<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
    <channel>
        <title>PaulDotCom</title>
        <link>http://pauldotcom.com/</link>
        <description />
        <language>en</language>
        <copyright>Copyright 2013</copyright>
        <lastBuildDate>Tue, 18 Jun 2013 14:22:17 -0500</lastBuildDate>
        <generator>http://www.sixapart.com/movabletype/</generator>
        <docs>http://www.rssboard.org/rss-specification</docs>
        
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/pauldotcom/XBIC" /><feedburner:info uri="pauldotcom/xbic" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
            <title>Creating Malicious Firmware with Firmware-Mod-Kit</title>
            <description>&lt;p&gt;&lt;iframe src="http://blip.tv/play/hr4jg5OORgI.x?p=1" width="720" height="433" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://blip.tv/api.swf#hr4jg5OORgI" style="display:none"&gt;&lt;/embed&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;center&gt;&lt;br /&gt;
&lt;br/&gt;&lt;br /&gt;
&lt;h1&gt;Firmware-Mod-Kit to make Malicious Firmware&lt;/h1&gt;&lt;br /&gt;
&lt;br/&gt;&lt;br /&gt;
&lt;/center&gt;The intent of this tech segment is really to show how insecure devices are, and how we need to be cautious when rooting, modifying or updating firmware. It starts with a tool created by Craig Heffner and Jeremy Collake (&lt;a href="https://code.google.com/p/firmware-mod-kit/"&gt;download here&lt;/a&gt;). It allows you to take a firmware image and strip it down to its root file system; Craig uses it and binwalk a lot on his embedded device hacking blog, &lt;a href="http://www.devttys0.com/blog"&gt;devttys0&lt;/a&gt;. The collection of scripts is easy to use, and it saves tons and tons of time: doing any of it manually would take hours if not days. Let's dive right into it.&lt;/p&gt;

&lt;p&gt;First, we need to extract the firmware we have. I am using a router that is running dd-wrt, so I figured that would be a good firmware to get and rip apart. We run the command ./extract-firmware.sh filename. This decompresses the firmware and puts it nicely into a "fmk/" directory.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="http://test.pauldotcom.com/wp-content/uploads/2013/06/Extract.png" /&gt;&lt;/p&gt;

&lt;p&gt;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Next we extract the dd-wrt GUI (web pages) by typing ./ddwrt-gui-extract.sh:&lt;br /&gt;
&lt;img alt="" src="http://test.pauldotcom.com/wp-content/uploads/2013/06/extractgui1.png" /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="http://test.pauldotcom.com/wp-content/uploads/2013/06/extractgui2.png" /&gt;&lt;br /&gt;
&lt;br/&gt;&lt;br /&gt;
We then find our target page Info.htm, open it and add in our XSS BeEF hook:&lt;br /&gt;
&lt;img alt="" src="http://test.pauldotcom.com/wp-content/uploads/2013/06/indexhtm.png" /&gt;&lt;br /&gt;
&lt;br/&gt;&lt;br /&gt;
We package it all up with ./ddwrt-gui-rebuild &amp;amp; ./build-firmware. When it's done, we flash our router with the new firmware. When we come back to the page... our browser is now hooked and exploited.&lt;br /&gt;
&lt;br/&gt;&lt;br /&gt;
&lt;img alt="" src="http://test.pauldotcom.com/wp-content/uploads/2013/06/Beef-Hooked-Browser.png" /&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/huNtpqYRhC4" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/huNtpqYRhC4/creating-malicious-firmware-wi.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/creating-malicious-firmware-wi.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">Videos</category>
            
            
            <pubDate>Tue, 18 Jun 2013 14:22:17 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/creating-malicious-firmware-wi.html</feedburner:origLink></item>
        
        <item>
            <title>EPISODE 336 WITH GUEST PETE LINDSTROM &amp; TECH SEGMENT WITH BRO IDS'S LIAM &amp; SETH THURSDAY 6PM ET</title>
            <description>&lt;p&gt;&lt;br /&gt;Join us for PaulDotCom Security Weekly &lt;a href="http://pauldotcom.com/wiki/index.php/Episode336"&gt; Episode 336.&lt;/a&gt; With guest Pete Lindstrom, Pete Lindstrom is Principal and Vice President of Research for Spire Security, an industry analyst firm providing analysis and research in the information security field. He has held similar industry analyst positions at Burton Group and Hurwitz Group. In his previous position as a security architect, Pete operated as the deputy to the Chief Information Security Officer for Wyeth Pharmaceuticals. Pete honed his finance and technology skills in the United States Marine Corps where he was one of two disbursing officers in theater during the First Gulf War. Also, for our tech segment we are joined by Liam &amp; Seth from BRO IDS. Bro is a passive, open-source network traffic analyzer. &lt;/p&gt;

&lt;p&gt;Sit back and enjoy the show live or participate in the live chat on our &lt;a href="http://pauldotcom.com/live/"&gt;Ustream channel&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;iframe src="http://www.ustream.tv/embed/112532" width="608" height="368" scrolling="no" frameborder="0" style="border: 0px none transparent;"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;a href="http://www.ustream.tv/" style="padding: 2px 0px 4px; width: 400px; background: #ffffff; display: block; color: #000000; font-weight: normal; font-size: 10px; text-decoration: underline; text-align: center;" target="_blank"&gt;Streaming video by Ustream&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE: The video will play the most recent show up until we are live!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to follow us on Twitter: &lt;a href="http://twitter.com/pauldotcom"&gt;Paul Asadoorian&lt;/a&gt;, &lt;a href="http://twitter.com/haxorthematrix"&gt;Larry Pesce&lt;/a&gt;, &lt;a href="http://twitter.com/jack_daniel"&gt;Jack Daniel&lt;/a&gt;, &lt;a href="http://twitter.com/carlos_perez"&gt;Carlos Perez&lt;/a&gt;, &lt;a href="http://twitter.com/strandjs"&gt;John Strand&lt;/a&gt;, &lt;a href="http://twitter.com/nixonnixoff"&gt;Allison Nixon&lt;/a&gt; and &lt;a href="http://twitter.com/InternMike"&gt;Mike Perez&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/MlGiOLDhBKQ" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/MlGiOLDhBKQ/episode-336-with-guest-pete-li.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/episode-336-with-guest-pete-li.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Tue, 18 Jun 2013 10:25:37 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/episode-336-with-guest-pete-li.html</feedburner:origLink></item>
        
