Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 273 for Thursday January 12th, 2012.
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez.
- John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year (discount code may be in our future):
- Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Wether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being relesaed and talk "Stogie Tech".
- Information Security Career Study A new survey on attitudes about careers in information security. More info
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
Guest Technical Segment: Chris "loganWHD" Hadnagy on Framing
Chris Hadnagy, aka loganWHD focuses on the "human" aspect of technology such as social engineering and physical security. Chris is also the lead developer of Social-Engineer.Org as well as author of the best-selling book Social Engineering: The Art of Human Hacking and has co-authored a ground breaking course on Social Engineering to be given in the UK, Seattle, and Vegas. He's on tonight to give us a taste of one of the topics on the course: Framing in Social Engineering.
Chris was last on PaulDotCom in Episode 216, October 2010
- What is framing?
- Give us some examples of how you use Framing in an SE engagement.
- How can you 'teach' framing in a course?
- How do you adjust your framing once you dentify the target’s dominant communication style?
- For your Social Engineering podcast on Framing, you interviewed Sam Yagan of www.okcupid.com. Do you think statistical analysis is accurate and can be used in Social Engineering? Have you used any of their research in your SE engagements?
- What have you learned about Framing and Social Engineering from your course partner, Robin Dreeke?
- What was your favorite section of the course?
- We've heard there are homework assignments, specifically, getting the brasize of a stranger at the mall in a non-sexual way. Will you do a writeup of the student failures? :)
- Is it true students who fail assignments have a make-up assignment that consists of dumpster diving? :)
- How do you 'certify' one is a Social Engineer?
- Does the FBI conduct any SE training for its agents?
Tech Segment: Using pfSense and an Alix.6F2 For A Wireless Access Point
TIP: For the segment on how we built my pfsense firewall, see this document.
I wanted a new access point. I have stacks of WRT54G series routers, and they are good, but often aren't up to the task. They are low in memory and processing power, and share one single 10/100 Ethernet bus. This limits their usage for things like streaming HD. Can you do it? Sure. My other problem was the WRT54G I had was constantly needing to be power cycled. All my old ones either went to friends and family members, bricked, or are in pieces somewhere. I bought a shiny new Dlink Dir-655, but after about a year it crapped out on me, actually the wireless radio itself died, which turns out to be a common problem. So, I wanted to build something myself out of really good hardware, and use real software like pfsense, and have an access point that would just kick ass.
All hardware for this project came from www.netgate.com:
- ALIX.6F2 Kit Black Unassembled - $188 - This kit comes with the board, power supply, CF card, and enclosure.
- Atheros WLM54G-HP mini PCI Card, U.FL to RP-SMA pigtails (two), 5.5 dbi rubber duck antennas (two) - $88 - This is the wireless card, with all the fixings!
- 2.4 GHz 9 dBi Rubber Duck Omni Antenna RP-SMA - Bigger is better, right? I want to cover my entire house with one 802.11g access point.
Total cost: $305.77
Get pfSense and Install on CF Card
For the embedded version, make sure you get the NanoBSD images.
Important, verify that you are installing the operating system on the correct disk image:
# df -h Filesystem Size Used Avail Capacity Mounted on /dev/disk0s2 465Gi 425Gi 40Gi 92% / devfs 185Ki 185Ki 0Bi 100% /dev map -hosts 0Bi 0Bi 0Bi 100% /net map auto_home 0Bi 0Bi 0Bi 100% /home /dev/disk1s1 7.5Gi 805Mi 6.7Gi 11% /Volumes/AVST
On OS X, for example, the OS disk is "disk0", try not to overwrite that one (even though you'd likely get an error that its already in use, however I did not test that!). Then use the following command to dump the image on the CF card:
# gzcat pfSense-2.0.1-RELEASE-2g-i386-nanobsd.img.gz | dd of=/dev/disk3 bs=16k
Now go get a cup of coffee, it takes a while. Notice I used the image labeled "2g", for 2 gig, which is the size of my card.
Configure an IP address in the Serial Interface
I used OS X for this, and used the following tools:
- zTerm - Excellent serial interface software, works well.
- Plugable USB to RS-232 DB9 Serial Adapter (Prolific PL2303HX Chipset) - USB serial adapter was $11 on Amazon, handy to have. I had to connect another serial cable to it from some of my old Cisco gear (those connectors should say "Terminal" on them).
