PIG: Finding Truffles Without Leaving A Trace

Video in TIB AV-Portal: PIG: Finding Truffles Without Leaving A Trace

Formal Metadata

Title: PIG: Finding Truffles Without Leaving A Trace
Author: Ryan Linn
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2013
Language: English

Abstract

When we connect to a network we leak information. Whether obtaining an IP address, finding our default gateway, or using Dropbox, there are packets that can be used to help identify more about our machine and network. This talk and series of demonstrations will help you learn to passively profile a network through a new Metasploit module by gathering broadcast and multicast traffic, processing it, and looking at how the bad guys will use it to own your network. Without sending a packet, many networks divulge significant information about the assets that are attached. These broadcast packets can be used to identify hosts, OSes, and other hardware that is attached. Any skill level can learn how to easily gather and use this information and how to protect your network, and we will talk about how to extend the framework for new protocols. Ryan Linn is a Senior Security Consultant with Trustwave's SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).
good morning hi i am ryan lynn and this is pig finding truffles without leaving a trace we are going to start off today
with a brief introduction and then talk about why we're here for those of us that are awakened here and this then after that we're going to figure out how this can help each of us and I absolutely hate slides so most of this is going to be demos we're going to talk a little bit about how the different stuff works and then we're going to go over the different protocols and plugins that the protocol for pig supports and we're going to talk about remediation so first of all i am ryan len i'm a senior security consultant at trustwave i also like to play with cool toys so I've contributed to medicine beef and other stuff and that's my website and twitter ID if you're interested in things i say so where are we here um well is looking at network traffic doing pen testing I was getting frustrated because looking at Wireshark data is really cool but it's kind of a pain because getting data out of that to prioritize and really get into some sort of manageable format isn't necessarily easy it's mostly a lot of down arrow and going oh that's interesting which isn't really interesting at all so I wanted an easy way to identify hosts and resources on a network and primarily what I'm talking about is local segments so for internal pentose frequently we hit a point where we're dropped on a local network segment and we want to know what's there you know there's we can port scan at all and you know let up host ids is and all that sort of stuff but it's usually good idea to start off by listening for a little bit and seeing what we see so I want an easy way to collect that data I wanted to be able to identify hosting in resources that are on a network and also profile individuals it's amazing how much information some people attached to their computer whether it be their name which I sort of accidentally did that and I realized it while I was working on the tool so you'll see a packet of me being stupid in a couple minutes also to be able to determine network architecture so looking 
at what devices are on a network in some cases how they're configured and other goodness also love the time it will give us machine and end-user naming schemes so if you're meaning to brute force a user someplace if they go ahead and give you the user ID without asking for it that's kind of hopeful but the big thing I wanted to do was be completely silent a lot of passive information gathering tools out there require you to essentially man-in-the-middle the network well that's good in men in the middle and a lot of situations is is very nice but I kind of think that that's the thing that you should do after you start listening so I wanted something that would allow me to do this with no IP address so I could look at the broadcast and multicast traffic on the network without actually you know participating in being able to for instance sending out a dhcp request I wanted to just be able to listen on the network and the men in the middle piece for me was important because again I wanted to make sure that this was the first step and once I had an idea of what i was looking at this will help me figure out which host i might be targeting for specific men in the middle activities where i would look at more traffic so why are we here first of all four passive information gathering is good to understand what's on your network what's talking what protocols you may have broadcasting that you don't intend to be broadcasting a lot of these are easily configurable through domain policies and so we're going to look at understanding what sort of packets are broadcast automatically also the packet parsing kind of sounds like fun but I wanted to make this information easier for everyone to access so like I said Wireshark is interesting sort of but having a way to automatically pull out data out of pcap or off the network and put it into something that is easy to manage it's important and so for this example since we have already more and more information gathering and metasploit I 
