The live stream should be active about 6:30 EDT, Thursday, October 30th. We should begin recording the live show at about 7:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week, our featured guest is Jason Ostrom, author of VOIPhopper!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

PaulDotCom Enterprises in conjunction with the SNENUG (Southern New England Network Users Group) is proud to present the second Linux Installfest for 2008. An installfest allows you bring in your old computers (or anything that will run Linux) and get help from others in the community with the installation and configuration. Got an old PC hanging around? Bring it by! Got a dusty old ipod or wireless router? Get help from Paul & Larry, authors of the WRT54G Hacking book!

Where: Care New England, Trowbridge Building, 10 Health Ln (or 455 Tollgate Rd for older GPSes) Warwick, RI (Right next to Kent Hospital), First floor rooms 102 & 103.

When: Saturday, December 6, 2008 (9:00AM - 4:00 PM)

Contact: Please email paul@pauldotcom.com for questions or more information

Registration: Registration will be done at the door, so just show up!

Directions Here

We also need volunteers to assist people with installing Linux, so if you're already a Linux guru please come by to help. Internet access will be provided, however if your device requires a monitor please bring one (a small one if possible). PaulDotCom will be sponsoring the food and drink for the event. Below are some answers to some common questions:

* What about MythTV? - By popular request this year we will be attempting some installs of MythTV with Mythbuntu. Please check the website for supported tuners to bring with you. There is no cable television service available in the facility, but we will provide a "local feed" for testing.

* Do I need to bring my own installation media? - This depends, if you have a particular Linux distribution that you would like to install, please download it and burn it to CD beforehand. If you don't have a preference, we will have some installation media here and can even download and install it once you get here.

* Do I need to bring a monitor and keyboard? - If you are bringing a computer (and not a laptop or other device that does not require a monitor or keyboard) please bring your own monitor and keyboard. It is highly recommended that you bring an LCD monitor to save space. We will have a few spare monitors on hand.

* Will there be Internet access? - Yes, both wired and wireless Internet access will be available. Again, please try to download all of the neccessary software beforehand such that the network does not slow down due to multiple people trying to download Linux at once.

* I've never installed Linux before, will people be there to help me? - Yes, there will be several experienced Linux users in attendence to help you install Linux. They will stick with you throughout the day until the installation is completed.

* I am an experience Linux user, can I still attend? - Yes, please come by to help people install Linux, eat, drink, and be merry. This is a fun, social, event!

* I want to do an advanced Linux installation, can I bring an embedded device and get help installing Linux on it? - Yes, I will actually be bringing 3 devices to try to install Linux on, a 2nd generation iPod, a Routerboard 532a, and a Soekris net5501. I may be asking for help too!

All:

The October Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, October 29, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

October has been a very scary month for computer security. The patch for the new Microsoft vulnerability was released out of cycle, now thats pretty scary. Join us for a discussion about the latest attacks and defense, such as:

• Autopwn Yourself With Metasploit's db_autopwn
• Bypassing Anti-Virus Software - Reloaded
• Banner Grabbing With Nmap
• Listening to Your Keystrokes
• FAIL Of The Month (FOTM) (No promises on this one)

This webcast will run about 45 minutes and I will get excited, probably rant about a few more things, hopefully show you how to do something, and improve your defenses.

Oh, and as much as we try to keep them away, there may be mindless flesh eating zombies for good measure. Notice the open door on the right hand side of the picture above. You'd think if they had a zombie problem they would shut and lock the doors!.

PaulDotCom

Larry does a tech segment, and we discuss the stories for the week.

Again, apologize for the sound quality.

• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

We are joined by two special guests, Larry does a tech segment, and we discuss the stories for the week.

I do apologize for the sound quality, we are still working some of the kinks out of our new system. We will be replacing the recording laptop for next week, which seems to have been the cause of the background noise.

• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

I recently was able to meet up with Bob while he was on the run. He told me that he was on a long flight recently headed in to Boston
several weeks back (he's gotta keep on the move!), and he decided to fire up Kismet for some passive captures while on the plane. He let it run for an hour or so, and passed the captures to me for analysis. I trimmed them down to just spit out some interesting stuff that we can use for this example.

