Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 291 for Friday June 8th, 2012
- Register today for Offensive Countermeasures: Defensive Tactics That Actually Work at SANSFIRE July 7, 2012 - July 8, 2012 with the freewheeling, piano playing & swim suit modeling John Strand!
- Episode 300 of PaulDotCom Security Weekly will be recorded and streamed live on Friday August 31st in support of of a cure for Breast Cancer. We will broadcast live from 10am until 6PM Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!
- Larry is teaching SANS SEC 617 on Wirelss Pwnage, check out Larry's very own dedicated page on the SANS web site for a complete list, Next up NYC @ Pace University in June!
- Larry will be delivering the Keynote at Hack3rcon^3 Doomsday Eve. Hackers and prepping, what could be better?
- Episode 292 will feature a Tech Segment by Tim "LaNMaSteR5" Tomes of the LaNMaSteR53.blog
Tech Segment: Larry Pesce: Software Defined Radio on the cheap for pentesting.
Remember a while back we talked about using a "police scanner" to monitor POCSAG and Flex pager traffic, as well as listeneing in to 900 Mhz baby monitors and cordless phones. Well, that was pretty fun, but it took a couple hundred dollars in gear AND a laptop. What if there was a better way?
Well there is! How about a Software Defined Radio? Before we had to venture down the road of the USRP hardware form Ettus (which rocks by the way), but won't pass muster for my CFO at about $3000 after all the fixins. $20 woul dbe more my speed. Turns out some folks discovered that the RT2832 and E4000 chipsets in some USB DVB TV tuners could be used as low cost SDRs as all of the tuning and demodulation was all done in the assocoated software, ansd allow us to tune form about 50Mhz to 2.2Ghz. For a list of compatible devices check out this list. I picked mine up from e-Bay for about $25 (with shipping form China) and it took about 3 weks to come in. That means if we can gain access to the hardware with our own drivers we can do the same! Well, maybe not me, but some other really smart folks. Enter the OSMOCOM SDR project, and the Spench setup
The Spench folks have streamlined the Installation process for us under Windows. Yeah, I said it, windows. While the Spench folks have done a great job at documenting the install process I still had some issues. I'll give the quick review:
Go and get the  integrated installer from Spench and install, as part of the install process (or even after) start Zadig to install our USB drivers. In my case I needed to select Options -> List All Devices to get mine to show up in the Device pulldown, listed as Bulk 0 and Bulk 1. You'll want Bulk 0 in all cases. Next it will list the current installed driver for the tuner, but we want to change it to the WinUSB driver as the target, and click install. This will install our "open" driver to allow for us to directly controll the hardware instead of the defailt driver and application.
Next up is the install of HDSDR the tuning and recording application. The defaults here are good, and you don't want to start it up right away. Why, even though it is the integrated installer, it still "misses" a few things.
During the install process, we will be asked for a directory to unzip some stuff to. You remember where that was, right? I picked c:\SDR. In this directory you'll find a bunch of .DLLs. All of these DLLs need to be copied into the install directory where HDSDR was installed - mine was in C:\Program Files (x86)\HDSDR. These DLLs are the interface between the USB driver to enable ExtIO (External I/O interface) to attach to our TV Tuner with custom driver.
Once we have the DLLs copied over, start up HDSDR. I picked the default for the sound options, and mine worked just fine.
Now we're cookin' with gas! Now we can use the interface to tune to various channels, record audio, etc. We can also use either windows stereo mix or Virtual Audio Cables to pipe the audio to PDW (the best pager decoding app).
Additionally, we can use the OSMOCOM source blocks that they have created for use with GNUradio under linux of course)! This means that we can use GNUradio to tune the radio to all sorts of signals, and then leverage the built in demodulation blocks to examine traffic - POCSAG (without PDW), GSM, GPS, APRS, and whatever may be in thee bands that demodulation blocks exist for. I'm still setting up my system for this one, so stay tuned.
Also, the antenna that comes with the card blows goats. I added my own with a PAL to coax adapter, then Coax to BNC, which allows me to connect my cheap (but good) scanner antenna. Then I've also added a BNC to PL-259 adatper to I can attach it to my two G5RV antennas.
Tech Segment: What's That Web Server?
- DerbyCon Call for Papers and Ticket Registration is: available online. If you have not yet registered or submitted a talk, please do so now.
Have you ever run a scan of a giant network and found lots of HTTP and HTTPS servers? While the results are interesting you often find yourself asking, "What is running on that web server?". Then you have 36 browser tabs open, and things get ugly. With some help from a couple of wicked awesome bloggers, there is a better way. These scripts will take Nmap output, grab all the HTTP(S) services, take a screenshot, grab headers, and then make a web page which displays the screen and information gathered.
You just never know what you may find, such as:
- File directories
- Embedded systems (printers, fax, CCTV, and more)
- Source code repositories
Below are some examples.
Just port 80:
$ nmap -sV -oA network -p80 192.168.1.0/24 $ grep open network.gnmap | cut -d" " -f2 | ./webscour.pl network
More than port 80:
$ cat dca.gnmap | ./gnmap.pl | cut -d, -f1,2 | tr ',' ':' | ./webscour.pl webservers.htm
One liner for CVS results:
$ cat output.csv | grep http | cut -f 1,2 -d "," | tr "," ":" | ./webscour.pl webservers.htm
Make it shorter:
$ grep http output.csv | cut -f 1,2 -d "," | tr "," ":" | ./webscour.pl webservers.htm
- Security BSides everywhere: Cleveland, Las Vegas, Los Angeles more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segement!
- Podcast 292 will feature Matasano's Thomas H. Ptacek, a self described Software Abuser.
- Print bomb? - Malware then overloads the printer! Just think how this will impact IT, tons of calls to the help desk, its like a DoS for the entire company. Sure scanners could do this, but most have managed workarounds at this point. Its nice to see malware getting back to just plain fun, rather than stealing your bank creds, which is boring and no one pays attention to, but if I can't print, good God sound the alarm!
- How Does A Data Breach Affect Consumer Behavior? - My thinking is none, and we've seen this time and time again. Would you stop shopping at Amazon if they had a breach? Maybe for a while, but then it would be business as usual. Its ab out being resilient, both for the company and the consumer. This means good password planning, not using your debit card, and so much more.
- VUPEN Breach? Tempest In A Teapot - So there are 200 exploits out there now, does this change anything? Likely not, if you're not patching or prepared for 0day, then you are already pwned.
- Spear Phishing Attempt - Nice spear phishing attempt, what can we do to prepare for this type of attack?
- Homeland Security as Security Theater Metaphor - I will not tell my story of how I got my revenge on TSA this week.
- LinkedIn dials 911 on password mega-leak hackers - Holy passwords batman!
Jack's Tales of Woe
- Everybody DRINK! Cyber War! An unusually balanced look at "Cyberwar" even if the definition is somewhat restricted. Too bad it is $36.00 for a 30 page doc. More war profiteering.
- Linux Rocks! Windows Sucks! How's that for fanboy baiting? The US Navy is buying Linux after the Windows drone malware fiasco. Because misconfigured and unpatched Linux is more secure? For $29 million in no-bid contracts it better be. (Thanks to Producer Mike for this story)