chose metasploit to use as the back end so what we're going to be looking at is how to pull information from the network through passive passive listening and then insert that into metasploit so that we can access it later but also we're going to look at how we can easily leverage that data afterwards for pen tests or 44 sort of easier reporting and you guys could just be here because you're waiting for the next talk but hopefully you're here for me so how will this help you so for assisted men it's good to know what information you're sending out want to make sure that you're not giving away more information about your server or resources than you want to if you're a network admin or you know client-side Edmond this is even more important because knowing that stuff helps you build good hardening guidelines for your clients so that when someone wanders into a Starbucks you're not giving away a great deal of information about how your company's assets are configured so for a pen tester obviously we want to know as much as possible about what's going on on the segment that we're on so that we can figure out which hosts are going to be prime targets for for attack so for for that aspect that really this project really is helpful for us and so for everyone not everybody wants to look through through Wireshark packets so this is mainly for people who are tech savvy and are interested in seeing what types of information or their machine is sending out if you want to know whether or not every time you connect to a wireless if everybody knows that your name is Jim Bob and you have an iPhone so that really helps with with that process also the metasploit database really does make it easier to manage data so this project is a step to hopefully encourage more people to be able to interface with that fer to pull some of this information also won a way to organize and manage results with dradis so dradis is a decent reporting framework it has the ability to treat each each 
entity is a node and so one of the things i did is i wrote a dradis plug-in that will allow us to pull all the the metasploit data that we have ended dradis so that we can look at it in an easier fashion this will also allow us to take the information we've gathered and add additional notes to it and correlate it with other information we've gathered and also this is a good way to stay quiet on the network if you're worrying about taking tipping off things that are watching whether it be in IPS or or hips or any of that stuff just listening isn't going to start triggering alerts so before you you start giving yourself blocked from things this is a good first step so talking us kind of boring so show me so the first thing we're going to do is on basic gathering data I was lucky enough to get some of the wall of sheep data from from Ryan at the wall of sheep desk and so we're going to look at a little bit of that right now
so first thing we're going to do is load up msf console which for those who are not familiar with metasploit msf console is the command line interface into the metasploit framework and metasploit framework lets us do a number of things including facilitates exploit does but also for pen testers gives us an easy place to have both a framework for running exploits as well as different types of auxiliary modules that will allow us to do everything from like this the possum information gathering to basic port scanning so mostly framework is very powerful what I'm going to do next is connect to a local database so we're going to DB connect actually DB create and the DB create will connect to
the local Postgres database that i have and go ahead and create the table structure that we're gonna use the next thing I'm going to do is use the muzzle that I created for the the passive information gathering which this is going to be released tomorrow morning because I fixed a bunch of stuff last night as I got the DEF CON Network traffic it turns out that not everybody since properly formed network traffic at Def Con who would have thought so I I sort of found some bugs in the process of getting the wall of sheep data so um this should be out tomorrow this information is stored in the auxiliary tree under sniffers and it's called Pig so from here we can look at the options
the two primary things we need to do is set a pcap file and in this case we're going to look at two different protocols CDP and ssdp which is network plug and play the other thing that we're going to do is a so i'm not sure why it's here but the sniffer framework for metasploit requires an our host which is typically designed for the host that you're going to attack there's also a filter which would be if you only want to listen to specific things but for right now until we get it fixed you still have to set in our host to something so it's completely ignored so just set it to whatever you want so right now when we look at the hosts that are in the database there's nothing
there and notes as well so when we run the plug-in we can see that it's pulling in host information for a couple of different things we see one ssdp host which is again the network plug and play and their CDP devices detected but they don't have IP addresses so we're seeing broadcast traffic from host that are actually multicast traffic from hosted aren't actually on the network so when we go back to DB hosts we see a new host was added the the one through network plug and play and we look at the DB notes we can see a couple different
things we can see under type passive CDP and under the the next line is a passive ssdp to be able to query the stuff directly you can just do a dash T and type in the type of information you want and so from this we can see that we have a CDP packet and obviously from just listening to the network we've gained quite a bit of information we know that it's a switch we know what port is connected we know what capabilities it has we know the full banner including version and type of switch and we even know the native VLAN so we've already just by listening for a second gotten quite a bit of information about probably what type of infrastructure is being run and and what type of hardware is out there so let's look at one other
