
September 2009 Archives

PaulDotCom Security Weekly - Episode 169 Part 1 - September 25, 2009


In this episode we announce the winners of the Network Forensics Puzzle, do a technical segment on using encryption and good passwords together, and discuss the stories of the week!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


PaulDotCom Episode 169 - Friday 8:30PM


Sometimes we all need a little incentive to do the things we should be doing anyway (like washing your hands or hardening [ahem] your network).

Let us help you harden the soft parts in your network - join us live at 20:30 EDT on Friday September 25th for Episode 169 of PaulDotCom Security Weekly for a talk with Tom Wilhelm about professional penetration testing (aka "unethical" hacking).

The live stream should be active around 20:30 EDT (8:30 PM), Friday. Please keep in mind that the recording time can be as fluid as our beer intake on podcast night.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Carlos, Larry, Mick, & Paul.

PaulDotCom Security Weekly - Episode 168 - September 17, 2009


Rowin' with the anchor up behind the firewall!

In this episode we talk to Ryan Dewhurst, the author of Damn Vulnerable Web App, a distribution that is insecure and secure all at the same time! We also talk about all kinds of security fail, introduce a studio guest, and more!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


PaulDotCom Security Weekly - Episode 167 - September 11, 2009


This week we interview Moxie Marlinspike of thoughtcrime.org to speak about hitchhiking and breaking SSL!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


Don't be caught with your pants down for the next threat! Join us live at 22:45 UTC on Thursday September 17th for Episode 168 of PaulDotCom Security Weekly when we speak with Ryan Dewhurst about Damn Vulnerable Web App.

The live stream should be active around 18:45 EDT (6:45 PM), tonight. Please keep in mind that the recording time can be fluid, which is the same goal we have for our state of consciousness by the end of the podcast.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- Mick, Carlos, Larry, John, & Paul.

Please tune in live to hear Moxie Marlinspike talk with the PDC crew about his research, specifically how he has poked SSL with a hot pointer until it cries uncle.

The podcast will be recorded at 8:30 PM EDT on Friday, September 11, 2009. The live stream should be active around 20:45 EDT (8:45 PM Eastern). Please keep in mind that these times are estimates.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Mick, Carlos & Larry

What's in Larry's RFID hacking box?


We've been asked a number of times for advice on RFID equipment that can be used to start experimenting with RFID technologies. We've heard your request loud and clear; I'm going to give you a rundown of what is in my current kit.


Start at the Beginning

The first reader that I picked up was the PhidgetRFID board.

It was inexpensive, included all the bits and pieces I needed for interfacing (USB built in) along with some sample applications and an open community. It reads uniquely numbered EN4x02 series tags quite well. This reader is read only, and operates in the 125 kHz spectrum.

Moving On Up

Shortly thereafter I realized that I wanted to write tags. Of course I was familiar with the RFIDIOt project and I wanted a writer that would work with that particular code. I picked up an ACG reader with USB interface from Major Malfunction (the author of RFIDIOt) in order to help support the project.


It was expensive and it needed to be imported to me from the UK but I couldn't find an equivalent reader elsewhere that could come close to the cost. I picked up the ACG LF USB reader, which works like a champ reading and writing to all manners of tags. If I had to do it again, I'd upgrade to the ACG LAHF USB which wasn't available at the time. While I was there, I also picked up the ultra cheap USB Keyboard Wedge Verification LF Reader just for fun.


Unfortunately the next project that I wanted to pursue involved the reading of ISO 14443A/B tags, which wasn't supported by my ACG reader (the upgraded model does, hence my recommendation for the upgrade). In order to support the reading of ISO 14443A/B tags, I picked up the Omnikey Cardman 5321, which also includes a smart card reader.


Ooh, two hacking tools in one! I did acquire this reader much cheaper here in the US. The supplier no longer has them available but there are several that are Google-able. In typical fashion I wanted to be able to read ISO 14443A/B tags in order to read PayPass RFID tags which I found out isn't supported by RFIDIOt...yet. A chat with Major Malfunction at Defcon revealed that he is close to being able to support the PayPass chips.

Going Standalone

I was also fortunate to be able to acquire some Parallax modules from the Defcon Wireless Village RFID scavenger hunt a few years ago. Thorn put them together in a kit to build a standalone EN4X02 reader with a serial LCD display.


It worked great, but I've got some new plans for the modules, such as integrating them with an Arduino and a few extra goodies for good measure.

The Latest Goods

A few weeks ago I picked up a VivoPay PayPass 3000 reader off eBay for a few dollars (under $10).


It was "tested and working" and it does appear to be that way. Unfortunately I need to construct a serial adapter for it and my tools seem to be missing. I have some headed my way this afternoon, so this is an ongoing project.

The neat option with this reader is the PayPass support. It will read the card and handle all of the over-the-air encryption. The module handles all of the decryption and hands off the clear text of the tag via serial; this is the port that would be connected to the Point of Sale system. Bonus: let's use the hardware's intended purpose to do the crypto for us, and interface with 3ric's pwnpass script. Stay tuned for more goodies with this one.

[Update: During the writing of this post, I was successful in building the serial adapter and testing it with the tools from VIVOtech, as well as the pwnpass script. However, I think that this reader has an old version of firmware that cannot understand the commands issued to it. I have to call VIVOtech to get ahold of the latest firmware, which I'm told is fairly easy to do.]

You'll note that I don't have any inventory of active RFID equipment; all of my gear is passive. I haven't had any experience with any active gear, and for me, the cost is more prohibitive.

Right now, that's what I've got in my kit and I've found I can read just about any type of tag that I can encounter, from passports to physical security cards. Some are a work in progress, but they are just a matter of time. Scan away! Also, I'm more than willing to let you scan my RFID implant in person should we meet.

Larry "haxorthematrix" Pesce

PaulDotCom Security Weekly - Episode 166 - September 4, 2009


This week we interview Nick Harbour of rnicrosoft.net to speak about Forensic Software tools and techniques!

We've got two fabulous technical segments, one on stealing Firefox passwords and another on enumerating VPN concentrators.


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


To quote Carlos "dark0perator" Perez, "shell is just the beginning". Now that we have access to a machine, we can gather all sorts of goodies, we just need to know where to look.

Some of my favorite local system information gathering techniques include grabbing Firefox stored passwords. Prior to version 3.5 (i.e. for version 3), the list of sites and associated passwords was stored in signons3.txt. If a master password is set you also need the file "key3.db", as it is required to unlock the password store. For Firefox versions 3.5 or better, you need to acquire the file "signons.sqlite". For a detailed description of the contents and format of each of these files, check out the FirePassword page.

But why recover these usernames and passwords? How many people do you know let their browser store passwords for them? Personally, I know a lot. Users store passwords for just about everything; personal sites, banking and corporate resources.

Yes, corporate resources. If you have credentials to these resources, this may open up a whole new world to your testing. Imagine that you now have credentials to web based management utilities allowing access to a million credit card numbers (or something as equally juicy such as social security numbers).

So how do we do it? OK, first grab the signons3.txt and key3.db files (or signons.sqlite for Firefox 3.5) and get them to a system where you can work with them. I'm finding that a Windows system is best, given the tools available. I'm using Windows 7 in a VM, with Firefox installed. Many of the tools like to look for the default Firefox profile directory, so I often copy the files there; I'm not concerned about the install of Firefox in this VM.

The Firefox browser itself can be used to view the passwords in the password store. (Firefox 3.5 uses a different format for storing passwords; it now keeps them in a SQLite database.) If we copy over the files (signons3.txt and key3.db) to the default Firefox profile (C:\Documents and Settings\[user]\Application Data\Mozilla\Profiles\[random].profile in many cases), run Firefox, and go to Tools -> Options -> Security -> Saved Passwords -> Show Passwords, we can see them in plain text. Neat, now we have the URL, username and password! But wait, you mean now we are being asked for a master password? Well, we need to provide one in order to view the passwords!

We can use FireMaster to obtain the master password. FireMaster is a Windows-based master password brute force tool, and operates against key3.db and signons3.txt. It will do all of the typical brute force attacks: dictionary, hybrid, and brute force. It is a fairly simple tool to use, but here are a few examples. In these examples, FireMaster is in the same directory as key3.db and signons3.txt, so my profile path is set as "." at the end of the command:

[Update: During the writing of this segment, I noted that the author updated FireMaster to automatically detect the version of Firefox based on whether the information is stored in signons3.txt or in the SQLite database! We can now use this tool to get the goods from Firefox 3.5 as well.]

Below is an example of a dictionary attack:

FireMaster.exe -d -f wordlist.txt .

Note that you need to be careful with your wordlist. I used a copy of the all inclusive free version from ftp.openwall.org which I had to convert LF to CRLF. I also had to remove words with spaces and non US character sets. If I didn't I got a nasty crash from FireMaster. Can you say potential buffer overflow anyone?
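The wordlist clean-up described above (converting LF line endings to CRLF, dropping entries that contain spaces, and dropping entries with characters outside US-ASCII) as an added Python example. This is not code from the original post or from FireMaster, and the sample input is constructed for illustration rather than taken from the openwall list; the file-level wrapper `sanitize_file` is an assumed convenience, not part of any tool the post mentions.

```python
"""Normalize a raw wordlist before handing it to a tool that expects
CRLF-terminated, whitespace-free, US-ASCII entries.

Added example; SAMPLE_WORDLIST below is constructed, not a real list."""
from typing import List, Optional

# Constructed sample: mixes LF and CRLF endings, an entry with a space,
# a UTF-8 non-ASCII word, a tab, an empty line and a duplicate.
SAMPLE_WORDLIST = (
    b"password\n"
    b"letmein\r\n"
    b"two words\n"
    b"caf\xc3\xa9\n"    # "cafe" with an accented e in UTF-8: non-ASCII, dropped
    b"tab\there\n"
    b"\n"
    b"password\n"       # duplicate, dropped
    b"Sunshine1\n"
)


def clean_entry(raw: bytes) -> Optional[bytes]:
    """Return the entry with line endings removed, or None if it must be dropped."""
    entry = raw.rstrip(b"\r\n")
    if not entry:
        return None
    # Keep only printable US-ASCII (0x21..0x7E). A single range check rejects
    # spaces, tabs, control characters and every byte of a UTF-8 multi-byte
    # sequence, which covers both "words with spaces" and "non-US characters".
    if any(b < 0x21 or b > 0x7E for b in entry):
        return None
    return entry


def sanitize_wordlist(data: bytes) -> List[bytes]:
    """Filter raw bytes into unique, printable-ASCII, whitespace-free entries,
    preserving the original order of first occurrence."""
    seen = set()
    kept = []
    for raw in data.split(b"\n"):
        entry = clean_entry(raw)
        if entry is None or entry in seen:
            continue
        seen.add(entry)
        kept.append(entry)
    return kept


def to_crlf(entries: List[bytes]) -> bytes:
    """Serialize one entry per line with CRLF endings, including a trailing CRLF."""
    return b"".join(e + b"\r\n" for e in entries)


def sanitize_file(src_path: str, dst_path: str) -> int:
    """Read a raw wordlist, write the cleaned CRLF version, return the count kept.
    (Assumed helper; the post only describes the conversion, not a script.)"""
    with open(src_path, "rb") as f:
        entries = sanitize_wordlist(f.read())
    with open(dst_path, "wb") as f:
        f.write(to_crlf(entries))
    return len(entries)


if __name__ == "__main__":
    cleaned = sanitize_wordlist(SAMPLE_WORDLIST)
    print(to_crlf(cleaned).decode("ascii"), end="")
```

Working on bytes rather than decoded strings matters here: a list pulled from a mixed-encoding source may not decode cleanly as UTF-8, and the byte-range check catches any such entry without raising. Dropping duplicates also keeps the tool from re-trying the same guess.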


Below is an example of a hybrid attack:

Firemaster.exe -h -f wordlist.txt -n 3 -g "0123456789" -s -p .

Again, same wordlist issues. With the hybrid, it will append (-s) and prepend (-p) the number of characters (-n 3) drawn from the defined character set (-g). The larger your number of characters and character sets, the more time you will need.

Below is an example of a brute force attack:

FireMaster.exe -b -l 10 .

This one will set the max password length to 10 characters (-l), so adjust to your needs. It also uses the default character set of "abcdefghijklmnopqrstuvwxyz*@#!$123", which you may also need to tailor with the -g option. On my machine this would take over 300,000 days to complete at about 120,000 guesses a second. On a high end, non-virtual system the guessing jumped up to about 250,000 guesses a second for about 160,000 days to completion.

Ouch.

My vote is for a good dictionary. We covered scraping websites for making custom wordlists in Episode 129 of the podcast.

I've also had some good luck with Firefox Password Recovery from top-password.com. Granted, it wasn't free, but the $18 was something I could afford for expenses on an engagement. It won't crack or bypass the master password, but it may be a little safer than a machine running an old version of Firefox. Just another option. It hasn't been updated for the Firefox 3.5 or better signons.sqlite yet.

So, want a free solution? The author of FireMaster has a command line FirePass and GUI FirePasswordViewer tool to do the same, with Firefox 3.5 support! Start recovering and use the results responsibly (and with permission)!

- Larry "haxorthematrix" Pesce

This week, we are recording the podcast at 8:30 PM EDT on Friday, September 4th. The live stream should be active around 20:45 EDT (8:45 PM Eastern), Friday, September 4th. Please keep in mind that these times are estimates.

Please join us as Malware Analyst Nick Harbour of rnicrosoft.net speaks about Forensic Software tools and techniques!


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Mick, Carlos & Larry