We'll replay them with tcpdump:

$ tcpdump -r bobs_intersting_packets

...and we get a bunch of probe requests. We've talked bout this ad-nauseum before. This is why we love Karma (and Karmetasploit). Windows (and other OSes, even some gaming consoles), automatically tries to connect to wireless networks in the preferred network lists. Kismet can then see those connect requests as the OS cycles through the list.

So, here's the first list from the first capture from the same MAC address:

16:32:04.483854 Probe Request (Free Public WiFi) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:06.763062 Beacon (Free Public WiFi) [1.0* 2.0* 5.5 11.0 Mbit] IBSS CH: 11

16:32:11.977047 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:13.978262 Probe Request (fcc) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:16.071853 Probe Request (Lake) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:18.130698 Probe Request (public1) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:20.099906 Probe Request (The Point) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:22.069924 Probe Request (REDZONE) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:24.085280 Probe Request (belkin54g) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:26.115367 Probe Request (hhonors) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:28.146203 Probe Request (GlobalSuiteWireless) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:30.084600 Probe Request (1811) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:32.092157 Probe Request (Wayport_Access) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:34.118208 Probe Request (guestnet) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:36.123724 Probe Request (FourSeasons) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:38.138125 Probe Request (killington) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:42.153053 Probe Request (Hotel Griffon) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:46.160227 Probe Request (RGPublic) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:50.115316 Probe Request (oakbluffs) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:52.122565 Probe Request (Cuttyhunk) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:54.175486 Probe Request (MARYA) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:56.131065 Probe Request (mattapoisett) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:32:58.131358 Probe Request (linksys) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

16:33:00.137978 Probe Request (HBS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

Now, go log in to wigle.net and search for some of the more unusual SSIDs. What do you want to bet we can figure out where this particular person lives/works/plays based on where they show up on the map. Then add the more common names to the list, and you can bet that they show up in those same two neighborhoods as well. Yes, several of them show up in very close proximitiy spread out over to distinct neighborhoods.

The second capture Bob provided also had more interesting SSIDs, just in case we REALLY wanted to triangulate:

16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:57.259488 Probe Request (JFKRL) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:03.281251 Probe Request (needadog) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:05.260271 Probe Request (guest_ssid) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:09.408208 Probe Request (NUwave) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:11.080215 Probe Request (SpotOn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:13.233782 Probe Request (holden) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:17.131279 Probe Request (Wayport_Access) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:19.183281 Probe Request (Seaport) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:23.146459 Probe Request (iscguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:25.096483 Probe Request (LawLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:27.095193 Probe Request (roofnet) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:29.176267 Probe Request (in4net) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:33.146455 Probe Request (Harvard University) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:37.613369 Probe Request (Back Bay Events Center) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:39.170252 Probe Request (Algonquin Club WiFi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:43.587718 Probe Request (BostonPublicLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:47.388067 Probe Request (CRS WAP) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:49.336783 Probe Request (HCBostonMember) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
16:27:53.285419 Probe Request (Warehouse) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

From Bob's capture, and again from the same MAC address, we also are able to capture some interesting network traffic. We can use this information in conjunction with the wireless info to create an even more detailed picture about the individual:

16:36:08.526921 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300
16:36:10.307924 IP 169.254.140.137 > 224.0.0.251: igmp v2 report 224.0.0.251
16:36:12.949124 IP 169.254.140.137.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) A 169.254.140.137 (40)
16:36:37.923110 arp who-has 10.71.0.123 tell 10.71.0.123
16:36:43.001662 IP 10.71.0.123.netbios-ns > 10.71.15.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
16:36:49.532485 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:46:53.719602 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
16:47:21.229266 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

For some reason, Wireshark displayed some interesting domain information in the netbios requests. I suspect that I exported the packtes wrong, so the info isn't shown with the tcpdump output, but here they are in Wireshark:

Now, what else can we assume about the individual, and potential network/desktop policies in play?

You know what else I found frightening? While looking for images to be included in this posting, I stumbled across an interesting device from Teledyne Controls; An Aircraft Wireless LAN Unit (AWLU), which the vendor touts as being wireless for the cockpit, as well as the cabin all in one unit. There is also the ability to utilize the unit to upload FMS navigation databases for loading into a Flight Management Computer! While it doesn't state that you can do this over the 802.11 protocol, it also doesn't say you can't. Interesting.

