Archive for the 'Tools' Category

Peer Guardian for Internal Penetration Tests

Most vulnerability scanners will allow you to configure an exception list. If an organization has an internal vulnerability scanning program in place, they are probably aware of a few troublesome systems that don’t respond well to poking and prodding. (That ancient VAX, those Dell DRACs, that crazy plotter, etc…)

It’s not uncommon to be asked by a client to “Avoid this list of systems during the Pentest…” But what if you have some nice custom tools that don’t have the ability to honor an exception list?  What if you have some tools that you point to an NT Domain and not an IP list?

On the surface the simplest solution would be to “just configure the firewall to block outbound to x.x.x.y….” The problem is that Windows personal firewalls don’t make it easy to do that. In fact, most of these firewalls will break the scanning tools you’re trying to use.

I’ve found that Peer Guardian 2 does an awesome job at fixing this problem. Peer Guardian is mostly used by peer-to-peer users, but you can easily make a custom “block list” that will prevent your computer from hitting IPs on your client’s exclusion list. You can run Peer Guardian and not worry about it mucking up those funky packets that you’re trying to send.

-higB

No comments

MITM TCP Tools

A lot of web applications use port 80 and 443, but don’t necessarily speak HTTP or live inside a web browser. Many of these web apps utilize rich content and compiled code, such as Flash/ActiveX/Java, that have the ability to open their own TCP sockets to remote servers, bypassing the browser’s network stack and any HTTP proxy the browser is configured to use.

All the JVMs I’ve used do let you specify a proxy for an applet to use, but in my experience, this process is sometimes a little clumsy. On top of that, this only helps if the applet is speaking HTTP, or some other known protocol for which a proxy exists.

Putting browser based applications aside for a moment, fat client applications (including those on mobile devices) will utilize port 80/443 as a sure-fire way through the firewall, even if they aren’t using a standard protocol like HTTP or SOAP/WS-Security.

Wireshark, tcpdump, and other network sniffers can be helpful in these situations where you can’t get application data easily routed through a proxy. However, the ability to replay or modify data on the fly between the client and server is still a challenge. Add SSL encryption to the scenario, and typically you are S.O.L.

What we need is a socket based TCP proxy with SSL support. Such a proxy would capture traffic at the network layer, identify common protocols and accumulate requests/responses for MITMing, but also stream proprietary protocols while providing a mechanism for altering/fuzzing data on the fly.

Tools like WebScarab/Paros/Burp are great at what they do. But as soon as an application strays from a common protocol (security through obscurity anyone?) these tools lose some of their value.

I already have a proof-of-concept tool that has been invaluable to us in some recent pen-testing. Now, the plan is to tighten up the loose ends, add some features, and make it available for others to use.

I’d definitely be interested to hear what anyone has to say about such a tool. Do you think it would help you? Is there already something similar out there? Leave your comments below.

-Schmoilito

1 comment

pwn3d by the TS@!

On Friday afternoon, I headed off to the airport for a trip to Chicago to visit a friend. I should have checked the flight status, because it turns out my flight was canceled. All other flights to Chicago were on time, and full. The über-helpful lady at Continental advised me to wait on stand-by. The end result was that I had to wait until 6AM Saturday for a flight to Detroit and a connection to Chicago. Damn. <sarcasm>On the bright side, my bag made it to Chicago by 11PM that night.</sarcasm>

I went home to sleep, and set my alarms for a 4AM wake up to make it back to the airport for my 6AM flight. I assumed I would get there in reasonable time, since I didn’t have to check in or check any bags. Unfortunately, I also didn’t pay any attention to the four S’s on my new boarding pass. At 5:50AM I was being molested by Boris, one of the TSA’s human pen-testers at Newark Liberty. Lucky me, I was selected for additional screening because I had made changes to my itinerary. Lady luck continued to shine on me since Boris, at 250+LB’s, is a gentle giant.

I don’t think my writing thus far has conveyed the anger and frustration I felt during this whole ordeal. And when I realized I had to endure additional security screening, my blood began to boil. However, at some point during my personal security assessment, my mind drifted into my happy place, and I had a moment of clarity.

Who is more deserving of a more in-depth security review than someone who is already pissed off at your airline, and could possibly snap with the next minor inconvenience or crying baby?

Any passenger traveling on an airplane is considered a threat. As individual passenger scenarios fluctuate, so does the individual passenger’s threat potential. In my particular situation, it was up to the airline to indicate to the TSA that I required additional screening, and they did this via the “SSSS” on my boarding pass.

Inside me there is a glimmer of hope that TSA folks have some ability to identify behavior patterns in people that could indicate an elevated threat potential in real time (like when I’m waiting in line to get screened). However, they most likely rely heavily on their technology/tools (metal detectors, x-ray machines, that crazy air blast thing, etc.) for such dynamic analysis.

It’s really no different than a highly-skilled pen-tester being given a large number of applications to test in a very short period of time. In this case, the pen-tester would rely heavily on tools. There is no shortage of content on the Internet discussing the quality of such tools, so I’m not gonna go there in this post. However, I must ask the question: how good an assessment can you perform on a web app using only the tools available on the market today?

What all this reminds me of is that security in I.T. is no different than security in every other aspect of life. Threats are dynamic, and constantly in flux. Countermeasures deployed to protect us from threats must also be dynamic, and able to keep up with an ever changing threat landscape. If our tactics are static, threats will eventually go unnoticed, and we will get pwned.

At least, that’s what Boris softly whispered in my ear…

-Schmoilito

No comments

Shmoocon 2008 wrap-up: The Non-Moose Stuff

Someone beat us to the shmooball launcher. It’s probably for the best since we were going to order parts from this company. We heard ambulances only take 180 seconds to get to the hotel.

The presentations were very hit or miss this year, with unfortunately a bit more of the latter. I felt a lot of presentations would have fit a shorter turbo-style time slot better than the hour-long time slots. For example, the ‘baffle’ application for wireless AP fingerprinting looks like a very cool first generation tool. Easy to use, hack around with, well researched, and makes pretty graphs. Score. Unfortunately they dragged out the presentation with the whole history of TCP fingerprinting and made us wonder what the students were IM’ing about as they sat on the stage trying not to look too embarrassed or bored.

Mad props go out to Brad Antoniewicz and Joshua Wright. Not only for releasing a cool tool for wireless PEAP/TLS client credential pwnage (FreeRADIUS - Wireless Pwnage Edition), but for fun presentation skillz and shmooball dodging.  Find the video for this one. It was probably my favorite talk of the con (not sure if the camera man caught the start of the talk though).

The guys at Vigilar also rocked with a new and improved version of VoIP Hopper, complete with practical usage scenarios and some good demos with a standard VoIP phone. They showed how to get onto the corporate network by bypassing the VLANs set up for the VoIP traffic. I can think of a number of locations I’ve been at where it would be handy to have this tool with me.

Our very own Jaime and Aaron got a lot of people thinking with their forced internet condom. They’re moving the web hosting provider, but there’s some good data about what ports ISPs are blocking over at portscan.us (and you can help add to the project as well).

I unfortunately missed h1kari’s (David Hulton) GSM talk due to train delays, but the word at the hotel bar was that it was one of the most technical and interesting talks of the con. His GSM rainbow tables may make things very interesting when the FPGAs complete in three months (anyone get a link to where that will be?). Speaking of FPGAs, I’m proposing the FDA needs to start looking into these things since they’re basically giving every geek I know an erection that is lasting way longer than 4 hours. :)

And for more geek porn, let me suggest the Solid State Drives Data Recovery Comparison to Hard Drives presentation. Scott Moulton makes PowerPoint look like a Commodore 64 next to his smoothly timed 3D graphics. This guy also rocks for having them online for everyone to get jealous of… oh, and for teaching us that deleting or wiping flash based drives is completely useless because of the wear-levelling process done by the controllers on these things. (And yes, I did sit there thinking of all the times I’ve futilely done PGP wipes of data on my flash drives.) The good news though is that the recovery of that data sounds pretty damn hard at this time. Also in good news, we can now write off a few power tools from Home Depot as business expenses, since you’ll want a hammer now to “wipe” those drives.

A number of us caught the phishing talk by Syn Phishus. I think we’ll have a full follow-up post on that (but just to clear up one rumor we heard: no, he does not work for or have anything to do with phishme.com). He obviously agrees with us that mock phishing exercises need to be done… but I’d say our approaches to this differ greatly.

-b3nn

2 comments

Phishing with Encoded IP Addresses


I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also a choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the subdirectory is perhaps the host name. Or, as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walkthrough of the encoding so you can follow along. If you would like to view the JavaScript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate Windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.
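The decimal form shown above is one of several numeric host spellings a browser will happily resolve. As an added example (not the PhishMe.com script), here is a checker a mail filter or proxy could use to normalise such hosts back to a dotted quad and flag the link; it goes beyond the page’s decimal case to the octal, hex and mixed forms browsers also accept. The function names and the sample URLs are mine.

```javascript
// Added example, not the PhishMe.com script: decode the numeric host forms a
// browser accepts and flag links whose host is an encoded IP address.
// A host of 1-4 dot-separated numbers is parsed as an IPv4 address; each part
// may be decimal, octal (leading 0) or hex (0x), and the last part fills the
// remaining bytes. http://2130706433/ is therefore 127.0.0.1.

function parsePart(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p.slice(1), 8);
  if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
  return NaN;                                  // not a numeric part
}

// Returns the dotted quad a browser would connect to, or null when the host
// is not a numeric IPv4 form (ordinary names, out-of-range parts, etc.).
function decodeNumericHost(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const lastBytes = 5 - nums.length;           // bytes the last part covers
  const last = nums[nums.length - 1];
  if (nums.slice(0, -1).some((n) => n > 255) || last >= 256 ** lastBytes) return null;
  let value = 0;
  for (const n of nums.slice(0, -1)) value = value * 256 + n;
  value = value * 256 ** lastBytes + last;     // 32-bit unsigned, built without bit ops
  return [16777216, 65536, 256, 1].map((d) => Math.floor(value / d) % 256).join('.');
}

// Pulls the host out of a URL; returns the decoded address when the host is
// an IP written in some form other than a plain dotted quad, else null.
function encodedIpInUrl(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^/?#@]+@)?([^/?#:]+)/i.exec(url);
  if (!m) return null;
  const decoded = decodeNumericHost(m[1]);
  return decoded !== null && decoded !== m[1] ? decoded : null;
}
```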

-b3nn

No comments

Baiting the Hook, Sneak Peek at PhishMe.com

If you’ve been noticing a little silence on the blog recently, it’s because a lot of the ranting has been going into developing what we think is a great anti-phishing user awareness tool. Take a peek at our main site at www.PhishMe.com

Conducting ethical phishing attacks has never been easier. User awareness will be improved, enforced, and for the first time for many users, easy to measure and trend over time. You can sign up for the mailing list right now that will let you know when the full blown service is launched. We will be offering free trial accounts that will allow you to get a taste of the features and test out if a few of your users will bite.

Another key feature of PhishMe is the built-in templates that make your job of crafting phishing attacks simple yet effective and modern. How do you think your employees would respond to a message about a “virus outbreak”? Will they just follow the instructions in an email without verifying any of the information? What about a message to update their healthcare information on a new third party site? The number of people that fall victim to these types of attacks will make you wonder why hackers even bother with anything that isn’t social engineering.

There is more to come in the future but for now, check out www.PhishMe.com

-b3nn

No comments

Vasco, an alternative to RSA SecurID hardware tokens

As a security consultant with exposure to many large enterprises, I admit I’m biased toward RSA SecurID tokens. During penetration tests, our company has cracked tens of thousands of passwords. When I’m standing in front of a customer explaining why their password policies failed, they want to believe that changing the policy will help them. Secretly I know that humans will defeat the spirit of any password policy and that the best approach is to take the responsibility for password composition away from the end user. (When you stare at thousands of clear text passwords you develop a cynicism.)

August2007, you’ve been a good password, but it’s time I move on to owning enterprises with September2007.

The other day a friend asked me if there are any other products like SecurID he should be evaluating for his company as part of their plan to introduce two-factor authentication. Apart from SecurID, the only other device that left me thinking “Hey, this thing works” is Vasco’s Digipass. Any two-factor system worth its salt should provide authentication hooks to the popular services. If you plan to use the solution with custom web applications, you may need to dig a little deeper… maybe a lot deeper. Most solutions have hook-in APIs, but it takes some effort to piece it all together.

If you are evaluating two-factor authentication devices, make a list of the top services you need authentication for:

  • Network devices
  • Windows authentication
  • Unix authentication
  • VPN users
  • Wireless user authentication

If a solution can cover 80% of your authentication needs and is cost effective, go with it. 80% coverage is 80% better than letting humans pick passwords; chances are with a little effort and creativity you can put something together to rein in the residual 20%. If you don’t have a two-factor solution, evaluate Vasco with the others.

-higB

3 comments

Oldschool Radioshack Redbox 1990’s Phreaking

I have a few big boxes of computer crap that I haven’t been able to part with (because you never know when a ZIP drive will come in handy). The other night I was rummaging through one of these boxes and stumbled upon my Radio Shack pocket tone dialer modified with a 6.5536 MHz crystal. The memory floodgates opened and I reminisced about the days of BBSes, Tradewars 2002, ANSI art packs, The Jolly Roger’s cookbook (remember thermite? good times), and countless phreaking texts. I got my initial fix via 1200 baud. After mowing lawns for a summer I was able to hook up the leet 2400 US Robotics.

Back in high school I was quite the ladies man. I had an 85 meg hard drive and leech status on all the local bulletin boards. After girls found out I had an SVGA monitor, Sound Blaster 16, and a 1x CD-ROM, they all wanted me. I used to think it was because I could draw boobs on my TI-85 graphing calculator, but the real reason for the XX chromosome attention was my crazy mad-ill tight soldering skillz.

Redbox

Just like all teenage boys growing up, I had an unhealthy infatuation with the phone company. (That’s normal, right?) I read in a BBS text about making free phone calls from pay phones by simulating the sounds that are transmitted when coins are dropped in. (More about redboxes and phreaking here.) So with a soldering iron, a 6.5536 MHz crystal, and a Radio Shack 43-141 pocket tone dialer I went to work and built a working redbox.

After spending 30 dollars in parts, I couldn’t wait to defraud PacBell of 25 cents. I remember the nervous feeling I had riding my bike over to a local church to try out my new babe-magnet redbox.


There was one small problem with my plan: for some reason, I didn’t have any friends outside of my area code to call. :)

Enjoy the video I posted on youtube: http://www.youtube.com/watch?v=AXZMgHKhefk

-higB

1 comment

Wrapping Up the Cons: Best of BlackHat and Defcon 2007

Spot the reporter, anyone? It was another good adventure out in Las Vegas last week. Obviously the best part of any con is the people who are there. It was great seeing old friends and meeting new ones. I typically ask everyone “What was the best presentation you saw?” I thought I’d turn the tables and give my view on that question. I know I missed a few good ones (it would be hard to make a 9am talk in Las Vegas even if it were held in my hotel room), but here are the highlights from what I did catch.

EVDO Hacking (King Tuna) - I suspect most people found this talk more entertaining than educational, and King Tuna wins for best Ricky Gervais character impersonation. I found myself cringing in my seat at his unfortunate first-time presenter problems; however, we walked away with two kick ass pieces of info. First, you can read files from your EVDO card with BitPim (or QPST if you have loose morals and bittorrent skillz), and the Kyocera KPC650 card’s firmware is unlocked. Tasty.

SQL out-of-band Channeling (Patrik Karlsson) - No SQL error messages being returned? No problem. I’ll just take my query results over DNS. Yup, that’s right. Over DNS (I had to double check I hadn’t just walked into the Kaminsky talk.) The short version is that there are a number of database functions that will trigger DNS lookups. Craft the “hostnames”, which are really the data, and request them from a domain the attacker owns. Check the slides, because they go into depth on properly encoding and breaking up the data. This would get through just about any network architecture and firewall egress filter I’ve seen. Can you live without DNS lookups on your database server? Probably. Time to add that to your hardening checklists.

WEP Cloaking Exposed (Vivek Ramachandran) - Hopefully just reading the explanation of “WEP Cloaking” will make your security stomach feel like you’ve had sushi straight from the Chicago River. But if you’ve ever seen sales people, you know they can suck down anything and then try to sell it on the way out. Thankfully the Air Tight group came to the table with strong examples of how flawed this security-through-obscurity “WEP Cloaking” idea is. While the rest of us don’t have a tool just yet to automate the same process that was shown, it’s only a matter of time. A point to remember, they said, was that a WEP cloaking/chaffing product still won’t make a WEP wireless network PCI compliant.

Extrusion Scanning (Matt Richards) - In the past, giving a customer a report about how many different ways we could tunnel data out of their internal network would be equivalent to giving them a graph about how wet water is. The good news is we have started to see customers that are taking steps towards decently restricting outbound connections. Hopefully the eescan tool he talked about may be a way of quickly testing this out from an internal network.

Active Reversing/Virtual World Hacking (Greg Hoglund) - I’m so not logging on to WoW if this guy is online. I caught sections of both Greg Hoglund talks and was impressed with the ideas and examples. This is not my normal cup of h4×0r tea, so I’m not sure how innovative these tools and techniques are, but I like the overall idea. Anything that lets someone understand and trace a program without having to go breakpoint by breakpoint in IDA Pro sounds like a good idea to me. Let’s lower the bar and get more people disassembling. Greg demo’ed some HBGary tools to quickly and easily isolate parts of a binary program that contain functions of interest.

Hack Your Car (higB) - Sure, I may have a little bias here, but it was still one of my favorite talks. You own the car; shouldn’t you own the computer on it? It was pretty shocking to hear that emissions tests often rely just on what the car’s computer reports and not on actual tailpipe output. Maybe we need to take this talk to an EPA convention next.

-b3nn

No comments

EXIF Scrubbing: Hey, Harry! Know your Tool and Wash your Hands.

Those of us at the PhishMe blog would like to remind everyone of a very important lesson from our parents (and restaurant bathrooms): “Wash your hands.” The motto should be repeated by the camera man behind those Harry Potter pictures reported on earlier in the week. Looks like a little Exif metadata wasn’t cleaned off the photos… or was it? What’s better than washing your hands? Setting up someone else to look like the dirty one; two Exif editors quickly came to our attention. While it’s much more plausible that someone would just shoot pics and forget about the Exif data attached to them, it’s not impossible that the data was edited to incriminate someone else.

Simply reading the Exifer home page, though, reminds me of another important lesson: “Know your tool” (maybe that was in a bathroom somewhere too). In short, tools often leave a footprint, whether it’s the user-agent tag in the popular Paros tool or not-so-stealthy Nmap scans. If you have a way to dig deeper and see what the tool is doing, you should. In this case, don’t just rely on an EXIF viewer. Use a hex editor and get a different view of the picture. When it comes time to track down the bad guys, keep a lookout for tell-tale signs.

What a difference a tool makes.

-b3nn

Update:
More fun with EXIF data. Looks like RSnake (who we worship for XSS and WebApp goodness) left an untampered thumbnail behind on one of his posts. The story also links to a nice online EXIF Viewer… anyone checking out our EXIF data? ;-)
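Getting that different view of the picture without trusting an EXIF viewer, as an added example (not the post’s or Exifer’s code): a JavaScript walker that reads the JPEG segments directly, lists the IFD0 tags an editor typically writes (Software, DateTime) and reports whether a thumbnail IFD is still attached, the two tell-tale signs the posts above describe. The tag-name table, the sample values and the constructed JPEG bytes are mine; the JPEG marker and TIFF/IFD layout it follows is the standard one.

```javascript
// Added example, not the post's or Exifer's code: walk a JPEG's marker
// segments, find the APP1 "Exif" segment and list the IFD0 tags (Software,
// DateTime, ...) plus whether a thumbnail IFD (IFD1) follows. The sample JPEG
// is constructed inline (SOI, APP1/Exif, EOI, no image data) so it runs offline.

const TAG_NAMES = { 0x010f: 'Make', 0x0110: 'Model', 0x0131: 'Software', 0x0132: 'DateTime' };
const ascii = (s) => [...s].map((c) => c.charCodeAt(0));

// Read one IFD at TIFF-relative offset `off`. ASCII entries are decoded; other
// types are returned as their raw 32-bit value/offset field.
function readIfd(bytes, view, tiff, off, le) {
  const n = view.getUint16(tiff + off, le);
  const tags = {};
  for (let i = 0; i < n; i++) {
    const e = tiff + off + 2 + i * 12;
    const tag = view.getUint16(e, le), type = view.getUint16(e + 2, le);
    const count = view.getUint32(e + 4, le);
    let value = view.getUint32(e + 8, le);
    if (type === 2) {                              // ASCII: inline when it fits in 4 bytes
      const start = count <= 4 ? e + 8 : tiff + value;
      value = String.fromCharCode(...bytes.subarray(start, start + count - 1)); // drop NUL
    }
    tags[TAG_NAMES[tag] || '0x' + tag.toString(16)] = value;
  }
  return { tags, next: view.getUint32(tiff + off + 2 + n * 12, le) };
}

// Returns the IFD0 tags plus hasThumbnailIfd, or null if the JPEG has no Exif.
function parseExif(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (view.getUint16(0) !== 0xffd8) throw new Error('not a JPEG (no SOI marker)');
  for (let pos = 2; pos + 4 <= bytes.length; ) {
    const marker = view.getUint16(pos);
    if (marker === 0xffda || marker === 0xffd9) break; // SOS/EOI: no more metadata
    const len = view.getUint16(pos + 2);               // includes its own 2 bytes
    if (marker === 0xffe1 && String.fromCharCode(...bytes.subarray(pos + 4, pos + 8)) === 'Exif') {
      const tiff = pos + 10;                           // skip "Exif\0\0"
      const le = view.getUint16(tiff) === 0x4949;      // "II" = little-endian TIFF
      const ifd0 = readIfd(bytes, view, tiff, view.getUint32(tiff + 4, le), le);
      return { ...ifd0.tags, hasThumbnailIfd: ifd0.next !== 0 };
    }
    pos += 2 + len;
  }
  return null;
}

// Constructed sample: little-endian TIFF whose IFD0 holds Software and DateTime
// and points at an (empty) IFD1, the traces an editor and a leftover thumbnail leave.
function buildSampleJpeg() {
  const software = 'Exifer\0', date = '2007:07:20 10:00:00\0'; // 7 and 20 bytes
  const tiff = new Uint8Array(72), v = new DataView(tiff.buffer), le = true;
  tiff.set(ascii('II')); v.setUint16(2, 42, le); v.setUint32(4, 8, le); // TIFF header
  v.setUint16(8, 2, le);                                                 // IFD0: 2 entries
  [[0x0131, software.length, 38], [0x0132, date.length, 45]].forEach(([tag, cnt, ofs], i) => {
    const e = 10 + i * 12;                             // entry: tag, type=ASCII, count, offset
    v.setUint16(e, tag, le); v.setUint16(e + 2, 2, le); v.setUint32(e + 4, cnt, le); v.setUint32(e + 8, ofs, le);
  });
  v.setUint32(34, 66, le);                             // next-IFD pointer -> IFD1 at 66
  tiff.set(ascii(software), 38); tiff.set(ascii(date), 45);
  v.setUint16(66, 0, le); v.setUint32(68, 0, le);      // IFD1: zero entries, no next
  const len = 2 + 6 + tiff.length;                     // length field + "Exif\0\0" + TIFF
  return new Uint8Array([0xff, 0xd8, 0xff, 0xe1, len >> 8, len & 0xff, ...ascii('Exif\0\0'), ...tiff, 0xff, 0xd9]);
}
```

On a real file, read the bytes with fs.readFileSync and pass them to parseExif; a Software tag naming an editor, or an IFD1 that still points at an old thumbnail, is the kind of footprint the hex editor would show you.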

1 comment

