Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/
Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!
- Larry, Mick, Carlos, John, Darren & Paul
]]>
Top ten tips to socially engineer management into implementing security the right way, plus all sorts of interesting stories including the "porn detection stick"!
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Audio Feeds: 
Also, there were rumors we won an award somewhere for something ...
Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/
Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!
- Paul, Larry, John, Carlos, Mick & Darren
]]>Proxychains is a Linux dynamically loadable library that will intercept any TCP and UDP traffic from a specific process and tunnel it over HTTP, SOCKS4 or SOCKS5 proxy. For this discussion I will be focusing on SOCKS4 proxies setup with the SSH -D parameter. Proxychains is already installed in Backtrack4 and configured to tunnel over a SOCKS4 listener on port 9050 on the local host. By default, proxychains uses the configuration file /etc/proxychains.conf. But Proxychains will look for a proxychains.conf file in the current working directory and use it if one exists. To illustrate how an attacker or penetration tester can use this powerful tool let us look at the following scenario. The attacker is attempting to gain access to the TARGET host at 10.10.1.2 on the following network. (Note the super 1337 Visio skills)
The attacker brute forced valid credentials to the public SSH service on 192.168.100.13. Then they cracked passwords obtained from that machine and used them to find valid credentials on a second DMZ host at 192.168.100.15. That host, has two network cards and the second network interface straddles the corporate firewall and connect to the internal network where our target 10.10.1.2 sits. Note that for this attack to work the second host is not required to straddle the firewall, it just needs to have firewall rules in place that allow it to access the internal target.
The attacker starts his attack by connecting to the external SSH listener at 192.168.100.13 as follows:
"-D 127.0.0.1:9050" causes a dynamic port forwarder to start on port 9050 of the attackers local host. Since the default proxychains.conf file already has an entry to proxy on port 9050 (tor's default) all the attacker has to do is launch a program and proceed it with "proxychains" and all its traffic will be shoveled to the host 192.168.100.13. If the attacker ran:
>proxychains wget localhost
They would get back the website listening on port 80 on host 192.168.100.13. But I want to bounce off that server and gain access to 192.168.100.15. So I could do this:
>proxychains ssh user@192.168.100.15
That would make an SSH connection into 192.168.100.15. On that host it would appear that the connection came from 192.168.100.13. In this case after I make the connection to 192.168.100.15 I really want to pivot a second time to get to the internal host. So I run the following:
What is really awesome here is that this establishes a NEW dynamic port forwarder on the attackers localhost at port 8090. The attacker now has the multiple dynamic port forwarders listening on his host. The first port forwarder on 9050 takes him into 192.168.100.13 and the second on 8090 takes him to 192.168.100.15. The attacker can use proxychains again with a different configuration file to tunnel all the TCP and UDP packets from a program to execute on the second pivot point at 192.168.100.15. To do this I did the following:
>mkdir aconf
>cd aconf
>cat /etc/proxychains.conf | sed "s/127.0.0.1 9050/127.0.0.1 8090/g" > ./proxychains.conf
or you can use your favorite editor to change the port at the bottom of the configuration file. Then from the directory containing my new configuration file I ran this:
View image
Which started the NESSUS server daemon and allowed me to do a full vulnerability scan on the internal host. Nessusd worked great over proxychains! Nmap, Metasploit and others also worked well. To launch Metasploit using proxychains you'd simply run the following:
Here is a quick video showing how quickly you pivot through hosts and capture the target.
SSH Gymnastics from PaulDotCom on Vimeo.
PREVENTION:
I hear you, "Dude... That is scary. How do I prevent this from happening?"
Well, first be sure to minimize the ports you open between hosts and don't have host that straddle your firewall. Second, you can turn off port forwarding in your sshd configuration files. Edit /etc/ssh/sshd_config and set "AllowTCPForwarding to NO". While your in there make all these changes. Remember that if an attacker has a shell they can install their own forwarders or use netcat so this is just one step in trying to preventing the host from being a relay. It does make the attacker job much harder when you turn off the DEFAULT mode of being a relay.
