Episode204

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."

"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet...."

Shameless Plugs & General Announcements

Welcome to PaulDotCom Security Weekly - Episode 204 - for Sunday, August 1, 2010.

  • Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon!
  • It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
  • John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
  • The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome; please see http://cyber-raid.com for more info.

Episode Media

mp3

Tech Segment: How to Survive non-showering attendees at Cons

Soap

Tech Segment: HoneyPorts on Linux

Building on the concepts that we discussed last week with HoneyPorts on Windows, we will now take a look at how to do roughly the same thing on Linux.

First, the setup:

[root@linux ~]# while true; do echo "started"; IP=$(nc -v -l -p 2222 2>&1 1>/dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1); [ -n "$IP" ] && iptables -A INPUT -p tcp -s "${IP}" -j DROP; done


Once again, we are using netcat because it does a very good job of only logging connections when a full three-way handshake has been completed. We do not want our block rule tripped, and a system blocked, simply on the basis of a SYN packet. That would be disastrous: a SYN carries no proof of where it came from, so an attacker could spoof SYNs from a number of legitimate sources (your gateway, your DNS servers, your admin workstation) and cause your system to DoS itself. The listener's stderr (where `nc -v` reports the connection) is piped into grep and cut to extract the peer address, the peer's actual data goes to /dev/null, and the loop only adds an iptables rule when an address was actually extracted.

Please note that the syntax of the cut commands may need to change based on the version of netcat you are using: the cut fields above match the traditional netcat banner (`connect to [local] from host [remote] port`), while the OpenBSD netcat prints a different banner with no brackets. Also be aware that the loop blocks whatever address connects to port 2222, including your own: test from a host you do not mind losing, or put an ACCEPT rule for your management address ahead of the DROP rules. The cut tip was provided by ByteBucket, who was a great help with this little project.

Lets see what the portscan looks like..

Nmap scan report for 172.16.30.191
Host is up (0.0012s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
2222/tcp open     unknown
3306/tcp open     mysql

Please note that we are not running nmap as root. By default, when running an nmap scan as a non-root user the scan type will be -sT, a full connect scan, which is exactly what trips the listener. A SYN scan (-sS, the default when scanning as root) never completes the handshake, so netcat would never see a connection and nothing would be blocked.

Lets see what happens when we try the scan again:

Nmap scan report for 172.16.30.191
Host is up.
All 1000 scanned ports on 172.16.30.191 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.24 seconds


And our iptables rule is now in effect:


[root@linux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  172.16.30.1          anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)


And now the scanner, and only the scanner, is blocked. Once again, remember this is effective because completing a TCP handshake from a spoofed IP address requires guessing the initial sequence number (ISN) in a SYN/ACK the spoofer never sees. It is even more difficult if the real system is alive, because it will answer the unsolicited SYN/ACK with a RST and tear down the half-open connection.

However, it is not impossible.

Please note that the rule I have used can be extended with the recent module in iptables, so that the drop rule times out after a specified period of time instead of accumulating permanent per-address DROP rules.
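The following is an added example, not the original segment's code, showing one way to do that: a single DROP rule consults an xt_recent list, the netcat loop adds scanner addresses to the list through the /proc/net/xt_recent interface, and entries expire on their own. The banner parsing is factored into a function that handles both the traditional netcat banner and the OpenBSD netcat banners, which is the cut-syntax issue mentioned above. The variable and function names (HONEYPORT, RECENT_LIST, BLOCK_SECONDS, extract_ip, setup_rules, block_ip, honeyport_loop) and the sample banner lines in the comments are my own; it assumes root, iptables built with the recent match, and a kernel that exposes /proc/net/xt_recent (older kernels use /proc/net/ipt_recent).

```shell
#!/bin/sh
# HoneyPort with a timed block via the iptables "recent" module.
# Added example; not from the original PaulDotCom segment.
# Assumes: root, iptables with xt_recent, traditional or OpenBSD netcat.
HONEYPORT=2222
RECENT_LIST=honeyport        # name of the xt_recent list (assumed name)
BLOCK_SECONDS=3600           # how long a scanner stays blocked

# Pull the peer's IPv4 address out of netcat's -v output. Three banner
# styles are handled (constructed examples, local side is 172.16.30.191):
#   traditional nc: connect to [172.16.30.191] from (UNKNOWN) [172.16.30.1] 40000
#   OpenBSD nc    : Connection from 172.16.30.1 40000 received!
#   newer OpenBSD : Connection received on 172.16.30.1 40000
# "listening on ..." lines are ignored so the local address is never blocked.
# Prints the address and returns 0; returns 1 if no completed connection is seen.
extract_ip() {
    ipv4='[0-9]{1,3}(\.[0-9]{1,3}){3}'
    conn=$(printf '%s\n' "$1" | grep -E 'connect to \[|^Connection (from|received on) ' | head -n 1)
    [ -n "$conn" ] || return 1
    case $conn in
        *"connect to ["*) conn=${conn#*from} ;;   # traditional nc: peer follows "from"
    esac
    printf '%s\n' "$conn" | grep -oE "$ipv4" | head -n 1
}

# One-time setup: one DROP rule that checks the recent list. --rcheck with
# --seconds stops matching BLOCK_SECONDS after the address was added;
# --reap purges expired entries from the list.
setup_rules() {
    iptables -I INPUT -p tcp -m recent --name "$RECENT_LIST" \
        --rcheck --seconds "$BLOCK_SECONDS" --reap -j DROP
}

# Add (or re-stamp) an address in the list; "-addr" would remove it.
# The proc entry exists once a rule referencing the list is loaded.
block_ip() {
    echo "+$1" > "/proc/net/xt_recent/$RECENT_LIST"
}

# Listen, block the peer that completed a handshake, listen again.
honeyport_loop() {
    while true; do
        # nc -v reports the connection on stderr; the peer's data goes to /dev/null
        banner=$(nc -v -l -p "$HONEYPORT" 2>&1 >/dev/null)
        ip=$(extract_ip "$banner") || continue
        [ -n "$ip" ] || continue
        block_ip "$ip"
        echo "blocked $ip for $BLOCK_SECONDS seconds"
    done
}

# Usage (as root): sh honeyport.sh run
if [ "${1:-}" = "run" ]; then
    setup_rules
    honeyport_loop
fi
```

Because the block is keyed on the list rather than on per-address rules, `iptables -L` stays short and an address that stops scanning is quietly forgotten after BLOCK_SECONDS; `cat /proc/net/xt_recent/honeyport` shows who is currently listed. Using --update instead of --rcheck would re-stamp the entry on every packet from the scanner, extending the block for as long as it keeps probing.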

A full write-up can be found here.

So there you have it. A nice little way to mess with attackers, pen testers and the pesky red-teamers you may have to face in the future.

-strandjs (Fr. John)


Stories For Discussion

1) Vuln scanning vs pen testing - do you need to exploit something to know you have to patch it? Does "exploitability" factor into a risk calculation? What if the vendor makes software that can't be patched? Some people are then trying to exploit it to gauge risk; I kinda think this is dumb.

2) IPv6 - It's coming; large ISPs are already there because they are out of address space. So, given a typical network will be 1-10 million addresses worth of space, with only a small percentage of live hosts, how do we do host discovery? ARP is different in v6; you can't scan it like v4. Some thoughts are DNS, passive recon, sniffing, SMB enumeration; we will have to be creative. I think we should apply these methods to v4 to be more stealthy and speed up our scans!

3) RFID, ATMs, and attacking daily life - I think we're going to see "hacking" start to trickle into the mainstream. As devices become computers, and everyday computers become devices we use daily, hacking life will be accessible to us and all those teenagers living in their mom's basements that we always talk about. The ATM hack was cool, and it's still not fixed. RFID tags can be read from a mile away, stealing your personal information. I believe we will see these attacks get easier, and digital and physical crimes will merge. Example: I will scan your wallet to get your PIN, then use ATM hacks to cover my tracks when I take out money.

Other Stories of Interest