
August 28, 2007

Recording and Stream Notice - Episode 81

The live stream should be active at about 6:30 PM EST on Friday, August 31st. We should begin recording the live show at about 7:00 PM EST. Please keep in mind that these times are all estimates, but we will do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

Please join us, and thanks for listening!

- Larry

SEC535 - Embedded Device Hacking - Update

General Excitement

The course has been written, w00t! The one day embedded device, OpenWrt, Linksys WRT54GL hacking extravaganza is complete! I am so excited to teach this course, and can't wait to start showing students how to hack embedded devices. The first time students rip open the packaging on a fresh, brand new WRT54GL, and then gratuitously violate the warranty, will truly be a treat!

Current Offerings

I wanted to inform everyone that the September 11th and September 25th offerings of this course are still on for OSHEAN and Tech Collective members. The September 11th offering is just about full; however, registrations will be accepted soon for the September 25th course. Check the Tech Collective and OSHEAN web sites for more information.

The September 25th course at SANS NS2007 in Las Vegas has been cancelled. It was a tough day to give a course (on the last day of all the 6-day tracks), but it means that people felt committed to their 6-day tracks, so at least that's a good thing :) However, we are on for a new offering on Friday, January 11, 2008 in New Orleans! More information can be found here:

SECURITY 535, Embedded Device Hacking, Friday, January 11, 2008 : 9am - 5pm, Paul Asadoorian, Defensive Intuition

New Course Description

A new course description has been posted with more extensive information about the course, and more importantly why you would want or need to hack embedded devices. You can find it here:

SEC535 - Embedded Device Hacking

It really captures the heart of the course, and explains some benefits of using embedded devices for various networking and security problem solving tasks. The reasons include low cost, low energy, small footprint, a minimalistic approach to computing, and "Remoteness". So, go check it out!

PaulDotCom

August 27, 2007

PaulDotCom Security Weekly - Interview with Intelguardians - Escaping The Virtual Cave - August 23, 2007

I did my best to improve the audio quality on this one, and spent way too much time doing it (so no complaining! :)

I wanted to thank Ed, Tom, and Matt from Intelguardians, it was a fun episode with tons of useful information!

  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program.
  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want some cool PaulDotCom Gear? Do you hack naked? Check out our Cafepress Store!
  • Full Show Notes

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds: add to my PodNova

August 21, 2007

PaulDotCom Security Weekly - Episode 80 - August 16, 2007

The audio quality on this one may be a bit off, Skype and Gizmo gave us problems during the interview. However, there is some great content, thanks in large part to Tim and Dwight from White Wolf Security!

  • Full Show Notes

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds: add to my PodNova

August 16, 2007

"Just Plane Fun" - A "Bob" Story

We've all seen Simple Nomad's presentation from Shmoocon 2006, Hacking The Friendly Skies (http://www.nmrc.org/pub/present/shmoocon-2006-sn.ppt). And we all took notice and secured our environments from this threat, right? WRONG! Bob wrote in and told us about an experience he had while doing some hacking on a recent short flight (just over an hour). ("Hackers On The Plane" would be a cool sequel to the cinematic brilliance that is "Snakes On The Plane".)

It all started when Bob got bored on the plane. Bad things tend to happen when Bob gets bored, so he decided to whip out his MacBook Pro and see what he could find and hack into in under an hour using only the tools already installed on his laptop. Certainly this would be more interesting than talking to the person next to him or reading the airline's very own magazine. The first thing that Bob noticed was an ad-hoc wireless network called "Free Public Wifi" (Screenshot). "There must be something interesting there", thought Bob with an evil grin on his face. Associating to it yielded him an IP address on the 169.254.0.0/16 subnet, the link-local range a host assigns itself when it can't pull a DHCP address. "Well, if there is another host on this subnet, it may take some time to scan and find it", Bob thought. But wait, why not just fire up a sniffer and see what turns up? Lo and behold, a couple of minutes later:

4v1lhax0r:~ root# tcpdump -i en1 -nn -X -s0 host 169.254.35.218
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:54:21.339837 IP 169.254.80.136.53349 > 169.254.35.218.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Looks like the machine told me where it was all by itself. Sweet! Let's start with some light scanning with "nbtscan" to find out more about the NetBIOS configuration:

4v1lhax0r:~ root# nbtscan 169.254.35.218
Doing NBT name scan for addresses from 169.254.35.218

IP address       NetBIOS Name     Server    User      MAC address
------------------------------------------------------------------------------
169.254.35.218   CAMP9317         unknown   unknown   00-19-e3-bd-15-fd

(NOTE: Names and MAC addresses were changed to protect the innocent, or not so innocent as the case may be.)

Awesome, now we know its NetBIOS name, although Bob was hoping to get more information. We can assume that this is most likely a Windows host (what are the chances that someone on the plane is on an ad-hoc wireless network with a Linux laptop running Samba, querying the network with SMB packets?). Now, let's try our trusty friend "Nmap":

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-28 10:39 EDT
Interesting ports on 169.254.35.218:
Not shown: 65530 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
6129/tcp  open  unknown
32981/tcp open  unknown
MAC Address: 00:19:D2:AF:04:DC (Unknown)
No exact OS matches for host (If you know what OS is running on it, see 

The standard TCP ports open for NetBIOS and CIFS, and some other interesting ports at 6129 and 32981. Hrm, let's do a service version scan just on those two ports, because they look interesting:

4v1lhax0r:~ root# nmap -T4 -p6129,32981 -sV 169.254.35.218
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-28 10:41 EDT
Interesting ports on 169.254.35.218:
PORT      STATE SERVICE    VERSION
6129/tcp  open  damewaremr DameWare Mini Remote Control
32981/tcp open  unknown
MAC Address: 00:19:D2:AF:04:DC (Unknown)
Service Info: OS: Windows

Interesting, either someone has already 0wned this machine, or it's some weird service that is throwing a false positive in Nmap's service fingerprinting. Too bad we didn't have a copy of DameWare installed on our Parallels instance of Windows. Instead, Bob used the remaining time to throw every available exploit for Windows SMB at the target in both framework versions 3.0 and 2.7. In between exploits, attempts were made to connect to smb://169.254.35.218/c$ as administrator using various common passwords, and then...."This is your captain speaking, please return all seat backs to their full and upright position, and lock all tray tables....." Blah, blah, oh well, more hacking to be done on the next flight.

Recommendations

There are many lessons to learn from this fictitious story:

1) Disable your wireless adapter when you are not using it. Not only does this improve battery life, it keeps the "Bobs" of the world away when you are traveling.

2) Enable the built-in firewall in your operating system. By simply disallowing all connections initiated from the outside, all of the above scanning and attacks could have been thwarted immediately.

UPDATE: While this recommendation is good for general wireless network usage, I am told that ad-hoc networks bypass the local Windows firewall. Anyone know of any good Windows client firewalls that will block connections via ad-hoc networks? Add to this that you should configure your wireless adapter to never connect to ad-hoc networks, nor create them.

3) Scan your system regularly. Systems should be scanned at least on a weekly basis for open ports. This can be easily scripted with Nmap, or even done with Nessus. If your client or server machines have dropped shields and show they now have DameWare installed (and you don't use DameWare) you want to know about it for sure! I Nessus scan my servers weekly and review the reports to be certain that my firewalls are working and configured properly, that there are no new vulnerabilities on my servers, and that I don't see any new listening programs. The same can be done for clients...

4) Disable the administrative shares. I know, this breaks all kinds of stuff. At least if you are not going to disable them, put in a local account and password policy so that the LOCAL administrator account gets locked when you try different passwords. Also, do your clients really need to be sharing out files with NetBIOS locally? Make certain you have a good network storage facility to curb users from having to share files between workstations, and more importantly share them with the hackers on the plane.
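Recommendation 3 says weekly port scans are easy to script with Nmap, and that a host which suddenly shows DameWare listening should stand out. The script below is an added example (not the post's own code) of the comparison half of that job: it parses Nmap's grepable (-oG) output, diffs each host's open ports against an approved baseline, and flags services on a watch list. The scan text, the baseline and the watch list are constructed for the example (the 6129/damewaremr entry mirrors the story; the other watch-list names are assumed); in practice you would feed it the file written by something like `nmap -sV -oG weekly.gnmap <hosts>` run from cron or Task Scheduler.

```python
"""Compare a weekly Nmap grepable (-oG) scan against a per-host port baseline.

Added example, not the post's own code. Assumes you keep an approved list of
(protocol, port) pairs per host and scan on a schedule; the sample scan text
below is constructed, not real output.
"""
import re
from dataclasses import dataclass

# Constructed sample in Nmap's grepable format (tab-separated fields per host).
SAMPLE_GNMAP = (
    "# Nmap 4.20 scan initiated (constructed sample)\n"
    "Host: 169.254.35.218 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 6129/open/tcp//damewaremr//DameWare Mini Remote Control/, "
    "32981/open/tcp//unknown///\tIgnored State: closed (65530)\n"
    "Host: 169.254.80.136 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.5 (protocol 2.0)/\t"
    "Ignored State: closed (65534)\n"
    "# Nmap done (constructed sample)\n"
)

# Assumed baseline policy: the (proto, port) pairs approved for each host.
BASELINE = {
    "169.254.35.218": {("tcp", 135), ("tcp", 139), ("tcp", 445)},
    "169.254.80.136": {("tcp", 22)},
}

# Remote-control services that should never quietly appear on a workstation.
# "damewaremr" is the service name Nmap reported in the story; the rest are assumed.
WATCHLIST = {"damewaremr", "vnc", "ms-term-serv"}


@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str
    version: str


def parse_gnmap(text):
    """Yield an OpenPort for every open port on every 'Host:' line with a Ports field."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s+\(.*?\)\tPorts:\s+(.*?)(?:\t|$)", line)
        if not m:
            continue  # comment lines and host-status-only lines carry no ports
        host, ports_field = m.group(1), m.group(2)
        # Entries are comma separated, but version strings may contain commas,
        # so only split where the next entry (a port number and slash) begins.
        for entry in re.split(r",\s*(?=\d+/)", ports_field):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                yield OpenPort(host, proto, int(port), service, version)


def compare(scan_text, baseline, watchlist=WATCHLIST):
    """Return (unexpected, alarms): open ports missing from the baseline,
    and open ports whose service name is on the watch list."""
    unexpected, alarms = [], []
    for p in parse_gnmap(scan_text):
        if (p.proto, p.port) not in baseline.get(p.host, set()):
            unexpected.append(p)
        if p.service in watchlist:
            alarms.append(p)
    return unexpected, alarms


def report(scan_text, baseline=BASELINE):
    """Human-readable lines for a weekly review (or an email from cron)."""
    unexpected, alarms = compare(scan_text, baseline)
    lines = [f"NEW   {p.host} {p.port}/{p.proto} {p.service} {p.version}".rstrip()
             for p in unexpected]
    lines += [f"ALARM {p.host} {p.port}/{p.proto} remote-control service: {p.version or p.service}"
              for p in alarms]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GNMAP):
        print(line)
```

Run against the sample, the report lists 6129/tcp and 32981/tcp on 169.254.35.218 as new and raises a separate alarm for the DameWare service; the second host matches its baseline and produces nothing. Keeping the baseline in a file under version control makes a diff of the baseline itself part of the weekly review as well.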

PaulDotCom

August 12, 2007

Upcoming PaulDotCom Interviews

All:

We would like to announce that the next two weeks we will be conducting two interviews with some very special guests:

August 16, 2007, 7:00PM EST (Streaming Link) - Interview with Tim Rosenberg and Dwight Hobbs from www.whitewolfsecurity.com, who will be providing the technical "arena" for the upcoming ICE games

August 23, 2007, 7:00PM EST (Streaming Link) - Interview with Ed Skoudis, Tom Liston, and Mathew Carpenter from Intelguardians to talk about VM Escaping and the research that they have been doing on this topic.

The above two recordings will serve as the podcasts for those weeks. Moving into September, we will be discussing the happenings at Black Hat and Defcon hopefully in some more detail, discussing current events, and providing you with even more fantastic technical segments (we have a great one we are working on called "Just Plane Fun")!

PaulDotCom

August 07, 2007

PaulDotCom Security Weekly - Episode 79 - August 3, 2007

"Not Your Typical Episode"

I apologize we were light on the show notes, a bit light on the content, and there were no technical segments. We will return in the coming weeks to bring you feature packed episodes, and some awesome interviews!

  • Full Show Notes

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Joe "Mr. C" Conlin, Tyler, and Martin Mckeay

Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)

Audio Feeds: add to my PodNova