- Larry "haxorthematrix" Pesce

The live stream should be active about 6:30 EDT, Thursday, October 23rd. We should begin recording the live show at about 7:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

We several special guests this week:

Chris Rioux (aka Dildog) - Veracode Co-Founder and Chief Scientist,an MIT graduate, was one of the original L0pht members and responsible for projects such as BUTTsniffer and backorifice.

Chris Wysopal (aka Weldpond) - Veracode Co-Founder and Chief Technology Officer, Chris was the co-author of the L0phtcrack application, and other such notible projects that I'm sure many of us have used once or twice, such as netcat.

Chris Eng - Veracode Senior Director, Security Research, Chris was s a Principal Consultant and then Technical Director of @stake, Inc. He led the development of WebProxy, a proprietary web application testing tool in 2002, pre-dating other modern proxy-based web security tools.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

For you listeners of the podcast, you may be aware that I'm doing some research into utilizing document metadata, and the inferences that an attacker can make about the victims overall operating environment. This analysis would allow an attacker to be able to deliver more accurate, targeted attacks against a victim.

One of the tools that I've been using is Exiftool, which at it's core, is an over driven command line front end to all of the options of libexif.

The other day I discovered an advisory about a integer-overflow vulnerability in libexif, the basis to several other tools I've been looking at as well. There is no know vulnerability, but from the description, it seems fairly trivial to create a corrupt file to trigger the condition.

Time to proceed my analysis with more caution.

That said, you should always be analyzing unknown, untrusted files in a protected environment. Maybe the environment is an air-gapped machine, or a VM with no networking that you can revert to a known state. This, all in your non-production lab of course.

This also brings up some more points. I relate this to some of the updates to the tools that many of us use every day that introduce vulnerabilities into our environments. Don't forget that the complexity of the options in a tool (Wireshark for example), or the complexity and implementation if a standard (Exif, 802.11) all contribute to some potential downfall.

That said, I love multi-purpose, extensible tools and standards (Wireshark, Exif and 802.11 included!), but for these complexity reasons, it is important to keep them up to date, and evaluate the implementations.

Sometimes this is easier said than done.

- Larry "haxorthematrix" Pesce

While we love Google (I mean, they make a fantastic search engine), it was time to say goodbye to Google groups and get our very own mailing list server. Look for more good things to come on that front...

In the mean time, I have moved everyone over from the old Google groups mailing list to the new one. The "PaulDotCom" mailing list is for discussions about the show, general computer and network security topics, hacking, and the like. Feel free to discuss and ask questions. If you don't get an answer right away, be patient, it may take some time before people are able to respond.

If you have not yet joined the mailing list, then what are you wait for?

You can subscribe here.

You just have to join the debate, who knows, we may even bat around the old "Ninjas Vs. Pirates" debate just for fun.

Cheers,

PaulDotCom

Yes, you guessed it. We're taking a break for the week!

Don't worry, we'll be back next week with more awesome shows you've come to expect. We've got some great interviews planned for the coming months, and maybe even an episode of PaulDotCom TV in the works!

See you all in a week. Thanks for listening!

- Paul and Larry

Paul and Larry are in the studio with special guest Ed Skoudis!

• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

Paul and Larry are in the studio with special guest Ed Skoudis!

• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

The live stream should be active about 18:30 EDT, Thursday, October 9th. We should begin recording the live show at about 19:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

We even have a sepcial guest this week: International man of mystery, and alleged double "agent" Ed Skoudis!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

First off: Whoa. This year's ICE games were a significant departure from last years games (in a good way of course). Last year, Paul and I MC'ed, this year we ran teams. The scoring engine was much slicker as well. The educational experience for the defenders was immense.

There's nothing like walking in to a network that you must begin to perform incident response with little to no system documentation, patches or time. The team had no access to patches, a firewall that we could only examine logs on (with default ip permit any any rules), and every service under the sun running on the systems; Windows 2000, and an older version of Fedora. This is exactly what I would come to expect as a third party consultant taking over a customer's network during an incident response engagement.

It didn't help that we had to keep the "business" up and running while we responded either. It was also typical that Tim, our game host and "CE-Oh no" showed up immediately to demand that our e-commerce site be up; Did I mention that it was not up, or even configured when we walked in the door? Yeah, now time to learn MySQL and ZenCart on the fly.

In other words, this was an almost perfect real world scenario.

Night 1 - Where to Start?