        <item>
            <title>Breaking News!</title>
            <description>&lt;p&gt;Special Segment with Dave "Rel1k" Kennedy: Connecting the Dots on Bypassing AV&lt;/p&gt;

&lt;p&gt;Dave Kennedy is CEO of TrustedSec, former CSO of a Fortune 1000, founder of DerbyCon, and creator of the Social-Engineer Toolkit and Artillery tools. Dubbed "The James Brown of InfoSec" for his work ethic, Dave *is* the nicest, coolest, bad-ass technical CEO on the planet*. Heavily involved with BackTrack and the Social-Engineer Framework, Dave works on a variety of open-source projects, such as AV Bypass. *Also, he is the subject of a man-crush by Executive Producer Mike Perez. (Totally understandable, Dave is awesome and inspirational in every talk I've seen.)&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
In addition we have JP Bourget and Bruce Potter on &lt;a href="http://www.cycleoverride.org"&gt;CycleOverride&lt;/a&gt;. CycleOverride is planning a series of rides over the coming years that revolve around information security and fundraising for organizations important to the infosec community. While we haven't chosen our charities yet, we're working on it and will have an announcement in the coming months. These rides are meant to be fun, but also meant to raise awareness of cyber security and hackerdom in general.&lt;/p&gt;

&lt;p&gt;Make sure to join us on this information packed episode of PaulDotCom!&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/lgaXp2mBnuQ" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/lgaXp2mBnuQ/breaking-news.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/breaking-news.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Tue, 11 Jun 2013 19:03:11 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/breaking-news.html</feedburner:origLink></item>
        
        <item>
            <title>EPISODE 335 WITH GUEST BILL STEARNS &amp; TECH SEGMENT WITH PHIL HAGEN THURSDAY 6PM ET</title>
            <description>&lt;p&gt;&lt;br /&gt;Join us for PaulDotCom Security Weekly &lt;a href="http://pauldotcom.com/wiki/index.php/Episode335"&gt; Episode 335,&lt;/a&gt; With guest Bill Stearns. Bill is a Senior Research Engineer at CloudPassage, He also worked on Honeypot development and other network security projects. He is a content author and faculty member at the SANS Institute. His background is in network and operating system security; he was the chief architect of a commercial firewall and is an active contributor to the Linux development effort. His spare time is spent coordinating and maintaining an antispam blacklist. Bill's articles and tools can be found in SysAdmin magazine, online journals, and at http://www.stearns.org. Also, for our tech segment we are joined by Phil Hagen. Phil Hagen started his security career while attending the US Air Force Academy, but later shifted to a government contractor, providing technical services for exotic IT security projects. Most recently, Phil formed Lewes Technology Consulting, LLC where he performs forensic casework and infosec training. Phil will be introducing us the Logstash on this show. &lt;/p&gt;

&lt;p&gt;Sit back and enjoy the show live or participate in the live chat on our &lt;a href="http://pauldotcom.com/live/"&gt;Ustream channel&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;iframe src="http://www.ustream.tv/embed/112532" width="608" height="368" scrolling="no" frameborder="0" style="border: 0px none transparent;"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;a href="http://www.ustream.tv/" style="padding: 2px 0px 4px; width: 400px; background: #ffffff; display: block; color: #000000; font-weight: normal; font-size: 10px; text-decoration: underline; text-align: center;" target="_blank"&gt;Streaming video by Ustream&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE: The video will play the most recent show up until we are live!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to follow us on Twitter: &lt;a href="http://twitter.com/pauldotcom"&gt;Paul Asadoorian&lt;/a&gt;, &lt;a href="http://twitter.com/haxorthematrix"&gt;Larry Pesce&lt;/a&gt;, &lt;a href="http://twitter.com/jack_daniel"&gt;Jack Daniel&lt;/a&gt;, &lt;a href="http://twitter.com/carlos_perez"&gt;Carlos Perez&lt;/a&gt;, &lt;a href="http://twitter.com/strandjs"&gt;John Strand&lt;/a&gt;, &lt;a href="http://twitter.com/nixonnixoff"&gt;Allison Nixon&lt;/a&gt; and &lt;a href="http://twitter.com/InternMike"&gt;Mike Perez&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/lvhn2U9Uu5c" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/lvhn2U9Uu5c/episode-335-with-guest-bill-st.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/episode-335-with-guest-bill-st.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Sun, 09 Jun 2013 22:18:57 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/episode-335-with-guest-bill-st.html</feedburner:origLink></item>
        
        <item>
            <title>Hack Naked TV Episode 56</title>
            <description>&lt;p&gt;in this episode we talk about NetTraveler, P2P Botnets and how old software will destroy us all!!!&lt;/p&gt;

&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5LgLQA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5LgLQA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;

&lt;p&gt;Links for this episode:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="http://tinyurl.com/HNTV-RED"&gt;NetTraveler&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://tinyurl.com/HNTV-p2p2013"&gt;P2P Botnets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://tinyurl.com/HNTV-Java-we-are-screwed"&gt;Old Java&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://tinyurl.com/HNTV-OCM-BH2013"&gt;Offensive Countermeasures at Black Hat&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;-strandjs&lt;/p&gt;