- Prolific drivers for OS X Lion - I had to get updated drivers to work with the serial adapter that have been updated to work with OS X Lion.
Once you have all that, Follow Mike's instructions located here on setting up the LAN IP address.
Setup the Wifi Interface using the Web UI
Technical Segment: DNSRecon
The current version of DNS Recon is a full re-write of the old tool in python using the Dnspython library. The tool can be found in DNSRecon GitHub and instruction for installing the Python dependencies can be wound in the GitHub Wiki
dnsrecon carlos$ ./dnsrecon.py Version: 0.6.0 Usage: dnsrecon.py <options> Options: -h, --help Show this help message and exit -d, --domain <domain> Domain to Target for enumeration. -c, --cidr <range> CIDR for reverse look-up brute force (range/bitmask). -r, --range <range> IP Range for reverse look-up brute force (first-last). -n, --name_server <name> Domain server to use, if none is given the SOA of the target will be used -D, --dictionary <file> Dictionary file of sub-domain and hostnames to use for brute force. -t, --type <types> Specify the type of enumeration to perform: std To Enumerate general record types, enumerates. SOA, NS, A, AAAA, MX and SRV if AXRF on the NS Servers fail. rvl To Reverse Look Up a given CIDR IP range. brt To Brute force Domains and Hosts using a given dictionary. srv To Enumerate common SRV Records for a given domain. axfr Test all NS Servers in a domain for misconfigured zone transfers. goo Perform Google search for sub-domains and hosts. snoop To Perform a Cache Snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option. tld Will remove the TLD of given domain and test against all TLD's registered in IANA zonewalk Will perform a DNSSEC Zone Walk using NSEC Records. -a Perform AXFR with the standard enumeration. -s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the targeted domain with the standard enumeration. -g Perform Google enumeration with the standard enumeration. -w Do deep whois record analysis and reverse look-up of IP ranges found thru whois when doing standard query. -z Perforns a DNSSEC Zone Walk with the standard enumeration. --threads <number> Number of threads to use in Range Reverse Look-up, Forward Look-up Brute force and SRV Record Enumeration --lifetime <number> Time to wait for a server to response to a query. --db <file> SQLite3 file to save found records. --xml <file> XML File to save found records. --csv <file> Comma separated value file.
Doing a standard query for records:
loki:dnsrecon carlos$ ./dnsrecon.py -t std -d pauldotcom.com [*] Performing General Enumeration of Domain: pauldotcom.com [-] DNSSEC is not configured for pauldotcom.com [*] SOA ns1.pauldotcom.com 188.8.131.52 [*] NS ns1.pauldotcom.com. 184.108.40.206 [*] NS ns1.pauldotcom.com. 2001:470:1f0e:98c::2 [*] NS ns2.pauldotcom.com. 220.127.116.11 [*] MX ASPMX5.GOOGLEMAIL.com 18.104.22.168 [*] MX ASPMX.L.GOOGLE.com 22.214.171.124 [*] MX ALT2.ASPMX.L.GOOGLE.com 126.96.36.199 [*] MX ASPMX2.GOOGLEMAIL.com 188.8.131.52 [*] MX ASPMX3.GOOGLEMAIL.com 184.108.40.206 [*] MX ASPMX4.GOOGLEMAIL.com 220.127.116.11 [*] A pauldotcom.com 18.104.22.168 [*] AAAA pauldotcom.com 2001:470:1f0e:98c::2 [*] Enumerating SRV Records [*] SRV _jabber._tcp.pauldotcom.com xmpp-server4.l.google.com. 22.214.171.124 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server.l.google.com. 126.96.36.199 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server1.l.google.com. 188.8.131.52 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server2.l.google.com. 184.108.40.206 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server3.l.google.com. 220.127.116.11 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server4.l.google.com. 18.104.22.168 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server.l.google.com. 22.214.171.124 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server1.l.google.com. 126.96.36.199 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server2.l.google.com. 188.8.131.52 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server3.l.google.com. 184.108.40.206 5269 0 [*] 10 Records Found
Expansion of SPF Records:
loki:dnsrecon carlos$ ./dnsrecon.py -t std -d google.com -s [*] Performing General Enumeration of Domain: google.com [-] DNSSEC is not configured for google.com [*] SOA ns1.google.com 220.127.116.11 [*] NS ns1.google.com. 18.104.22.168 [*] NS ns2.google.com. 22.214.171.124 [*] NS ns3.google.com. 126.96.36.199 [*] NS ns4.google.com. 188.8.131.52 [*] MX alt4.aspmx.l.google.com 184.108.40.206 [*] MX aspmx.l.google.com 220.127.116.11 [*] MX alt1.aspmx.l.google.com 18.104.22.168 [*] MX alt2.aspmx.l.google.com 22.214.171.124 [*] MX alt3.aspmx.l.google.com 126.96.36.199 [*] A google.com 188.8.131.52 [*] A google.com 184.108.40.206 [*] A google.com 220.127.116.11 [*] A google.com 18.104.22.168 [*] A google.com 22.214.171.124 [*] A google.com 126.96.36.199 [*] TXT v=spf1 include:_netblocks.google.com ip4:188.8.131.52/31 ip4:184.108.40.206/31 ~all [*] Performing Reverse Look-up of SPF ipv4 Ranges [*] Performing Reverse Lookup from 220.127.116.11 to 18.104.22.168 [*] PTR thdtironport01.doubleclick.net. 22.214.171.124 [*] PTR thdtironport02.doubleclick.net. 126.96.36.199 [*] PTR thdtironport03.doubleclick.net. 188.8.131.52 [*] 3 Records Found [*] Enumerating SRV Records [*] SRV _xmpp-server._tcp.google.com xmpp-server.l.google.com. 184.108.40.206 5269 0 [*] SRV _xmpp-server._tcp.google.com alt1.xmpp-server.l.google.com. 220.127.116.11 5269 0 ... [*] SRV _jabber-client._tcp.google.com alt3.xmpp.l.google.com. 2a00:1450:8005::7d 5222 0 [*] SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com. 18.104.22.168 5222 0 [*] SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com. 2001:4860:8006::7d 5222 0 [*] 30 Records Found
loki:dnsrecon carlos$ ./dnsrecon.py -t std -d google.com -w [*] Performing General Enumeration of Domain: google.com [-] DNSSEC is not configured for google.com [*] SOA ns1.google.com 22.214.171.124 [*] NS ns1.google.com. 126.96.36.199 [*] NS ns2.google.com. 188.8.131.52 ... [*] 30 Records Found [*] Performing Whois lookup against records found. [*] The following IP Ranges where found: [*] 0) 184.108.40.206 - 220.127.116.11 Google Inc. [*] 1) 18.104.22.168 - 22.214.171.124 Google Inc. [*] 2) 126.96.36.199 - 188.8.131.52 Google Inc. [*] What Range do you wish to do a Revers Lookup for? (number, comma separated list, a for all or n for none)
Identification of DNSEC Types:
loki:dnsrecon carlos$ ./dnsrecon.py -t std -d nist.gov [*] Performing General Enumeration of Domain: nist.gov [*] DNSSEC is configured for nist.gov [*] DNSKEYs: [*] NSEC3 KSk RSASHA1NSEC3SHA1 03010001cc87ad5394d53857e8eef0d7 b95f6c9d5191741299ae9071aa1d69d2 705284e42bb622c902a83f15414870f9 d2bb532f0708b1ea0662951f28761c88 3b7297bdd41731778fe75cf43d8fda2e 00b9efd5cb0572c649bb916fc261a201 2bb9960bd7604c39ad6068b105815dba 2637deaf63e76eb91a024f61f00553f8 29eddd1f162db7b57eee65520ab1a8ae 57566138733d6a68e33d563b94406e34 efad4698b3545077893d8bc206bfd870 363376ac2664af472a6145e2412685c5 59adbf95fb494f1da8bf2bd8850aeda9 aee73b4e0c54f3f5cbb31b13fef7dd5b 5b9b21dddcfe9f0bef048680942cf97a d4e767109a0d36316f969db04dff5588 e9e19485 [*] NSEC3 ZSK RSASHA1NSEC3SHA1 03010001b5bb1c89e7baa71fabca28c8 966b2c158b8e802176e76fbc8dab04c7 fea29942e7fd1678c73cab38dad3730e 0064ab9d1ef062816bb01b8027b2a346 7360fd23c943fdd7499144250601ae61 86d29838b6bfa18db4c2d1163f41d2b1 fee36223a1874bff0963830e35566fb0 3f41ca5adabc6060e81e756eeb5cf852 5834a77d [*] SOA ggm.nist.gov 184.108.40.206 [*] NS dns-w.boulder.nist.gov. 220.127.116.11 [*] NS gdnsea.nist.gov. 18.104.22.168 [*] NS gdnsef.nist.gov. 22.214.171.124 [*] MX ridley.nist.gov 126.96.36.199 [*] MX spamav1mx.nist.gov 188.8.131.52 [*] MX spamav2mx.nist.gov 184.108.40.206 [*] MX boulderspamav1.boulder.nist.gov 220.127.116.11 [*] A nist.gov 18.104.22.168 [*] Enumerating SRV Records [-] No SRV Records Found for nist.gov [*] 0 Records Found
loki:dnsrecon carlos$ ./dnsrecon.py -t std -d pauldotcom.com --xml pauldotcom.xml [*] Performing General Enumeration of Domain: pauldotcom.com [-] DNSSEC is not configured for pauldotcom.com [*] SOA ns1.pauldotcom.com 22.214.171.124 [*] NS ns1.pauldotcom.com. 126.96.36.199 [*] NS ns1.pauldotcom.com. 2001:470:1f0e:98c::2 [*] NS ns2.pauldotcom.com. 188.8.131.52 [*] MX ASPMX4.GOOGLEMAIL.com 184.108.40.206 [*] MX ASPMX5.GOOGLEMAIL.com 220.127.116.11 [*] MX ASPMX.L.GOOGLE.com 18.104.22.168 [*] MX ALT2.ASPMX.L.GOOGLE.com 22.214.171.124 [*] MX ASPMX2.GOOGLEMAIL.com 126.96.36.199 [*] MX ASPMX3.GOOGLEMAIL.com 188.8.131.52 [*] A pauldotcom.com 184.108.40.206 [*] AAAA pauldotcom.com 2001:470:1f0e:98c::2 [*] Enumerating SRV Records [*] SRV _jabber._tcp.pauldotcom.com xmpp-server3.l.google.com. 220.127.116.11 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server4.l.google.com. 18.104.22.168 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server.l.google.com. 22.214.171.124 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server1.l.google.com. 126.96.36.199 5269 0 [*] SRV _jabber._tcp.pauldotcom.com xmpp-server2.l.google.com. 188.8.131.52 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server3.l.google.com. 184.108.40.206 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server4.l.google.com. 220.127.116.11 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server.l.google.com. 18.104.22.168 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server1.l.google.com. 22.214.171.124 5269 0 [*] SRV _xmpp-server._tcp.pauldotcom.com xmpp-server2.l.google.com. 126.96.36.199 5269 0 [*] 10 Records Found [*] Saving records to XML file: pauldotcom.xml loki:dnsrecon carlos$ msfconsole ... msf > load dnsr_import [*] dnsr_import plugin loaded. [*] Successfully loaded plugin: dnsr_import msf > import_dnsrecon_xml -h OPTIONS: -f <opt> XML file to import. -h Command Help msf > import_dnsrecon_xml -f /Users/carlos/Development/dnsrecon/pauldotcom.xml [+] Importing host 188.8.131.52 [+] Importing service dns for host 184.108.40.206 [+] Importing host 220.127.116.11 [+] Importing service dns for host 18.104.22.168 [+] Importing host 2001:470:1f0e:98c::2 [+] Importing service dns for host 2001:470:1f0e:98c::2 [+] Importing host 22.214.171.124 [+] Importing service dns for host 126.96.36.199 [+] Importing host 188.8.131.52 [+] Importing service smtp for host 184.108.40.206 [+] Importing host 220.127.116.11 [+] Importing service smtp for host 18.104.22.168 ... [+] Importing host 22.214.171.124 [+] Importing service xmpp-server for host 126.96.36.199 [+] Importing host 188.8.131.52 [+] Importing service xmpp-server for host 184.108.40.206 [+] Importing host 220.127.116.11 [+] Importing service xmpp-server for host 18.104.22.168 msf > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 2001:470:1f0e:98c::2 msf > services Services ======== host port proto name state info ---- ---- ----- ---- ----- ---- 126.96.36.199 25 tcp smtp open 188.8.131.52 25 tcp smtp open 184.108.40.206 5269 tcp xmpp-server open 220.127.116.11 5269 tcp xmpp-server open 18.104.22.168 25 tcp smtp open 22.214.171.124 25 tcp smtp open 126.96.36.199 5269 tcp xmpp-server open 188.8.131.52 25 tcp smtp open 184.108.40.206 5269 tcp xmpp-server open 220.127.116.11 53 udp dns open 18.104.22.168 53 udp dns open 22.214.171.124 25 tcp smtp open 126.96.36.199 5269 tcp xmpp-server open 2001:470:1f0e:98c::2 53 udp dns open
- Flying the Fraudster Skies - So for all of you "cyber criminals" out there, or maybe even just regular criminals (are they like non-cyber crimanls or analog criminals?). Anyway, you can get a plane ticket by proxy and travel as someone else, if you're into that sorta thing.
