
December 4, 2008

Recording & Stream Notice - Episode 132

The live stream should be active about 6:30 EST, Thursday, December 4th. We should begin recording the live show at about 7:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week we have a special guest, Andre' M. Di Mino "SemperSecurus" from the Shadowserver Foundation.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul


December 3, 2008

Creating Custom Userlists from Document Metadata

In the past on the podcast we've talked about a number of tools for document metadata gathering and how we can use them for gathering good information.

I've talked about EXIFtool for examining and deleting metadata from JPEGs. This was helpful for some information, but only for images.

I've covered Metagoofil, which we use to download all sorts of common data and word processing documents and analyze them for interesting information. Unfortunately, Metagoofil will only download documents from the web and process those. We have no ability to process documents already in our store on disk.

By accident I discovered that we can get much of the same information by using EXIFtool not on JPEGs, but on Word, Excel and PowerPoint documents! EXIFtool has the ability to parse metadata as defined by the FlashPix standard, introduced in 1996 and developed by Kodak, Hewlett-Packard and Microsoft. Microsoft still uses the format for documents and storing data. We can use EXIFtool to gather usernames from the documents.

Note: This will only work on Office documents that were not created with Office 2007 (.docx), as the new version relies on a different metadata storage format. I'll have a solution for this one soon!

We can start quick and dirty with getting the information on Office documents. In the directory that contains our supported Office documents, we can execute the following command:

$ exiftool -r -h -a -u -g1 * >output.html

This will execute EXIFtool to extract all metadata recursively in the current directory (-r), with all output including duplicates (-a) and unknown tags (-u), organized by tag category (-g1), for all files, with HTML-friendly formatting (-h), into a file named output.html in the current directory (>output.html). With this we get a handy little HTML report!

But we may only want the info on usernames/authors. We can trim the output down to just the appropriate data elements:

$ exiftool -r -a -u -Author -LastSavedBy * >users.txt

We've removed the HTML and grouping options, as they will only serve to make any additional processing difficult. I've also only grabbed the Author and LastSavedBy tags, as these are the most common places for usernames. Now we can take our users.txt and remove all of the extra information with some Unix text processing:

$ strings users.txt | cut -d":" -f2 | grep -v "\=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq  >cleanusers.txt

Now all we are left with is a list of potential usernames, one per line. We've dropped all of the extra text up to the first delimiter (:), dropped the lines containing "=" or "image files read", converted spaces to newlines, sorted alphabetically and removed the duplicates. This will introduce some need for manual culling, as sometimes the author is listed as "Firstname Lastname", and each name gets kept individually. However, in some smaller companies just a first or last name is perfectly acceptable as a username, so you may not want to cull your list at all.
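The same cleanup as a small Python script, added here as an example (not code from the original post), which parses the tag-per-line output of the exiftool command above and keeps "Firstname Lastname" values separate so they can be reviewed before deciding whether to split them; the exiftool output is a constructed sample, and the same parser works for auditing documents before you publish them:

```python
import re

# Constructed sample of `exiftool -r -a -u -Author -LastSavedBy *` output
# (not real output): a "======== file" header per file, one "Tag : value"
# line per tag, and a trailing "N image files read" summary line.
SAMPLE = """======== reports/q3-budget.xls
Author                          : jsmith
Last Saved By                   : jsmith
======== reports/board-deck.ppt
Author                          : Jane Smith
Last Saved By                   : mjones
======== memos/policy.doc
Author                          : mjones
Last Saved By                   : Mark Jones
    3 image files read
"""

# Only the two tags the post cares about; value is everything after ":".
TAG_LINE = re.compile(r"^\s*(Author|Last Saved By)\s*:\s*(.+?)\s*$")


def extract_names(text):
    """Return (single_tokens, full_names): unique one-word values in
    first-seen order, and multi-word values kept whole for review."""
    singles, fulls = {}, {}
    for line in text.splitlines():
        # Same lines the post's grep -v filters drop.
        if line.startswith("========") or "image files read" in line:
            continue
        m = TAG_LINE.match(line)
        if not m:
            continue
        value = m.group(2)
        (fulls if " " in value else singles)[value] = None
    return list(singles), list(fulls)


def candidate_usernames(text, split_full_names=True):
    """Sorted, de-duplicated list like the post's tr/sort/uniq pipeline.
    With split_full_names=False, "Jane Smith" stays one entry instead of
    becoming the two tokens "Jane" and "Smith"."""
    singles, fulls = extract_names(text)
    names = set(singles)
    for full in fulls:
        names.update(full.split() if split_full_names else [full])
    return sorted(names)


if __name__ == "__main__":
    for name in candidate_usernames(SAMPLE):
        print(name)
```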

Now, we are left with a list of potential usernames that we can utilize for password brute force attempts for other services, such as VPNs or web based applications.

December 2, 2008

Scan For MS08-067 With Nmap

by Paul Asadoorian

It has been a few weeks since the release of patches (and exploits) for MS08-067. We all should have had plenty of time to deploy patches to our systems and reboot for them to take effect.

How about we make sure?

Don't have one of those expensive scanning tools? How about Nessus? Sure, Nessus is great, but how about something more lean and mean?

Nmap to the rescue!

Note: You must use the current svn version for this to work, so go get it with the following command:

svn co --username guest --password "" svn://svn.insecure.org/nmap/

OK, now let's make Nmap work for us! We'll tell Nmap to output the results to a file named for our subnet (in all 3 file formats, no less), perform a SYN scan on port 445, and execute the SMB vulnerability checking NSE script against the discovered hosts on the 192.168.1.0/24 network:

nmap -oA 192168-filename -sS -p445 --script smb-check-vulns.nse 192.168.1.0/24

Now we can take these results and verify which Windows hosts on our network require a little extra attention in the patch department.

You want fast? Fyodor will give you fast! In a live network, Nmap was able to perform the scan in just over a minute:

Nmap done: 256 IP addresses (156 hosts up) scanned in 83.53 seconds
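Since -oA also writes an XML file, the "which hosts need attention" step can be scripted. This is an added example, not code from the post or from Nmap; the XML is a constructed sample, and the "MS08-067: VULNERABLE" / "MS08-067: NOT VULNERABLE" verdict lines are assumed to match the text the smb-check-vulns script reports:

```python
import xml.etree.ElementTree as ET

# Constructed sample of the .xml file written by -oA (not real scan data).
# Host .10 is reported vulnerable, .11 patched, .12 has port 445 closed so
# the script never ran against it.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns"
      output="MS08-067: VULNERABLE&#10;Conficker: Likely CLEAN&#10;regsvc DoS: NOT VULNERABLE"/>
    </hostscript></host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns"
      output="MS08-067: NOT VULNERABLE&#10;Conficker: Likely CLEAN"/>
    </hostscript></host>
  <host><status state="up"/><address addr="192.168.1.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def ms08_067_status(xml_text):
    """Map each scanned host address to the script's MS08-067 verdict, or
    'UNKNOWN' when the script produced no verdict (port closed/filtered,
    script skipped), so those hosts can be checked by other means."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        verdict = "UNKNOWN"
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            for line in script.get("output", "").splitlines():
                if line.strip().startswith("MS08-067:"):
                    verdict = line.split(":", 1)[1].strip()
        results[addr] = verdict
    return results


def hosts_needing_patch(xml_text):
    """Sorted addresses the script flagged as VULNERABLE."""
    return sorted(a for a, v in ms08_067_status(xml_text).items()
                  if v == "VULNERABLE")


if __name__ == "__main__":
    for addr, verdict in sorted(ms08_067_status(SAMPLE_XML).items()):
        print(addr, verdict)
```

Run it against the real file as `open("192168-filename.xml").read()`; hosts reported UNKNOWN are not clean, just unverified.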

[Editors note: Paul, what a great use of a free, simple to use tool. I'm really liking the focus on NSE expansion for Nmap! -Larry]

November 25, 2008

Zen and The Art Of An Internal Penetration Testing Program - Part I

This webcast is Part I of a two-part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I, I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:


Audio: Zen and The Art Of An Internal Penetration Testing Program - Webcast (Registration Required)

Slides: Zen and The Art Of An Internal Penetration Testing Program - PDF Slides

Forum: Online forum discussion and other related information.

I released a new version of the Perl script that can be used to detect Rogue Access points in your environment:

Rogue AP Detect Script v0.02

It's a good example of some of the more powerful things you can do with Nmap, and if you're on a budget it's a perfect technique for finding those pesky rogue APs. What does this have to do with internal penetration testing? You will just have to listen to the webcast to find out :)

Paul Asadoorian

PaulDotCom

Creating Custom Wordlists For Password Brute Forcing

By Paul Asadoorian

This is a nice, easy way to build a custom dictionary for your target. I got some of the original code from SANS Security 560 by Ed Skoudis. With his permission, I've published some of my enhancements. The first step is to grab the entire web site:

wget -r -l 2 www.targetwebsite.com

I'm going two levels deep here; you can adjust that with the "-l" flag. How many levels deep depends on how big of a dictionary you want and how big your target site is. [Editor's note: This can take you outside of the target website by following links to other sites. As Paul pointed out, this may be valuable. If the sites are linked, there is something in common and valuable between them] Next, we replace the spaces with newline characters and produce a unique list:

grep -hr "" www.targetwebsite.com/ | tr '[:space:]' '\n' | sort | uniq > wordlist.lst

The next step is to remove the weird characters. Don't worry, we can put them back. This primarily removes the HTML tags and such:

egrep -v '('\,'|'\;'|'\}'|'\{'|'\<'|'\>'|'\:'|'\='|'\"'|'\/'|'\/'|'\['|'\]')' wordlist.lst | sort -u > wordlist.clean.lst

Note: I do not remove the parentheses characters "()". We probably need to move to perl regex or something similar to do that. I get a syntax error when I try to remove the "(" or ")". Also, different versions of grep (and wget) will behave differently, so you might have to tweak. Below, we append the default John the Ripper password list to our custom list:

cat password.lst >> wordlist.clean.lst

Now we might have duplicates, and since we removed all special characters (well, most of them anyhow) we need to put them back. Below we run John to regenerate our unique wordlist, apply some rules, and output to standard out:

john --wordlist=wordlist.clean.lst --rules --stdout | uniq > final.wordlist.lst

For bonus points you can modify the rules so that it does a better job of adding in special characters (such as replacing all "i" with "1"). We'll leave this exercise up to the reader.
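The tokenize-and-clean steps above (grep/tr/sort/uniq and the egrep filter) as one Python script, added here as an example and not part of the original post. It drops tag bodies and <script> contents instead of relying on character filtering alone, and its bracket expression includes the parentheses the egrep one-liner could not; unlike the egrep -v step, it strips the special characters out of a token rather than discarding the whole token. The HTML is a constructed sample standing in for the files wget saved:

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real site) standing in for one of the
# files under www.targetwebsite.com/.
SAMPLE_HTML = """<html><head><title>Acme Widgets (Worldwide)</title></head>
<body><p>Welcome to Acme Widgets, makers of the SuperGizmo 3000.</p>
<a href="/about.html">About: our team; our history</a>
<script>var x = {a: 1};</script>
<p>Contact sales@acme.example or call (555) 0100.</p></body></html>
"""

# The characters the post's egrep filter lists, plus "(" and ")".
STRIP_CHARS = re.compile(r'[,;{}<>:="/\[\]()]')


class TextOnly(HTMLParser):
    """Collect visible text only: tags are dropped by the parser, and
    anything inside <script> is skipped so JavaScript does not leak in."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        self._skip = tag == "script"

    def handle_endtag(self, tag):
        self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def site_words(html, min_len=3):
    """Split visible text on whitespace, strip the special characters,
    drop fragments shorter than min_len, and return a sorted unique list
    (the same result the tr/sort/uniq pipeline aims for)."""
    parser = TextOnly()
    parser.feed(html)
    words = set()
    for token in " ".join(parser.parts).split():
        cleaned = STRIP_CHARS.sub("", token)
        if len(cleaned) >= min_len:
            words.add(cleaned)
    return sorted(words)


if __name__ == "__main__":
    print("\n".join(site_words(SAMPLE_HTML)))
```

Feed it each saved file in turn and append the output to wordlist.clean.lst before the John step; min_len drops the two-letter noise that rarely survives a password policy anyway.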

Passwords are just so easy to abuse...

- PaulDotCom

November 23, 2008

PaulDotCom Security Weekly - Episode 131 - November 20, 2008

Paul & Larry talk security with special guest John Strand!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

November 20, 2008

Recording & Stream Notice - Episode 131

The live stream should be active about 6:30 EST, Thursday, November 20th. We should begin recording the live show at about 7:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

This week we have a special guest, Josh Wright wireless hacker extraordin"air"!

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul


November 18, 2008

Larry's Introduction to Hardware Hacking

This is just my advice, and is actually a very nebulous thing to answer. I'll tell you what has worked for me over the years. I'm just breaking the surface, and still learning from my own advice.

My (sage?) Advice

* Read all you can find! - the Internets have exploded with all sorts of information on electronics projects, kits, you name it. I'll have some stuff in the reading/websites section below with some specifics

* Find a mentor - One locally is great and is also a way to meet new people and get ideas. Consider your local 2600/Defcon/Maker group. At a minimum, stop in on the local HAM radio club. For what it was worth, my mentors ended up being my Dad, who was an EE, and my grandfather, who was a swamp yankee/inventor.

* Take something apart - Now certainly you might not want to take apart that nice $3000 flat panel TV, but find something appropriate. Check yard sales for cheap electronics, or even on trash day. For beginners, stay away from TVs and microwave ovens (when you get some smarts they are full of good parts...). Don't discount kids' toys; they can take you down the road of circuit bending! With these scenarios you won't feel bad if you break something that was broken, cheap or free. Explore! You own the hardware! Figure out what all those unknown little bits do by looking up spec sheets on the internet.

* Think of ways to make something better - You know all that crap, I mean valuable electronics, you just picked up? If something works, how would one of them be made better or how could it be made to do something else? For example, we picked up a "baby boom box" at a yard sale for a quarter. My daughter LOVES it, but it is loud, and doesn't have an off switch. See? Take it apart and add a (baby proof) switch to disconnect the positive battery lead, and add a potentiometer (variable resistor; sort of like a dimmer switch) in line with the positive speaker wire. When she's done with it in a few years, take another look at how you could have improved that design; instead of the potentiometer what about replacing an output resistor. This can get even more fun, as you can start circuit bending!

* Mind your voltages - ...and of course your positives and negatives. Don't swap them, and don't overpower them (unless you read all about those power regulation chips). Making these mistakes is a great way to let the magic smoke out of your electronics. Double (even triple) check your wiring. With higher voltages (such as direct mains power), they can easily let the magic smoke out of you. Start small.

* Don't be afraid to follow in the footsteps of others - Read someone else's projects and recreate them, or in many lucky cases, build them from a kit. It is a great way to learn how to solder/desolder and learn the principles and about the parts. Learn from someone else's experience and mistakes and even improve on the design. Eventually your path will drift, and you'll be on your own road, even if it is just a slight deviation at first. Modify your kit!

* Learn to solder - Yeah, you had to figure that was coming. Also, learn to de-solder. Use all of those valuable electronics you picked up to practice both; you aren't learning on your project this way. Practice makes perfect! Yes, re-solder the pieces you just practiced removing. When you are done, you can even be left with a bunch of parts to use in another project, that are often worth more apart than the sum of the free/cheap whole. A great way to build an inventory of bits and wire.

* Start with the basics - Learn basic electronic principles; completing a circuit, switches, etc. Even though they are old, don't hesitate to use analog devices like 555 timers, transistors, capacitors, resistors and so on. Venture into microcontrollers such as Arduino and PICs as you get more comfortable. Learn how to read schematics - even the basics will take you a long way.


Tools

You'll need a few things to get started of course. Start small. Go ahead and buy just what you need to work on your first project. See if you can borrow some from a friend (but return them!) for a bit. Certainly, try out the moderately priced soldering iron from Radio Shack to get started...

Here's what I find is most helpful:

* A multi-meter - I don't know how I missed this on the podcast, but this one is a must. Even a cheap digital one would be good. My Grandfather would suggest going analog to start in order to learn the basics and the tool itself.

* Dremel with grinding and cutoff wheels

* Drill press and bits; in a pinch, a hand drill (electric or otherwise) will work.

* Soldering station - I like Weller, but I have a generic. Variable temperature is best. Note, don't file down new, modern tips. They are coated and filing ruins them.

* De-soldering iron. A "solder sucker" is Ok, but tends to be frustrating. De-soldering wick is good too.

* Small screwdrivers, jeweler's screwdrivers, Torx, and any other security screw bits. It is all about having the right tool for the job. This coming from a guy who just upgraded the hard drive in his MacBook Pro with a jeweler's flat head screwdriver for Phillips screws, and a filed down jeweler's flat head to remove #25 Torx screws.

* Set of small metal files (for sharpening your cheap soldering iron, and filing down flathead screwdrivers.)

* A pair of "extra hands". A magnifying glass or head mounted loupe (both in conjunction with a good light source) is also a huge plus.

* Pliers and wire cutters are also a great idea. As are a pair of wire strippers (your teeth get tired after a while).


Reading/Websites

There is tons of info out there. Here are some of the places I learn and take inspiration from:


* Make - This is the mecca of all things hack. A little of everything, and they've really blown the doors off this thing for the whole community, making this info and reporting available for everyone.

* Hackaday - A daily dose of hacking goodness on all sorts of topics. Good brain food and they've recently started a series about all the piece parts.

* LadyAda - Limor Fried's website. Kits (at AdaFruit Industries), and general blog about electronics goodies.

* Citizen Engineer - A new video series on hardware hacking how-tos

* Nuts and Volts Magazine - Pure electronics projects that you can adapt the concepts to your own projects.

* Instructables - All sorts of step by step tutorials on all types of hacks, crafts and electronics.

PaulDotCom Security Weekly - Episode 130 - November 13, 2008

Paul & Larry discuss security, hash, rubber chickens, religion, politics, and American history (Yes, I'm convinced no one reads what I type here ;)

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

November 13, 2008

Recording & Stream Notice - Episode 130

The live stream should be active about 6:30 EST, Thursday, November 13th. We should begin recording the live show at about 6:00 EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul
