Episode216

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Announcements

PaulDotCom Security Weekly - Episode 216 - For Thursday October 21st, 2010.

  • Announcing Hack3rcon!The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend. Our very own Carlos Perez will be speaking!
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Things in Kismac That Surprise Me

Kismac is a great wireless hacking tool, I found some neat things:

  • It supports your Alfa USB card with the RTL8187L chipset
  • Do not install the Realtek drivers. They have crabs and cause your card not to work with Kismac
  • Kismac supports WEP cracking for weak keys, Newsham 21 bit attack, regular brute-forcing, and wordlists
  • It works with your internal Airport card
  • It will put your internal airport card in monitor mode
  • You can use Hamster and Ferret on OS X with your airport once Kismac has it in monitor mode
  • No interface gets created by Kismac when using Alfa USB, which is a bummer

Tech Segment: Defcon PaulDotCom Badge Challenge

This year we conducted another contest for DEFCON. While it wasn't for a party badge, it was for bragging rights and a cool laser cut badge. Here's the solution:

First off, we did mention that everything that you needed was in the blog post. Many of you thought incorrectly, that like last year, the hidden goodies were in the image. You were wrong. Close, but wrong. How close? Use the source Luke!

Looking at the HTML source of the page you would notice right under that image is a URL written in white text on a white background. Of course highlighting the blog post would have revealed it, or it would have rendered in a readable format using Chrome. What does it say? http://www.badguywalmart.com

So, what happens when you get there? You get a web page with a secret i-hacked contest code. But wait, theres more! Looks a little oddly formatted. Again, a reveal of the source or a highlight of the page reveals the following text:

Welcome!

Everything you need is located at the server www.badguywalmart.com. (We're in no way affiliated with Walmart Corporation, BTW.)

I sure hope noone portscans me, but you have permission to do so. You do not have permission to launch attacks or compromise this box though. Please be gentle with your scans, but be thorough. You only need to worry about TCP, and ports under 1000.) 

Ok, so, lets do it. We'll even do it the easy way, with as few command line options as possible. We will make sure that we don't go over port 1000 in order to be gentle.

Hiroshige:~ lpesce$ nmap www.badguywalmart.com -p 1-1000

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:52 EDT
Nmap scan report for www.badguywalmart.com (173.69.3.38)
Host is up (0.015s latency).
rDNS record for 173.69.3.38: static-173-69-3-38.prvdri.fios.verizon.net
Not shown: 483 closed ports
PORT    STATE SERVICE
1/tcp   open  tcpmux
6/tcp   open  unknown
9/tcp   open  discard
13/tcp  open  daytime
18/tcp  open  unknown
22/tcp  open  ssh
30/tcp  open  unknown
33/tcp  open  dsp
36/tcp  open  unknown
45/tcp  open  mpm
54/tcp  open  xns-ch
57/tcp  open  priv-term
70/tcp  open  gopher
71/tcp  open  netrjs-1
80/tcp  open  http
84/tcp  open  ctf
115/tcp open  sftp

Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds

Uh, ok, so that's like a lot of weird services. Finger? Don't mind if I do. So, I did say to be thorough, right? One way we could have done that would have been with the Firefox plugin Header Spy, we would have noticed something very interesting about the header response for port 80:

The server identifies itself as "http://twitpic.com/photos/badguywalmart". Hrm. That's an interesting server header. That's no Apache! Of course, if you actually browse to that address, you'll get a bunch of pictures with phrases written on them..I wonder how those fit in.

Back to the header on port 80. So, I wonder if the other services are what nmap says they are. If we start plugging some of those other ports into a browser as well, we get the same web page as on on port 80. Clearly we have something here…even though I was looking forward to playing Netris.

Let's use the NSE script to look at HTTP headers! This one written by Ron Bowes, works real well, and when it can identify the server, it gives us a bunch of stuff (trimmed for brevity).


Hiroshige:~ lpesce$ nmap -sV --script=http-headers www.badguywalmart.com -p 1-1000

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:55 EDT
Nmap scan report for www.badguywalmart.com (173.69.3.38)
Host is up (0.048s latency).
rDNS record for 173.69.3.38: static-173-69-3-38.prvdri.fios.verizon.net
Not shown: 483 closed ports
PORT    STATE SERVICE    VERSION
1/tcp   open  http       lighttpd 1.4.26
| http-headers:  
|   Content-Type: text/html
|   Accept-Ranges: bytes
|   ETag: "-1893968157"
|   Last-Modified: Tue, 27 Jul 2010 03:23:48 GMT
|   Content-Length: 1795
|   Connection: close
|   Date: Thu, 12 Aug 2010 14:56:55 GMT
|   Server: lighttpd/1.4.26
|   
|_  (Request type: HEAD)
7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13-TCP:V=5.21%I=7%D=8/12%Time=4C640B67%P=i386-apple-darwin10.4.0%r(
SF:GenericLines,1FF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/html\r\nContent-Length:\x20349\r\nConnection:\x20close\r\nDate:\
SF:x20Thu,\x2012\x20Aug\x202010\x2014:55:35\x20GMT\r\nServer:\x20I\x20come
SF:\x20third\x20AND\x20sixth\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding
SF:=\"iso-8859-1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHT
SF:ML\x201\.0\x20Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x
SF:20xmlns=\"http://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20lang=\
SF:"en\">\n\x20<head>\n\x20\x20<title>400\x20-\x20Bad\x20Request</title>\n
SF:\x20</head>\n\x20<body>\n\x20\x20<h1>400\x20-\x20Bad\x20Request</h1>\n\
SF:x20</body>\n</html>\n")%r(GetRequest,80D,"HTTP/1\.0\x20200\x20OK\r\nVar
SF:y:\x20Accept-Encoding\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x
SF:20bytes\r\nETag:\x20\"-1893968157\"\r\nLast-Modified:\x20Tue,\x2027\x20
SF:Jul\x202010\x2003:23:48\x20GMT\r\nContent-Length:\x201795\r\nConnection
SF::\x20close\r\nDate:\x20Thu,\x2012\x20Aug\x202010\x2014:55:35\x20GMT\r\n
SF:Server:\x20I\x20come\x20third\x20AND\x20sixth\r\n\r\n<html><body\x20tex

***SNIP***

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.84 seconds

We will note that it isn't all formatted "properly". After speaking with Ron, you might want to modify the NSE script to perform the nice output for servers on ports other than 80 and 443. Entirely up to you, as we do get the information that we need either way.

Once we look at the results we will note that we have a bunch of server headers. Some for Lighttpd, which aren't very interesting, but we are left with the following ports and services (in addition to the one already discovered on port 80 for the twitpic pictures):

Port  Header 
13    i come third and sixth 
33    i come first
54    i come seventh
57    i come second
70    i come dot fourth N AND dot eighth W
84    i come fifth

Well, that seems interesting. That seems to be instructions! If we arrange the port numbers according to the instructions and apparent punctuation in the header we get:

33 57 13 . 70 N 84 13 54 . 70W

or

33 deg 57' 13.70" N, 84 deg 13' 54.70" W

Now we're talkin'. However, what is at this location? Let's Google Map it! Unfortunately, Google doesn't play well with Degrees Minutes Seconds. We can use the page <a href=http://www.fcc.gov/mb/audio/bickel/DDDMMSS-decimal.html>here</a> to convert to decimal, which google likes. Try this location instead:

33.953822, -84.231899

Which Google maps <a href=http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=33.953806,+-84.231861+(You+can+insert+your+text+here)&sll=37.771868,-122.422972&sspn=0.045321,0.089006&g=37.771008,+-122.41175&ie=UTF8&ll=33.953546,-84.231985&spn=0.003084,0.005563&z=18&iwloc=lyrftr:m,10459900436034087647,33.953822,-84.231899>here</a> to a location with a GameStop at 6050 Peachtree Pkwy, Norcross, GA. But, what else interesting is at that address.

Unfortunatley since DEFCON, the page rank for the company we are looking for has plummeted from the second entry to the middle of the <a href=http://www.google.com/search?q=6050+Peachtree+Parkway,+Norcross,+GA&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=AkCITJG6KMK78gbXsKH6AQ&start=20&sa=N&cad=cbv#q=6050+Peachtree+Parkway,+Norcross,+GA+30092&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=lUCITMT6CIH98AbivNyiAg&start=50&sa=N&fp=368644f9c0f1c536>fourth page</a> When you see it, you'll get it.

Want to confirm? How do we know which phrase? How about downloading some pictures from that twitpic stream and using exiftool to look at the pictures? Remember, you need to download the full size image, as often post processing will remove metadata. Once we do that, we'll note that one image has the exact same GPS location as determined from our port numbers. Yep, the first one in the list. That was your phrase that pays. Now, time to go "check" you work!

Guest Interview: Mati "Muts" Aharoni & Chris Hadnagy

Mati is the founder of Offensive Security. His day to day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing. In addition, he is the lead writer and trainer for many of the “Offensive Security” courses, which focus on attacker tools and methodologies. Mati has been training security and hacking courses for over 13 years and is actively involved in the security arena, and is one of the core developers of the BackTrack live CD.

Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 13 years. As the founder of social-engineer.org his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics and also has had many articles published in local, national and international magazines and online journals. Chris is working on the management and planning of new and exciting programs with the Offsec family.

  1. How did each of you get your start in information Security?
  2. What led you to develop an expertise in Social Engineering?
  3. Tell us about BackTrack's current and future development, what we can expect for 2011 from BT and the SE podcast?
  4. What your goals for the Social Engineering webcast?
  5. Where you got the idea for the SE podcast,
  6. What are some of the current challenges to maintaining Backtrack?
  7. What are some of the hidden gems inside Backtrack?
  8. What hardware do you recommend for using Backtrack?
  9. Any good SE/pen test stories you can share?
  10. Info, on the business side, as to what offensive-security.com provides

Stories For Discussion

  1. 6 security leaks you should fix NOW! - [Larry] - Uhhh, wow these seem a little off base to me. Unauthorized smartphones on Wi-Fi networks, Open ports on a network printer, Custom-developed Web applications with bad code, Social network spoofing, Employees downloading illegal movies and music, SMS text messaging spoofs and malware infections. Lets discuss….
  2. Fake AV? Nah, it's real. - [Larry] - Kaspersky website gets poped, and links to download of fake style AV. Ironic. Kaspersky blames a third party component. You should still test it regardless, no?
  3. Topic - Tools Vs. Skills - How much do you rely on tools? Do inexperienced people give tools a bad name? Should you be an expert in tools, techniques, or both? If you're just starting out, don't tools help you? If you are experienced, should you write all your own tools or use other people's? What about customizing tools?
  4. Thief backs up data. - [Larry] - Man gets laptop stolen. Man admits he's ba at backing up. Thief backs up data and mails to victim. Aww, how nice. Wait, what?
  5. If everyone was jumping off a bridge... - [Pauldotcom] - Scott from NW posted an article on cloud security. Scott's arguement was that since salesforce.com says they are secure, and "everyone" (77k+ users) is using then, then it must be secure. Secure cloud review puts Scott in check, stating that just because everyone is doing it doesn't mean its the right thing. I think something that plays into this is that yes, people are jumping off the bridge, landing in the water, and swimming to shore unharmed. Since no one is apparently getting hurt, then its okay and the cloud is secure. What about the people with ear infections, parasites, or those who get run over by a boat? Until that happens, people will keep jumping. All it takes is one big data breach and salesforce is no more. What you need to decide is if its aceptable risk for YOU. Will you lose your company if saleforce succombs to a data breach? Thats the decisions you need to make.
  6. Six "Enterprise" Security leaks? - [Pauldotcom] - I'm all for ripping on article, but I think that the new school of infosec went a little overboard on this one. A computer world article was published titled, "Six Enterprise Security leaks you should plug right now". New school ripped on them for not covering the flaws that lead to most data breaches. THe first was actually not bluetooth rifles, which new school says could only be used to get address books. I think this is largely not true. First, if someone did penetrate a mobile phone, how would you know? What mechanisms are in places at most organizations to detect this? My answer: very little. With bluetooth, or wifi, you can get more than the address book. How about stored credentials? Uploading malware? OR Josh's example of using bluetooth as a listening device? While computer world was a little off its rocker, I think the main critism new school missed was: Physical access. You need some sort of physical acess in order to pull off these attacks, therefore lowing the risk. Now, still think an area that will make wireless security explode in people's face's like a TNT laced cigar is accessing devices remotely, then using the built-in wireless to attack other wireless devies. This should be an active area of research. Then there are printers. We all know, I just don't agree with dismissing printer security. Use shodan, there are printers on the Internet. Oh yea, and your relying on your firewall to protect your printers. Do this, pretend your firewall isn't there, then defend your network. So you've patched everything you can, use enryption between your workstations/server, and guess what? I will attack your printer, because most don't support enryption, no one patches them, the protocols implement weak, if any security, and no one seems to log information from the printers. Its not about doing what everyone else is doing, its about protecting whats important to you, not what the media is discussing.
  7. 0day in MOXA MDM Tool - [pauldotcom] - MOXA makes industrial/SCADA products, and Ruben has released an 0day for their products. Ruben states, "I've not notified the vendor because: I am not working for them and They don't have a security contact publicly available" I'm going to be honest, control systems vendors need to wake up and pay attention to security researchers. Having a security contact is not a bad thing.
  8. Wall Of Shame: Pros Cons? - [pauldotcom] - I think this is a great educational tool, provided its done correctly. I believe we need to use real data, and shame people into being secure. Its similar to showing teenagers the effects of STDs, child birth, etc... Does that stop teenagers from having sex? No. Okay, so maybe thats a bad example. On the flip side, if people can see, or even better experience, something bad happen it makes them more aware. However, with a wall of sheep, they don't truly experience the full brunt of the baddness, as most wall of shame data is obfuscated and an attacker does not get your password. However, if every open Wifi network had a wall of shame, we might see users change, would we?

Other Stories of Interest