- How Come My Blog/Podcast Wasnt Nominated? - I had this whole thing about this for the show, but Alan summed it up. If you have a security related blog or podcast, you can vote, so get out and vote! If your favorite blog or podcast is not listed, you can write in on certain nominations, or just email Alan directly.
- Best Book Bejtlich Read in 2011 - I always make it a point to go out and get this book and read it, as every year its usually really good.
- An example of likejacking (Facebook clickjacking) - If you enclose your clickjacking in a circle, is it "circleclickjacking"? I hate the Facebook like feature, its for lazy people who don't want to think of something to type. In any case, attackers are using it, to, well, jack your likes.
- Google Renews Push Into China - Remember how this started APT? Okay, after you drink, think about all those people that are like "oh well Google should pull out of China". Yea right, this is business, and Google is back in business in China, because business decisions based on the fact that China is one of the strongest world economies usually win, even if you did get pwned.
- [Honeypot Alert Extensive ‘setup.php Scanning Detected] - Some people are scanning for setup.php. Its a good scanning strategy as most CMS will have a setup page. And likely you will be able to log into it with a stupid username and password or SQLi vulnerability. This means you can change content on the web site, which means you can plant malware, and, so on.
- Show me your SSID’s - Neat little script that looks for SSIDs and counts the packets, script included!
- How a Baptist pastor in Florida became the go-to IT guy - Gotta be one of the hardest jobs on the planet, IT security for a small shop. You'll need more than awing and praryer, how about some MS small business software and a cloud? What's wrong with this picture? I believe that folks in this situation have some short-term wins, but in the long run the attackers are victorious.
- Robot Makers Not Thrilled To Be Stuck Next To Justin Bieber ≈ Packet Storm - The worst part is, he's stuck next to Justin Beiber. The best part is, he tried to navigate his robot over the the Beib, and it was removed by security, I hope he got it back :)
- Apple To RIM Indian Backdoor? - I'm really confused about this story.
- You know what really grinds my gears? - [Larry] - Not truly security related, but I think that the response from Stratfor was , well, strained. They claim that Anonymous is creating censorship, some of that based on the fact that there is no accountability on the internet. Hrm, no accountability. I seem to recall hearing several raids and arrests. I'd also argue that the lack of accountability goes both ways. I mean who was holding Stratfor accountable for having poor security and cleartext CC numbers? Discuss.
- Social Engineering on the rise - [Larry] - yeah, no kidding. Why, oft times we find that the internal network is still of the very chewy variety. Best way to get there? Have some code you want there? The human is the last frontier, weakest link and I'd argue, the hardest to secure.
- Hacking SCADA going mainstream? - [Larry] - In a politically motivated event, Anonymous publishes IP addresses and login details for Israeli SCADA systems after being branded as terrorists. My argument is that is Anonymous can do it, it has hit the big time.
- Shark? We jumped that shit. - [Larry] - Oh, that module that you use to prevent XSS, due to a flaw ALLOWS XSS. Ugh.
- Koobface OSINT - [Larry] - Dancho Danchev puts together the pieces to identify the alleged Koobface author. How? The author got sloppy and registered a domain with a phone number used elsewhere in ads for kittens and a BMW for sale. It just goes to show, if you don't want to get caught you need to be meticulous. It also proves that there is no such thing as a perfect crime.