October 2010 Archives

Felix "FX" Lindner and Judy Novak from SANS join us for part 1. Paul selects some fine Halloween music for us. So download, stay a while, and listen. PaulDotCom YouTube Channel.

Episode 217 Show Notes

Episode 217 part 1 Direct Audio Download

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

We're constantly asked "How can I attend security conferences and network with security rockstars when my company just cut our training budget?"

Our answer is: "Get off Facebook, put your smartphone on mute, and join our IRC channel to *interact* with the Security Rock Stars of today every Thursday night"!

We've got Felix "FX" Lindner of Phenoelit fame to discuss his research with Recurity Labs on preventing Flash exploitation as well as IDS evader and Packetstan contributor Judy Novak to show us some Crafty Packet Evasion goodness.

Don't be a passive member of the Info Sec community - be active! Your first step is to tune into Episode 217 of PaulDotCom Security Weekly, and listen live! Remember - if IRC is not your thing, then chat at PaulDotCom Live!

Please be sure to view Judy's video at PaulDotCom Blip TV so that you can ask questions of Judy after her presentation.

evasion.jpg

If the TCP/IP spirits smile on us, the live stream(s) will be found at:

PaulDotCom Live! - where you can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your beverage of choice and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.


We work really hard at turning the PG-rated part 1 into something that family members should not download. We have a couple of tech segments and some stories for you in here somewhere. You can find video of our tech segments on our YouTube channel at PaulDotCom YouTube Channel.

Mati "Muts" Aharoni & Chris "l0gan" Hadnagy help us heathens keep the first part of the podcast PG. But only the first part. So to their families: this is the ONLY part you should ever download.



Welcome to the new basement recording studio and watch the intern run video and the sound board.

Episode 216 part 1 Direct Audio Download

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Hacking the Human tomorrow night!


Social-Engineer podcast fans are in for a special treat. Instead of waiting another 30 days for your monthly fix, you can catch Mati "Muts" Aharoni & Chris "l0gan" Hadnagy on Episode 216 of PaulDotCom Security Weekly.

Chris and Muts will give us background on their podcast and details on the upcoming events and training that Social-Engineer.org is working on, as well as some insight into BackTrack development. Join the IRC channel to interact with the best and brightest minds in Social Engineering today!

NLH.jpg

If the TCP/IP gremlins cooperate, the live stream(s) will be found at:

PaulDotCom Live! - where you can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your beverage of choice and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

PaulDotCom - Security Weekly - Episode 215 - October 14, 2010


Live from Mr. J's Havana Smoke Shop! Special guest Josh Corman.

Video recorded on October 14, if you can see us through the clouds of smoke

Episode 215 Show Notes

Episode 215 Direct Download

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Tshark/Wireshark SSL Decryption - Lessons Learned


This week Doug Burks and I needed to decrypt a few gigabytes of SSL traffic to find a TCP stream that contained a key word. We learned a bit along the way so I'm passing it along here.

First, full packet capture rocks. You are capturing EVERY packet that goes in and out of your network, right? Yeah, I know you have a HUGE internet pipe. But for a few hundred bucks you can have TERABYTES of drive space on an old laptop with DAEMONLOGGER running. I'd suggest something a little better, but you can make full packet capture work on a shoestring budget. Capturing the data is the easy part. Finding a needle in that haystack when it is all encrypted is the hard part.

SSLDUMP is one option, but I am really only interested in the text in the HTTP payload, and SSLDUMP gives you a lot more information than that. We decided to use TSHARK because it can decrypt SSL and you can use Wireshark display filters on the result.

We started out with something like this:

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 0.0.0.0,0,data,private.key" -o "ssl.debug_file: SSL-Decrypt.log" -r all.pcap -R "(tcp.stream eq 1)"

The first problem we ran into was the format of our private key. We had the right private key, but every time we started tshark it recorded "unable to load PEM" in the log file. Long story short, "-----BEGIN PRIVATE KEY-----" and "-----BEGIN RSA PRIVATE KEY-----" are NOT the same thing. Wireshark and tshark want the private key in PKCS#1 format, which is the one with the "-----BEGIN RSA PRIVATE KEY-----" header. The other header marks a PKCS#8 key, and Wireshark won't load keys in that format. Step one was to convert the PKCS#8 private key to PKCS#1 format. OpenSSL does the trick (reading PKCS#8 without -topk8 writes the traditional PKCS#1 form):

openssl pkcs8 -in private.key -out rsa_private.key -nocrypt

With our new PKCS#1 format private key (rsa_private.key), the tshark command line became:

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 0.0.0.0,0,data,rsa_private.key" -o "ssl.debug_file: SSL-Decrypt.log" -r all.pcap -R "(tcp.stream eq 1)"

Now tshark's log file no longer said "unable to load PEM", but instead it said "key loaded successfully". However, two lines down in the log we saw "couldn't find key for this server, try the universal port 0 and the universal IP 0.0.0.0".

This entry was a little confusing, as we were already using the universal IP and port. So we changed that to the actual IP address and port of the server and BAM... the next time we ran tshark the SSL-Decrypt.log file grew REALLY fast. (One caveat worth knowing before you start: decrypting with the server's RSA private key only works for sessions that used RSA key exchange. A DHE or ECDHE cipher suite negotiates session keys the private key cannot recover, and no keys_list entry will help there.)

So how do we make tshark output HTTPS traffic as decrypted HTTP traffic in plain ASCII (similar to tcpdump -A)? One option is to tell tshark to output the data field (data.data) with the "-T fields -e data.data" parameters. However, that output is hex. We can pipe it through "xxd -r -p" to convert it to ASCII:

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:0.0.0.0,0,data,rsa_private.key" -o "ssl.debug_file:SSL-Decrypt.log" -r all.pcap -R "(tcp.port eq 443)" -T fields -e data.data | xxd -r -p

That worked for us: our SSL streams dumped their payload in ASCII and we could find our string. But Doug (he is a bit of a perfectionist) changed the options to this:

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,rsa_private.key" -o "ssl.debug_file:rsa_private.log" -r all.pcap -R "(tcp.port eq 443)" -V

By changing the 3rd parameter of ssl.keys_list from "data" to "http", tshark parses the decrypted packets with its HTTP dissector. When the -V option is passed, tshark gives you a nicely parsed, unencrypted HTTP stream. Piping that through grep works very nicely.

GET /index.html HTTP/1.1\r\n
    [Expert Info (Chat/Sequence): GET /index.html HTTP/1.1\r\n]
        [Message: GET /index.html HTTP/1.1\r\n]
    Request Method: GET
GET /images/logo.gif HTTP/1.1\r\n
    [Expert Info (Chat/Sequence): GET /images/logo.gif HTTP/1.1\r\n]
        [Message: GET /images/logo.gif HTTP/1.1\r\n]
    Request Method: GET
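Here is the whole procedure as one script, added here as an example (it is not from the original post). It assumes the same inputs the post uses: a capture all.pcap, a private key private.key in either PEM form, and the server's IP and port. It needs openssl and tshark at run time; the key-format check itself needs only grep. The tshark options are the 2010-era ones from the post; on current releases the ssl.* preferences are named tls.* and the display filter is given with -Y rather than -R.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the tshark workflow above:
# check the key's PEM format, convert PKCS#8 to PKCS#1 if needed, then dump
# decrypted HTTP so it can be grepped. Needs openssl and tshark at run time.
# Usage: ./decrypt-https.sh all.pcap private.key <server-ip> 443

# Classify a PEM private key by its header line. Wireshark/tshark of this
# era load only the PKCS#1 ("BEGIN RSA PRIVATE KEY") form.
key_format() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown
    fi
}

# Convert an unencrypted PKCS#8 key to PKCS#1 PEM (the same openssl call as the post).
to_pkcs1() { # $1 input key, $2 output key
    openssl pkcs8 -in "$1" -nocrypt -out "$2"
}

# Decrypt TLS for one server (IP and port must match, as the post found) and
# print the fully dissected HTTP (-V) on stdout. The debug log records why
# decryption failed, e.g. no matching key, or a DHE/ECDHE session whose keys
# the RSA private key cannot recover.
decrypt_https() { # $1 pcap, $2 pkcs1 key, $3 server ip, $4 port
    tshark -n \
        -o "ssl.desegment_ssl_records: TRUE" \
        -o "ssl.desegment_ssl_application_data: TRUE" \
        -o "ssl.keys_list: $3,$4,http,$2" \
        -o "ssl.debug_file: SSL-Decrypt.log" \
        -r "$1" -R "tcp.port eq $4" -V
}

main() {
    pcap=$1; key=$2; ip=$3; port=$4
    case "$(key_format "$key")" in
        pkcs1) ;;
        pkcs8) to_pkcs1 "$key" rsa_private.key; key=rsa_private.key ;;
        *) echo "cannot use $key: encrypted or unknown PEM format" >&2; return 1 ;;
    esac
    decrypt_https "$pcap" "$key" "$ip" "$port"
    # The same log line the post hit when the key did not match the server.
    if grep -q "couldn't find key" SSL-Decrypt.log 2>/dev/null; then
        echo "warning: tshark found no key for $ip:$port; check the server address" >&2
    fi
}

if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Run it as `./decrypt-https.sh all.pcap private.key 10.0.0.5 443 | grep -n 'keyword'` to get straight to the stream you are after; the key-format check saves the round trip through the debug log that cost the authors their first attempt.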

Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 15th! REGISTER TODAY BY CLICKING HERE!!!

dbl-rainbow.jpg
OMG DOUBLE TECH SEGMENT... What does it mean? OMG it's so beautiful, DOUBLE TECH SEGMENT. Also stories and discussion that NAC is wack.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Windows 7 symbolic links and hidden files


Windows 7 symbolic file and directory links are pretty cool. Although the most common use of symbolic links is to make a folder or directory appear to exist someplace it does not, symbolic links can also take complex paths and filenames and make them simpler. That's good, because some of our applications aren't smart enough to understand complex paths. For example, lots of applications do not understand Alternate Data Streams (ADS). If you are not familiar with ADS, check out this article by Brian Wilson: http://www.ethicalhacker.net/content/view/115/24/

Try this experiment: Create an Alternate Data Stream and attempt to open it with Microsoft Word.

C:\temp>echo tst > mainfile.txt

C:\temp>echo ads > mainfile.txt:ads.txt

Now try to open c:\temp\mainfile.txt:ads.txt with Word. It doesn't work: Word doesn't recognize the alternate data stream. Now create a symbolic link to the ads.txt alternate data stream like this:

C:\temp>mklink txtfile c:\temp\mainfile.txt:ads.txt
symbolic link created for txtfile <<===>> c:\temp\mainfile.txt:ads.txt


Open c:\temp\txtfile with Word. No problem. It works great. Symbolic links make Alternate Data Streams accessible to applications that don't support streams.

Try putting a copy of Netcat in an alternate data stream and running it. You can run executables from an alternate data stream using "start" or "wmic process call create", but symbolic links make it really simple. By using symbolic links to access alternate data streams you no longer have to jump through hoops to create and run backdoors in your alternate data streams. Putting netcat into an ADS and executing it is as simple as this (z: is wherever your copy of nc.exe lives; copying onto the link writes into the stream it points at):

C:\temp>mklink backdoor.exe c:\temp\mainfile.txt:nc.exe

symbolic link created for backdoor.exe <<===>> c:\temp\mainfile.txt:nc.exe

C:\temp>copy z:nc.exe backdoor.exe
1 file(s) copied.

C:\temp>backdoor.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d detach from console, background mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

C:\temp>

You can remove file-based symbolic links with "del" and directory-based symbolic links with "rmdir". When you're done with the netcat backdoor, "del backdoor.exe" removes the symbolic link, but the alternate data stream (and the netcat binary inside it) will remain.

You can also create symbolic links to Windows device objects and system volumes. Have you ever seen your system's boot partition? You can make copies of it or edit it with BCDEDIT.EXE, but what is really in there? Want to see it? Try this.

WARNING: If you mess up your boot partition it is going to be a long day. Proceed with caution.

C:\temp>mklink /D root \\?\GLOBALROOT\Device\HarddiskVolume1\

C:\temp>cd root
C:\temp\root>dir /a

Here is what it looks like.

Note the "/D", which creates a link to a directory rather than a file. Your boot volume is now accessible through the "root" directory. All the files on the partition have the HIDDEN, SYSTEM and READ ONLY attributes set, so you'll need to tell explorer.exe to show hidden and system files. Now you can use normal file utilities to manipulate the boot partition. You can also hide files in your boot partition by simply copying them into the directory. After removing the symbolic link, explorer.exe will not find those files when you search for them. In my limited testing, files seem to be completely invisible to the OS and the antivirus software until you recreate the symbolic link. You can also create data streams and symbolic links in the boot partition. In short, there are a variety of ways for attackers to use the boot partition to hide information. If an attacker is putting malware in there, will you recognize it? Check out your boot partition. Know thy system.
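To turn the post around into a check, here is a PowerShell script, added as an example (it is not from the original post), that lists the two hiding places described above on a directory tree: alternate data streams on files, and symbolic links whose target is an ADS or a \\?\GLOBALROOT volume path. It assumes Windows PowerShell 5.1 or later (Get-Item -Stream, and the LinkType and Target properties on reparse points); $Root is a placeholder for the tree you want to check.

```powershell
# Added example, not from the original post: find the two hiding spots the
# post describes on a directory tree. Assumes Windows PowerShell 5.1+.
# $Root is a placeholder; point it at the tree you want to inspect.
param([string]$Root = 'C:\temp')

function Find-AlternateDataStreams {
    param([string]$Path)
    # Every file has a default unnamed ::$DATA stream; anything else is an ADS
    # (the post's mainfile.txt:ads.txt and mainfile.txt:nc.exe would show here).
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

function Find-SuspiciousLinks {
    param([string]$Path)
    # Reparse points cover symbolic links and junctions. Report each target and
    # flag the ones that point into an ADS (a second ':' after the drive letter)
    # or at a raw volume via \\?\GLOBALROOT, as in the mklink examples above.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = ($_.Target -join ', ')
            [pscustomobject]@{
                Link       = $_.FullName
                LinkType   = $_.LinkType
                Target     = $target
                Suspicious = ($target -match '^\\\\\?\\GLOBALROOT') -or
                             ($target -match '^[A-Za-z]:\\[^:]*:[^\\]+$')
            }
        }
}

Find-AlternateDataStreams -Path $Root | Format-Table -AutoSize
Find-SuspiciousLinks -Path $Root | Format-Table -AutoSize
```

It only finds streams and links that still exist. A file copied onto the boot volume through a link that has since been deleted is exactly what the post says you will not see; for that you have to recreate the link (or mount the volume another way) and look.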

Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 15th! REGISTER TODAY BY CLICKING HERE!!!

Ireland.png
Interview with Brian Honan on security subjects from across the pond. Also discussed is how much better beer is when enjoyed near its place of birth. Most of them anyway...
Episode 214 Direct Download!

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Real time Google Hacking


Who doesn't love a good googledork? Francis Brown and Rob Ragan over at Stach & Liu sure do. They have given us a few reasons to fall in love with Google hacking all over again. If you haven't seen their excellent presentation, "Lord of the Bing", at Defcon, Blackhat, B-Sides, etc., here is what you've missed.

Google considers all search results to be its intellectual property. To prevent automated scraping of its results it implemented controls that block tools that run hundreds of Google searches and collect the results. That makes automatically launching hundreds or thousands of Google searches to find sensitive data, configuration files and other interesting things a time-consuming process. Francis and Rob have figured out a few ways to make that process simple.

First, Bing doesn't have the restrictions that Google does. But Bing's syntax is a little different from Google's, so you can't just plug your GoogleDorks into Bing. So they converted the entire GHDB to Bing searches and made that publicly available on their website. That is pretty awesome by itself. But there is more.

Second, Google doesn't blacklist or apply restrictions to searches conducted from Google services (imagine that). They took the entire Google Hacking Database, the Foundstone Hacking Database and their new Bing Hacking Database and turned them into Google Reader RSS feeds. As soon as Google or Bing indexes a new site that matches your "intitle:Index Of passwords" criteria, Google Reader adds it to your RSS feed. (Google Reader is able to get Bing results by leveraging Bing's &format=rss parameter.) As a result, Google and Bing are constantly searching for all the Googledorks in the database and maintaining a real-time database of the results! Rob and Francis then exported their RSS feeds to OPML format so you can just import them into your own Google Reader account. That is REALLY cool! (Note: importing that huge XML file takes some time. Be patient.) But there is more! If you order today they will send you the GHDB converted to the BHDB and the entire GHDB, FHDB and BHDB in Google Reader format, but they don't stop there. There is a suite of command-line and GUI based tools to make it easier to search your sites for sensitive data using Googledorks.


How do we defend ourselves against search engine data leakage? We use "site:mysite.com" together with the Google dork to see what data we are leaking. Without automation it is very time consuming to try hundreds of Googledorks against one site, so what if you have 1000 or more sites? You probably just ignore the threat and hope for the best. Their SearchDiggity project comes to the rescue. With their tool you can plug in multiple domains and use the unfiltered Bing results to keep tabs on the sensitive data search engines are finding on your sites.


All of the tools and the Google Reader OPML are available for download here:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
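The feed trick above, as an added example (it is not code from the original post or from Stach & Liu's Diggity tools): build the Bing RSS URL for a dork, optionally scoped with site: to your own domain for the defensive use described above, and keep a set of links already seen so that each poll reports only new hits, standing in for Google Reader. The RSS document in the block is constructed for the example; only the search?q=...&format=rss URL shape comes from the post.

```python
"""Added example, not from the original post or the Diggity project: poll a
Bing RSS feed for a dork and report only hits not seen before. The sample
feed below is constructed; the URL shape (search?q=...&format=rss) is the
one the post mentions."""
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus


def bing_rss_url(dork, site=None):
    """Bing query URL in RSS form; scope with site: to monitor your own domain."""
    query = f"site:{site} {dork}" if site else dork
    return "http://www.bing.com/search?q=" + quote_plus(query) + "&format=rss"


def parse_rss_items(xml_text):
    """Return the <item> entries of an RSS 2.0 document as dicts."""
    root = ET.fromstring(xml_text)
    return [
        {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        }
        for item in root.iter("item")
    ]


def new_hits(xml_text, seen):
    """Items whose link is not in `seen`; adds them so the next poll is quiet."""
    hits = [i for i in parse_rss_items(xml_text) if i["link"] not in seen]
    seen.update(i["link"] for i in hits)
    return hits


# Constructed sample feed standing in for a live Bing response.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><title>Index of /backup</title><link>http://www.example.com/backup/</link>
<description>passwords.txt config.php.bak</description></item>
<item><title>Index of /old</title><link>http://www.example.com/old/</link>
<description>site.sql</description></item>
</channel></rss>"""

if __name__ == "__main__":
    print(bing_rss_url('intitle:"Index of" passwords', site="example.com"))
    seen = set()
    for hit in new_hits(SAMPLE_RSS, seen):
        print(hit["title"], hit["link"])
    print("second poll, new hits:", len(new_hits(SAMPLE_RSS, seen)))  # 0
```

Persist the seen set between runs (a file of links is enough) and run it from cron against each site: dork pair you care about, and you get the same "only tell me about new exposures" behaviour the Google Reader feeds gave, without depending on a reader service.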

Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 13th! REGISTER TODAY BY CLICKING HERE!!!

Episode 214: The Euro Edition


Episode 214 of PaulDotCom Security Weekly will feature Mr. Brian Honan, European editor of SANS Newsbytes. Mr. Honan will be here to provide us with a European take on the current state of Info-Sec. You don't want to miss this one; it's not every day that we drink Belgian beer while speaking with Irish guests via introduction from British pimps who put out Austrian podcasts.

chrisjohnriley.jpg

Chris John Riley in authentic Austrian garb


When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

ditigal-mind.jpg
Discussion of how PenTesting is dead (?!?!?!), how to Socially Engineer your way to a DefCon Black badge, and the sounds of emergency vehicles responding to a call. We also discuss the stories for this week. All wrapped into one large download.
Episode 213 Direct Download!

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

PaulDotCom Webcast: "Hacking Horror Stories" This Week

Zombiegrave.jpg
There is no escape from the server room...

We wanted everyone to know about a webcast we are giving (on a bit short notice!):

Description: How the most popular vulnerabilities are exploited in the wild. Attend this presentation to hear how the most popular web application security vulnerabilities have been exploited in the wild. You’ll see real-life examples of how hackers sullied big brand names, disabled cars, and stole personal information from powerful people such as New York Mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel.

Title: Hacking Horror Stories

Date: Wednesday, October 6, 2010

Time: 2:00 PM - 3:00 PM EDT

Register here: https://www1.gotomeeting.com/register/739957033

PaulDotCom Interview with Aluc.tv


While I was attending Brucon 2010 I had the opportunity to do an interview with Aluc.tv. Aluc is a great guy and we discuss, among other things:

  • How I earned the nickname "PaulDotCom"
  • My plot to take over the world using Embedded Systems
  • Running away from Joe
  • "I don't want to be naked with Chris Nickerson"
  • Why we started the podcast
  • The dirty secrets of PaulDotCom Show
  • The Security Fail Web Site
  • Our favorite cigars

Aluc.tv does a great job putting together video and audio episodes of his podcast which discusses information security and hacking. Check it out!

Your Password Cracking System Sucks


Yeah... Sorry, it is just true. I was hanging out with D3ad0ne at a recent SANS conference when he unleashed the monster below on me.

I have to say that I felt a bit dizzy just thinking about the specs for this monster. The biggest shock was that it is cooled not by water, but with Chuck Norris's tears. Sure, the damn things cure cancer, but D3ad0ne uses them to cool his password cracking system.

Below is the insane email he sent me with pics of the beast.


##Begin D3ad0ne's email##

Hey John, you said to send you the specs on my super hash cracking rig. I call it Erebus after the Greek god. So let's get down to the stats:

Motherboard: EVGA SR-2 Classified
CPU(s): Two Intel Xeon X5650s, 24 total cores
GPU(s): Six EVGA GTX 480 Hydrocopper, 2,880 total cores
Memory: 12GB Corsair Dominator triple channel
Harddrive1: 1TB drive dual boot Ubuntu/Win7
Harddrive2: Two SSD Corsair C300 128GB drives in RAID 0

Just FYI stuff:
The system is set up to be versatile, running dual boot Win7 64 and Ubuntu 64. With 12GB and 24 CPUs I can run a dozen virtual machines for testing in a lab environment. The SSDs have gigs of rainbow tables and dictionaries for use with cracking hashes. Using the Cryptohaze GPU rainbow table program I can find hashes in the rainbow tables within seconds thanks to the GPU/SSD combination. Mostly I use hashcat or oclHashcat. oclHashcat is able to utilize both dictionaries and brute force separately or at the same time, including rules, all on the GPU. It is also one of only a few tools that is supported on both Windows and Linux as well as being able to use both NVIDIA or ATI video cards. For NTLM without overclocking I tend to get around 10.5 billion password attempts a second even with several thousand hashes. The creator, Atom, is also working on a multi-GPU version of md5(unix) and currently I am getting 5.5 million/sec. This may seem slow but usually with JTR you may only see a couple hundred/sec with this hash type. If I'm cracking something with dictionaries and I want to use a lot of rules, I will use regular hashcat; if I use the -n 24 switch it will utilize all 24 CPU cores 100%.

So far I've spent close to $10K US. But I'm also getting a second shelf with a PCI-E bus extender from a company called Magma. The ExpressBox4 will allow me to install up to 4 more cards, but I only plan on getting 2 more GTX 480s, so 8 in all. Also I should mention that all the GPUs are water cooled, as well as the CPUs. I use a program coded by Atom to allow me to test the GPUs to ensure that the shaders are 100% stable when overclocking. Currently I can run the GPU shaders at 1711 MHz instead of the stock 1400 MHz, so a little over 17% over stock. And of course hash cracking speed is based off of the number of cores * clock speed. In total it surpasses 5 TeraFLOPS. Not bad for a personally owned machine. Pictures attached. :)


P9150043.jpg

Video Game Rigs Suck


Do you have an impressive home rig? Shoot us an email and share: pauldotcom@mail.pauldotcom.com

-strandjs

John Strand will be presenting Hacker Techniques and Incident Response at SANS San Francisco this November. Also, there is no way in hell his wife would allow him to have a rig like this... It would scare the children.
