Episode59

From Paul's Security Weekly
Jump to: navigation, search

Episode Media

mp3

Tech Tips: Embedded Devices For Hacking

WRT54GWRT54G/GS - Broadcom CPU/Wireless Ethernet, varying Flash/RAM combos, everyone should have at least 2.

WRTSL54GS - Very fast version of the WRT54G, the WAN is separate from the LAN interface which yields more throughput on the switch, 266Mhz CPU, 8MB/32MB, USB port!

Asus WL-500G Deluxe - This device is HOT, 266Mhz processor, 8MB/32MB, mini-PCI wireless, USB 2.0.

NSLU2 - Intel IXP420 ARM processor, 8MB/32MB, USB port, Debian! You can use these as a DVR!

Buffalo WHR-G54s - Broadcom-based device, similar to WRT54G, CHEAP, like $40!

Security professionals and hackers should be all over this stuff:

- Great for a pen test, drop it off at the customer site as a backdoor

- They support OpenVPN, IPSec, and SSH

- Play with wireless, learn how to secure it, WPA, crack WEP, WPA2, etc...

- Kismet runs on it, nuf said

- Learn how to play with firewalls, iptables

- With two WRT54Gs, that have two RP-TNC connectors, the possibilities are endless! (Wardriving, bridges, etc...)

- Learn about switches, VLANs, etc... (An EXCELLENT addition to our getting started in security thread)

- Most also support VoIP! Something that needs more focus with respects to security.

- There might be a book coming out that you should buy :)

Tool Of The Week

VPN testing with ike-scan

I found this cool little utility (in a flash demo for BinNavi, wierd). It compiles and runs on Windows or Linux and fingerprints VPN servers:

  1. ike-scan 192.168.10.57

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.10.57 (192.168.10.57) Main Mode Handshake returned HDR=(CKY-R=82ff33fbef80bf13) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Other features include PSK cracking! Cool stuff, always good to pick apart a clients VPN to be certain people are not lazy (using aggressive mode, weak keys, weak hashing, weak encryption, etc...).

Stories For Discussion

Keep out hackers, don't broadcast your SSID - [PaulDotCom] - Just seeing if you were paying attention. The article does recommend that users enable WPA, but does not get into WPA vs. WPA2. It should come as no surprise that they recommend MAC address filtering too. [Larry] - Psst. Your wireless is showing!

Centrino IPW2200 remote code execution - [Larry] - Did we talk about this allready? Either way, a pretty trivial attack. Only tested on limited drivers....

New Version of BinNavi can debug/step IOS and ScreenOS - [PaulDotCom] - I won't pretend to know all the intimate details, however this will make it easier for reverse engineering of embedded devices, which means easier to find vulnerabilities. [Larry] - I'm not an expert either, but I can see this being tied to many upcoming embedded system exploits...

Speaking Of IOS Vulnerabilities.. - [PaulDotCom] - Wow, we got three yesterday! So much fun updating IOS. No details on an exploit, Cisco's recommendations seemed kind of lame to me, like apply access lists, duh... [Larry] Not to mention the "Detecting" advisories didn't really talk about detecting in detail other than relating to the ACLs the recommend - if our recommended ACLs are being triggered, you detected it. Detected what? deets please! (Ican inderstand the reason for no...)

MSN password stealer Torrent - [Larry] - Now, I know people get pwned by downloading torrents all the time....but usually as an "afterthought". The one, the only purpose of the torrent was the resulting pwnag3.

Bluetooth DoS Vulnerability in Various Cell Phones - [PaulDotCom] - Now here is one way to quiet down that noisy cell phone user, provided they are using a supported phone. [Larry] - Make this work in my car for that woman swerving all over the road in front of me.

Skype delivers enterprise managemet - [Larry] - Now with version 3.0 administrators can manage Skype capabilities with Windows Group Policy. Good thing I have it installed on my Mac - No GPO!

Quicktime is Patched - [PaulDotCom] - A source once told me that Quicktime gets fixed quicker because its a smaller codebase with less dependencies. It took Apple 30 days to patch it. When will we see patches for all the other MOAB apple flaws? Open source projects have already patched (VLC and Colloquy). So, what do we think? 30 days - too long? reasonable? how long would it have taken MS to patch a similar threat on WMP?

VoIP Phone Vulnerability - Free Calls Result! - [PaulDotCom] - This is just too good, I had to read it twice to make certain I was really reading what I thought I was. So, I connect to the phone's web server and login as administrator. Once that happens anyone else can send HTTP requests to the web server and they are executed as administrator, regardless of IP address! What do I get? The VoIP users provider, username, and PIN #. Don't enable HTTP access to your VoIP phones AND filter them with a firewall and private network. Or, leave them exposed to the Internet and let hackers make free calls, we like that.

Oooh, babies with rfid! - [Larry] - Not just that, sometimes security that makes people feel good is a better return than a small risk.

802.11n Disasters - [PaulDotCom] - I hope vendors will come around, but most likely they will not. 802.11b/g stuff is just too cheap, more margin, so 802.11n may exist in the 2.4Ghz spectrum (some with 40Hz wide channels!!!). Solution? I'm moving my important stuff to 802.11a (With WPA of course).

Fyodor vs. GoDaddy - [Larry] - Wow.

Cool TCP/IP Fuzzer - [PaulDotCom] - Very cool tool to craft and send large amounts of bogus TCP/IP traffic to get around firewalls and crash IP stacks. Interesting note, it was written by a Cisco employee... (Warning from author states: "ISIC may break shit, melt your network, knock out your firewall, or singe the fur off your cat"). Hairless cats are scary, so be careful! I ran this against a WRT54GS Ver 5 running DD-WRT Micro. Ping times went from .05ms to 30ms, but its still running strong... [Larry] Hmmmm. So, the recent Cisco advisories were found during "in house testing"...and to me seem like the the result of TCP/IP fuzzing. Coincidence? I think that the exploits for the Cisco advisories will be available shortly - enough information has been given out to turn said fuzzer against....oh, say IOS, and determine what the issues are. Infact, we're probably months behind the ball already.

Zone-H Gets Defaced - [PaulDotCom] - Talk about irony! [Larry] - i·ro·ny–noun, plural -nies. The use of words to convey a meaning that is the opposite of its literal meaning: the irony of his reply, “We love Defacements!” when they cataloged their own "defacement". Not really a defacement, but more of a DNS hijack.

When Printers Attack - [PaulDotCom] - This has always gotten spotty coverage, and always grossly underestimated and mis-understood. Many have been "blogging" lately about it, and Matasano chimes in to help set the record straight, and we will too. 1) Printers can harbor malware and no one would know where to begin defending themselves 2) Printers are file servers and make a great place to store "stuff" 3) Printers are used to print checks 4) Printers are used to print very sensative information in every organization 5) Printers have vulnerabilities, exploits, operating systems, and the ability to run code yet everyone treats them like they are, well, a printer with a freaking hand crank or something! [Larry] - Ditto. Oh, BTW, HP has released a fix for the FTP brick method. IronGeek documentes it here.

Auditing Wireless Networks with VMware and backtrack - [PaulDotCom] - I must try this with Parallels, this would be HOT.



Other Stories Of Interest

l33t sp33k rulz - [PaulDotCom] - B3w4r3 0f 1337 sp34k!!!!

Stealing The Network: How to 0wn a Shadow The Chase For Knuth - [PaulDotCom] - Go buy this...

Security through Obscurity - Brown stripe underwear - [Larry] Ew.