Additional References:
http://pauldotcom.com/2009/08/scanning-through-a-tor-network.html
http://netwarsplayers.googlegroups.com/web/SSH+Tunneling+In+The+Context+Of+Netwars.pdf
http://www.securityfocus.com/infocus/1816
http://proxychains.sourceforge.net/
Shout out to Jim Shewmaker and ace1 over at SANS Netwars. Ace1's excellent paper inspired me to take another look at proxychains.
Note: proxychains support CHAINS of proxies (imagine that). There is probably a more elegant way to do this using just one configuration file and a strict chain. Do you know how? Leave me a comment!
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.
]]>On Wednesday, March 17th, please join DShield founder and SANS CSO Johannes Ullrich in a unique seminar at a tremendous discount to PaulDotCom listeners!
The IPv6 Survival Guide class will introduce you to the very basics of IPv6 and answer questions such as:
- What are those long addresses about and how are they assigned?
- What is the difference between different tunnel technologies like 6-to-4, teredo, isatap and more?
- Will IPv6 work with my systems?
- How do I filter IPv6 and how do I detect if I already use it?
Johannes will also go over some of the new features offered by IPv6 like mobile IP, jumbo packets and auto configuration.
Date: Wednesday, March 17, 2010
Time: 3:00 PM - 5:00 PM EDT
Cost: $20 with discount code ($195.00 retail)
Discount Code: IPV6PDC
URL: http://www.sans.org/vlive/details.php?nid=21504
Johannes will also be teaching Security 503: Intrusion Detection In-Depth, a 36-hr course, on vLive! beginning April 12.
NOTE: Use discount code 503PDC for a $250 discount on the above class!
- PaulDotCom Crew
]]>[Note: We've given up on fighting iTunes and are now releasing both parts for each episode at the same time. Make sure you check your podcast application (most listeners use iTunes) and make sure you are getting both parts of each episode!]
Part 1: "Freedom TM"
The PaulDotCom crew interviews Daniel Suarez to discuss his new book Freedom TM, security, privacy, socialogy, and more!
Part 2: DNS sub-domain brute forcing & Penetration
We discuss when penetration is important, how to talk to management, coolest WRT54G hack, and a technical segment on DNS sub-domain brute forcing.
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Audio Feeds:
Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/
PaulDotCom Icecast Radio (Audio Only)
Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!
- Paul, Larry, Carlos, Darren, John & Mick
]]>Lets face it, security guys love their password protected screensavers. I am no exception. Without it, many users would likely never lock their computers. This simple mechanism may slow down or in some cases completely prevented the attacker from accessing resources on a remote machine. A strong password on a screensaver was one of the hurdles that you had to overcome in the Christmas 2008 Ethical Hacker challenge, "Santa Claus is hacking to town". Santa really could have used this script.
The Relentless-coding blog recently posted a meterpreter script that bypasses the screensaver password protection. The script patches the lsass process running in memory where the codes check the validity of the password that was entered. After the patch is applied the attacker can enter ANY password to unlock the screensaver. The script works on Windows XP SP2, SP3, Windows Vista and Windows 7. Lets take a look at the script in action:
Meterpreter Screensaver unlock script from PaulDotCom on Vimeo.
The script isn't currently part of the metasploit distribution so you'll need to download it from the Relentless-coding site. Save it to your "scripts/meterpreter" directory in your Metasploit installation. In a Backtrack installation you'll find that directory under "/pentest/exploits/framework3/scripts/meterpreter".
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.
]]>Some of these attacks work across the internet, but most of these are limited to the LAN and rely on Layer2. The good news is that many of these attacks can be mitigated with new features deployed in the latest version of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping +Dynamic Arp Inspection , DHCP Snooping + IP Source Guard, ARP Rate Limiting, Mac Address port security, PVLAN Protected, Isolated, Community and Promiscuous ports and 802.1x can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on layer two security. Give it a gander! Nice work Brian.
Download Brian Almond's paper here
Other resources
http://isc.sans.org/diary.html?storyid=7567
http://www.ciscopress.com/articles/article.asp?p=1181682
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.
]]>
Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.
Shortly after Carey's presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace, but that may be overlooked by penetration testers. Both disciplines inform each other.
Let's say you're a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).
What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.