&lt;div style="text-align:center;"&gt;&lt;strong&gt;Video Feeds:&lt;/strong&gt;  &lt;a href="http://blip.tv/rss/bookmarks/241768 "&gt;&lt;img src="http://pauldotcom.com/images/xml.png" border="0"&gt;&lt;/a&gt;&lt;a href="http://itunes.apple.com/us/podcast/pauldotcom-hack-naked-tv/id121896233"&gt;&lt;img src="http://pauldotcom.com/images/itunes.gif" border="0"&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/qhFJZzQmqMU" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/qhFJZzQmqMU/hack-naked-tv-episode-56.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/hack-naked-tv-episode-56.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Hack Naked TV</category>
            
            
            <pubDate>Wed, 05 Jun 2013 14:35:55 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/hack-naked-tv-episode-56.html</feedburner:origLink></item>
        
        <item>
            <title>EPISODE 334 WITH GUEST ANDY ELLIS &amp; TECH SEGMENT WITH GREG HETRICK THURSDAY 6PM ET</title>
            <description>&lt;p&gt;&lt;br /&gt;Join us for PaulDotCom Security Weekly &lt;a href="http://pauldotcom.com/wiki/index.php/Episode334"&gt; Episode 334,&lt;/a&gt; With guest Andy Ellis. Andy Ellis is Akamai's Chief Security Officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patentholder of Akamai's SSL acceleration network, as well as several of the critical technologies underpinning the company's Kona Security Solutions. Mr. Ellis is at the forefront of Internet policy; as a speaker, blogger, member of the FCC CSRIC, supporting Akamai's CEOs on the NIAC and NSTAC, and an advisory board member of HacKid. He is a graduate of MIT and a former US Air Force officer, the recipient of the CSO Magazine Compass Award, the Air Force Commendation Medal, The Wine Spectator's Award of Excellence, and the Spirit of Disneyland Award. He can be found on Twitter as @csoandy. Also, for our tech segment we are joined by Greg Hetrick. Greg is an Intern with Pauldotcom and a Senior Security Engineer for a financial services firm. Greg specializes in Vulnerability management, penetration testing and security architecture. Prior to his work in security, Greg was a unix/linux system administrator for a couple large organizations. Greg has been known to dabble in python development. Outside of his work in security Greg is an avid shooter competing in IDPA and BPCR matches. He currently holds the following certificates: GPEN, GISP, CISSP, RHCE . &lt;/p&gt;

&lt;p&gt;Sit back and enjoy the show live or participate in the live chat on our &lt;a href="http://pauldotcom.com/live/"&gt;Ustream channel&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;iframe src="http://www.ustream.tv/embed/112532" width="608" height="368" scrolling="no" frameborder="0" style="border: 0px none transparent;"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;a href="http://www.ustream.tv/" style="padding: 2px 0px 4px; width: 400px; background: #ffffff; display: block; color: #000000; font-weight: normal; font-size: 10px; text-decoration: underline; text-align: center;" target="_blank"&gt;Streaming video by Ustream&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE: The video will play the most recent show up until we are live!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to follow us on Twitter: &lt;a href="http://twitter.com/pauldotcom"&gt;Paul Asadoorian&lt;/a&gt;, &lt;a href="http://twitter.com/haxorthematrix"&gt;Larry Pesce&lt;/a&gt;, &lt;a href="http://twitter.com/jack_daniel"&gt;Jack Daniel&lt;/a&gt;, &lt;a href="http://twitter.com/carlos_perez"&gt;Carlos Perez&lt;/a&gt;, &lt;a href="http://twitter.com/strandjs"&gt;John Strand&lt;/a&gt;, &lt;a href="http://twitter.com/nixonnixoff"&gt;Allison Nixon&lt;/a&gt; and &lt;a href="http://twitter.com/InternMike"&gt;Mike Perez&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/g2kR4X49HN0" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/g2kR4X49HN0/episode-334-with-guest-andy-el.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/06/episode-334-with-guest-andy-el.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Mon, 03 Jun 2013 12:09:32 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/06/episode-334-with-guest-andy-el.html</feedburner:origLink></item>
        
        <item>
            <title>Interview with Chris Truncer - Episode 333</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5LNRAA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5LNRAA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;

&lt;p&gt;Chris Truncer is a Penetration Tester at Veris Group, where he performs a variety of assessments for Federal and commercial customers. Currently Chris is supporting DHS and their development of an operational penetration testing team to support civilian government agencies. He currently helps to develop the overall program while also leading pen testing teams for other customers. His specialties include wireless network assessments and network-level penetration testing. Recently, Chris became interested in AV evasion methods, which led to the development of Veil.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://pauldotcom.com/wiki/index.php/Episode333"&gt;Episode 333 Show Notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://traffic.libsyn.com/pauldotcom/PaulDotCom-333.mp3"&gt;Episode 333 (mp3)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/4B8Dxr-IcWY" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/4B8Dxr-IcWY/interview-with-chris-truncer--.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/interview-with-chris-truncer--.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Fri, 31 May 2013 16:21:08 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/interview-with-chris-truncer--.html</feedburner:origLink></item>
        
        <item>
            <title>Interview with Gunnar Peterson - Episode 333</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5LNPgA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5LNPgA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;

&lt;p&gt;Gunnar Peterson does security consulting, training and research on Identity and Access Management, Cloud, Mobile and software security. He is a Microsoft MVP for Application security, an IANS Research Faculty member, and a Securosis Contributing Analyst. He maintains a popular information security blog at http://1raindrop.typepad.com.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://pauldotcom.com/wiki/index.php/Episode333"&gt;Episode 333 Show Notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://traffic.libsyn.com/pauldotcom/PaulDotCom-333.mp3"&gt;Episode 333 (mp3)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/VVQOXxnVQ9M" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/VVQOXxnVQ9M/interview-with-gunnar-peterson.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/interview-with-gunnar-peterson.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Fri, 31 May 2013 16:12:07 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/interview-with-gunnar-peterson.html</feedburner:origLink></item>
        
