Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
This episode is sponsored by Core Security Technologies, helping you penetrate your network. Now version 7.6 with IPv6! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!
Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.
One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.
Announcements & Shameless Plugs
Welcome to PaulDotCom Security Weekly, Episode 130 for November 13th, 2008. A show for security professionals, by security professionals.
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- RI Linux Installfest - December 6th!
- Thanks to robjective for giving Larry "the stuff"
- This week we have a Book Giveaway from No Starch Press, a copy of Hacking VoIP. This time, Karl, let's give someone else a chance! E-mail the answer to our question to firstname.lastname@example.org. First correct answer, with supporting documentation, to that address wins! Yes, the winner of the first 3 books has been Karl.
Tech Segment: Pass The Hash, Hold The Salt
We've mentioned it on the show before, referenced it several times in various publications, SANS covers it in many courses (SEC560 has almost an entire day on password cracking), but here's a little tutorial on how to put it all together. What am I talkin' about? Windows hashes, either LANMAN or NTLM, they are literally the keys to the kingdom. First, you need to collect them by:
- Sniffing them off of the network
- Gaining SYSTEM level access to a system and grabbing the SAM database
- Gaining user level privileges to a system and grabbing the backup
I won't go into a lot of detail about the above, because well, we've been there before. So, let's say for example you compromise a system on the internal (or external) network. The first thing you should do (after your happy dance of pwnage) is to grab the SAM database. You can do that with:
- Metasploit - Meterpreter.dll "hashdump" command (Episode 106 has an example)
- Core IMPACT - "Dump Passwords From SAM"
- fgdump - Excellent tool for dumping passwords (I upload it to NT 4.0 systems because Core doesn't support them for password dumping)
So, you go along and try to crack those hashes with john, which can have sexy results most of the time. However, remember you can also pass the hash! But first, you must choose which hashes to pass. I try to determine if there is a shared local administrator password amongst systems. If I've compromised a bunch of systems, I will review the hashes and look for similarities. Remember, no salt, so the same password produces the same hash on every system: if some systems have a username of "administrator" and others a username of "tom" with matching hashes, one can deduce that an admin may have gotten sneaky and changed the local administrator username. So, grep, sort, and uniq are your friends; do some analysis of the hashes. To pass the hash, I've had great success using Core IMPACT's module "Install Agent Using SMB".
You will need both the LANMAN and NTLM hashes which will serve as the password. I take this module and run it against all of the hosts on a particular subnet, and really make a point that you should never use the same local admin password on several different systems!
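The grep/sort/uniq review of collected hashes described above, written out as an added example (it is not from the show or from any of the tools named). It reports which hosts share an NT hash regardless of account name, so each one can be given a unique local admin password. The "host pwdump-line" input layout, the function names and all sample values are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: find NT hashes reused across hosts in dumps gathered during
# an authorized assessment or internal audit.
# Assumed input, one account per line:  <host> <user>:<RID>:<LM>:<NT>:::

# Constructed sample data (hosts, users and hashes are made up).
sample_dump() {
    cat <<'EOF'
10.1.114.10 Administrator:500:11111111111111111111111111111111:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
10.1.114.11 tom:500:11111111111111111111111111111111:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
10.1.114.12 Administrator:500:22222222222222222222222222222222:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
10.1.114.13 Administrator:500:11111111111111111111111111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::
10.1.114.12 helpdesk:1001:33333333333333333333333333333333:cccccccccccccccccccccccccccccccc:::
10.1.114.13 helpdesk:1001:33333333333333333333333333333333:cccccccccccccccccccccccccccccccc:::
EOF
}

# shared_hashes: read the combined dump on stdin and print, for every NT hash
# present on more than one host:  <host count> <nt hash> <host/user:RID,...>
# Most widely shared hash first. RID 500 is the built-in administrator even
# when the account has been renamed.
shared_hashes() {
    awk '{
        host = $1
        entry = $0
        sub(/^[^ \t]+[ \t]+/, "", entry)       # rest of line = pwdump entry
        if (split(entry, f, ":") < 4) next     # skip malformed lines
        nt = tolower(f[4])                     # hex case differs between tools
        if (!((nt, host) in seen)) { seen[nt, host] = 1; nhosts[nt]++ }
        who[nt] = who[nt] (who[nt] == "" ? "" : ",") host "/" f[1] ":" f[2]
    }
    END {
        for (nt in nhosts)
            if (nhosts[nt] > 1) print nhosts[nt], nt, who[nt]
    }' | sort -k1,1nr -k2,2
}

# Run against the sample; in practice pipe the real combined dump in instead.
sample_dump | shared_hashes
```

In the sample, "tom" on 10.1.114.11 lands in the same group as the two Administrator accounts, which is the renamed-administrator case mentioned above.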
Stories For Discussion
Stephen Northcutt's Security Predictions Page - [PaulDotCom] - Experts from the field weigh in on security predictions. You know, I've changed my mind about predictions. I've decided that they are fun to make because you can think big and outlandish, and hey, it's just a prediction. I make some more serious predictions, as do Josh Wright, Eric Cole, Rob Lee, and several others.
What's your TwitterRank? - [Larry] - Do you know? Yes? Good, go change your password. Twitter rank is an app that finds out how popular you are by analyzing "@" replies to your messages. The only way to do so is by being authenticated. So, the app developer asked for your username and password. You've now just given this info to some random schmoe on the internet. If you look at the comments in the HTML, it gives you an evil warning. So, how does this differ from giving your username and password to some of these other web pages to get access to your accounts - Facebook for friend gathering, and what about those online bill management places that you give direct access to your checking account?
Tcpdump and Libpcap Updates - [PaulDotCom] - I have to tell you, while wireshark is all sexy, gui, and pretty, I MUCH prefer tcpdump. There is something just so familiar to me and comfortable about the command line (in fact, I have been actually enjoying windows by using more of the command line). I also found it interesting in the release notes when it mentions "Add support for Bluetooth Sniffing", really?
Metadata, PDF files, and watching attackers - [PaulDotCom] - I don't recommend actually watching hackers. For one, most are not super models (nor are many of them actually females), second, it's pretty boring to watch someone type, even if they are doing cool, sexy hacking things. But here is a way to look into how an attacker created a malicious PDF, how long it took, what version he used to create it, etc... I like this idea, using metadata techniques against the attackers! [Larry] - Didier Stevens termed this as shoulder surfing a PDF malware author. I've been looking into this metadata business for a bit, and have been focused on looking at revisions of word documents and what they can reveal. Now, we have to be careful about incremental update metadata stuff in PDF documents as well. At least in this case it was helpful for looking at the development of an attack, but how would we take this further to look at general PDF revisions? Check out PDF-Tools, because you know I am!
SOHO Router Wireless Security Report - [PaulDotCom] - This paper details some attacks against SOHO routers. First, they go over the DHCP name XSS vulnerability, which can execute XSS vulns against an administrator. Another attack, which I thought was neat, was that they registered their hostname with DHCP as "www.google.com", and got the router to update its DNS cache accordingly so that www.google.com resolved to a local IP address. So, if you have a Linksys WRT160N, D-Link DIR-615, Belkin F5D8233-4v3, or ActionTec MI424-WR you want to read this paper :) [Larry] - a good analysis of a few common routers, and how they fall down on security. Including the nice new Actiontec router on my FIOS install... It is surprising that this stuff doesn't get tested, although they get rushed to market, and they think about the common market, that probably doesn't care too much about this, especially at a low price point.
MS08-068 - [Larry] - It only took MS 7 years to patch this flaw reported by Sir Dystic...
Caller-ID Spoofing = Voicemail access - [PaulDotCom] - Voicemail can contain sensitive information (never leave passwords on someone's voicemail). Also, information gathering potential is huge. Set a pin!
Would you like SPAM with that? - [Larry] - McColo taken off line (looks like a de-peering from the upstream providers), as there were significant issues with botnet command and control channels, as well as child porn there. So the C&C servers are down, and SPAM drops 60% world wide, as the spam bots aren't receiving orders. That's great! Why did it take so long? But, the bots are still out there, and the bad guys will just stand up new servers, and SPAM will rise!
I <3 Protocol Attacks - [PaulDotCom] - The main reason I love design flaws is that they stick around a lot longer than software vulnerabilities. Simply because they are harder to fix :) SMBrelay was great, and let me tell ya, you can have a FIELD DAY with it :)
Google Chrome needs some polish - [Larry] - I'm not sure how these things keep coming out on Chrome. Sure, it's fast, nothing works with it, and it is based on Webkit...but why haven't they learned from years of browser vulnerabilities?
Campaign Computers For Obama and McCain Hacked - [PaulDotCom] - I wanted to weigh in on this one and say that targeted attacks will most often be successful.
I-Card from Equifax - [Larry] - The Over 18 I-Card is a token based authentication system that can prove that you are over the age of 18 over the internet - only those that are over 18, and can prove it, can get one. I'd like to see a token that can prove that I'm not a dog. How about a stolen identity to get these little bad boys?
Tech Tip: Scan For MS08-067 With Nmap!
Note: You must use the current svn version to make this work:
svn co --username guest --password "" svn://svn.insecure.org/nmap/
nmap -oA 114subnet-08-067 -sS -p445 --script smb-check-vulns.nse 10.1.114.0/24
It's freaking fast too:
Nmap done: 256 IP addresses (156 hosts up) scanned in 83.53 seconds