Episode204
From PaulDotCom Security Weekly
Sponsors
- Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."
"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."
"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."
"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet...."
Shameless Plugs & General Announcements
Welcome PaulDotCom Security Weekly - Episode 204 - For Sunday August 1, 2010.
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon!
- It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use MET25 when you register for Boston on August 8th and 9th.
- John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.
- The Kansas City FBI InfraGard program is looking for some penetration testers to participate on the "Red Team" for an upcoming mock Cyber Warfare exercise. The event pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network. We are looking for participants with pen-test experience, or someone who has some "daemons" they need to get out in a controlled environment. This is a community event, and all skill levels are welcome; please see http://cyber-raid.com for more info.
Tech Segment: How to Survive non-showering attendees at Cons
Soap
Tech Segment: HoneyPorts on Linux
Building on the concepts that we discussed last week with HoneyPorts on Windows, we will now take a look at how to do roughly the same thing on Linux.
First, the setup:
[root@linux ~]# while true ; do echo "started" ; IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1` ; [ -n "${IP}" ] && iptables -A INPUT -p tcp -s ${IP} -j DROP ; done
Once again, we are using netcat because it does a very good job of only logging connections when a full connection has been made. We do not want to have our block rule tripped and a system blocked simply based on a SYN packet. This would be disastrous because an attacker would be able to spoof traffic from a number of legitimate sources to cause your system to DoS itself.
Please note that the syntax of the cut commands may change based on the version of Netcat you may be using. This was a great tip provided by ByteBucket, who was a great help with this little project.
Let's see what the port scan looks like:
Nmap scan report for 172.16.30.191
Host is up (0.0012s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2222/tcp open  unknown
3306/tcp open  mysql
Please note that we are not running nmap as root. By default, when running an nmap scan as a non-root user the scan type will be -sT or a full connect scan.
Let's see what happens when we try the scan again:
Nmap scan report for 172.16.30.191
Host is up.
All 1000 scanned ports on 172.16.30.191 are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.24 seconds
And our iptables rule is now in effect:
[root@linux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  172.16.30.1          anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
And now the scanner, and only the scanner, is blocked. Once again, remember this is effective because it is hard to spoof an IP address and the associated TCP initial sequence numbers (ISNs). It is even more difficult if the real system is alive and sending RST packets.
However, it is not impossible.
Please note that the rule I have used can be extended with the recent module in iptables, so the drop rule will time out after a specified period of time.
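As an added example (not part of the original segment or strandjs's one-liner), here is the same honeyport idea in Python with the pieces a practitioner usually wants around it: the trigger is a real accept(), so only completed three-way handshakes count, exactly as with the netcat listener; an allowlist keeps you from blocking your own management host; a parser for the verbose netcat line handles both output layouts that the version caveat above is about; and an alternative blocker uses the iptables recent module mentioned above so entries expire instead of piling up. The ALLOWLIST address, the xt_recent list name "honeyport", and the two sample netcat lines are constructed for this example; the loopback_demo() function uses a dry-run blocker so it runs without root and without touching the firewall.

```python
import ipaddress
import re
import socket
import subprocess
import threading

# Peers that must never be blocked, e.g. the admin workstation (constructed value).
ALLOWLIST = {"172.16.30.254"}

# Client-address line as printed by a verbose netcat listener. Two layouts are
# assumed here, since the format differs between netcat builds:
#   connect to [172.16.30.191] from (UNKNOWN) [172.16.30.1] 54321
#   Connection from 172.16.30.1 port 54321 [tcp/*] accepted
# Both carry the client IP after the word "from".
_NC_PEER_RE = re.compile(r"\bfrom\s+(?:\S+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def peer_ip_from_nc_line(line):
    """Return the client IPv4 address from a verbose netcat line, else None."""
    m = _NC_PEER_RE.search(line)
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))  # rejects e.g. 999.1.1.1
    except ipaddress.AddressValueError:
        return None


def block_rule(ip):
    """argv for the permanent DROP rule used by the netcat one-liner."""
    return ["iptables", "-A", "INPUT", "-p", "tcp", "-s", ip, "-j", "DROP"]


def iptables_blocker(ip):
    subprocess.run(block_rule(ip), check=True)


# Alternative blocker with a timeout via the iptables "recent" module. It assumes
# one static rule is already installed, for example:
#   iptables -I INPUT -m recent --name honeyport --rcheck --seconds 3600 -j DROP
# and then only adds the peer to that list; the kernel ages the entry out.
XT_RECENT_LIST = "/proc/net/xt_recent/honeyport"  # list name is a constructed choice


def xt_recent_blocker(ip):
    with open(XT_RECENT_LIST, "w") as f:
        f.write("+" + ip + "\n")


class HoneyPort:
    """Listen on a port nobody should touch; block any peer that fully connects."""

    def __init__(self, port, bind="0.0.0.0", allowlist=ALLOWLIST, blocker=iptables_blocker):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind, port))
        self.sock.listen(5)
        self.allowlist = set(allowlist)
        self.blocker = blocker
        self.blocked = []
        self.last_peer = None

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def handle_one(self):
        # accept() only returns once the three-way handshake has completed, so a
        # bare SYN with a spoofed source never reaches the blocker.
        conn, (peer, _) = self.sock.accept()
        conn.close()
        self.last_peer = peer
        if peer not in self.allowlist:
            self.blocker(peer)
            self.blocked.append(peer)
        return peer

    def serve_forever(self):
        while True:
            self.handle_one()


def loopback_demo(allowlist=frozenset()):
    """Trip a honeyport on 127.0.0.1 with a dry-run blocker. Returns the peer
    address accept() saw and the list of iptables argv that would have run."""
    would_run = []
    hp = HoneyPort(0, bind="127.0.0.1", allowlist=allowlist,
                   blocker=lambda ip: would_run.append(block_rule(ip)))
    t = threading.Thread(target=hp.handle_one)
    t.start()
    with socket.create_connection(("127.0.0.1", hp.port)):
        pass  # a completed connect is all it takes to trip the port
    t.join()
    hp.sock.close()
    return hp.last_peer, would_run


if __name__ == "__main__":
    print(loopback_demo())
```

For production use, run HoneyPort(2222).serve_forever() as root with the default iptables_blocker, or pass blocker=xt_recent_blocker once the static recent rule is in place; keep every management address in ALLOWLIST before starting it.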
A full write-up can be found here.
So there you have it. A nice little way to mess with attackers, pen testers and the pesky red-teamers you may have to face in the future.
-strandjs (Fr. John)
Stories For Discussion
1) Vuln scanning vs pen testing - do you need to exploit something to know you have to patch it? Does "exploitability" factor into a risk calculation? What if the vendor makes software that can't be patched? Some people are then trying to exploit it to gauge risk; I kinda think this is dumb.
2) IPv6 - It's coming; large ISPs are already there because they are out of address space. So, given a typical network will be 1-10 million addresses worth of space, with only a small percentage of live hosts, how do we do host discovery? ARP is different in v6, you can't scan it like v4. Some thoughts are DNS, passive recon, sniffing, SMB enumeration; we will have to be creative. I think we should apply these methods to v4 to be more stealthy and speed up our scans!
3) RFID, ATMs, and attacking daily life - I think we're going to see "hacking" start to trickle into the mainstream. As devices become computers, and everyday computers become devices we use daily, hacking life will be accessible to us and all those teenagers living in their mom's basements that we always talk about. The ATM hack was cool, and it's still not fixed. RFID tags can be read from a mile away, stealing your personal information. I believe we will see these attacks get easier and digital and physical crimes will merge. For example, I will scan your wallet to get your PIN number, then use ATM hacks to cover my tracks when I take out money.