The first night only delivered us a few participants. We didn't even have enough folks to fully staff both teams - team 2 had one person. We made a decision early on to only focus our efforts on team one, and eventually we had some more help. With this strategy (and some more help) a few hours into the game, we were able to use team 2 as a "test" environment to see what worked, and take those lessons and apply them to team 1.

The first order of business; change those bad default passwords. Once we completed that, we started to harden systems; turn off unneeded services, change passwords, begin hardening, change passwords, discover an intrusion and mitigate, change passwords...

Then you begin finding more about the systems. Did I mention default usernames and passwords for the Asterisk web interface? Yep, they've re-routed all of the phone traffic. Change the password on the SCADA box? What password on the SCADA box! In fact, no authentication at all! No wonder the re-routed phones kept powering down.

At least we put up some "calling cards" handed out by some gentlemen on the street in front of the web cams.

The guys did a fantastic job dealing with all of my harassing on the status of the systems, while acting as incident commander. they developed some hardening guidelines, created some scripts to disconnect suspicious incoming sessions, and implemented some host based firewalling - most had to learn Windows ipsec policies and iptables rules in game.

Eventually, the folks at Fortinet came over and gave us the ability to manage our firewall. At that point the game turned a little bit, and we were fairly successful at keeping the attackers out, and restoring business services.

Night 2 - Game On!

This night we already had some significant game plans form the previous night. We also had some more help, and alas, some defectors to the dark side. John Strand came by, and we put together a new strategy; take two of the team "leaders" from the night before, and make them incident commanders.

Why is this a big deal? The natural reaction for the two new incident commanders was to pull up a keyboard and start remediating. This is the wrong thing to do as an incident commander, and they, and the team quickly learned that having someone as the middle management and not being technical was a big help. The incident commanders could offer some limited technical advice, but they could spend more time with the "customers".

Enter social engineering. We had attempts to gain credentials to the system via phone asking for a password reset, and for a new account. Fortunately, the incident commanders responded appropriately, and the attacker (whom they recognized as the voice of the Lt. Col. from the Air Force) could not provide the appropriate information to validate the request. However, we had the tables slightly turned. During the day, one of the 560 students came to me to see if a mole on the attacker's side would be permitted. It was, and the mole was able to SMS text message me through the event that evening letting the teams know where attacks were originating from, what was compromised, and that they could hear us on the microphones. I'm still not sure why they didn't pick out the really big guy SMS-ing all night.

A few times the teams needed to enact their disaster recovery plan, and have some of the systems restored to a last known working point. they became so hosed by the attackers, or the defenders were no longer able to log in, that the only option was to "restore from tape".

This night also gave us a wireless access point. That was an easy reconfigure of the username and password, and a re-config of a known strong WPA2 key. The problem that we made was that we had a "remote" worker whom we appropriately reconfigured to utilize the new wireless settings. The attackers were able to gain physical access to the remote worker, and compromise that system to use as a pivot point. It just proves a point about needing to protect your remote workers...

Night 3 - The Filthy Rogues!

On the third night, most of the teams had everything coming together pretty well. The typical scramble ensued in the beginning, however this time the defenders were given 5 minutes to disconnect form the network and begin locking down. We also assigned some different incident commanders, and had one of the star incident commanders from the previous night take on the role of upper management to manage the commanders.

Everything went well. The teams came together quickly, and the new commanders suffered the same problems and the previous ones, which was to be expected. The hardening scripts and firewall rules were easy to re-do from the knowledge gained. The configuration of the e-commerce site got easier. We also found us without a wireless network this time. Heck, we even got one of the teams (team 2, the former "lab" from night one) to do some serious poking at the webcams and phones, changing the passwords and such on the devices themselves.

From there, the game was pretty much the same.

Or was it?

The team members kept seeing attacks coming from an unusual network address range, but couldn't determine what it was. Upper management made some suggestions well into the exercise this night that may have been overlooked, and game progressed in the usual fashion.

Enter the rogue AP.

The teams made the assumption that because no hardware device for wireless was obviously present that it didn't exist. Except that it did. There was an AP deployed under the conference table, and no-one spotted it, either physically or via a wireless assessment. Soon, a call came in from Tim the "CE Oh-no", that there was a rogue AP and the game had ended.

Lessons Learned

Incident Response is hard. Don't expect everything to be working when you show up.

