December 2008 Archives

Sometimes you just need to know more about a person...

Often, during the initial phases of a pen test, I find myself needing some avenues for delivering client side attacks - with permission and within scope, of course! Finding appropriate attacks can be a challenge, but to me a larger challenge is the social aspect. How can I convince someone to actually execute my attack? Having a little more information about the "victim" helps.

So, how can we obtain more information? How about some information that implies a level of familiarity, so that we can spoof names? How about some context? GPG/PGP key signature (web of trust) information can serve us well here!

NOTE: Be very careful. Use at your own risk. IANAL. For illustration purposes only. Yada, yada, yada. The folks used as an example here are just that - an example. This is all public information!

So, how does a GPG/PGP key get signed by third parties anyway? Well, some people go to GPG/PGP keysigning parties (Yeah, I know, what nerds. Wait, I am those nerds!). Basically, a bunch of folks meet face to face, verify government-issued IDs, and, based on that verification, sign each other's GPG/PGP keys. Read the whole shebang here. So, given that HOWTO (the first hit in Google for "pgp keysigning party"), what can we determine about V. Alex Brennen?

* He's the author of the document The Keysigning Party HOWTO

* He's the maintainer of The Keysigning Party HOWTO as of January 24th, 2008

* He's likely got some GPG/PGP key signature information (see the first two bullets)

* His e-mail address is vab /at/ mit.edu

So, let's look up his GPG/PGP key signature info! Personally, I like to use the keyserver at MIT (and given that Mr. Brennen's e-mail address is in the mit.edu domain, we'll likely have some luck there). Surf on over to the page, and you're given the option to search right on the front page. We can search for an e-mail address of choice and list all of the individuals who have signed that user's key. Mr. Brennen obviously has a few! In some cases you won't turn up any signers, and you'll hit a dead end here.

What next? Me, I like to search the list of keysigners for recognizable names. If someone has their GPG/PGP key signed by at least one recognizable name in the industry, starting a conversation in that name could be very interesting. If you don't recognize any names, you can always pick one at random. Another method is to pick a keysigner who already has several e-mail addresses on their key. What's one more to the repertoire, especially one that you control? Create an address at a free e-mail service and use it.

With this knowledge of the keysigners we might be able to determine something they have in common with the target to exchange e-mail about. In this case, we know that Mr. Brennen is an internet author on a particular subject. Surely we can use some social engineering skill to craft an e-mail on that topic with web links or attachments.

Now you might be saying that someone who uses GPG/PGP is a pretty sophisticated computer user. True, but we all make mistakes, and often that is all it takes for a compromise: one mistake. So it may take all of your social engineering skills to craft that perfect e-mail.

Obviously, if you are using these methods during a test, be sure that they are within the scope of your testing. Get permission! Make sure the client knows about social engineering e-mails, who will receive them and what addresses they will come from.

On the defensive side, there is no real way to restrict the posting of key signature information. That public acknowledgement is the basis of the web of trust; the signatures are part of the public key and get published along with it. Certainly one could revoke the key, create a new one, and have no one sign it.

GPG/PGP works just fine without keysigning. It just isn't as nerdy.
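As an added example (not from the original post), here is the same signer triage done offline once the target's key has been fetched, e.g. with `gpg --keyserver pgp.mit.edu --recv-keys <KEYID>` and dumped with `gpg --list-sigs --with-colons <KEYID>`. The listing below is constructed sample data with made-up key IDs, names and addresses; the keyserver name and the `<KEYID>` placeholder are assumptions. Signers whose own keys were not fetched show up as "[User ID not found]", which tells you to pull that key too before you can see what addresses it carries:

```python
"""Map a key's third-party signers from `gpg --list-sigs --with-colons` output.

Added example, not from the original post. Works on GnuPG's colon format:
field 1 is the record type (pub/uid/sig), field 5 a key ID, field 6 a date
and field 10 a user ID (for sig records: the signer's UID as known locally).
"""
import re

# Constructed sample listing: key IDs, names and e-mail addresses are made up.
SAMPLE_LISTING = """\
pub:u:1024:17:AAAA1111BBBB2222:2001-03-04:::u:::scESC:
uid:u::::2001-03-04::0123::Target Person <target@example.edu>:
sig:::17:AAAA1111BBBB2222:2001-03-04::::Target Person <target@example.edu>:13x:
sig:::17:CCCC3333DDDD4444:2004-06-01::::Alice Signer <alice@example.org>:10x:
sig:::17:EEEE5555FFFF6666:2005-09-12::::[User ID not found]:10x:
uid:u::::2003-01-01::4567::Target Person <target@example.com>:
sig:::17:AAAA1111BBBB2222:2003-01-01::::Target Person <target@example.edu>:13x:
sig:::17:CCCC3333DDDD4444:2004-06-01::::Alice Signer <alice@example.org>:10x:
pub:u:1024:17:CCCC3333DDDD4444:1999-11-11:::u:::scESC:
uid:u::::1999-11-11::89AB::Alice Signer <alice@example.org>:
sig:::17:CCCC3333DDDD4444:1999-11-11::::Alice Signer <alice@example.org>:13x:
uid:u::::2002-05-05::CDEF::Alice Signer <alice@work.example>:
sig:::17:CCCC3333DDDD4444:2002-05-05::::Alice Signer <alice@example.org>:13x:
"""

EMAIL_RE = re.compile(r"<([^<>]+@[^<>]+)>")


def parse_listing(text):
    """Return {keyid: {"uids": [uid, ...], "sigs": {uid: [(signer_keyid, signer_uid, date), ...]}}}."""
    keys = {}
    keyid = uid = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid, uid = f[4], None
            keys[keyid] = {"uids": [], "sigs": {}}
        elif f[0] == "uid" and keyid:
            uid = f[9]
            keys[keyid]["uids"].append(uid)
            keys[keyid]["sigs"][uid] = []
        elif f[0] == "sig" and keyid and uid is not None:
            # sig records follow the uid they certify; f[4] signer key ID, f[5] date, f[9] signer UID
            keys[keyid]["sigs"][uid].append((f[4], f[9], f[5]))
    return keys


def third_party_signers(keys, target):
    """{signer_keyid: {"uid": signer_uid, "signed": set(target uids)}}, self-signatures excluded."""
    signers = {}
    for uid, sigs in keys[target]["sigs"].items():
        for signer, signer_uid, _date in sigs:
            if signer == target:          # a self-sig says nothing about who vouches for the key
                continue
            entry = signers.setdefault(signer, {"uid": signer_uid, "signed": set()})
            entry["signed"].add(uid)
    return signers


def emails_for_key(keys, keyid):
    """E-mail addresses on a key's own UIDs; empty if that key is not in the listing."""
    if keyid not in keys:
        return []
    return [m.group(1) for m in (EMAIL_RE.search(u) for u in keys[keyid]["uids"]) if m]


def multi_address_signers(keys, target):
    """Signers of `target` whose own key already carries more than one e-mail address."""
    return {s: emails_for_key(keys, s)
            for s in third_party_signers(keys, target)
            if len(emails_for_key(keys, s)) > 1}


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    target = "AAAA1111BBBB2222"
    for signer, info in third_party_signers(keys, target).items():
        print(signer, info["uid"], "signed", sorted(info["signed"]))
    print("signers with several addresses:", multi_address_signers(keys, target))
```

Signers that come back as "[User ID not found]" need a second `--recv-keys` round before `emails_for_key` can say anything about them; that is usually where the most interesting names hide, since they are the people who were not in your keyring to begin with.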

- L

Yes, yours truly (Larry, that is) will be teaching the 6-day SANS Wireless Ethical Hacking, Penetration Testing and Defenses course (SANS 617) in Regina, Saskatchewan on March 23 - 28, 2009.

As this is the first time Wireless Ethical Hacking, Penetration Testing and Defenses is being offered in Saskatchewan, it is anticipated to fill quickly. Seats are limited! Register by Feb 11, 2009 to save $375. Use our referral link to register! Tell 'em Larry from PaulDotCom sent you!

Why should you attend this course now? With the economic downturn affecting all of us in North America, there has been a significant increase in people exploiting network vulnerabilities, especially wireless vulnerabilities. This course will give you the tools to combat these efforts for your organization.

Hope to see you there!

- L

GCIH Gold Paper

Well, it has been some time since it happened, but I passed my GCIH Gold paper! Some readers may already know this, but I figured I'd at least throw out the lowdown.

Read the whole paper here.

I entitled the paper "Document Metadata, the Silent Killer...". Ultimately the paper covers some traditional metadata found in jpeg images, Office documents, PDFs, and a few other interesting places. I talk at length about how to analyze, gather information and make reasonable assumptions about client/network/user configuration and possible attack vectors based on the information from metadata.

This information can be beneficial to a penetration tester, as well as to an attacker. In the "perfect storm" we can take the information gathered and deliver a spear phishing type of attack with a high degree of confidence that it will be successful.

The paper also delves into some methods for limiting initial exposure, as well as how to prevent some of the exposure to begin with. I also talk about organizational policy, and some methods on how to introduce separation of duties to prevent accidental exposure.

The paper is fairly lengthy with quite a few examples. Through the course of the paper, I was actually instructed that the paper was too long, and covered too much. I'm of the opinion that it should be done right, so the original content stayed.

So, now you know why much of my technical content lately has been on metadata! Certainly the paper only covers the tip of the iceberg for metadata contents and file formats, but one has to start somewhere. Over the next few weeks, on the podcast and here on the blog, I'll be covering some more metadata sanitization.

If you have any feedback, comments or suggestions, don't hesitate to drop me a note at larry /at/ pauldotcom.com

- L

December Late-Breaking Computer Attack Vectors

All: The December Late-Breaking Computer Attack Vectors webcast will be held on Tuesday, December 23, 2008 at 2:00 PM Eastern Standard Time (GMT -05:00, New York). Register Here For This Webcast. Get ready to wrap up the year with the final Late-Breaking Attack Vectors webcast for 2008! Join us for a discussion about the latest attacks and defenses, such as:

* Botnet Defense: Shadowserver Foundation
* Practical & Economically sound defenses
* Deadly Firmware Attacks!
* PaulDotCom's Top 5 Defensive Recommendations
* Hack Naked TV - Latest attack vectors, now with video!

This webcast will run about 30-45 minutes; I will get excited, probably rant about a few more things, and hopefully show you how to do something that improves your defenses.

PaulDotCom

PaulDotCom Security Weekly - Episode 134 - December 18, 2008


Paul, Larry, and John talk security with special guest Dan Hoffman!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

PaulDotCom & SANS Holiday Special!

We at PaulDotCom have a very special Christmas gift for all of our listeners. Start your new year off right with Ed Skoudis and this very special presentation of the SEC560 "Network Penetration Testing and Ethical Hacking" online course via the SANS@Home Program, from Tuesday, January 13, 2009 to Thursday, February 19, 2009. This course will help you become a ninja, well, a penetration testing ninja, but I'm certain if you ask nicely Ed can show you how to throw a smoke bomb and disappear :)

This just in, PaulDotCom listeners get 20% off when using the discount code "Pauldotcom" when registering before January 6, 2009, so sign up today!

Hack Naked TV - Episode 2 - Office 2007 Metadata Extraction


Learn some command line kung fu tricks on how to extract useful metadata from Office 2007 XML documents.


Hack Naked TV - Episode 2 - Office 2007 Metadata from PaulDotCom on Vimeo.

Hosts: Larry "HaxorTheMatrix" Pesce (Voice), Paul Asadoorian (Editing & Command Line)

Email: psw@pauldotcom.com

Direct Video Download

Video Feeds:

Hack Naked TV - Episode 1 - Sim Card Reader

Larry shows you how to build a SIM card reader and use software to read the contents of SIM cards.


Hack Naked TV - Episode 1 - SIM Card Information Gathering from PaulDotCom on Vimeo.

Hosts: Larry "HaxorTheMatrix" Pesce

Email: psw@pauldotcom.com

Direct Video Download

Video Feeds:

PaulDotCom Security Weekly - Episode 133 Part 2 - December 11, 2008


Paul, Larry, and John talk security!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

The live stream should be active about 6:30 EST, Thursday, December 11th. We should begin recording the live show at about 7:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week we have a special guest, Daniel Hoffman, to talk to us about mobile device security.

NOTE: Our Icecast server has changed!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.pauldotcom.com:8000

Please join us, and thanks for listening!

- Larry & Paul


Banner Grabbing with Nmap: Reloaded


by Paul Asadoorian

Back when I worked for a university I needed to write a fast banner grabber. It had to grab banners either on a specific port or on a set of ports, and run against two class B networks. Speed was key: the faster the better, as my incident response process relied on saving time. I was looking for one of two things:

* Compromised hosts listening on a particular port using a backdoor or FTP server that had a known banner

* Vulnerable software that had a specific banner which was being used by attackers to compromise systems

I wrote a quick banner grabber in C because Nmap was not quite right (at the time). Nmap was awesome at finding ports, and awesome at sending a bunch of packets at a port to determine the version and type of service running. With two class B networks, I didn't have time to wait for Nmap to send a whole bunch of probes to each port. I wanted to complete the handshake, send one packet containing a CRLF ("\r\n"), and grab whatever came back. Turns out the Nmap Scripting Engine solved my problem! Now with a little bit of Lua-foo I can do exactly what I want with Nmap and take advantage of all of its powerful features (such as host discovery). I took my banner grabbing problem and, just a few lines of code later, had ported this functionality to Nmap:



id = "Banner"
description = "connects to each open port and sends CRLF to grab the banner"
author = "Paul Asadoorian (paul@pauldotcom.com)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery"}

require "comm"
require "shortport"

-- Run against every TCP port Nmap found; no service matching is needed,
-- since the whole point is to see what the service says about itself.
portrule = function(host, port)
  return (port.number and port.protocol == "tcp")
end

-- Complete the handshake, send a single CRLF and hand back up to 100 lines
-- of whatever the service sends within 500 ms. comm.exchange returns
-- (status, data); try() aborts the script on failure and returns the data.
action = function(host, port)
  local try = nmap.new_try()

  return try(comm.exchange(host, port, "\r\n", {lines=100, proto=port.protocol, timeout=500}))
end

The output looks as follows:



# Nmap 4.76 scan initiated Wed Oct 8 23:15:50 2008 as: nmap -sV -oA bannertest%T%D -T4 -sS --script=bannergrab.nse -p1-65535 192.168.1.230
Interesting ports on 192.168.1.230:
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet HP JetDirect printer telnetd
| Banner: \xFF\xFC\x01
| Please type [Return] two times, to initialize telnet configuration
| For HELP type "?"
|_ >
515/tcp open printer?
9099/tcp open unknown?
9100/tcp open jetdirect?
MAC Address: 00:60:B0:BD:68:B0 (Hewlett-packard CO.)
Service Info: Device: printer

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Wed Oct 8 23:27:14 2008 -- 1 IP address (1 host up) scanned in 684.29 seconds


I ran both my script and -sV so you can see an example of the difference.

- Paul Asadoorian, PaulDotCom Enterprises

[Editor's note: Awesome work Paul! A great complement to the official release of Fyodor's Nmap book. Hail the power of NSE!]

PaulDotCom Security Weekly - Episode 133 Part 1 - December 11, 2008


Paul, Larry, and John talk security with special guest Marcus Ranum!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

The live stream should be active about 6:30 EST, Thursday, December 11th. We should begin recording the live show at about 7:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week we have a special guest, Marcus Ranum! Expect plenty of lively conversation and debate!

NOTE: Our Icecast server has changed!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.pauldotcom.com:8000

Please join us, and thanks for listening!

- Larry & Paul


RI Linux Installfest - Winter Edition Recap


I just wanted to make a quick posting about the fun event we had this past weekend. Geeks got together to help each other install Linux, while drinking beer and eating pizza. I have a tough time coming up with a better Saturday plan for my day :)


Special thanks to Larry for setting up the facility, and the SNENUG group who as always has fun attending the event. Some interesting installs included:

* Centos 5 on an older dual-nic PC to be used as a firewall

* MythTV using MythBuntu

* I flashed Larry's Asus WL-530g with an unlocked version of uClinux

* Puppy Linux got installed on some older Compaq hardware (with a dvorak keyboard layout, which was interesting)

* I attempted to install OpenWrt on my Routerboard 532, but the lack of a CF reader = FAIL. See OpenWrt instructions here.

We plan to hold this event again in the spring as well, so stay tuned! Thanks to all who attended!

PaulDotCom

PaulDotCom Security Weekly - Episode 132 - December 4, 2008


Paul & Larry talk security with special guest Andre Dimino!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

The live stream should be active about 6:30 EST, Thursday, December 4th. We should begin recording the live show at about 7:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week we have a special guest, Andre' M. Di Mino "SemperSecurus" from the Shadowserver Foundation.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul


In the past on the podcast we've talked about a number of tools for document metadata gathering and how we can use them for gathering good information.

I've talked about EXIFtool for examining and deleting metadata from JPEGs. This was helpful for some info, but only on images.

I've covered Metagoofil, which we use to download all sorts of common data and word processing documents and analyze them for interesting information. Unfortunately, Metagoofil will only download from the web and process what it fetched; it has no ability to process documents we already have on disk.

By accident I discovered that we can get much of the same information by using EXIFtool not on JPEGs, but on Word, Excel and PowerPoint documents! EXIFtool has the ability to parse metadata as defined by the FlashPix standard, introduced in 1996 developed by Kodak, Hewlett-Packard and Microsoft. Microsoft still uses the format for documents and storing data. We can use EXIFtool to gather usernames from the documents.

Note: This will only work on Office documents that were not created with Office 2007 (.docx), as the new version relies on a different metadata storage format (XML parts inside a zip archive). I'll have a solution for this one soon!

We can start down and dirty by getting the information on Office documents. In the directory that contains our supported Office documents, we can execute the following command:

$ exiftool -r -h -a -u -g1 * >output.html

This will execute EXIFtool to extract all metadata recursively in the current directory (-r), including duplicate tags (-a) and unknown tags (-u), organized by tag group (-g1), for all files, with HTML-friendly formatting (-h), into a file named output.html in the current directory (>output.html). With this we get a handy little HTML report!

But we may only want the info on usernames/authors. We can trim the output down to just the appropriate data elements:

$ exiftool -r -a -u -Author -LastSavedBy * >users.txt

We've removed the HTML and sorting options, as they will only serve to make any additional processing difficult. I've also only grabbed the Author and LastSavedBy tags, as these are the most common places for usernames. Now we can take our users.txt, and remove all of the extra information with some unix text processing:

$ strings users.txt | cut -d":" -f2 | grep -v "\=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq  >cleanusers.txt

Now all we are left with is a list of potential usernames, one per line. We've dropped all of the extra text up to the first delimiter (:), dropped the lines containing "=" and "image files read", converted whitespace to newlines, sorted alphabetically and removed the duplicates. This will introduce some need for manual culling, as sometimes the author is listed as "Firstname Lastname" and each name gets kept individually. However, in some smaller companies just a first or last name is perfectly acceptable as a username, so you may not want to cull your list at all.

Now, we are left with a list of potential usernames that we can utilize for password brute force attempts for other services, such as VPNs or web based applications.
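Two gaps above are worth closing with one added example (not from this post or from the Hack Naked TV episode): the Office 2007 case the note excludes, and the "Firstname Lastname" culling problem at the end of the shell pipeline. An Office 2007 file (.docx/.xlsx/.pptx) is a zip archive, and the properties EXIFtool reads as Author and LastSavedBy from older documents live in docProps/core.xml as the OPC/Dublin Core elements dc:creator and cp:lastModifiedBy. The sample document is built in memory with made-up names so the example runs offline; the username forms generated from full names (first.last, flast and so on) are conventions I am assuming, not something the page states:

```python
"""Extract creator/last-modified-by from Office 2007 files and turn them into username candidates.

Added example, not from the original post. Only the standard library is used.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Constructed docProps/core.xml with fictitious people (not a real document).
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">
  <dc:title>Q4 Budget</dc:title>
  <dc:creator>Jane Doe</dc:creator>
  <cp:lastModifiedBy>jsmith</cp:lastModifiedBy>
</cp:coreProperties>"""


def build_sample_docx(include_core=True):
    """Bytes of a minimal zip that looks like a .docx as far as metadata is concerned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if include_core:                      # a sanitized file simply lacks this part
            z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def office_metadata(data):
    """{"creator", "lastModifiedBy", "title"} from an OOXML file's bytes; None where absent."""
    fields = {"creator": None, "lastModifiedBy": None, "title": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return fields                     # stripped document: nothing to harvest, no exception
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields["creator"] = root.findtext("dc:creator", namespaces=NS)
    fields["lastModifiedBy"] = root.findtext("cp:lastModifiedBy", namespaces=NS)
    fields["title"] = root.findtext("dc:title", namespaces=NS)
    return fields


def username_candidates(name):
    """Username forms worth trying for an author string.

    Keeps each whitespace token on its own (what the post's shell pipeline does) and,
    for multi-word names, adds first.last, flast, firstl and firstlast (assumed conventions).
    """
    tokens = [t for t in re.split(r"\s+", name.strip().lower()) if t]
    if not tokens:
        return []
    cands = set(tokens)
    if len(tokens) >= 2:
        first, last = tokens[0], tokens[-1]
        cands.update({first + "." + last, first[0] + last, first + last[0], first + last})
    return sorted(cands)


def harvest(documents):
    """Unique username candidates across many documents, like the post's cleanusers.txt."""
    found = set()
    for data in documents:
        meta = office_metadata(data)
        for key in ("creator", "lastModifiedBy"):
            if meta[key]:
                found.update(username_candidates(meta[key]))
    return sorted(found)


if __name__ == "__main__":
    print(harvest([build_sample_docx(), build_sample_docx(include_core=False)]))
```

To run it over a real directory, replace the constructed sample with `open(path, "rb").read()` for each `*.docx`, `*.xlsx` and `*.pptx` found; the candidate list then feeds the same brute force step as the users.txt list above.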

Scan For MS08-067 With Nmap


by Paul Asadoorian

It has been a few weeks since the release of patches (and exploits) for MS08-067. We all should have had plenty of time to deploy patches to our systems and reboot for them to take effect.

How about we make sure?

Don't have one of those expensive scanning tools? How about Nessus? Sure, Nessus is great, but how about something more lean and mean?

Nmap to the rescue!

Note: You must use the current svn version to make this work, so go get it with the following command:

svn co --username guest --password "" svn://svn.insecure.org/nmap/

Ok, now let's make Nmap work for us! We'll tell Nmap to output the results to a file named for our subnet (in all three file formats, no less), perform a SYN scan on port 445, and execute the SMB vulnerability checking NSE script against the discovered hosts on the 192.168.1.0/24 network:

nmap -oA 192168-filename -sS -p445 --script smb-check-vulns.nse 192.168.1.0/24

Now we can take these results and verify which Windows hosts on our network require a little extra attention in the patch department.
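To turn those results into a patch list without eyeballing 256 hosts, here is an added example (not from the original post) that reads the XML file -oA writes (192168-filename.xml for the command line above) and separates the hosts the script flagged from the ones it cleared or never got to check. The XML below is constructed; the "MS08-067: VULNERABLE" / "MS08-067: NOT VULNERABLE" wording is assumed to match the script's output of the time, and the parser looks for the script element both under <port> and under <hostscript> so either placement works:

```python
"""List hosts flagged by smb-check-vulns for MS08-067 from Nmap XML output (added example)."""
import re
import xml.etree.ElementTree as ET

MS08_067_RE = re.compile(r"MS08-067:\s*([^\n]+)")

# Constructed Nmap XML: addresses and verdicts are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oA 192168-filename -sS -p445 --script smb-check-vulns.nse 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#10;MS08-067: VULNERABLE"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-check-vulns" output="&#10;MS08-067: NOT VULNERABLE"/></port></ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def parse_ms08_067(xml_text):
    """{ip: verdict text} for every host whose smb-check-vulns output mentions MS08-067."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):          # walks <port> and <hostscript> alike
            if script.get("id") != "smb-check-vulns":
                continue
            m = MS08_067_RE.search(script.get("output", ""))
            if m:
                results[addr.get("addr")] = m.group(1).strip()
    return results


def needs_patch(results):
    """Hosts whose verdict is exactly VULNERABLE ('NOT VULNERABLE' also contains the word)."""
    return sorted(ip for ip, verdict in results.items() if verdict == "VULNERABLE")


def unchecked(xml_text, results):
    """Hosts that were up but produced no verdict (445 closed/filtered, script error): check by hand."""
    root = ET.fromstring(xml_text)
    ups = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is not None and status is not None and status.get("state") == "up":
            ups.append(addr.get("addr"))
    return sorted(ip for ip in ups if ip not in results)


if __name__ == "__main__":
    verdicts = parse_ms08_067(SAMPLE_XML)
    print("patch now:", needs_patch(verdicts))
    print("no verdict:", unchecked(SAMPLE_XML, verdicts))
```

The "no verdict" list matters as much as the vulnerable one: a Windows host with 445 filtered from the scanner's vantage point is not patched, just unscanned, so it goes back on the list for a scan from inside its own segment.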

You want fast? Fyodor will give you fast! In a live network, Nmap was able to perform the scan in just over a minute:

Nmap done: 256 IP addresses (156 hosts up) scanned in 83.53 seconds

[Editors note: Paul, what a great use of a free, simple to use tool. I'm really liking the focus on NSE expansion for Nmap! -Larry]