        <item>
            <title>SSH over Stunnel for IDS evasion</title>
            <description>&lt;p&gt;A few weeks ago (Episode 329 &lt;a href="http://pauldotcom.com/wiki/index.php/Episode329#Tech_Segment:_Free_Amazon_Socks_Proxy_by_Allison"&gt;http://pauldotcom.com/wiki/index.php/Episode329#Tech_Segment:_Free_Amazon_Socks_Proxy_by_Allison&lt;/a&gt;) Allison gave a great segment on avoiding firewalls using port forwarding and SOCKS proxy via ssh with a server on port 443 using free Amazon AWS instance. Something struck me:&lt;/p&gt;
&lt;p&gt;1) you could have a proxy block SSH traffic going over 443.&lt;/p&gt;
&lt;p&gt;2) you could haven IDS detect and, if inline, block since any IDS will detect SSH over non-standard ports. &lt;/p&gt;
&lt;p&gt;So how do we fix this problem? Encapsulate SSH traffic inside SSL of course. In comes stunnel! Stunnel creates a SSL tunnel to pass almost any traffic through it. All you need is the same AWS instance that Allison talked about with stunnel installed and a client on the other end also with stunnel.&lt;/p&gt;
&lt;p&gt;The setup:&lt;/p&gt;
&lt;p&gt;yum or apt-get install stunnel on both server and client (there is a MacPorts port of stunnel, as well as Android and Windows installers, at stunnel.org).&lt;/p&gt;
&lt;p&gt;Server side configuration: create the file stunnel.config with the contents below:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;cert=/path/to/stunnel.pem&lt;br /&gt;pid=/tmp/stunnel.pid&lt;br /&gt;[ssh]&lt;br /&gt;accept = &amp;lt;serverip&amp;gt;:443&lt;br /&gt;connect = 127.0.0.1:22&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Create a self-signed certificate.&lt;/p&gt;
&lt;p&gt;Create a key:&lt;/p&gt;
&lt;p&gt; $ &lt;strong&gt;openssl genrsa 1024 &amp;gt; stunnel.key&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Generating RSA private key, 1024 bit long modulus&lt;br /&gt;...........................++++++&lt;br /&gt;........++++++&lt;br /&gt;e is 65537 (0x10001)&lt;/p&gt;
&lt;p&gt;Generate the self-signed certificate:&lt;/p&gt;
&lt;p&gt;$ &lt;strong&gt;openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt&lt;/strong&gt;&lt;br /&gt;You are about to be asked to enter information that will be incorporated&lt;br /&gt;into your certificate request.&lt;br /&gt;What you are about to enter is what is called a Distinguished Name or a DN.&lt;br /&gt;There are quite a few fields but you can leave some blank&lt;br /&gt;For some fields there will be a default value,&lt;br /&gt;If you enter '.', the field will be left blank.&lt;br /&gt;-----&lt;br /&gt;Country Name (2 letter code) [AU]:&lt;br /&gt;State or Province Name (full name) [Some-State]:&lt;br /&gt;Locality Name (eg, city) []:&lt;br /&gt;Organization Name (eg, company) [Internet Widgits Pty Ltd]:&lt;br /&gt;Organizational Unit Name (eg, section) []:&lt;br /&gt;Common Name (e.g. server FQDN or YOUR name) []:&lt;br /&gt;Email Address []:&lt;/p&gt;
&lt;p&gt;Next, create the PEM file, which just contains the key and the crt contents:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;$ cat stunnel.crt stunnel.key &amp;gt; stunnel.pem&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Now you can start the tunnel. In Debian there is a Perl wrapper for stunnel4 at /usr/local/bin/stunnel; when I invoked stunnel this way the tunnel would not start. When I bypassed the wrapper and called stunnel4 directly it worked fine.&lt;/p&gt;
&lt;p&gt;$ &lt;strong&gt;stunnel4 stunnel.config&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Verify with netstat that the port is listening (netstat -tanp), or test it with an openssl command: $ openssl s_client -connect &amp;lt;ip&amp;gt;:443&lt;/p&gt;
&lt;p&gt;Now, over on the client side, copy the .pem certificate from the server and place it somewhere. Then create your client configuration file, stunnelclient.config:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;cert=/home/ghetrick/stunnel/stunnel.pem&lt;br /&gt;pid=/tmp/stunnel.pid&lt;br /&gt;client=yes&lt;br /&gt;[ssh]&lt;br /&gt;accept=2200&lt;br /&gt;;protocol=connect&lt;br /&gt;;protocolHost=&amp;lt;ip:port&amp;gt;&lt;br /&gt;;protocolUsername=&amp;lt;username&amp;gt;&lt;br /&gt;;protocolPassword=&amp;lt;pass&amp;gt;&lt;br /&gt;connect=&amp;lt;ip: port&amp;gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;*If you need to go through a proxy you can uncomment the "protocol" lines and fill out the information accordingly, where protocolHost is the server you want to connect to, and connect becomes the IP and port of the proxy device. If there is no proxy present, the connect line is the IP and port of the remote host to connect to.&lt;/p&gt;
&lt;p&gt;Now fire up stunnel on the client machine:&lt;/p&gt;
&lt;p&gt;$ &lt;strong&gt;stunnel4 stunnelclient.config&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Run netstat -tapn to verify it is listening on the assigned local port; in this example it is 2200.&lt;/p&gt;
&lt;p&gt;Now you can simply ssh to localhost:&lt;/p&gt;
&lt;p&gt;$ &lt;strong&gt;ssh -p 2200 localhost&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;and you are on the remote server, all hidden in nice SSL packets. I was able to run through a web proxy on port 443 with this config and did not trip signatures on the IDS that was otherwise tripping without stunnel in the middle.&lt;/p&gt;
&lt;p&gt;You should be able to follow Allison's documentation for getting port forwarding working properly for full enjoyment.&lt;/p&gt;
&lt;p&gt;Go forth and evade.&lt;/p&gt;
&lt;p&gt;-@gchetrick&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/Vq9AiR4RexY" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/Vq9AiR4RexY/ssh-over-stunnel-for-ids-evasi.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/ssh-over-stunnel-for-ids-evasi.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">ids evasion</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">infosec</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">techsegment</category>
            
