Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
PaulDotCom Security Weekly - Episode 188 - For Thursday February 25th, 2010
Shameless Plugs & General Announcements
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, starting March 28th. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
- Community SANS AUDIT 507 Auditing Networks, Perimeters, and Systems - SANS is pleased to announce Community SANS Atlanta, starting March 15th. Mick will teach Auditing 507: Auditing Networks, Perimeters, and Systems.
- SOURCE Boston - Paul will be speaking at SOURCE Boston on April 22nd, giving his new talk titled "Embedded System Hacking and My Plot to Take Over The World".
- QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come and enjoy what's sure to be a great Con! [PaulDotCom] - Uhm, should mention that Larry is giving not one, but TWO talks!
- Mark Baggett teaches SANS 504 during SANS Raleigh 2010 on June 21st for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling!
- Also, please join our Mailing List, Forum, and sign up for the PaulDotCom Insider! New webcasts coming soon!
Guest Interview: Daniel Suarez
Daniel Suarez (a.k.a. Leinad Zeraus) is the author of two books, a self-publisher, a Hollywood consultant, and has designed and developed enterprise software for the defense, finance, and entertainment industries. He is an avid gamer and technologist, and the author of the simply awesome books "Daemon" and "Freedom".
- It seems to me that the storyline is moving towards the "Man vs. Computer" that we've seen popularized in movies such as The Matrix and the Battlestar Galactica series. Is there some deeper meaning behind this storyline? Are we doomed by technology just like those plugged into the Matrix, fighting Cylons, or under the control of the Daemon?
- How have some of the characters evolved in the story? Has Loki grown up and gotten past running Raves to ruling the world?
- If you had to pick 3 things that you need in order to rule the world, what would they be?
- What kind of technology stories and examples in real life appear in Freedom?
- Will computers control us if we don't control them?
- What are some examples of how our dependence on technology has controlled our behavior?
- What types of security measures could be put in place to prevent the spread of the Daemon?
- Embedded systems security is an area of interest for me. What types of embedded systems are exploited by the Daemon? Which, in your opinion, are most vulnerable?
- Will we essentially live in a world of purpose-driven computers? How will that change our society?
- As we evolve technically, does that have an inverse relationship on our privacy? If so why and what can we do about it?
- You used the copyright symbol for the word "Freedom" in the title. Do you believe that corporations are abusing patents and copyright laws?
- Do you believe this is a path we can change, so that the future will not be like the one presented in the book?
- Given human greed and ego, do you believe the type of society presented, where we use technology and resources for the good of people instead of commercialization, is possible under the restraints of current governments, or will they have to change?
- One point I took from the book is that having the freedom to innovate, without the restraints of patents and controls that many companies and corporations impose, lets us advance at a much accelerated rate in technology terms, as with the darknet in the book. Am I correct?
- Can we assist and help with the technical part of your next book if it involves hacking? ;)
Tech Segment: DNS Enumeration
Brute forcing subdomains is a great way to enumerate hosts on the target network. It's great stealthy recon if the records are hosted off the target's network (such as by the ISP, because most ISPs are too busy to be concerned with security). A bunch of DNS lookups usually doesn't harm anything, and it lets you find hosts much quicker than portscanning. It may tell you something about the host as well, so don't name your servers "oldvulnerablewebserver.mydomain.com" or "iis4.mydomain.com". That's bad. The greatest thing about this attack is that it's tough to defend against (I suppose you could monitor your DNS servers for it, but most people have better things to do with their time).
First, you will need some wordlists. There are lots of places to find them, however check out this link:
Awesome collection! I like that they have categories, such as "Science", "Movies", and "Places". This is typically how people will name their servers (this may come in handy for internal testing as well; I mean, come on, who hasn't named all their servers after Star Trek characters?). I like the following two the best:
(TIP: Use the "uncompress" command to decompress the above files)
One for movies, and another geared towards hosts. Now we can run dnsmap:
# ./dnsmap mydomain.com -r mydomain.com -w etc-hosts
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for mydomain.com using Movies
[+] using maximum random delay of 10 millisecond(s) between requests

email.mydomain.com
IP address #1: 188.8.131.52

mail.mydomain.com
IP address #1: 184.108.40.206

ns1.mydomain.com
IP address #1: 220.127.116.11

ns2.mydomain.com
IP address #1: 18.104.22.168

[+] 4 (sub)domains and 4 IP address(es) found
[+] regular-format results can be found on mydomain.com
[+] completion time: 322 second(s)
The "-r" flag is where you specify the results file, and the "-w" switch lets you specify a wordlist. This is a great way to kick off host discovery! Run this first, then peel off the results. Give the obvious web servers to the web app testing team, and let Nmap do its thing on only the hosts that are returned.
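Monitoring the DNS server is the one defence the segment mentions, so here is what that check can look like. This is an added example, not part of the show notes or of dnsmap: a small Python detector run over constructed resolver log lines in an assumed simplified format (timestamp, client, query name, type, rcode) that flags a client asking for many distinct names in one zone within a short window with mostly NXDOMAIN answers, which is exactly the shape a wordlist run with a 10 ms delay leaves behind. The log format, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the page), in an assumed simplified
# format: "<ISO time> <client> <qname> <qtype> <rcode>". Real logs need their own parser.
SAMPLE_LOG = """\
2010-02-25T10:00:00 203.0.113.5 email.mydomain.com A NOERROR
2010-02-25T10:00:00 203.0.113.5 avatar.mydomain.com A NXDOMAIN
2010-02-25T10:00:00 203.0.113.5 matrix.mydomain.com A NXDOMAIN
2010-02-25T10:00:01 203.0.113.5 alien.mydomain.com A NXDOMAIN
2010-02-25T10:00:01 203.0.113.5 jaws.mydomain.com A NXDOMAIN
2010-02-25T10:00:01 203.0.113.5 mail.mydomain.com A NOERROR
2010-02-25T10:00:02 203.0.113.5 rambo.mydomain.com A NXDOMAIN
2010-02-25T10:00:02 203.0.113.5 tron.mydomain.com A NXDOMAIN
2010-02-25T10:00:03 198.51.100.9 www.mydomain.com A NOERROR
2010-02-25T10:05:00 198.51.100.9 mail.mydomain.com A NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (time, client, qname, rcode) for each well-formed line; skip junk."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, _qtype, rcode = m.groups()
            yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def zone_of(qname):
    """Crude registered-zone guess: the last two labels (fine for mydomain.com)."""
    return ".".join(qname.split(".")[-2:])

def detect_bruteforce(log_text, window_s=60, min_names=8, min_nx_ratio=0.5):
    """Flag (client, zone) pairs with many distinct names and mostly NXDOMAIN answers in one window."""
    events = defaultdict(list)
    for ts, client, qname, rcode in parse(log_text):
        events[(client, zone_of(qname))].append((ts, qname, rcode))
    alerts = []
    for (client, zone), evs in events.items():
        evs.sort()
        for i in range(len(evs)):  # slide a window starting at each event
            win = [e for e in evs[i:] if (e[0] - evs[i][0]).total_seconds() <= window_s]
            names = {e[1] for e in win}
            nx = sum(1 for e in win if e[2] == "NXDOMAIN")
            if len(names) >= min_names and nx / len(win) >= min_nx_ratio:
                alerts.append((client, zone, len(names), nx))
                break  # one alert per client/zone pair is enough
    return alerts
```

Each alert is (client, zone, distinct names seen, NXDOMAIN count); the benign client with two lookups in five minutes never trips the thresholds.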
Stories For Discussion
- Android Controller on WRT54GL to control a door - [PaulDotCom] - Such a cool project! Using the pins set aside for the "cisco button" smart hardware/software engineers were able to trigger a door opening remotely. Very neat hack!
- DNS Brute Forcing to find embedded systems - [PaulDotCom] - So, because Linksys cameras have specific DDNS services, you can do domain name brute forcing and discover tons of systems Internet facing. The results are fascinating, and it's much quicker than port scanning and more accurate than Google hacking.
- Are Exploits Necessary? - [PaulDotCom] - Okay, everyone just relax. I know, I know, the podcaster meetup was sort of a train wreck. Andy calls it "a waste of time". I beg to differ, there was a lot of entertaining stuff and some intelligent debate. More importantly, we're working on a much better format and schedule for the Defcon meetup. Let's get one thing straight, I DO NOT want the podcaster meetup to get a bad rap and we WILL do 100x better next time. I've already sent email to Tim Krabec, and we've already begun planning. We (PaulDotCom) are putting a lot more resources into this and playing a more active role in the planning and execution. So, if you have a gripe, complaint, suggestion, or comment, take it up with myself and Tim Krabec ASAP. Now, on another note, there was a spectacular debate (argument? not sure which) that took place. There were two main themes, one being "don't run exploits against my system because they crash things" and two "pen testers don't know how to talk to management". Let's get another thing straight, there are many successful penetration testing companies that know how to properly analyze risk (without crashes) and talk to management (ourselves included). Now, Andy also states, "If you find a vulnerability that there are known exploits for why do you need to take the extra step to exploit it?". He then makes an argument that you don't have to exploit it, and I disagree. It's not about exploiting the vulnerability, it's what you can do to the network and systems once you've exploited it and how you can build multiple "exploits" and "vulnerabilities" on top of each other to expose risk. Then, AND ONLY THEN, can management make the BEST decisions. For example, let's say you are using a PHP application that is critical to your business. You may accept the risk that everyone has theoretically talked about.
Then a pen tester comes along, enumerates the weaknesses, exploits them, performs SQLi, gets a shell on the database server, escalates privileges, compromises more user accounts, and obtains a copy of all your data. Now you know the risk, and it's the pen tester's job to tell you how to prioritize and fix it, including the processes that need to be implemented to secure your web environment.
- How does a consumer report PCI violation - [PaulDotCom] - Or "Pwned by the pizza guy", and no, that is not a pr0n movie title. Many are aware that their credit card may get stolen because they use it on the Internet, or a data breach occurs in a major retailer. However, they happily hand it over to a waiter at a restaurant and slide it in the gas pump. In this case the CC #'s were being emailed! Nice, makes me think that attackers have it easy if they are after credit cards these days; retail is a huge target and has a track record of poor security and a high volume of credit card transactions. Think about a fast food chain that has all of its stores connected, processing thousands of transactions per day. Yikes.
- Scanning From The Cloud - [PaulDotCom] - This is one of those double-edged swords: cloud computing is great. Take Amazon EC2, set up a system in minutes. Minutes later, start scanning the Internet and build a botnet. Complain to Amazon that someone is scanning and building a botnet, Amazon says, "Oh yeah, we'll look into that". This is a great place for attackers to hide, in the cloud. If I were to scan the Internet, I'd do it from the cloud. Worst case they shut me down and I move to a different cloud. This is yet another case where the ISP, or ASP, is not taking responsibility and enforcing policy. It makes the Internet an even crappier place.