Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 149 - April 16, 2009
- Training event in Rhode Island! SANS@Home/Community - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM use the discount code "PaulDotCom" for a 10% savings - Click here to register now!
- April 30th - PaulDotCom Security Weekly Special Edition - Episode 150 - A historic milestone to beer drinkers everywhere! We start recording/streaming at noontime (EDT) and don't stop until midnight! Call lines will be open to share your darkest secrets with 30,000 of your closest friends! Everyone should tune in and participate in the big event!
Special Guest: Mandeep Khera
Mandeep Khera of Cenzic will join us for a discussion on Web Application Security and the increasing relevance of being PCI compliant. Mandeep has 24 years of experience in marketing, engineering, business development, sales, customer services, finance and general management. Mandeep is Chief Marketing Officer at Cenzic.
- How did you get your start in information security?
- Why has Web Application security emerged as such a hot topic? Hasn't it always been a problem?
- Let's say you have an organization with over 50 web applications running to support its business; how do you get a handle on the vulnerabilities and remediation?
- Automated tools don't find all of the bugs, how do you deal with the problem?
- How can we make people understand just how serious XSS and CSRF vulnerabilities are?
- Won't PCI save our web applications from all attacks?
- What is the major downfall in Web Application Firewalls? What are some good things?
- The web application scanning market is pretty saturated. What separates your product from everyone else's?
Tech Segment: An Introduction to Argus
Argus stands for Audit Record Generation and Utilization System. Argus is an open source program designed to perform IP network traffic auditing and provide Real Time Flow Monitoring. The Argus Project was started at Carnegie Mellon's Software Engineering Institute (SEI) in 1993, subsequently released into the public domain, and then taken over by QoSient LLC. According to the Argus website, it is developed on Linux and FreeBSD, and is tested on OpenBSD, NetBSD and Solaris. It has been ported to IRIX but should port fine to any Unix OS. However, as Argus uses libpcap as its packet capture interface, it can only be ported to systems that support libpcap.
- Argus Flows - An Argus Flow is simply a set of datagrams that share a common set of datagram attributes, for example:
  - Destination Address
  - Network Addresses
  - Addresses, Protocol, NSAPs, TTL, DSByte, Session Ids, Application data, etc.
Argus uses a fixed flow model taxonomy to categorize every packet on the wire and supports 13 simultaneous flow models, enabling Layers 2 thru 5 based flow tracking & reporting.
- Argus uses a client server model:
  - Data collection engine (Server):
    - Monitors the network using libpcap, and collects network data into audit trails.
    - This engine can output the data to a file or to a socket.
  - Argus client: Reads audit data from a file or from a socket.
The following is from the Argus FAQ -
- How do I run Argus?
Argus is run either as a persistent daemon, reading live packets from a network interface, or as a program, reading packets from a packet capture file. The default, i.e. when it is run without any configuration, is to run as a daemon. The only real question to answer is where you want argus to send its output. The basic options are to write to a file, or to offer remote access via a socket, or both. Most installations will configure argus to write its output to a file. To do this, run argus as:
# argus -w outputfile
This will cause Argus to run as a daemon, reading packets from the first available network interface, and writing its output to an outputfile. If you intend to remotely attach to this argus, you'll need to tell argus what port to put a listen down on. The default port for clients is port 561. We recommend using this port number.
# argus -P 561 -w outputfile
In order to configure argus to read packets from a packet capture file, use the "-r" option.
% argus -r ./packetfile
Argus has a large number of options, which can be set through an .argusrc file, the use of command line options, or through a separate configuration file that is specified at run time. These options are designed to specify things like what type of information Argus should capture, how often it should generate output records, whether it should put the network interface in promiscuous mode when run, whether it should create a pid file, etc. The complete list is described in the argus.8 man page.
- How do you run argus on your systems?
# argus -e `hostname` -P 561 -U128 -mRS 30 -w $ARGUSHOME/argus.out
So that's all there is right? We haven't even scratched the surface yet!
One of the things I love about argus is the set of client applications that are distributed with it. These tools, IMO, are where argus really shines: ra, rasort, and ragator give you some interesting abilities as you slice and dice your argus capture files.
ra allows you to read the entirety of the argus capture file -- and there's tons you can do with it, but to get started quickly, you might want to check out the ra "daughter" apps. They are all based on ra, but help automate everything.
For instance, rasort is a great one to start with, since it lets you quickly learn things you might not have ever known.
- Who are the top talkers in terms of chatter?
# rasort -s packets -r $ARGUSHOME/argus.out
- Who are the top talkers in terms of data volume? (handy for finding P2P folks in your network)
# rasort -s bytes -r $ARGUSHOME/argus.out
- Which hosts have had the longest session (used this to find someone using TCP keepalives when we politely told them not to!)
# rasort -s duration -r $ARGUSHOME/argus.out
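To make the flow model and the three rasort queries above concrete, here is an added example (not Argus code, and not from the show notes) that does in a few dozen lines of Python what Argus and rasort do at scale in C: it folds a constructed list of packet records into bidirectional flows keyed on protocol and address/port pairs, tracks packets, bytes and duration per flow, and then sorts by each key the way `rasort -s packets`, `-s bytes` and `-s duration` do. The packet records, addresses and ports are all constructed samples; the three flows are shaped so that a different one wins each query (a chatty mDNS flow by packets, a bulk transfer by bytes, and a long-lived SSH session kept open by keepalives by duration).

```python
"""Toy flow aggregator illustrating the Argus flow idea and rasort's sort keys.

Added example: not Argus or rasort code. Argus captures via libpcap; here the
"capture" is a constructed list of (timestamp, proto, src, sport, dst, dport, length).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The datagram attributes a flow is keyed on (one of Argus's many flow models)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return self.last - self.first


# Constructed sample packets (RFC 5737 / private addresses, not real traffic).
PACKETS = []
# Flow A: an SSH session kept alive with a 60 s keepalive in alternating directions.
for i in range(12):
    ts = 1000.0 + 60 * i
    if i % 2 == 0:
        PACKETS.append((ts, "tcp", "10.0.0.5", 51000, "10.0.0.9", 22, 60))
    else:
        PACKETS.append((ts, "tcp", "10.0.0.9", 22, "10.0.0.5", 51000, 60))
# Flow B: a short bulk transfer of full-size segments to an external peer.
for i in range(8):
    PACKETS.append((1100.0 + i, "tcp", "10.0.0.7", 6881, "203.0.113.10", 6881, 1500))
# Flow C: chatty mDNS, one small packet per second.
for i in range(20):
    PACKETS.append((1050.0 + i, "udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 100))


def aggregate(packets, bidirectional=True):
    """Fold packets into flows; with bidirectional=True the reply direction joins the
    existing flow, as Argus records do, instead of opening a second one."""
    flows = {}
    for ts, proto, src, sport, dst, dport, length in packets:
        key = FlowKey(proto, src, sport, dst, dport)
        if bidirectional:
            reverse = FlowKey(proto, dst, dport, src, sport)
            if reverse in flows:
                key = reverse
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first=ts, last=ts)
        flow.packets += 1
        flow.bytes += length
        flow.first = min(flow.first, ts)
        flow.last = max(flow.last, ts)
    return flows


def rasort(flows, key):
    """Return (FlowKey, Flow) pairs sorted descending by 'packets', 'bytes' or 'duration',
    mirroring rasort -s <key>."""
    if key not in ("packets", "bytes", "duration"):
        raise ValueError(f"unsupported sort key: {key}")
    return sorted(flows.items(), key=lambda kv: getattr(kv[1], key), reverse=True)


def top_talker(flows, key):
    """The single flow that tops the given rasort ordering."""
    return rasort(flows, key)[0]


if __name__ == "__main__":
    flows = aggregate(PACKETS)
    for key in ("packets", "bytes", "duration"):
        fk, f = top_talker(flows, key)
        print(f"top by {key:8s}: {fk.proto} {fk.src}:{fk.sport} -> {fk.dst}:{fk.dport} "
              f"packets={f.packets} bytes={f.bytes} duration={f.duration:.0f}s")
```

The bidirectional merge is the detail worth noticing: without it the SSH session would split into two half-flows and its keepalive pattern (many tiny packets over a very long duration, exactly what the "longest session" query on the page was used to spot) would be harder to see.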
I hope this has whetted your appetite for argus. If you want to know more about this handy tool, just let us know! We'll be happy to go into more details. Future tech segments, Hack Naked TV, you name it!
As an added bonus: Larry "boy do I love me some WiFi" Pesce was kind enough to send me a link to folks who are using a wrt54gl as the source!
All I can say is WOW!! If only there were a wifi ap which had more storage available to it... (cue foreshadowing music)
Tech Segment Short: UPnP Detection & Exploitability
UPnP is bad: if left open, it can allow hosts behind your firewall to manipulate rules. In fact, the Conficker worm uses this to change your firewall and help it spread. You can use several tools to find open UPnP services, such as Nmap. Below, I ran Nmap against a WRT54G Version 8 router with the default factory firmware:
# nmap -sVU -sC -p1900 192.168.1.65
Starting Nmap 4.76 ( http://nmap.org ) at 2009-04-16 16:37 EDT
Interesting ports on 192.168.1.65:
PORT     STATE SERVICE VERSION
1900/udp open  upnp?
| upnp-info: VxWorks/5.4.2 UPnP/1.0 iGateway/1.1
|_ Location: http://192.168.1.65:2869/IGatewayDeviceDescDoc
MAC Address: 00:1A:70:75:B5:FB (Cisco-Linksys)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.41 seconds
The SSDP port (1900) provides information about which services the UPnP host is offering (it also leaks the operating system and version, BONUS!). One of the ways it does this is to provide a link to the HTTP interface and associated XML configuration. You can see the link above; if we visit that link we are presented with an XML file, which contains things like:
Which is the management interface URL and port. Nice! From here we can go ahead and change firewall rules, add new ones, etc. There is a Nessus plugin (35711, UPnP discovery, http://www.nessus.org/plugins/index.php?view=single&id=35711) that will attempt to create firewall rules, and if successful throw an alert (it removes them after :). What I found interesting is that there is no built-in authentication to UPnP! GNUCITIZEN has some good stuff on this as well:
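The two-step discovery the segment describes (SSDP reply on 1900/udp carries a LOCATION header; the device description XML at that location lists the services and their control URLs) is easy to turn into an inventory check for your own network. The following is an added example, not from the show notes and not Nmap's or Nessus's code: it parses a constructed SSDP reply and a constructed device description in the shape the UPnP 1.0 specification defines, and flags any device that advertises a WANIPConnection or WANPPPConnection service, the IGD services that carry the port-mapping (firewall rule) actions, so you can see which gateways on the LAN are accepting unauthenticated rule changes. The SERVER string, addresses, UUID and URLs are all placeholders.

```python
"""Audit an SSDP reply plus UPnP device description for exposed IGD port-mapping services.

Added example, not from the page or from Nmap/Nessus. Both inputs below are constructed
samples in the UPnP 1.0 format; nothing here is a real device's data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed SSDP M-SEARCH reply (what a host sends back on 1900/udp).
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    "LOCATION: http://192.0.2.1:2869/DeviceDesc.xml\r\n"
    "\r\n"
)

# Constructed device description, the XML the LOCATION URL would return.
DESC_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <URLBase>http://192.0.2.1:2869/</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Router</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/upnp/control/WANIPConn1</controlURL>
          <SCPDURL>/WANIPConn1.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>
"""

DEV_NS = "urn:schemas-upnp-org:device-1-0"
NS = {"d": DEV_NS}
# IGD services whose actions add/remove port mappings (i.e. rewrite firewall rules).
PORT_MAPPING_SERVICES = ("WANIPConnection", "WANPPPConnection")


def parse_ssdp(reply: str) -> dict:
    """Return the SSDP headers as an upper-cased dict, skipping the status line."""
    headers = {}
    for line in reply.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def find_services(desc_xml: str, location: str) -> list:
    """List (serviceType, absolute controlURL) for every service in the description.
    URLBase is used when present, otherwise the LOCATION URL, as the spec says."""
    root = ET.fromstring(desc_xml)
    base = root.findtext("d:URLBase", default=location, namespaces=NS)
    found = []
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        stype = svc.findtext("d:serviceType", default="", namespaces=NS)
        ctrl = svc.findtext("d:controlURL", default="", namespaces=NS)
        found.append((stype, urljoin(base, ctrl)))
    return found


def audit(reply: str, desc_xml: str) -> dict:
    """Summarise what the device leaks and whether it exposes port-mapping control."""
    headers = parse_ssdp(reply)
    location = headers.get("LOCATION", "")
    services = find_services(desc_xml, location)
    exposed = [s for s in services if any(p in s[0] for p in PORT_MAPPING_SERVICES)]
    return {
        "server": headers.get("SERVER"),      # OS/stack banner, the "BONUS" leak
        "location": location,
        "services": services,
        "port_mapping_services": exposed,
        "risk": "HIGH" if exposed else "low",
    }


if __name__ == "__main__":
    result = audit(SSDP_REPLY, DESC_XML)
    print(f"SERVER banner : {result['server']}")
    print(f"Description   : {result['location']}")
    for stype, url in result["port_mapping_services"]:
        print(f"  exposed port-mapping service {stype} at {url}")
    print(f"Risk: {result['risk']}")
```

In practice you would feed this the reply captured from your own multicast M-SEARCH and the XML fetched from the LOCATION URL; a HIGH result on a gateway means any host on that LAN (Conficker included) can rewrite its NAT and firewall rules without credentials, and UPnP should be disabled on the device or restricted to the interfaces that genuinely need it.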
Stories For Discussion
- Hacking PINs - [Larry] - There will always be one weak link. In this case, it looks like decrypting PINs is possible, aside from capturing them in the clear from memory. All it takes is one misconfigured (and easy to misconfigure) device, that can be tricked into giving up the encryption keys. What's it take to fix? A redesign from the ground up, and tons of $$$ - [PaulDotCom] - Don't ya just love the 4-digit pin that protects your bank account? So do attackers. Trying to get the details on this one, I find interesting stuff that we've talked about on the show before: Some of the attacks involve grabbing unencrypted PINs, while they sit in memory on bank systems during the authorization process. And the HSM is interesting: The module is a tamper-resistant device that provides a secure environment for certain functions, such as encryption and decryption, to occur. Ahh, now we get to the root of the problem: "Essentially, the thief tricks the HSM into providing the encryption key," says Sartin. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."
- New rootkit, old kernel - [Larry] - a new method for stealthier kernel rootkit insertion - by directly modifying memory contents in /dev/mem. Of course this only works on kernel 2.4...
- Mafiaboy spills the beans - [Larry] - Well, not really. The article tells us a lot that we already know, but mostly that the weak element is usually the human, that either gets exploited, makes mistakes, makes poor decisions, or is lazy. The part that I got out of the article: "We are advancing too quickly for our own good.... We are constantly creating new technology without fixing predecessor technology and making sure that is secure before moving on.... We need to secure things before we move down the line. We're just jumping ahead and we're not stopping. We're not even looking back" Discuss. :-)
- Twitter Worms - [Larry] - See, we knew it would happen. It is interesting to note that it was from profile/Bio testing. Hmm, Paul, what happens at Shmoocon stays at Shmoocon?
- Fonera 2 vs the Competition - [Mick] - What a feature set! I think it even shines your shoes for you. Launch in Europe is April 21st! Happy hacking Europeans!! US release will be sometime in May.
- The folly (or greatness) of national jurisdictions - [Mick] - Nothing new here, but can we keep at this forever? Yet another story of attackers hiding behind cloaked security. Until something is done about this, can we be nothing but defenders?
- Multiple Anti-Virus Software Bugs Revealed - [PaulDotCom] - Here is a situation where a DoS or crash bug is a big deal. If I am a malware writer, or even a pen tester, I can just build this into all my payloads (provided it does not cause the system to become unstable). More AV FAIL :( People tend to dismiss DoS bugs, I like to find ways in which to use them.
- Intelligent Vulnerability Management - [PaulDotCom] - Yea, we talk about sexy exploits, sexy hacking, super-cool wireless network sniffing, MITM attacks that go undetected, etc.. However, probably the most important thing to being "Secure" is process and vulnerability management. I think if I had to pick one or two things that are most critical to protecting your organization, this is it. You need to find and remediate the vulnerabilities in your environment. The only way to get good at defending is to do it! (Think about how long a boxer or a bouncer would last if they never stepped into the ring and fought). Of course doing it relies on buy-in from the entire organization, which can be the hardest part.
- Command Prompts Could Land You In Court - [PaulDotCom] - I'm glad the EFF is defending on this one, sounds like the student is being treated unfairly, but who knows. The investigation does not sound technically sound: "..uses two different operating systems to hide his illegal activities.....a black screen with white font which he uses prompt commands on". Command line kung fu is evil!
- Symantec Web Site Has XSS - [PaulDotCom] - What happened to filtering? I mean this is a VERY BASIC XSS! I mean come on, "><script>? Really? Shouldn't someone have caught that a long time ago? You should be checking your web apps on a regular basis, just like your network, systems, and even people, for security vulnerabilities, especially the obvious ones.
- Fresh OS X 0Days - Not Patched By Apple - [PaulDotCom] - There is also news that there is a botnet which is targeting OS X. Apple better get their act together, and quick, because their response to security problems in the past, and present, TOTALLY SUCKS. It's really embarrassing for Apple to drop the ball on just so many vulnerabilities.
Other Stories for Discussion
- Conspiracy Theories-R-Us - [MikeP] - Bruce Schneier wants your most preposterous Conspiracy Theories.