            <pubDate>Thu, 30 May 2013 10:48:09 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/ssh-over-stunnel-for-ids-evasi.html</feedburner:origLink></item>
        
        <item>
            <title>EPISODE 333 WITH GUEST GUNNAR PETERSON &amp; TECH SEGMENT WITH CHRIS TRUNCER THURSDAY 6PM ET</title>
            <description>&lt;p&gt;&lt;br /&gt;Join us for PaulDotCom Security Weekly &lt;a href="http://pauldotcom.com/wiki/index.php/Episode333"&gt; Episode 333,&lt;/a&gt; With guest Gunnar Peterson. Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security &amp; Privacy Journal on Building Security In, a contributor to the SEI and DHS Build Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences. He maintains a popular information security blog at &lt;a href=" http://1raindrop.typepad.com"&gt; 1raindrop &lt;/a&gt;. Also, for our tech segment we are joined by &lt;a href="https://www.christophertruncer.com/"&gt; Chris Truncer&lt;/a&gt; . Chris is going to be explaining a new python script that he created called Veil. Veil is used to crank out metasploit payloads to bypass all anti-virus companies. Sit back and enjoy the show live or participate in the live chat on our &lt;a href="http://pauldotcom.com/live/"&gt;Ustream channel&lt;/a&gt;:&lt;/p&gt;&lt;/p&gt;

&lt;p&gt;&lt;iframe src="http://www.ustream.tv/embed/112532" width="608" height="368" scrolling="no" frameborder="0" style="border: 0px none transparent;"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;a href="http://www.ustream.tv/" style="padding: 2px 0px 4px; width: 400px; background: #ffffff; display: block; color: #000000; font-weight: normal; font-size: 10px; text-decoration: underline; text-align: center;" target="_blank"&gt;Streaming video by Ustream&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE: The video will play the most recent show up until we are live!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to follow us on Twitter: &lt;a href="http://twitter.com/pauldotcom"&gt;Paul Asadoorian&lt;/a&gt;, &lt;a href="http://twitter.com/haxorthematrix"&gt;Larry Pesce&lt;/a&gt;, &lt;a href="http://twitter.com/jack_daniel"&gt;Jack Daniel&lt;/a&gt;, &lt;a href="http://twitter.com/carlos_perez"&gt;Carlos Perez&lt;/a&gt;, &lt;a href="http://twitter.com/strandjs"&gt; John Strand&lt;/a&gt;, &lt;a href="http://twitter.com/nixonnixoff"&gt;Allison Nixon&lt;/a&gt; and &lt;a href="http://twitter.com/InternMike"&gt; Mike Perez&lt;/a&gt;.&lt;strike&gt;&lt;/strike&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/9rHW8fbImKY" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/9rHW8fbImKY/episode-332-with-guest-gunnar.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/episode-332-with-guest-gunnar.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Tue, 28 May 2013 10:10:42 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/episode-332-with-guest-gunnar.html</feedburner:origLink></item>
        