Overcoming the drive to do technical items while being incident commander can be detrimental. It is certainly something that can be uncomfortable, but is a skill that can be learned.

Remote workers need to be secured appropriately. This means physical access too.

Don't underestimate the power of the Rogue AP. Sure, your policies may say no wireless, but you can't be sure that it isn't there until you test for it.

Social Engineering can be defeated with the proper staff training.

Windows 2000, without any host based protection is almost impossible to defend, even behind a firewall. Go for the crunchy on the inside, crunchy on the outside security model. Once the attacker is inside without host based protection, the game is almost assuredly over.

A big thanks to Tim, Dwight, Joe, Justin, Alex, Anthony, and the sponsors (Immunity, CORE, Think Geek and Fortinet and all those who came out (both the attackers and defenders). I can't wait to do this one again!

- Larry "haxorthematrix" Pesce

Live from SANS Las Vegas! Be certain to download Larry's presentation that is associated with this episode:

Simcard Forensics, An Adventure in Information Gathering

• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

I've been giving and maintaining this talk all year and most recently gave it at SANS NS2008, which was an absolute blast! I taught the one-day "Up and Running With The Metasploit Framework" course, participated in the SEC560 penetration testing course, and got to lead a team of attackers in a three night hacking challenge. More on all that later, as I also presented on how embedded devices continue to be a threat. The goal of this talk was to raise awareness about the inherent insecurities in embedded systems, understand some example vulnerabilities and associated "exploits", and identify defenses. I covered just how easy it is to "karmetasploit" the iPhone and some of the implications, an SSID script injection vulnerability in DD-WRT, and some interesting things I found on an Axis web camera.

As a side note, I was leaving Las Vegas early in the morning while people were coming out of the clubs, which was an interesting site to say the least. I happened to be standing next to Trent from www.i-hacked.com who stated how nice it would be run Karmetasploit as people were "under the influence" enough to click on anything (I suppose one could argue that people will click on anything even while not drinking). It got me thinking how interesting it would be to take over an iPhone and download all of the pictures stored on the phone, especially after a wild night in Vegas... In any case, you can download the latest (and final) slides here:

Things That Go Bump In The Network: Embedded Device (In)Security

Note: A previous version of this talk, including the audio version of the presentation, can be found here

The EeePC I was using seemed to pique the interest of many during the demo section of the talk. Below is some information about my EeePC setup:

* Eee PC 4G Surf Rev 701

* Madwifi drivers (I'm using this one) with the Karma patches from DigiNinja (I highly recommend these drivers over the ones in Backtrack, they seem to work far better)

* Metasploit 3.1-latest

* A copy of "evilap.sh" from the Backtrack CD with some modifications, primarily to make it work with dhcpd on Ubuntu (Example can be found in Episode 114's show notes)

I believe this talk served its purpose, many have commented that they were going to bring this knowledge back to their respective organizations and begin to think about embedded system security differently. Mission accomplished? I'm not quite sure, while I believe that many have taken embedded systems security more seriously as end-users of the products, the vendors still have some work to do. I'd like to see more of:

* Vendors allowing the user to create the initial password(s) and security certificate

* Doing their own security evaluations before the product is released to the market

* Using secure protocols for management (SSL, SSH, SNMPv3, etc...)

With respects to defense and active scanning/penetration testing of your internal network, well, more on that later...

PaulDotCom

As I mentioned earlier, Larry and I each led teams in the ICE2 games last week hosted by White Wolf in collaboration with SANS. This was a three night hacking game/challenge/simulation. As you can tell, I'm having a tough time putting an appropriate label on it, as it was a unique, fun, and educational exercise. There were three networks to attack, two of those networks were defended by Larry and various SANS students. The third network was defended by Fortinet, who did great, and put up with some of my typical vendor harassment and taunting. In all honesty, when you have two networks with no IPS, and one with, the attackers are going to go after the ones without IPS. However, don't become complacent with your IPS, if an attacker has your passwords, spent time with evasion techniques, or can look like legitimate traffic, its game over. I had a blast at this event, and learned a lot about penetration testing strategy and techniques.

Night 1 - Organizing Hackers Is Like Herding Cats

On the first night I was pumped. For the first hour of the exercise, we're given access to the networks completely exposed, no firewall and the defenders are only allowed to use operating system tools. This was so exciting! I had about 15 hackers the first night, including Justin and Alex from Immunitysec and Anthony from Core Security. I started organizing all 15 people, getting them networked, assigning tasks, having them Nmap, vulnerability scan, exploit, etc... That plan quickly fell apart and I realized I needed to add a layer of "middle management" and assign a leader to each table, then work through that leader. Things went smoother, however most people wanted to just come in and use remote exploits to pop boxes and do their victory dance. While this is fun, its only the tip of the iceberg. Once you compromised a machine, you had to have it update the scoring engine by running a python script. Many missed this step the first night, party due to logistics, and partly due to shells dropping before you had the chance to upload and run the script. I learned a lot on the first night about how not to organize a large team of attacks, the importance of keeping access, and proper testing of tools and automation.

Night 2 - Wireless FTW

The second night we were a bit more organized, I ran the recon efforts and put up the vulnerable hosts and open ports on the projector for the entire team to see. The defenders had access to the logs, so I ran an Nmap command to run interference and keep the Fortinet guys busy:

nmap -n --badsum -PN -T5 -f -D `cat 1128ips.csv` -sSU --packet-trace [ip or subnet]

The above command tells Nmap to send fragmented traffic (-f), with bad checksums (--badsum), really fast (-T5), and spoof 128 decoy IP addresses (-D), do this for both UDP and TCP (-sSU), and show me the packet trace while the scan is running (--packet-trace) . This worked fairly well as a >distraction, however I believe Ftester would have been a much better option. The firewalls went in place in the second round and the defenders really locked things down, and managed to change the passwords to several systems. Unfortunately for them, they left the default password to the web cam, which also had a mic for us to listen to all their conversations. Turns out the joke was on us, as the defenders sent over a mole on our team, which turned only slowed us down a bit (all is fair in love and hacking). We spent some time analyzing the web apps and found several vulnerabilities, such as XSS and SQL injection. We were then given access to a wireless client on the defender network, and thought great we can use XSS and make some progress (Grab cookies, gain credentials, etc...). However, we were given physical access to the client, so we deployed an Immunitysec payload to the target system, and had it call back to us. We then used that machine to pivot and compromise machines on the defender network. While that was fun (we did the victory dance), I was still disappointed and wanted to cause mass destruction and pwnage...

Night 3 - Hiding In Plain Site

I spent some time scripting some interesting things for night 3. The first thing I had to do was select the best tool to compromise the most machines, and do it the fast. I also wanted to score big (TWSS) on night 3 (most of my other nights were spent helping students, which was also great fun). The first thing I did was take the scoring engine script and convert it to a Core IMPACT module. I selected this tool because I didn't want to spend time converting it to Ruby, and I did not have CANVAS. Also, Core IMPACT has a "mini-shell" which allows me to interact with the command shell on the host and not end up in the process list on the compromise system (metsrv.dll shows up in a process listing). The "mini-shell" is a python program which interprets commands from the user and runs them directly via syscalls on the target system. Those paying close attention are probably saying that my sessions still show up in a "netstat" command output. Yes, its hard to hide on a system without a "rootkit" (Immunity has one, which worked well and is something I need to evaluate more). In any case, I wanted to make it hard for the defenders to find me. I had a way to compromise systems and score easily, however I needed to keep my access and continue scoring once the firewalls got in place. I wrote some scripts to kill common processes and applications that would lead to my detection:

:loop
process -k "cmd.exe"
process -k "taskmgr.exe"
taskkill /F /IN taskmgr
taskkill /F /IN cmd
goto loop