If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location, in fact, there are two well known ones.
Windows systems have a feature that creates shortcuts for common document types, including Office files when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus' Pen-Test mailing list, but I don't believe it's been ahem, weaponized until now.
These shortcuts or link files are created by Windows to facilitate the "Recent" document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings\<username>\Recent with Microsoft Office files having their own location in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later versions of Windows have moved the recent link files to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent. There may be other locations specific to other applications as well.
For the two common locations, I have created a Meterpreter script port of Harlan Carvey's lslnk.pl that is commonly used by forensics analysts to dump the contents of Windows' .lnk files.
dumplinks.rb can be used with the Meterpreter to dump the contents of Windows' .lnk files either to the Metasploit user's local file system, or to the console. By default, dumplinks.rb, runs in a less verbose mode than Carvey's lslnk.pl, in that it only reports the time stamps for the .lnk files themselves, then prints the time stamps contained within the .lnk files that are time stamps for the target file and finally, the target file's location is printed.
Enough drivel, here's a couple of screen shots:
Figure 2: dumplinks help screen
And one of the script in action, dumping to the console:
Figure 3: dumplinks sending everything to the console
Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.
Dave Hull describes his working life as on the Venns between incident response, forensics and web applicaiton security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 - 20
]]>After listening to Larry's excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own. If you missed the technical segment, you can find the notes here. To do my own testing I needed to start with a large list of computers. For my list, I want to have the names of every computer in the domain. So I turned to "dsquery computer " to get a list of all computers.
C:\WINDOWS> dsquery computer
"CN=CONTROLER1,OU=Domain Controllers,DC=subdomain,DC=domain,DC=com"
BLA BLA BLA... Truncated
"CN=WORKSTATION1,OU=ORGUNIT1,OU=OrgUnit2,OU=OrgUnit3,DC=Subdomain,DC=Domain,DC=com"
BLA BLA BLA... Truncated again
The length of the results changes because of the variable number of subdomains, but fortunetly for us the workstation name is always the first part of the string. It is always between the CN= and the first comma. We can strip out the workstation name with the "DELIMS" and "TOKENS" option of the FOR loop. Also, by default DSQUERY will only return the first 100 results. This can be changed using the "-LIMIT" option. Setting the LIMIT to 0 returns all result. For now lets check our output looking at only two entries.
C:\WINDOWS>for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do echo %i
C:\WINDOWS>echo "CN=WORKSTATION1
"CN=WORKSTATION1
C:\WINDOWS>echo "CN=WORKSTATION2
"CN=WORKSTATION2
We are almost there. I need to strip the first 4 characters of the line. For this I stole a page or two from Ed Skoudis' play book. We can strip the first four characters with the SET command using the expression variable = %variable:~4%. But, since we are in a FOR loop we have to turn on delayed variable expansion and use ! instead of %.
C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in
('dsquery computer -limit 2') do set name=%i & set name=!name:~4! & echo !name!"
Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.
C:\WINDOWS>set name="CN=WORKSTATION1 & set name=!name:~4! & echo !name!
WORKSTATION1
C:\WINDOWS>set name="CN=WORKSTATION2 & set name=!name:~4! & echo !name!
WORKSTATION2
Now we have all the computer names in the domain being printed one at a time. I can dump all the names of the machines in the domain to file to feed Larry's event dumper.
C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & echo !name! >> c:\temp\machines.txt"
Better yet, we could combine it with a WMIC command and other commands to do various useful tasks on our machines. For example, if I want to query every machine in my network for an instance of a process that starts with CMD I could run the following: (remember that % is a wild card in wmic)
C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief"
Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.
C:\WINDOWS>set name="CN=WORKSTATION1 & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief
HandleCount Name Priority ProcessId ThreadCount WorkingSetSize
33 cmd.exe 8 2308 1 1654784
C:\WINDOWS>set name="CN=WORKSTATION2 & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief
HandleCount Name Priority ProcessId ThreadCount WorkingSetSize
33 cmd.exe 8 2368 1 1626112
So there you go. Now using this basic syntax...
cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & Any command here based on !name!
... you can run any command you want on every machine in your domain.
