
Metasploit 3.2 drops commercial license restriction

October 9th, 2008 | 3 Comments | Posted in News

It seems that Metasploit 3.2 will be sporting a BSD 3-Clause license.  That basically means that MSF can be forked, modified, repackaged and sold by commercial entities.  The 3-Clause license basically means that the source code and binaries keep the copyright notice, but nobody can claim the mutant product is endorsed by HD.

DarkReading has an article about it, and one of the ideas tossed around is Core Impact integrating MSF into their tool.  Aside from the thousands of dollars that Core costs, the lack of reporting functionality is one of the reasons MSF is kept in the shadows by researchers and pen-testers.  MSF is awesome, I’m a big fan of it, and I look forward to all its bastard children.  But if someone can take MSF and create some awesome reporting tools, that would rock.  I have always thought someone should build some reporting plug-ins for MSF; maybe someone will now.

I would like to know what you think about the MSF license change in the comments.

Book Review: Fuzzing | Brute Force Vulnerability Discovery

October 8th, 2008 | 3 Comments | Posted in News

I really enjoyed reading Fuzzing. The book has a ton of really great information.  The majority of the content I was interested in pertained to application and web application fuzzing.  The book starts with a background on vulnerability discovery methods.  It then covers the different methods and types of fuzzers.

The good stuff starts in the second part of the book on, “targets and automation.”  The chapter on “web application and server fuzzing automation” has some interesting ideas I hadn’t considered.  I also liked the chapters on network protocol fuzzing on Windows and UNIX.

Throughout the book the authors share tools, code and examples available for download from the fuzzing.org website.  I have been working a lot recently with the Samurai Web Testing Framework Live-CD, creating some video tutorials that I hope to release soon, and I used some of the examples in the book.  I also played with a little C# and created the generic fuzzing tool that was given in the book.  I am adding some features to work in a few class activities I would like to implement.

Overall I think the book is great for anyone that is in development, system administration or pen-testing.  I learned a lot and I think others would too, but be warned: this book is intense.  I spent about 8 or 9 weeks with this book because every time I learned something new I wanted to try it out.

If you have read this book or others like it I would like to read your comments.

Clickjacking PoC was released yesterday.

October 7th, 2008 | No Comments | Posted in News

Yesterday a PoC of the Clickjacking exploit was released.  Today Adobe released a workaround to fix the Clickjacking vulnerability in Flash.  Here is a video of the PoC.

Video: http://www.youtube.com/watch?v=gxyLbpldmuU

Since I shared this with my students last month, I wanted to share the details now that they have been made public.  The whole Clickjacking exploit has had a lot of people on edge.  I even had a student that thought his site was affected by Clickjacking.  He sent me the Flash files and it was actually a CSRF.  I will post a summary of what the problem was and how I was able to identify it in a future post.

If you aren’t already, now would be a good time to add NoScript and Flashblock to your Firefox browser.  Make sure you “forbid <IFRAME>” in the NoScript configuration.  I would also make sure you keep any cameras and/or microphones disconnected when not in use, to play it safe.

UPDATE: More details from one of the founders of Clickjacking.

Jumping on the bandwagon “EPIC FAIL” OK not really…

October 7th, 2008 | 1 Comment | Posted in News

I make a conscious effort not to blog on topics that others have already discussed, unless they impact me directly.  So to add to the pile of “FAIL” account resets, which I refuse to call “hacks,” I have another one to add.

Yesterday, I tried to log in to an online software store but I couldn’t remember the password.  Not a problem, I clicked the “forgot password” link.  I got to the part that allows me to write a message explaining the problem.  I wrote them that I can’t remember the password for the account and that the email address on file isn’t valid, since I have switched ISPs.  I gave them my new email address and asked nicely that they update it so I can reset my password.  The new email address has the same name as the old address but with a different domain.

Well, I got an email today that they updated my account, changed my email address (which is also the login) and set a temporary password. WTF?

Let me go over this again slowly.  I email the company and say my email address on file is old.  I give them a new email address.  They reset the account and send me the temp password?  No verification, no last 4 digits of my social, no secret question, nothing.

Now, true, once logged in someone would still need to pay for the software ordered.  But what if I had an open line of credit?  In my case I get academic pricing, so where you get Windows for $200, I get it for $5.  Wouldn’t that be worth creating a fake free email account and trying to get access?

Anyway, not sure this fits the “EPIC FAIL” label, but I’ve always wanted to write that.  Something I have taken away from all of this is that I am now checking all my important online accounts to see what the “forgot password” procedure is, and contacting those with weak challenges and verification.  I guess my first stop will be my software store.

I would like to know if anyone else has tried to see how easy it is to “reset” their own personal accounts.  Post in the comments if you have any tips on improving the “forgot password” procedure.
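For contrast with the store’s procedure described above, here is an added example (not code from this post or from any store) of the reset flow a site should have run: the reset token goes only to the address already on file, a request to use some other address is ignored, tokens are single-use and expire, and changing the address of record requires the current password. The account store, mail outbox, 15-minute token lifetime and PBKDF2 work factor are all assumptions made for the example.

```python
"""Password-reset flow that verifies ownership of the address on file.

Added example, not the store's code.  Assumptions: an in-memory account
store where the e-mail address is the login (as in the post), a list that
stands in for the mail system, a 15-minute token lifetime and a PBKDF2
work factor of 200,000 rounds.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset token is valid for 15 minutes
PBKDF2_ROUNDS = 200_000       # assumption: work factor for stored password hashes

ACCOUNTS = {}   # constructed store: login -> {"salt": bytes, "pw": bytes}
PENDING = {}    # SHA-256(token) -> (login, expiry); the raw token is never stored
OUTBOX = []     # constructed stand-in for the mail system: (recipient, body)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _store_password(login, password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[login] = {"salt": salt, "pw": _hash_password(password, salt)}


def create_account(login, password):
    _store_password(login, password)


def verify_password(login, password):
    acct = ACCOUNTS.get(login)
    if acct is None:
        return False
    return secrets.compare_digest(acct["pw"], _hash_password(password, acct["salt"]))


def request_reset(login, requested_address=None):
    """Start a reset.  The token goes ONLY to the address already on file.

    `requested_address` models the post's scenario: the caller asking that a
    new, unverified address be used instead.  It is deliberately ignored;
    changing the address of record is an authenticated action (see
    change_address), never a step of the reset.  The reply is identical
    whether or not the login exists, so the endpoint cannot be used to
    enumerate accounts.
    """
    if login in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (login, time.time() + TOKEN_TTL_SECONDS)
        OUTBOX.append((login, f"Reset token: {token}"))
    return "If that account exists, a reset message was sent to the address on file."


def complete_reset(token, new_password, now=None):
    """Consume a token exactly once; unknown, expired or reused tokens fail."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)        # removed on first use, valid or not
    if entry is None:
        return False
    login, expires = entry
    if now > expires:
        return False
    _store_password(login, new_password)
    return True


def change_address(login, password, new_address):
    """The address of record (and so the login) changes only with the
    current password, and never onto an address another account owns."""
    if not verify_password(login, password) or new_address in ACCOUNTS:
        return False
    ACCOUNTS[new_address] = ACCOUNTS.pop(login)
    return True


if __name__ == "__main__":
    create_account("user@old-isp.example", "hunter2")
    print(request_reset("user@old-isp.example", "user@new-isp.example"))
    print("mail went to:", OUTBOX[-1][0])    # the address on file, not the requested one
```

A real deployment would also rate-limit request_reset and put a link rather than a bare token in the mail, but the property the post is about is the one shown: nothing in the flow lets an unauthenticated caller redirect the reset to an address of their choosing.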

fwknop: Single Packet Authorization and Port Knocking

October 6th, 2008 | No Comments | Posted in Linux, News, Tools

Port Knocking is something I consider to be “security through obscurity,” so I haven’t really paid any attention to it aside from mentioning it in my lectures when it comes up.  I see too many flaws in the idea to even consider it feasible.

Today in one of my feeds I read a post over at Darknet about an implementation of Port Knocking that uses SPA and integrates with iptables and ipfw.  Now I can say it has my attention, for at least the 15 minutes that lasts.  You can get more info on fwknop, which stands for “FireWall KNock OPerator,” on the CypherDyne site.  It’s a Perl script that was released back in 2004. I know using SPA with Port Knocking isn’t new, but it’s new to me.

If you get Hakin9 Magazine, fwknop was discussed in the September issue, which is the reason it has been brought back into the light.  Per the Port Knocking website you can find 50+ implementations of Port Knocking.

The author of the tool is Michael Rash, a security researcher and the guy who wrote “Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort” (No Starch Press).  fwknop and a few other implementations will be added to my “round-to-it folder” of things to demo.

National Cyber Security Awareness Month - Top Ten Ways to Stay Safe Online

October 1st, 2008 | No Comments | Posted in News

The Internet is supposed to make our lives better, and for most of us, that’s exactly what it does. But the Internet has a dark side, and unless we take the proper precautions, this wonderful tool can end up causing us more harm than good.

October is National Cyber Security Awareness Month, and it’s a good time to take a hard look at how our online behaviors may be putting us in harm’s way.
You don’t have to be a computer genius to protect yourself online, and you don’t have to spend a lot of money. By following a few common sense tips, you can make the most out of your Internet experience while protecting you and your family from online threats.

1) Protect your computer: The best thing you can do to keep the bad guys out of your computer is to use three inexpensive technologies: anti-virus software, anti-spyware software and a firewall. Some security companies provide all three in one easy-to-use package.

2) Protect your identity: On the Internet, your personal data (social security number, birth date, etc.) is extremely valuable and can be used against you. Keep it protected.

3) Protect your children: Children face unique risks on the Internet, and require unique rules and safeguards. Monitor your kids’ online activities closely. There are many tools available to help you protect them from online threats.

4) Stay up to date: Those security tools won’t do any good unless you keep them up-to-date. You should be able to set them to update automatically. The same goes for your computer itself. It should be set to automatically install security updates.

5) Email safely: Email is a favorite tool of online crooks. Even legitimate-looking messages can be scams. Learn how to filter for “spam” and spot the signs of scam emails.

Book Review: Build Your Own Security Lab

September 28th, 2008 | No Comments | Posted in Book Review

The Good

I have had this book on my bookshelf for a few months and recently, due to some textbook changes in my Windows Security class, I decided to read it.  The book covers the usual ground you would expect: network hardware, virtual machines and various OS and network software.

The first chapter talks about getting used Cisco gear to get IOS experience.  Some information was given about VMware, for installing operating systems to use and for virtual networking.

After the first two chapters the author jumps into the various activities you can perform in the security lab.  Each chapter includes notes with a little additional information about the topics discussed in that chapter. At the end of each chapter is a list of “Exercises.”

The Bad

I could tell in the first chapter that this book had been sitting on the publisher’s shelf for a while.  I could also tell that the author had a hard time filling the 400+ pages in the book.  When I got to chapter 2, “Building a Software Test Platform,” and it mentioned ReactOS, Knoppix-STD, and Virtual PC, I knew things were going to get bad.  The author goes into detail about installing and running ReactOS.

Security News Links

September 28th, 2008 | No Comments | Posted in News

HowTo: Hack your DBT-120 to run in RAW mode.

September 25th, 2008 | 6 Comments | Posted in HowTo, Research

Dre from TS/SCI Security wrote a post yesterday “Fun with WiFu and Bluesniffing.” In his post he mentioned the lack of clarity on “how to” hack USB Bluetooth dongles due to the number of posts about problems. I posted in the comments that I have a D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter and hacked it to work in RAW mode. He asked if I could share how I did the hack on my Bluetooth dongle and provide the details. Here are the steps that I used to get my DBT-120 to run in RAW mode using the directions provided by Dr. Gr33n.

DISCLAIMER:
This post is provided for educational and testing purposes only. I am not responsible for any damaged BT adapters. I had issues trying to do this in BackTrack 3 VMware, so I used the USB version for this How-To.

REQUIREMENTS:
bt3final_usb.iso SHA1: 3aceedea0e8e70fff2e7f7a7f3039704014e980f
D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter (I have a DBT-120 Rev. C1)

UPDATES: I have been told that this procedure, using the 5x version of the software, bricks the dongle.  Tom Bicer found a dongle recovery procedure on the Evil Genius blog.  I have read that using the 5x software is a known problem, so only follow this procedure if you have the 4x firmware.

DIRECTIONS:
Boot your BackTrack 3 environment and, after it’s up and running, connect your DBT-120. Follow the steps shown below.

CONSOLE:
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0

bt ~ # hciconfig hci0 down
bt ~ # dfutool -d hci0 archive dbt-120_backup.dfu
bt ~ # dir
Desktop/ airsnifferdev46bc4.dfu
dbt-120_backup.dfu

bt ~ # hciconfig hci0 up
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psset -s 0x0000 0x02be 0x0a12
bt ~ # bccmd psget -s 0x0000 0x02be
USB vendor identifier: 0x0a12 (2578)
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0001 (1)
bt ~ # bccmd psset -s 0x0000 0x02bf 0x0002
bt ~ # bccmd psget -s 0x0000 0x02bf
USB product identifier: 0x0002 (2)
bt ~ # hciconfig hci0 down
bt ~ # dfutool upgrade airsnifferdev46bc4.dfu
bt ~ # hciconfig hci0 up
bt ~ # hciconfig hci0
hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING RAW
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0

bt ~ #
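Given the bricking warning in the UPDATES section, the checks worth running around this procedure are the ones that cost nothing: confirm the ISO matches the SHA1 listed under REQUIREMENTS, confirm the backup archive from dfutool exists and the product id reads 0x0002 before running dfutool upgrade, and confirm the RAW flag is present afterwards. The following is an added example (not code from this post or from Dr. Gr33n) that does exactly that by hashing the ISO and parsing the bccmd and hciconfig output already shown above; it never talks to the dongle itself. The sample outputs embedded in it are copied from the console transcript above, and the function names are my own.

```python
"""Pre- and post-flight checks for the DBT-120 RAW-mode procedure.

Added example, not part of the post.  It only hashes a file and parses
text the operator already has on screen; it does not touch the adapter.
"""
import hashlib
import re

# SHA1 of bt3final_usb.iso as listed in the post's REQUIREMENTS section.
EXPECTED_ISO_SHA1 = "3aceedea0e8e70fff2e7f7a7f3039704014e980f"

# Constructed samples, copied from the post's console transcript.
HCI_BEFORE = """hci0: Type: USB
BD Address: 00:17:9A:2B:45:2C ACL MTU: 0:0 SCO MTU: 0:0
UP RUNNING
RX bytes:217 acl:0 sco:0 events:0 errors:0
TX bytes:169 acl:0 sco:0 commands:12 errors:0
"""
HCI_AFTER = HCI_BEFORE.replace("UP RUNNING", "UP RUNNING RAW")
DIR_LISTING = "Desktop/ airsnifferdev46bc4.dfu\ndbt-120_backup.dfu"
PID_OUTPUT = "USB product identifier: 0x0002 (2)"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def iso_matches(path, expected=EXPECTED_ISO_SHA1):
    """Hash the ISO in 1 MiB chunks so a CD image is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == expected.lower()


def parse_hciconfig(text):
    """Return dev, type, bdaddr and the flag set from `hciconfig hciN` output.

    The flag line (UP RUNNING, UP RUNNING RAW, DOWN, ...) is the one line made
    only of upper-case words; RX/TX counter lines contain digits and colons.
    """
    head = re.search(r"(hci\d+):\s+Type:\s+(\S+)", text)
    addr = re.search(r"BD Address:\s+([0-9A-Fa-f:]{17})", text)
    if not head or not addr:
        raise ValueError("not hciconfig output")
    flags = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and all(t.isalpha() and t.isupper() for t in tokens):
            flags.update(tokens)
    return {"dev": head.group(1), "type": head.group(2),
            "bdaddr": addr.group(1).upper(), "flags": flags}


def raw_mode_active(hci_text):
    return "RAW" in parse_hciconfig(hci_text)["flags"]


def pskey_value(text):
    """Integer value from `bccmd psget` output, e.g.
    'USB product identifier: 0x0002 (2)' -> 2.  Also accepts the '0×' the
    blog's encoding turned '0x' into, so pasted output still parses."""
    m = re.search(r":\s+0[x×]([0-9A-Fa-f]+)", text)
    if not m:
        raise ValueError("not bccmd psget output")
    return int(m.group(1), 16)


def upgrade_preconditions(dir_listing, pid_output):
    """What must hold before `dfutool upgrade`: the backup archive exists and
    the product id has been set to 0x0002.  Returns a list of problems."""
    problems = []
    if "dbt-120_backup.dfu" not in dir_listing.split():
        problems.append("no backup archive")
    if pskey_value(pid_output) != 0x0002:
        problems.append("product id not set to 0x0002")
    return problems


if __name__ == "__main__":
    print("preconditions:", upgrade_preconditions(DIR_LISTING, PID_OUTPUT) or "ok")
    print("RAW before:", raw_mode_active(HCI_BEFORE), "after:", raw_mode_active(HCI_AFTER))
```

Run iso_matches("bt3final_usb.iso") before burning or booting the image; the remaining functions take the text of the corresponding commands, so they can be fed from a saved terminal log as easily as from a live shell.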

CREDITS:

  • Andre Gironda (Dre) from TS/SCI Security. I would have never posted this if he didn’t ask for clarification and proof that it was possible.
  • Dr Gr33ns from Drgr33ns Blogs, Tutorials and Info. He posted directions and a video showing how to do this. I copied 99.999% of his work. I did this to show proof that his directions do work in my situation, using my DBT-120.
  • I would also like to thank all the bluetooth hackers that make this possible.

Bluetooth Headset Vulnerabilities Reminder…

September 24th, 2008 | 1 Comment | Posted in Attacks, News

As I find another one of my hands-free Bluetooth headsets in the washing machine again (yes, again, I think this is #11 or #12), I wanted to remind everyone about the risks associated with using Bluetooth devices.

With the new laws here in California that require drivers to use hands-free devices while driving, I’m starting to see more and more people using Bluetooth.  I see them on the road, in restaurants, at work (sometimes connected to work phones) and I wonder if the “wireless” freedom is worth the risk that comes with Bluetooth.

Most of you know that Bluetooth hacking isn’t anything new.  We all remember reading about celebrities’ cell phones getting hacked and having all the contacts and SMS messages stolen.  What I don’t think we all remember is that we are all at risk too.  With smartphones and PDAs becoming cheaper, everyone is getting one.  I see everyone from teenagers to soccer moms with BlackBerrys.  I see students and business professionals with iPhones.  Now you don’t need a smartphone to have all your contacts and SMS data stolen.  Any cell phone with Bluetooth enabled is open to attack.  What smartphones add is access to more sensitive and private data.  All that useful information you keep on your smartphone or PDA?  Well, if you have Bluetooth enabled it might be open to attack.

So as I sit here wondering if I am going to go and get another Bluetooth headset, I’m thinking about what I use it for and what the pros and cons will be if I switch to a wired headset.  Oh, and if you think that the only risk is someone stealing SMS messages from your spouse or your mom’s phone number, watch this clip.  That cool Bluetooth headset is also a bug that can broadcast everything you say and hear, even when you’re not on a call.  All I have to say is forget Big Brother; worry about that innocent-looking guy with the backpack and PDA.

Video: http://www.youtube.com/watch?v=1c-jzYAH2gw

I would like to know how many of you enable Bluetooth and whether you’re worried about privacy or data theft.  Please post your thoughts and ideas in the comments.