirements overlook web app security; and a perception that web application security cannot be solved by throwing money or resources at it. Some good reasons. I think it's up to us to raise awareness, build inertia, push the compliance standards to take it seriously, and identify it as a real problem that cannot be solved by just throwing money at the problem.
  6. Windows malware targets iPad Users - [Pauldotcom] - Kind of funny that malware authors will use the iPad to lure people in, but still target Windows, and not the iPad. You could most likely easily write malware to collect user's iTunes passwords, but I wonder what that gains you? Can you profit from this? Likely not, but still something to consider...
  7. I am a narcissistic vulnerability pimp - [pauldotcom] - I had this story last week where Verizon tried to sum up vulnerability disclosure. There has been a slew of articles about it lately as well. Many have tried to sum it up, but I think the elephant in the room is: A majority of vendors don't fix their code (and customers don't apply the patches) until something bad happens. Until there is a public exploit and/or public exploitation, people give vulnerabilities a low priority. This is just one way that organizations prioritize risk, and unfortunately it leaves you open to attack. Software vendors *should* be fixing their code, and my view over the years has changed. I believe the evil stuff has to be released in order to effect change. There I said it. It may not be true 100% of the time, but that seems to be where it's headed.
  8. Sharing: We learned about it in Kindergarten, why not apply it now? - [pauldotcom] - The Apache project released the details of a compromise on one of its servers. It's a pretty neat hack, however it seems to me that the attackers were very noisy (why brute force the logins if you've got a working 0day XSS vuln?). Apache has a nice writeup that answers the questions of What worked? What didn't work? (a longer list :) and What are we changing?. The one thing missing, pointed out by one of the commenters, is how to delete your account from the affected system.
  9. Phishing... Courtesy of the Red White and Blue - [strandjs] - What the hell are they doing at Guam? I am glad they are testing for this stuff, but it looks like it got out of hand.
  10. Sharepoint: A gift for Pen Testers - [strandjs] - There is so much evil one can do with SharePoint, here is another example.
  11. Symantec Buys PGP - [strandjs] - PGP, passed around like a joint at a frat party.


Other Stories