A couple of things about this script. When I wrote it, I said to myself, "Wow, I would never run this on a customer's system". However, and evil bad guy would most certainly run this on a target system. So, the defense gets some real world experience, which I think is really neat. Just to clarify, I don't actually kill my own shell because I never run "cmd.exe" on a target system, the "mini-shell" lets me list files, upload files, download files, and execute programs. Once I have access to a system I use this shell to start executing commands. I change the administrator password, expose services like RDP, and various other nasty things to lock them out of the system. Then, things started falling apart. "cmd.exe" no longer existed, neither did sc.exe, the net command, or netsh. What happened? I took a quick walk around the divider to see fellow SANS instructor John Strand helping the defense (I am shaking my fist yelling, "Bastard!" as I type this). It was all in good fun and it turns out we were using similar techniques to both attack and defend. Wait, did I just say that? Yes, the defenders were killing processing, using scripts to look for new connections. So, they locked us out and hardened their systems and implemented a firewall. Game over? No way, this is an excerise that sets out to mimic the real world. Wireless enters the equation again, and we gain access to our wireless router which is plugged into the defender's internal network. Its using a hidden SSID and running WPA2-PSK. We associate to the network and manage to find one box to compromise with Metasploit and deploy a meterpreter payload. I'm able to use this payload to score in one of the later rounds, and grab password hashes, then use john to crack the administrator password. A fitting end to the evening for the attackers was to hand them their administrator password on piece of paper, to which they asked, "Which system is this for?", and I responded, "I dunno, you guys should be able to figure it out". An even more fitting end was when Tim from White Wolf Security, responsible for managing game play, called the defenders on their VoIP phones and told them about the access point. The red team gathered around to watch and cheer when they found it. Game over....

Lessons Learned

• Organizing people is hard, smaller teams and appointing team leaders is helpful
• Assign tasks explicitly in your penetration testing team (one person responsible for password cracking, one for recon, exploitation, etc...)
• Remote exploits are just one small part of the test, password attacks, web application, default passwords are all vital to your success
• Set yourself up to do password cracking for a variety of platforms. Have john configured and ready to go on a fast system, as well as ophcrack
• Keeping access is so key to your success, test and use your payloads in our lab in different environments, figure out which ones work best in each case, and document them
• Hiding on systems is difficult without a rootkit, just be certain to define your rules of engagement so you know whats in play, and whats hands off
• Deploy, or develop, your own tools to deploy to compromised systems (if in rules of engagement)
• Defender tip: Renaming or removing tools (such as netsh.exe, net.exe, cmd.exe, and sc.exe for starters) will slow down the attackers and force them to either find the tools on the filesystem, or upload their own utilities

Thanks to Tim, Dwight, Joe, Justin, Alex, Anthony and all those who played in the games. Looking forward to next time!

PaulDotCom

Paul & Larry continue penetration testing discussions with Core and discuss the stories for the week!

• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program and sign up for SEC535 - Network Security Projects Using Hacked Wireless Routers Today!
• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

Let me preface this by stating I am not a lawyer. I don't live in California. I'm also not an expert at reading legislation, and I may also be thinking about this the wrong way.

That said, I've been reading California's legislation marked SB 31, which makes it illegal to read RFID without the possessor's prior consent and approval. This raises some very interesting questions to me...

How does this affect installed systems used for automobile toll collection? Does this mean that each time I drive through a tollbooth with this technology, the State of California has to ask my permission to read, and then I have to consent? Certainly, they can pre-authorize consent through the usage agreement, which they may need to change now. Until then (if it isn't already in the agreement), is the State of California currently engaging in an illegal act?

The same becomes true of those using RFID for access control or payment information. Does my employer need to ask me permission to read my RFID enabled badge every time I enter the building? Or, do they need to cover it with a blanket usage agreement?

In my opinion, I think that the legislators went about this a little backwards. I personally think that they should not have made it illegal to read without permission, but that they should have done the opposite; pass legislation that requires the RFID vendors to implement technology to prevent unauthorized, unencrypted reading of data from RFID. Sure, form a technological standpoint it is certainly a challenge, but consider making it a future rollout, such as the new digital TV rollout here in the US.

Certainly neither plan is perfect or foolproof. I just see this as going after the attacker, while really not fixing the problem.

When you outlaw reading RFID, only outlaws will read RFID.

Paul talks Metasploit and Core comes on the show to talk shop!

• Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program and sign up for SEC535 - Network Security Projects Using Hacked Wireless Routers Today!
• Sponsored by Core Security, listen for the new customer discount code at the end of the show
• Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
• Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
• Be sure to check out "Maltego" from Paterva, try the community edition for free!
• Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
• Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

We offer our sincere apologies.

We made an attempt to stream the podcast live from NS2008 last night, but unfortunately there were some technical difficulties that were beyond our or SANS' control, with respect to some internet access.

Unfortunately, our handy little EVDO connection isn't able to handle the demands of the audio and video streams, so we had to punt last minute and not put them up.

We'll have the podcast out to you all as soon as we are able.

Thanks to all of our listeners that showed up, and for SANS for hosting us again!