
March 11, 2010

Episode 190 - live from CCDC tonight!

Please join us for a special live recording tonight at 7:30 EST from the Collegiate Cyber Defense Competition in Maryland for Episode 190 of PaulDotCom Security Weekly.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Larry, Mick, Carlos, John, Darren & Paul

March 9, 2010

PaulDotCom Security Weekly - Episode 189 - March 5, 2010

Episode 189 Show Notes

Top ten tips to socially engineer management into implementing security the right way, plus all sorts of interesting stories including the "porn detection stick"!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

March 4, 2010

Episode 189 date & time change!

Please note: Instead of our regular Thursday debacle, PaulDotCom Security Weekly Episode 189 will be recorded on Friday at 21:00 EST (9:00 PM).

Also, there were rumors we won an award somewhere for something ...

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, John, Carlos, Mick & Darren

March 3, 2010

SSH gymnastics with proxychains

By Mark Baggett

Proxychains is a Linux dynamically loadable library that intercepts the TCP and UDP traffic of a specific process and tunnels it over an HTTP, SOCKS4 or SOCKS5 proxy. For this discussion I will focus on SOCKS4 proxies set up with the SSH -D parameter. Proxychains is already installed in BackTrack 4 and configured to tunnel over a SOCKS4 listener on port 9050 on the local host. By default, proxychains uses the configuration file /etc/proxychains.conf, but it will look for a proxychains.conf file in the current working directory and use that one if it exists. To illustrate how an attacker or penetration tester can use this powerful tool, let us look at the following scenario. The attacker is attempting to gain access to the TARGET host at 10.10.1.2 on the following network. (Note the super 1337 Visio skills.)


[network diagram]

The attacker brute-forced valid credentials to the public SSH service on 192.168.100.13. They then cracked passwords obtained from that machine and used them to find valid credentials on a second DMZ host at 192.168.100.15. That host has two network cards; the second interface straddles the corporate firewall and connects to the internal network where our target 10.10.1.2 sits. Note that for this attack to work the second host is not required to straddle the firewall; it just needs firewall rules in place that allow it to reach the internal target.

The attacker starts his attack by connecting to the external SSH listener at 192.168.100.13 as follows:


[screenshot]

"-D 127.0.0.1:9050" causes a dynamic port forwarder to start on port 9050 of the attacker's local host. Since the default proxychains.conf file already has an entry to proxy on port 9050 (Tor's default), all the attacker has to do is precede a program with "proxychains" and all of its traffic will be shoveled to the host 192.168.100.13. If the attacker ran:

>proxychains wget localhost

They would get back the website listening on port 80 on host 192.168.100.13. But I want to bounce off that server and gain access to 192.168.100.15. So I could do this:

>proxychains ssh user@192.168.100.15

That would make an SSH connection into 192.168.100.15. On that host it would appear that the connection came from 192.168.100.13. In this case after I make the connection to 192.168.100.15 I really want to pivot a second time to get to the internal host. So I run the following:


[screenshot]

What is really awesome here is that this establishes a NEW dynamic port forwarder on the attacker's localhost at port 8090. The attacker now has multiple dynamic port forwarders listening on his host: the first, on 9050, takes him into 192.168.100.13, and the second, on 8090, takes him to 192.168.100.15. The attacker can use proxychains again with a different configuration file to tunnel all of a program's TCP and UDP packets through the second pivot point at 192.168.100.15. To do this I did the following:

>mkdir aconf
>cd aconf
>sed "s/127.0.0.1 9050/127.0.0.1 8090/g" /etc/proxychains.conf > ./proxychains.conf

or you can use your favorite editor to change the port at the bottom of the configuration file. Then from the directory containing my new configuration file I ran this:


[screenshot]

This started the Nessus server daemon and allowed me to do a full vulnerability scan of the internal host. Nessusd worked great over proxychains! Nmap, Metasploit and others also worked well. To launch Metasploit using proxychains you'd simply run the following:


[screenshot]

Here is a quick video showing how quickly you can pivot through hosts and capture the target.

SSH Gymnastics from PaulDotCom on Vimeo.

PREVENTION:
I hear you: "Dude... That is scary. How do I prevent this from happening?"
Well, first, be sure to minimize the ports you open between hosts and don't have hosts that straddle your firewall. Second, you can turn off port forwarding in your sshd configuration files: edit /etc/ssh/sshd_config and set "AllowTcpForwarding no". While you're in there, make all these changes. Remember that if an attacker has a shell they can install their own forwarders or use netcat, so this is just one step in trying to prevent the host from being a relay. It does make the attacker's job much harder when you turn off the DEFAULT mode of being a relay.
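A small audit script for that sshd_config change, added here as an example and not part of the original post. It checks the relay-related keywords (AllowTcpForwarding, PermitTunnel, GatewayPorts) the way sshd reads them: keywords are case-insensitive, the first uncommented occurrence wins, and a missing keyword takes sshd's default, which for AllowTcpForwarding is "yes".

```python
# Added example (not from the original post): audit an sshd_config for the
# settings that let a compromised host act as an SSH relay. sshd keywords are
# case-insensitive and the FIRST uncommented occurrence wins, so an
# "AllowTcpForwarding no" placed after an earlier "yes" is silently ignored.
# Only the global section is examined; Match blocks are counted and reported.
import re
import sys

# keyword -> (sshd default, value a relay-resistant host should have)
RELAY_SETTINGS = {
    "allowtcpforwarding": ("yes", "no"),
    "permittunnel": ("no", "no"),
    "gatewayports": ("no", "no"),
}

def effective_settings(config_text):
    """Return ({keyword: value} for the global section, first match wins,
    number of Match blocks seen)."""
    values, match_blocks = {}, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            match_blocks += 1          # everything below applies to that Match only
        elif match_blocks == 0 and len(parts) == 2 and key not in values:
            values[key] = parts[1].strip().lower()
    return values, match_blocks

def audit_relay_settings(config_text):
    """Return (ok, findings); ok is True only when every RELAY_SETTINGS key
    has its hardened value in effect."""
    values, match_blocks = effective_settings(config_text)
    findings, ok = [], True
    for key, (default, want) in RELAY_SETTINGS.items():
        got = values.get(key, default)
        if got == want:
            findings.append(f"OK    {key} = {got}")
        else:
            findings.append(f"WARN  {key} = {got} (want {want})")
            ok = False
    if match_blocks:
        findings.append(f"NOTE  {match_blocks} Match block(s) present; check their overrides")
    return ok, findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        ok, findings = audit_relay_settings(f.read())
    print("\n".join(findings))
    sys.exit(0 if ok else 1)
```

Run it against a copy of sshd_config from each DMZ host; a non-zero exit means the host still offers forwarding by default.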

Additional References:
http://pauldotcom.com/2009/08/scanning-through-a-tor-network.html
http://netwarsplayers.googlegroups.com/web/SSH+Tunneling+In+The+Context+Of+Netwars.pdf
http://www.securityfocus.com/infocus/1816
http://proxychains.sourceforge.net/

Shout out to Jim Shewmaker and ace1 over at SANS Netwars. Ace1's excellent paper inspired me to take another look at proxychains.
Note: proxychains supports CHAINS of proxies (imagine that). There is probably a more elegant way to do this using just one configuration file and a strict chain. Do you know how? Leave me a comment!

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

"IPv6 Survival Guide" seminar discount offer!

You learned to live with IPv4's deficiencies. NAT doesn't scare you and your VoIP systems and VPNs can handle multiple layers of it. So why should you care about IPv6? The answer is: You should care because you may already be using IPv6 without knowing about it ... and knowing is half the battle!

On Wednesday, March 17th, please join DShield founder and SANS CSO Johannes Ullrich in a unique seminar at a tremendous discount to PaulDotCom listeners!

The IPv6 Survival Guide class will introduce you to the very basics of IPv6 and answer questions such as:
- What are those long addresses about and how are they assigned?
- What is the difference between tunnel technologies like 6to4, Teredo, ISATAP and more?
- Will IPv6 work with my systems?
- How do I filter IPv6 and how do I detect if I already use it?

Johannes will also go over some of the new features offered by IPv6 like mobile IP, jumbo packets and auto configuration.

Date: Wednesday, March 17, 2010
Time: 3:00 PM - 5:00 PM EDT
Cost: $20 with discount code ($195.00 retail)
Discount Code: IPV6PDC
URL: http://www.sans.org/vlive/details.php?nid=21504

Johannes will also be teaching Security 503: Intrusion Detection In-Depth, a 36-hr course, on vLive! beginning April 12.

NOTE: Use discount code 503PDC for a $250 discount on the above class!

- PaulDotCom Crew

March 2, 2010

PaulDotCom Security Weekly - Episode 188 - February 25, 2010

[Note: We've given up on fighting iTunes and are now releasing both parts for each episode at the same time. Make sure you check your podcast application (most listeners use iTunes) and make sure you are getting both parts of each episode!]


Episode 188 Show Notes


Part 1: "Freedom TM"


The PaulDotCom crew interviews Daniel Suarez to discuss his new book Freedom TM, security, privacy, sociology, and more!



Part 2: DNS sub-domain brute forcing & Penetration


We discuss when penetration is important, how to talk to management, coolest WRT54G hack, and a technical segment on DNS sub-domain brute forcing.



Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


February 24, 2010

PaulDotCom Episode 188 Featuring Daniel Suarez

Please join us and Daniel Suarez, author of the runaway hit Daemon, to discuss his latest work Freedom(TM). The live stream should be active around 19:30 EST (7:30 PM), Thursday, February 25th. Please keep in mind that the recording time is an estimate.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

February 23, 2010

Meterpreter script to unlock the screensaver

By Mark Baggett

Let's face it, security guys love their password-protected screensavers. I am no exception. Without it, many users would likely never lock their computers. This simple mechanism may slow down or in some cases completely prevent the attacker from accessing resources on a remote machine. A strong password on a screensaver was one of the hurdles that you had to overcome in the Christmas 2008 Ethical Hacker challenge, "Santa Claus is Hacking to Town". Santa really could have used this script.

The Relentless-coding blog recently posted a Meterpreter script that bypasses the screensaver password protection. The script patches the lsass process in memory at the point where the code checks the validity of the password that was entered. After the patch is applied the attacker can enter ANY password to unlock the screensaver. The script works on Windows XP SP2, SP3, Windows Vista and Windows 7. Let's take a look at the script in action:

Meterpreter Screensaver unlock script from PaulDotCom on Vimeo.


The script isn't currently part of the metasploit distribution so you'll need to download it from the Relentless-coding site. Save it to your "scripts/meterpreter" directory in your Metasploit installation. In a Backtrack installation you'll find that directory under "/pentest/exploits/framework3/scripts/meterpreter".

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Killing the Monkey in the Middle

There are many ways for an attacker to insert themselves in the middle of a conversation. Just some of the tools at the attacker's disposal include:

  • DNS cache poisoning (metasploit)
  • NetBIOS name spoofing (nbtool at skullsecurity.org)
  • Lying about the DNS, WINS and/or default gateway with a rogue DHCP server (yersinia, ettercap)
  • Delivering a WPAD file or otherwise reconfiguring the browser proxy (metasploit)
  • IPv6 ISATAP spoofing
  • Attacks on routing protocols such as BGP MITM
  • IP source routing attacks (netcat)
  • ICMP Redirect messages (ettercap)
  • ARP cache poisoning (yersinia, ettercap, cain)
  • Switch port stealing (ettercap)
  • Layer 2 MAC flooding* (yersinia, macflood, macof)
  • Gratuitous Spanning Tree BPDU root messages* (yersinia)
* Allows sniffing that leads to MITM

Some of these attacks work across the Internet, but most are limited to the LAN and rely on Layer 2. The good news is that many of them can be mitigated with features deployed in the latest versions of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping + Dynamic ARP Inspection, DHCP Snooping + IP Source Guard, ARP rate limiting, MAC address port security, PVLAN protected, isolated, community and promiscuous ports, and 802.1X can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on layer two security. Give it a gander! Nice work Brian.
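To make the DHCP Snooping + Dynamic ARP Inspection + IP Source Guard combination concrete, here is a small model of the switch-side logic, added as an example and not taken from the post or from Brian's paper. Port names and addresses are constructed; trusted ports stand in for the uplink and DHCP server ports, and the binding table is what DHCP snooping builds from completed leases.

```python
# Added example (not from the original post): a model of how DHCP Snooping,
# Dynamic ARP Inspection (DAI) and IP Source Guard work together on a switch.
# Port names and addresses are constructed for the example.

class SwitchDai:
    """Trusted ports face the uplink/DHCP server; every other port is an
    untrusted access port whose DHCP, ARP and IP traffic is checked."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}          # client_ip -> (client_mac, client_port)

    def dhcp_reply(self, server_port, client_port, client_mac, client_ip):
        """DHCP Snooping: an OFFER/ACK is honoured only from a trusted port,
        which defeats a rogue DHCP server on an access port; a completed
        lease becomes a binding for the client's port."""
        if server_port not in self.trusted:
            return "drop: DHCP server reply on untrusted port"
        self.bindings[client_ip] = (client_mac.lower(), client_port)
        return "bind"

    def _check(self, port, mac, ip, what):
        if port in self.trusted:
            return "forward"
        bound = self.bindings.get(ip)
        if bound is None:
            return f"drop: no binding for {what} IP {ip}"
        bound_mac, bound_port = bound
        if bound_mac != mac.lower():
            return f"drop: {what} MAC does not match binding for {ip}"
        if bound_port != port:
            return f"drop: binding for {ip} belongs to {bound_port}"
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """DAI: the ARP sender IP/MAC pair must match a snooping binding.
        (Hosts with static IPs need ARP ACL entries; not modelled here.)"""
        return self._check(port, sender_mac, sender_ip, "ARP sender")

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard: a spoofed source IP/MAC on an access port is dropped."""
        return self._check(port, src_mac, src_ip, "source")

if __name__ == "__main__":
    sw = SwitchDai(trusted_ports={"Gi0/1"})
    print(sw.dhcp_reply("Gi0/1", "Fa0/2", "aa:aa:aa:aa:aa:02", "10.10.1.20"))
    # a host on Fa0/3 answers ARP for the Fa0/2 client's address: DAI drops it
    print(sw.arp("Fa0/3", "aa:aa:aa:aa:aa:03", "10.10.1.20"))
```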

Download Brian Almond's paper here

Other resources

http://isc.sans.org/diary.html?storyid=7567

http://www.ciscopress.com/articles/article.asp?p=1181682

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/bcastsup.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.html

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Links between forensics and pen tests

Last year on the show, Marcus J. Carey presented a tech segment about using memory analysis in penetration tests. Memory acquisition came into its own for incident responders a few years back. Even before tools like Volatility, Memoryze or HBGary's Responder were available, many incident responders, including me, used the strings command to perform rudimentary searches and "analysis" of memory artifacts.

Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.

Shortly after Carey's presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace, but that may be overlooked by penetration testers. Both disciplines inform each other.

Let's say you're a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).

What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.

If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location, in fact, there are two well known ones.

Windows systems have a feature that creates shortcuts for common document types, including Office files when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus' Pen-Test mailing list, but I don't believe it's been ahem, weaponized until now.

These shortcuts or link files are created by Windows to facilitate the "Recent" document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings\<username>\Recent with Microsoft Office files having their own location in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later versions of Windows have moved the recent link files to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent. There may be other locations specific to other applications as well.

For the two common locations, I have created a Meterpreter script port of Harlan Carvey's lslnk.pl that is commonly used by forensics analysts to dump the contents of Windows' .lnk files.

dumplinks.rb can be used with the Meterpreter to dump the contents of Windows' .lnk files either to the Metasploit user's local file system or to the console. By default, dumplinks.rb runs in a less verbose mode than Carvey's lslnk.pl: it reports only the time stamps of the .lnk files themselves, then prints the time stamps contained within the .lnk files (which are the time stamps of the target file), and finally prints the target file's location.

Enough drivel, here's a couple of screen shots:
Figure 2: dumplinks help screen

And one of the script in action, dumping to the console:
Figure 3: dumplinks sending everything to the console
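For readers who want to see what dumplinks is actually pulling out of a .lnk file, here is a minimal parser for the fields it reports (the target's three FILETIMEs, its size and its path), written as an added example for this post; it is not dumplinks.rb or lslnk.pl, and the sample .lnk bytes are constructed by build_sample_lnk() rather than taken from a real system.

```python
# Added example (not from the original post and not dumplinks.rb itself):
# parse the parts of a Windows .lnk file that dumplinks reports, following
# the MS-SHLLINK layout. build_sample_lnk() constructs the test input.
import struct
from datetime import datetime, timedelta, timezone

HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def filetime(ticks):
    """Windows FILETIME (100 ns units since 1601-01-01) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def cstr(buf, off):
    """Null-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252")

def parse_lnk(data):
    """Return the target's timestamps, size and path from .lnk bytes."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, mtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"created": filetime(ctime), "accessed": filetime(atime),
            "modified": filetime(mtime), "size": size, "target": None}
    pos = 76                                   # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                    # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, cnrl_off, suffix_off = \
            struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]           # offsets are relative to LinkInfo
        suffix = cstr(li, suffix_off)
        if li_flags & 0x1:                     # VolumeIDAndLocalBasePath
            info["target"] = cstr(li, base_off) + suffix
        elif li_flags & 0x2:                   # CommonNetworkRelativeLink (UNC share)
            net_off = struct.unpack_from("<I", li, cnrl_off + 8)[0]
            info["target"] = cstr(li, cnrl_off + net_off) + "\\" + suffix
    return info

def build_sample_lnk(path=b"C:\\Users\\alice\\Documents\\bid.docx"):
    """Constructed sample: header plus LinkInfo with a VolumeID and local path."""
    vol = struct.pack("<4I", 17, 3, 0x1234ABCD, 16) + b"\0"   # DRIVE_FIXED, empty label
    base, suffix, hdr = path + b"\0", b"\0", 28
    link_info = struct.pack("<7I", hdr + len(vol) + len(base) + len(suffix), hdr, 0x1,
                            hdr, hdr + len(vol), 0, hdr + len(vol) + len(base))
    t0 = 132223104000000000                    # FILETIME of 2020-01-01T00:00:00Z
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", HAS_LINK_INFO, 0x20, t0, t0, t0 + 864000000000,
        45056, 0, 1, 0, 0, 0, 0)
    return header + link_info + vol + base + suffix

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:9} {value}")
```

Point parse_lnk at the bytes of any file from the Recent directories listed above to get the same target path and timestamps dumplinks prints.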

Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.

Dave Hull describes his working life as on the Venns between incident response, forensics and web application security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 - 20