        <item>
            <title>Thwarting Client Side attacks with Software Restriction Policy</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5KJTwA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5KJTwA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;A few weeks ago I started looking at Windows Software Restriction Policy (SRP) and using it to stop client side attacks. This post goes over some of the options, the setup, and the results once it is enabled.&lt;/p&gt;
&lt;p&gt;SRP is easy to set up via a Group Policy Object (GPO). Inside the GPO editor, create a New Software Restriction Policy. Once it is created, the defaults will be in place; look around to see the basic options. Here is my tested setup.&lt;/p&gt;
&lt;p&gt;Enforcement: Select "All software files" and "All users except local administrators"&lt;/p&gt;
&lt;p&gt;&lt;img style="float: left;" title="Enforcement Properties.png" src="http://pauldotcom.com//2013/05/14/Enforcement Properties.png" alt="Enforcement Properties" width="403" height="442" border="0" /&gt;&lt;/p&gt;
&lt;p&gt;Under Designated File Types: remove the type LNK. This makes sure that shortcuts placed outside of the designated execution directories will still run. When I initially tested what I thought would work, none of the shortcuts on the toolbar or desktop would launch an application, and I found this to be the issue.&lt;/p&gt;
&lt;p&gt;&lt;img style="float: left;" title="FileTypes.png" src="http://pauldotcom.com//2013/05/14/FileTypes.png" alt="FileTypes" width="402" height="445" border="0" /&gt;&lt;/p&gt;
&lt;p&gt;Ignore Trusted Publishers; this is only used if we are limiting applications based on the certificate authority.&lt;/p&gt;
&lt;p&gt;Select "Additional Rules".&lt;/p&gt;
&lt;p&gt;The default execution directories will already be selected:&lt;/p&gt;
&lt;p&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%&lt;br /&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% &lt;/p&gt;
&lt;p&gt;Since mine is 64-bit Windows, I added&lt;/p&gt;
&lt;p&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%&lt;/p&gt;
&lt;p&gt;The security level for these will all be "Unrestricted"; I want them to be able to execute as normal.&lt;/p&gt;
&lt;p&gt;Now, back under "Security Levels", the default setting is Unrestricted. Since we are moving users over to defined execution directories, I want anything not specifically allowed in the Additional Rules section to be "Disallowed", so we change the default to Disallowed.&lt;/p&gt;
&lt;p&gt;Save this and run gpupdate /force on the target machine.&lt;/p&gt;
&lt;p&gt;Now to test a client side attack using SET. I am going to use the Java attack method: 1 -&amp;gt; Social-Engineering Attacks, 2 -&amp;gt; Website Attack Vectors, 1 -&amp;gt; Java Applet Attack Method, 1 -&amp;gt; Web Templates, 1 -&amp;gt; Java Required, 2 -&amp;gt; Windows Reverse_TCP Meterpreter, 16 -&amp;gt; Backdoored Executable - Enter port of listener (default 443)&lt;/p&gt;
&lt;p&gt;Fire it up and wait till it starts the payload handler.&lt;/p&gt;
&lt;p&gt;&lt;img style="float: left;" title="SET Launch.png" src="http://pauldotcom.com//2013/05/14/SET Launch.png" alt="SET Launch" width="600" height="493" border="0" /&gt;&lt;/p&gt;
&lt;p&gt;Once the handler is started you are ready to test the attack. Go ahead and run the unsafe Java applet.&lt;/p&gt;
&lt;p&gt;&lt;img style="float: left;" title="Java Applet.png" src="http://pauldotcom.com//2013/05/14/Java Applet.png" alt="Java Applet" width="600" height="494" border="0" /&gt;&lt;/p&gt;
&lt;p&gt;You will notice that the site is responding but the Java applet is unable to execute the payload.&lt;/p&gt;
&lt;p&gt;&lt;img style="float: left;" title="SET Failure.png" src="http://pauldotcom.com//2013/05/14/SET Failure.png" alt="SET Failure" width="600" height="493" border="0" /&gt;&lt;/p&gt;
&lt;p&gt;After attempting this and being successful, I tried running SET with PowerShell Injection and to my surprise the attack succeeded. I realized that with PowerShell the payload was running from the C:\Windows\sysWOW64\WindowsPowerShell directory, which by default is explicitly allowed. To defeat this attack I added the path to the list of Additional Rules and set it to "Basic User", retested the attack with PS Injection, and the attack failed as expected. I tested this with multiple payloads and encoding methods and every one of them failed to result in a successful attack.&lt;/p&gt;
&lt;p&gt;I ran two other tests. The first used an EXE embedded in a PDF and an older version of Adobe Reader (9.3). SRP was able to successfully stop this attack.&lt;/p&gt;
&lt;p&gt;Finally I tested a physical attack using a USB Rubber Ducky Human Interface Device (HID) from the folks over at hak5 (www.hak5.com). I used a great little payload generator found over on Google Code (&lt;a href="https://code.google.com/p/simple-ducky-payload-generator/"&gt;https://code.google.com/p/simple-ducky-payload-generator/&lt;/a&gt;). It is pretty slick and simple; I used a meterpreter PowerShell injection payload that didn't attempt to elevate privileges. SRP was able to successfully stop this attack. If the user had admin privileges and entered creds in the UAC window it would have worked, since I allow Local Admins unrestricted access.&lt;/p&gt;
&lt;p&gt;In production there are likely other directories where code needs to execute; those will need to be added to the allow list. As the config is done here, administrators will be able to bypass these rules for installation of software etc. Administrators will also need to ensure that ACLs are properly set, since a curious user could move executables into the approved directories and run them. While this is likely a bit tough to implement in a very large organization, it is a very effective method for stopping client side attacks.&lt;/p&gt;
&lt;p&gt;To find other executable directories in use in your environment, enable SRP with the defaults (fully unrestricted) and set the following registry key:&lt;/p&gt;
&lt;p&gt;"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"&lt;br /&gt;String Value: LogFileName, &amp;lt;path to log file&amp;gt;&lt;/p&gt;
&lt;p&gt;This will log each executable and the directory it was run from; a little data mining can then determine where applications need to execute from. The Inventory Collector from the Application Compatibility Toolkit can also assist in this task.&lt;/p&gt;

&lt;p&gt;Update:&lt;/p&gt;
&lt;p&gt;
One PDC reader noted that the configuration would allow a PowerShell attack from SET to work on 32-bit systems, since the path on 32-bit is C:\Windows\System32\WindowsPowerShell. This directory exists on 64-bit machines as well, so a modification to the SET payload could allow the attack to succeed.
&lt;/p&gt;&lt;p&gt;
A fix for this is to also add "C:\Windows\System32\WindowsPowerShell" to the locked down policy under "Additional Rules".
&lt;/p&gt;&lt;p&gt;
The methods above would work for the given attack vector; there may be other vectors that need additional rules depending on the environment.
&lt;/p&gt;
-Greg&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/NK7daiNKck8" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/NK7daiNKck8/thwarting-client-side-attacks.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/thwarting-client-side-attacks.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">defense</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">java</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">pentesting</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">set</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">srp</category>
            
            <pubDate>Wed, 15 May 2013 09:00:38 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/thwarting-client-side-attacks.html</feedburner:origLink></item>
        
        <item>
            <title>Episode 332 with Guest Brian Snow &amp; Tech Segment with Tim Conway Thursday 6PM ET</title>
            <description>&lt;p&gt;&lt;br /&gt;Join us for PaulDotCom Security Weekly &lt;a href="http://pauldotcom.com/wiki/index.php/Episode332"&gt; Episode 332,&lt;/a&gt; With guest Brian Snow. Brian spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA's Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity. Also, for our tech segment we are joined by Tim Conway. Tim is the Technical Director of the Industrial Control Systems and SCADA programs at SANS, where he is responsible for developing, reviewing, and implementing technical components of the ICS and SCADA product offerings. Tim was formerly the Director of Compliance and Operations Technology at the Northern Indiana Public Service Company (NIPSCO).&lt;/p&gt;