Join me for SANS 504 June 21-26
]]>Part 1: Pwning VMware and the Smart Grid...
Part 2: Windows command line kung fu and discussion of the stories for the week!
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Audio Feeds:
Back in the day, msfpayloads -x parameter read the template.exe from the /data/ directory and did a simple string replacement. msfpayload would look for the string "PAYLOAD:" in the binary and inserts the "RAW" encoded payload at that point in the binary. Creating custome templates required that you create your own templates containing the PAYLOAD string at the execution entry point. If you did create your own template that you want to continue to use because NO ONE detects it, msfencode will still support the old style template. If you want to use old style templates you can use an "undocumented" encoder type called "exe-small".. Set your -t output type to "exe-small" instead of "exe" to use the old style templates.
But that is a lot of work. Now, msfencode reads the PE header, finds a .text section in the executable and either prepends or appends (at random) the payload to the code. Then it modifies the entry point in the executable so that the payload is called before the programs normal code is executed.
Pretty cools stuff. Nice video John!
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.
]]>For the penetration tester gaining remote access is a two step process. 1) Load malware on the remote host. 2) cause malware to execute. If you have one, but not the other, the system is "safe" from attack. In the financial world, for the GL-Hacker (General Ledger Hacker) they also have a two step process. 1) Affect the transfer of funds between the company and a third party (banks, vendors, employees, credit card companies) 2) Make the appropriate adjustment on the general ledger. If they can do one, but not the other, the company will notice the funds are missing during their "reconciliation process" where they compare the balance of the two systems. Accountants, auditors and CFO's tend to assume that system controls such as authentication, confidentiality and integrity (Yes, I know the A in CIA is availability) are in place and functioning properly. That is our job. They focus on the authorizations given to an account to determine if they allow both functions a GL-Hacker requires (transfer funds, adjust ledger).
With that in mind lets look at some of the major components (sub-ledgers) of a general ledger that are often targets of fraud and how the GL-Hackers tries to manipulate them.
Accounts Payable (IE Money we owe)
Accounts Payable generally have two major components. One for "Purchase Orders" where you are paying vendors for good and services and a "financial transactions" process. Not all vendors will accept checks or payments through traditional means and not all business transactions go through the Purchase Order process. Items such as mergers and acquisitions and other one time executive initiatives are often done via a wire transfer and are done through the "financial transactions" process. The PO process tends to be very well structured and monitored where as the transactions process, by it's nature as a one off process and more often susceptible to fraud. Within the Accounts payables system you often see the following vulnerabilities.
Payroll/HR
This is pretty self explanatory. We should all be pretty familiar with the fact that employers can send us money and other financial benefits such as 401k and medical disbursements. Payroll can have similar issues. The person who can create an employee and edit their direct deposit and or benefits information should not have the ability to start or end their active employment (IE pay them)
Accounts Receivables - (Money we are collecting)
We are collecting money here, so its all good right? Not really. There are a couple of things to watch for here. First, does all the money you collect make it to the bank or does it end up in an employees pocket. Second think to worry about is the "account adjustments" such as refunds or chargebacks. The money issue is again solved by separating the lock from the key. The person who collects the money isn't the same person who posts how much money you should have received to the ledger. For refunds and chargebacks, the person who authorizes a refund should not be the same person who determines where the refund goes. A chargeback occurs when a customer disputes a credit card charge on their bill. In those cases the business is required to prove the transaction is legitimate.
Like hacking computer systems, the number of ways a GL-hacker can commit fraud is only limited by their imagination and their understanding of the system they are attacking. Having good auditors who understand the system and can look at it in terms of how an attacker might game the system is essential to the success of a good risk management program. Accountants rely on logs, monitoring and separating the two essential elements of the attack to protect their systems. Wow.. that sounds familiar.
So there you go, maybe hacker and accountants aren't that different after all. We just have different "geek" speak. We talk in three letters acronyms "SSL, TCP, GRE and SSH" They talk in two "FI, AR, AP, GL". Information Security is pretty new compared to accounting. I think you'll find that by adopting some of their language or at least understanding some of it, you are able to effectively communicate risk and influence change during your next pen test.
]]>
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Audio Feeds:
