Episode295

From Paul's Security Weekly


Teasers & Plugs

PaulDotCom Security Weekly - Episode 295 for Thursday July 5th, 2012

  • Come by our table at Defcon in the vendor area! We will have newly designed Hack Naked t-shirts on sale: men's shirts in black and red, with two different designs to choose from; women's tank tops in black with both white and pink logos; Hack Naked branded post-exploitation clean-up towels; toddler-sized Hack Naked shirts; and free Hack Naked stickers! And a special guest at the booth!
  • Don't forget to reach out to us for penetration testing services by sending email to consulting@pauldotcom.com!
  • Also, if you want to waste your time and comment/write in telling us to grow up, go right ahead. It's way too late for that and we're having fun. So this episode will feature extra silly banter, just for you...

Interview: Randy Marchany


(Photo: Randy.jpg)


Randy is the CISO for Virginia Tech and a co-author of the original FBI/SANS Institute "Top 10/20 Internet Security Vulnerabilities" document that has become a standard for most computer security and auditing software. He is the co-author of the SANS Institute's "Responding to DDOS Attacks" document that was prepared at the request of the White House in response to the attacks of 2000. He is also acknowledged as one of the North American masters of the hammer dulcimer.

  1. How did you get your start in information security?
  2. What advice do you have for folks getting their start in information security?
  3. What are some of the current challenges in security for Universities?
  4. What are some of the more innovative ways in which security is being implemented in Universities?
  5. Have Universities always been faced with the BYOD challenge? In what ways is it the same or different from other organizations?
  6. What are some of the security and implementation challenges associated with IPv6?
  7. How does IPv6 help us with security?
  8. How does IPv6 hurt us when it comes to security?
  9. What problems are we faced with when trying to secure IPv6 networks and how do we overcome them?
  10. What advice do you have for people implementing IPv6?

Tech Segment: Using Nmap To Screenshot Web Services

Teasers & Plugs

  • Episode 300 of PaulDotCom Security Weekly will be recorded and streamed live on Friday August 31st in support of a cure for breast cancer. We will broadcast live from 10AM until 6PM Eastern time, and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!

Introduction

This segment is based on an outstanding post from the folks at Trustwave SpiderLabs. You can find the original post here: Using Nmap to Screenshot Web Services. Refer to that article for how to get started by installing the screenshot library and the NSE script. I like the idea of tying this functionality to Nmap; it seems like a great fit. I made some changes to the scripts and the results, as follows:

My hacks to the NSE script

I made two changes to the NSE script:

  1. I changed the name of the binary to wkhtmltoimage-amd64 to match my platform (I suppose I could have just created a soft link on the command line)
  2. I removed the "screenshot-nmap-" from the beginning of each screenshot filename

Below is the diff:

# diff /usr/local/share/nmap/scripts/http-screenshot.nse /usr/src/Nmap-Tools/NSE/http-screenshot.nse 
39,40c39,40
< 	-- Screenshots will be called screenshot-namp-<IP>:<port>.png
<         local filename = "screenshot-nmap-" .. host.ip .. ":" .. port.number .. ".png"
---
> 	-- Screenshots will be called <IP>:<port>.png
>         local filename = host.ip .. ":" .. port.number .. ".png"
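Review bot: dropping the "screenshot-nmap-" prefix on line 40 means every PNG is written as a bare <IP>:<port>.png in the current working directory, where it can collide with or overwrite unrelated files; consider keeping a prefix or writing into a dedicated output directory, and note that the colon in the name is not portable to Windows filesystems. The rewritten comment also happens to fix the "screenshot-namp" typo in the original line 39.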
48c48
< 	local cmd = "wkhtmltoimage-i386 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> /dev/null   >/dev/null"
---
> 	local cmd = "wkhtmltoimage-amd64 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> /dev/null   >/dev/null"
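Review bot: hard-coding wkhtmltoimage-amd64 on line 48 ties the script to one platform, and the next update of http-screenshot.nse will silently reintroduce the i386 name; the soft link mentioned in the text above, or a script argument read via stdnse.get_script_args, would avoid editing the script at all. Also note that the command is assembled by string concatenation and run through the shell with both stdout and stderr sent to /dev/null, so a missing binary or a failed render produces no error and the scan output gives no hint that a screenshot was skipped.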

My Nmap command

I ran Nmap and told it to look only for web servers on ports 80 and 443 (as those are the only ports my script will handle). I used -sV to get more information about the service. I also recommend running it with a few more NSE scripts enabled if you want more information, such as headers, from your web services; in an initial scan of a target I might enable all of the http scripts. To test the script, though, I ran it as follows:

nmap -P0 -p80,443 -sV --script=http-screenshot <ip range/subnet>

My hacked up script

I created a mangled mess of awk to generate my HTML output:

#!/bin/bash
# Build preview.html: one link plus one thumbnail per <IP>:<port>.png screenshot in the current directory
printf "<HTML><BODY><BR>" > preview.html
ls -1 *.png | awk -F : '{ printf "<A HREF=\""; sub(/\.png/,"");  # drop the extension; $0 is re-split, so $2 is now the bare port
  if ($2 == "443") printf "https://" $1; else printf "http://" $1 ":" $2;  # 443 -> https, anything else -> http with explicit port
  printf "\">" $1 ":" $2 "</A><BR><IMG SRC=\"" $1 ":" $2 ".png\" width=400> <BR>\n" }' >> preview.html
printf "</BODY></HTML>" >> preview.html

  1. I added an HTML HREF link so you can click and land on the web page displayed in the output (requested by someone in the comments to the blog)
  2. I removed the ".png" from the filename using the awk sub command
  3. I used the same if statement as in my previous technical segment to distinguish HTTP from HTTPS

My resulting HTML page

(Screenshot of the resulting preview page: Myscreen.png)

Next steps

  • I really want to be able to identify all HTTP or HTTPS services and print the appropriate URL. This means finding the web services on all ports and constructing the appropriate URL depending on whether it is HTTPS or HTTP (so detecting HTTPS on ports other than 443)
  • I want the HTTP headers in the output, so I can see what type of web server or application server is being run
  • I want to be able to feed the script a list of directories that have been brute-forced for each of the hosts and ports. I took a quick look and didn't see an NSE script to do this; it would be nice to have a small wordlist, identify directories, then take a screenshot of the results for each directory
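As an added example (not the original post's script, nor Trustwave's), here is a Python rewrite of the HTML generator that covers the first item above: it takes the scheme from the service fingerprint in Nmap's -oX XML output (tunnel="ssl" or an https service name) instead of from the port number, while keeping the <IP>:<port>.png filename convention of the modified NSE script. The XML is a constructed sample, not a real scan.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -oX output (not a real scan), covering the cases the
# port-number heuristic gets wrong: SSL on 8443 and plain HTTP on 8080.
SAMPLE_XML = """<nmaprun>
  <host><address addr="10.0.0.5"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="9000"><state state="closed"/><service name="cslistener"/></port>
    </ports>
  </host>
</nmaprun>"""

def web_services(xml_text):
    """Return (ip, port, scheme, product) for every open port nmap fingerprinted as HTTP(S)."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if "http" not in name:
                continue  # skip ssh and other non-web services
            # Scheme comes from the fingerprint, not the port: tunnel="ssl" or an https* name
            ssl = svc.get("tunnel") == "ssl" or name.startswith("https")
            found.append((addr, int(port.get("portid")), "https" if ssl else "http",
                          svc.get("product", "")))
    return found

def build_preview(services):
    """Same page shape as the awk script above: link plus <IP>:<port>.png thumbnail per service."""
    rows = []
    for ip, port, scheme, product in services:
        url = html.escape(f"{scheme}://{ip}:{port}")
        shot = html.escape(f"{ip}:{port}.png")  # filename convention from the modified NSE script
        label = html.escape(f"{ip}:{port} {product}".rstrip())
        rows.append(f'<A HREF="{url}">{label}</A><BR><IMG SRC="{shot}" width=400><BR>')
    return "<HTML><BODY><BR>" + "\n".join(rows) + "</BODY></HTML>"

if __name__ == "__main__":
    print(build_preview(web_services(SAMPLE_XML)))
```

Run it against real output with `nmap -Pn -p- -sV --script=http-screenshot -oX scan.xml <targets>` and pass the file contents to web_services; the port 22 and closed-port entries in the sample show what gets filtered out.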

Stories

Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration are available online. If you have not yet registered or submitted a talk, please do so now.
  • Episode 296 will feature interviews with Ben & Lawrence of the Pentesticles Blog. Episode 300 will be streamed live on August 31 from 10AM-6PM in support of a cure for breast cancer. Pauldotcom members will all wear pink shirts, not to be missed!
  • Security BSides everywhere: Cleveland, Las Vegas, Los Angeles and more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segment!

Paul's Stories

  1. Printer Bomb spread using compromised .htaccess files - According to Symantec, the redirection is carefully controlled by the .htaccess file. The rules come between 1600 blank lines at the top and bottom of the file to avoid being spotted by a casual reader. Cute little trick; word to the wise, don't be a casual reader of your configuration files, detect change! This is a neat way to distribute malware, as you can rewrite URLs in .htaccess files. If you run a web server, it's probably a good idea not to allow attackers to modify files. In order to do this, they had to gain some level of access to the file system. Appropriate permissions are key as well. I'd be curious to see where the security fail lies here; good configuration management and monitoring could easily prevent and detect this attack.
  2. Hearing-aid hackers fine-tuning their own devices - Future hearing aids could adjust to cope with even the noisiest environments. You just have to see the picture associated with this comment, right out of a 20-something-year-old's Facebook photo. In any case, it's cool to see people hacking, and in the truest sense of the word.
  3. Security On A Budget: Cracking Excel Passwords with vb Script - If you've ever been on a pen test and come across an Excel file that's password protected, you should read this article. In fact, you should just read the article anyhow, as it describes a free tool for brute-forcing an Excel password. Users will try to be sneaky and password protect the important documents. Searching for tools to do this is a path to the dark side, scum, villainy, you name it. I think most of the shareware/freeware results are malware themselves, preying on the users who locked themselves out of their company directory containing SSNs.
  4. Man And Robot Linked By Brain Scanner - This is the real-life implementation of the movie "Surrogates". Totally awesome technology which allows you to control a robot with your mind. Sound like science fiction? Read the article! It's hard to imagine where technology will take us, and for us security folks our imagination turns towards thoughts of how to hack such devices. Malware for robots? What if I take over your robot and commit a crime? And yes, then there is what it would look like when a robot makes dirty gestures, because that's the first thing I would do when I hack your robot (Why is your robot thrusting its hips at all the female neighbors?)
  5. Android's Smartphones Used For Botnet - Seems that Android smartphone insecurity is all over the news. Not surprising, as we've talked about how the platform is an easier target than iOS in many respects. The question remains, what do you do to secure your Android smartphone?
  6. Schneier’s Thoughts on How to Break into Security - I picked out the highlights: STUDY: You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology. and DO: Computer security is fundamentally a practitioner’s art, and that requires practice. and SHOW: You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books. Great advice.
  7. Pwn Plug Command Execution Using USB Sticks - Neat little trick for accessing a Pwn plug over USB.
  8. Open Security Research: Hack Tips: CiscoWorks Exploitation - Nice tutorial on exploiting CiscoWorks.

Larry's Stories

Jack's Totally Rad Stories

  1. Ramon Krikken responds to the backlash against his WAF comments - Worth a read; he makes some good points, and doesn't simply cop out and blame the journalist for the tone of the article.
  2. Twitter Transparency Report - An interesting look at requests for user information, and takedown/removal requests received by Twitter.
  3. Feeble data breach bill is feeble - It may sound good, but it isn't. This would preempt data breach laws in 49 US states and territories, and doesn't even set a deadline for disclosure. This is A Very Bad thing disguised as a good thing.
  4. But there is a move to strengthen SEC reporting laws - At least Sen. Rockefeller thinks we need more real disclosure.

Allison's Super Cool Stories

  1. Cisco's Linksys router update pushes cloud interface, raising user ire and privacy concerns - Cisco raises privacy and security concerns when their new router update signs users up to their cloud interface without asking nicely.
  2. TOR finds intercept flaw in deep packet inspection devices - The Tor project has found that the Cyberoam Deep Packet Inspection devices all share the same certificate. Any device can decrypt MITM'ed traffic from any other device.
  3. Criminals launch managed SMS flooding services - Thieves are now offering SMS flooding services, designed to prevent an account owner from seeing any SMS alerts from their bank. This also has great potential for pranks.
  4. Police: Hacker may have targeted Lemont's tornado sirens - "Police suspect someone made a copy of the signal and broadcast it, activating the sirens"
  5. Legal problems loom for the cloud - If you're considering moving your business data to the cloud, you should consider the legal issues.
  6. New Java Exploit to Debut in BlackHole Exploit Kits - Patch your machines before they patch their exploit kits.