&lt;p&gt;Sit back and enjoy the show live or participate in the live chat on our &lt;a href="http://pauldotcom.com/live/"&gt;Ustream channel&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;div style="text-align:center;"&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="360" id="utv336337"&gt;&lt;param name="flashvars" value="autoplay=false&amp;amp;brand=embed&amp;amp;cid=112532&amp;amp;v3=1"/&gt;&lt;param name="allowfullscreen" value="true"/&gt;&lt;param name="allowscriptaccess" value="always"/&gt;&lt;param name="movie" value="http://www.ustream.tv/flash/viewer.swf"/&gt;&lt;embed flashvars="autoplay=false&amp;amp;brand=embed&amp;amp;cid=112532&amp;amp;v3=1" width="640" height="480" allowfullscreen="true" allowscriptaccess="always" id="utv336337" name="utv_n_144517" src="http://www.ustream.tv/flash/viewer.swf" type="application/x-shockwave-flash" /&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE: The video will play the most recent show up until we are live!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to follow us on Twitter: &lt;a href="http://twitter.com/pauldotcom"&gt;Paul Asadoorian&lt;/a&gt;, &lt;a href="http://twitter.com/haxorthematrix"&gt;Larry Pesce&lt;/a&gt;, &lt;a href="http://twitter.com/jack_daniel"&gt;Jack Daniel&lt;/a&gt;, &lt;a href="http://twitter.com/carlos_perez"&gt;Carlos Perez&lt;/a&gt;, &lt;a href="http://twitter.com/strandjs"&gt; John Strand&lt;/a&gt;, &lt;a href="http://twitter.com/nixonnixoff"&gt;Allison Nixon&lt;/a&gt; and &lt;a href="http://twitter.com/InternMike"&gt; Mike Perez&lt;/a&gt;.&lt;strike&gt;&lt;/strike&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/GoiqTrvLRX0" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/GoiqTrvLRX0/episode-332-with-guest-brian-s.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/episode-332-with-guest-brian-s.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Mon, 13 May 2013 08:03:03 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/episode-332-with-guest-brian-s.html</feedburner:origLink></item>
        
        <item>
            <title>Drunken Security News - Episode 331</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5H7ZgA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5H7ZgA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;It's time for another Drunken Security News. Much of the gang was on the road this week so Patrick Laverty sat in with Paul and Engineer Steve for the show, plus Jack's epic beard called in via Skype from lovely Maryland.

&lt;p&gt;First, Paul admitted it was a stretch to bring this into a security context but he wanted to talk about an article that &lt;a href="http://www.economist.com/news/leaders/21577065-prison-deeply-un-american-disgrace-it-needs-be-closed-rapidly-enough-make-you-gag"&gt;he found in The Economist&lt;/a&gt; (via Bruce Schneier) about one theory that if the US would simply be nicer to terrorists, release them from Guantanamo Bay, Cuba and stop hunting them down around the world, that they would in turn be nicer to us. Also, fewer would pop up around the world. The thinking is that jailing and killing them turns others into terrorists. So here's the leap. Can the same be said for black hat hackers? If law enforcement agencies stop prosecuting the hackers, will they be nicer and will there be fewer of them? I think we all came to the same conclusion. "Nah."&lt;/p&gt;

&lt;p&gt;&lt;img alt="grand_moff_tarkin.jpg" src="http://pauldotcom.com/grand_moff_tarkin.jpg" width="300" height="212" class="mt-image-left" style="float: left; margin: 0 20px 20px 0;" /&gt;Paul also found &lt;a href="http://newschoolsecurity.com/2013/05/security-lessons-from-star-wars-breach-response/"&gt;an Adam Shostack article&lt;/a&gt; about how attention to the tiniest details can be important to the largest degree. The example given was the vulnerability to the Death Star in the original Star Wars movie was so small and the chances of it being exploited were so remote that the Empire overlooked it, Grand Moff Tarkin even showing his arrogance shortly before his own demise. The same can be said for our systems. It might be a tiny hole and maybe you think that no one would look for it and even if they do, what are the chances they both find it and exploit it? In some cases, it can have quite dire consequences. The Empire overlooked a small vulnerability that they shouldn't have. Are you doing the same with your systems?&lt;/p&gt;

&lt;p&gt;Did we happen to mention that &lt;a href="http://www.securitybsides.com/w/page/12194141/BSidesBoston"&gt;Security BSides Boston&lt;/a&gt; is May 18 at Microsoft NERD in Cambridge, MA and &lt;a href="http://www.securitybsides.com/w/page/61966594/BSidesRI"&gt;Security BSides Rhode Island&lt;/a&gt; is June 14th and 15th in Providence, RI. Good seats and good conference swag are still available. We all hope to see you there!&lt;/p&gt;

&lt;p&gt;&lt;a href="http://newschoolsecurity.com/2013/05/the-onion-and-breach-disclosure/"&gt;The Onion's Twitter account was breached&lt;/a&gt; by the Syrian Electronic Army and they handled it a way that only The Onion can, making light of both themselves and the SEA. Additionally, possibly for the first time ever, The Onion &lt;a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/"&gt;published a non-parody post&lt;/a&gt; about exactly how the breach occurred.&lt;img alt="theonion.png" src="http://pauldotcom.com/theonion.png" width="256" height="256" class="mt-image-right" style="float: right; margin: 0 0 20px 20px;" /&gt;&lt;/p&gt;

&lt;p&gt;Additionally, the National Republican Congressional Committee (NRCC) web site got &lt;a href="http://www.nydailynews.com/news/politics/hacker-covers-nrcc-website-viagra-ads-article-1.1336280"&gt;spam hacked/defaced with Viagra ads&lt;/a&gt;. The only thing we were wondering is, are we sure it was hacked and not just a convenient online pharmacy for their members?&lt;/p&gt;

&lt;p&gt;A new whitepaper was released from MIT talking about "&lt;a href="http://people.csail.mit.edu/rivest/pubs/JR13.pdf"&gt;Honeywords&lt;/a&gt;". The problem being solved here is creating a way for server admins to know sooner when a passwords file has been breached on a server. In addition to the correct password, this new system would add a bunch of fake passwords as well. When the attacker starts trying usernames and passwords, if they use one of the fake passwords, the server admin would be notified that someone is doing that and it is very likely that the passwords file has been breached. It's an interesting concept to ponder.&lt;/p&gt;

&lt;p&gt;Jack had &lt;a href="http://threatpost.com/finger-pointing-on-cyberespionage-does-little-good-without-plan/"&gt;an article from Dennis Fisher&lt;/a&gt; at Threatpost, asking the question about what's the point of blaming various people for cyberespionage if we don't have a plan to do something about it.&lt;/p&gt;

&lt;p&gt;The NSA also has &lt;a href="http://www.wired.com/threatlevel/2013/05/nsa-manual-on-hacking-internet/"&gt;its own 643 page document&lt;/a&gt; telling its members how to use Google to find things like Excel documents in Russian that contain the word "login". Wait, I feel like I've heard of this somewhere before. Oh yeah, that's right. &lt;a href="http://www.amazon.com/Google-Hacking-Penetration-Testers-Johnny/dp/1597491764/ref=sr_1_1?ie=UTF8&amp;qid=1368329562&amp;sr=8-1&amp;keywords=Johnny+Long"&gt;Johnny Long was talking about Google Hacking&lt;/a&gt; at least as far back as 2007. It's just interesting sometimes to see things that the media gets wind of and, without the slightest bit of checking, thinks are "new".&lt;/p&gt;

&lt;p&gt;That's it for this week. As always, check in each Thursday night at 6 pm Eastern time to catch PaulDotCom Security Weekly!&lt;/p&gt;

&lt;p&gt;&lt;a href="http://pauldotcom.com/wiki/index.php/Episode331"&gt;Episode 331 Show Notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://traffic.libsyn.com/pauldotcom/PaulDotCom-331.mp3"&gt;Episode 331 (mp3)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/W7I1FD_3LXo" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/W7I1FD_3LXo/drunken-security-news---episod-8.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/drunken-security-news---episod-8.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Sat, 11 May 2013 22:54:10 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/drunken-security-news---episod-8.html</feedburner:origLink></item>
        
        <item>
            <title>Interview with Kurt Baumgartner - Episode 331</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5H2KwA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5H2KwA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;
&lt;p&gt;&lt;a href="http://pauldotcom.com/wiki/index.php/Episode331"&gt;Episode 331 Show Notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Kurt Baumgartner of Kaspersky Labs joins us to talk about Red October, a research paper that he co-authored, along with the other areas that he works on at Kaspersky.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://traffic.libsyn.com/pauldotcom/PaulDotCom-331.mp3"&gt;Episode 331 (mp3)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/-AtVmRG-O6k" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/-AtVmRG-O6k/interview-with-kurt-baumgartne.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/interview-with-kurt-baumgartne.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Fri, 10 May 2013 11:38:48 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/interview-with-kurt-baumgartne.html</feedburner:origLink></item>
        
        <item>
            <title>Interview With Rob Cheyne - Episode 331</title>
            <description>&lt;center&gt;&lt;iframe src="http://blip.tv/play/hr4jg5H2JAA.x?p=1" width="640" height="388" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#hr4jg5H2JAA" style="display:none"&gt;&lt;/embed&gt;&lt;/center&gt;

&lt;p&gt;Rob Cheyne is a highly regarded technologist, trainer, security expert and serial entrepreneur.&lt;/p&gt;
&lt;p&gt;He was the co-founder and CEO of Safelight Security, a leading provider of information security education programs. He has taught information security training classes to tens of thousands of developers, architects, and managers for industry-leading organizations. He has over 20 years of experience in the information technology field and has been working in information security since 1998.&lt;/p&gt;

&lt;p&gt;Rob regularly speaks at security and training conferences, and frequently presents to the local chapters of various security organizations.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://pauldotcom.com/wiki/index.php/Episode331"&gt;Episode 331 Show Notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://traffic.libsyn.com/pauldotcom/PaulDotCom-331.mp3"&gt;Episode 331 (mp3)&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our &lt;a href="http://www.youtube.com/pauldotcom"&gt;
YouTube Channel&lt;/a&gt; or our &lt;a href="http://pauldotcom.blip.tv"&gt;Bliptv channel&lt;/a&gt;.
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/pauldotcom/XBIC/~4/7IvM2D4rDhc" height="1" width="1"/&gt;</description>
            <link>http://feedproxy.google.com/~r/pauldotcom/XBIC/~3/7IvM2D4rDhc/interview-with-rob-cheyne---ep.html</link>
            <guid isPermaLink="false">http://pauldotcom.com/2013/05/interview-with-rob-cheyne---ep.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">Security Weekly</category>
            
            
            <pubDate>Fri, 10 May 2013 11:10:51 -0500</pubDate>
        <feedburner:origLink>http://pauldotcom.com/2013/05/interview-with-rob-cheyne---ep.html</feedburner:origLink></item>
        
    </channel>
</rss>