so this is the broadcast traffic so you can see here there is a number of DHCP requests going out and a couple of other things so the DHCP packets have some very interesting information in them in addition to having the mac address typically they also have information in them that may indicate what type of operating system it is especially when you start looking at what information is requested so that makes these very valuable the bad thing is is you don't always have an IP address to go with the mac address so one of the things that I've changed about this is if we don't have a mac address we will create an arbitrary IP address based off of the last four octets of the mac address that will allow us to go ahead and capture that data for the metasploit framework one of the things I had to work around was that every asset for a note has to be associated with an IP address so I just randomly created IP addresses so if we look at our hosts obviously there's a lot of random IP addresses there but it allows us to when we look at the DHCP
actually be able to capture each individual piece of information so these for instance on the DEF CON Network seem to be a lot of people changing MAC addresses and just sending out requests to see what comes back so there's not a lot of information here but I'm going to show some stuff that is more interesting in a moment so that is the the basics of
actually gathering the data so we've
already looked at a little bit how to view the collected data with metasploit so let's look in and see what information we see through dradis real quick
so for those of you that aren't familiar
dradis is a reporting framework that is
written in rails so what we're going to do here is use the Thor command which is a gem that you install is part of as part of dradis to do a list to list all of the different things that we can run so when we we do the list we can see
that we can use Thor to back things up to reset portions or the server which is what actually run Stratos itself so
right now dradis is starting up and we see that it is started up on localhost we can see the port numbers 3004 so we will start up web browser
and we all log into dradis
so dradis has a couple of different areas one is over here where we will have all the nodes and then all of the information about the different things that we are reporting on will show up over here so now that dradis has loaded we have an import task which will allow
us to import all of the data into it so
I'm going to back around this and if we do a thorough list again and grep out MSF we can see that there is a command
to import all of the MSF configuration
information to do that it uses xml RPC so we're going to come over to our
metasploit instance and we're going to
load the xml RPC plugin we're going to specify a password of tests and so when that runs we can see that it is loaded on localhost on five five five five three and has username of MSF and a password of test so when we come back over here we can find our or command
again and so we do Thor dradis import MSF all and so what we should see here is beginning import of the nodes and then the filter ran successfully so when we come back to the dradis framework we
can it refresh in the tree we now have a metasploit branch and all of the IP addresses that we had show up before so before you know the it was kind of hard to get an image of what all of that information was but this is a little bit easier to navigate so for the passive dhcp data for instance we can just through double-clicking see all of the different information we were able to gather we can also expand all of these and look at all of the different types of information we have so in addition to gathering just the notes we also have some information
about what services are running through
the the queries that were through the packets that we were processed so DB services will show that it picked up two
different types of protocols so we're also getting some basic port scanning out at this as well so let me go back into dradis we can see that the notes
themselves this SNP browse note is associated with port 138 UDP so when we look at that we have some interesting information we get that we got this through an SMB browser its domain as workgroup we know the OS version and we also know what capabilities it has so it's a workstation it's not a server some interesting stuff comes up here so a lot of the times when we're doing pen tests people running their own version of SQL server is frequently a way in a lot of the time when people have SQL Server on their workstations it's not properly patched or has a bad password so Windows is really nice and if you have a SQL Server it broadcasts and tells everyone because everybody should use it because it's awesome so um this shows up here so if you're looking for SQL servers I'm going to look at how to programmatically pull some of this stuff in a minute and we can easily go through the notes to look for things like SQL servers so and then for the passive ssdp we're going to look for that in a minute again ssdp i think is simple service discovery protocol which is the awesome network plug and play so this device that is doing that work plug-and-play we know some cool stuff about it we know it's windows NT 5.1 and it's a universal plug and play and if we want to find out more about it the packet that gets sent out has an awesome URL we can go to you to find out everything we want to about how to connect to this OS to be a plug-and-play so while this itself doesn't give you an easy way to get all the information because you have to send out a separate requests to get it basically we can this plot the URLs and then run curl or whatever else we want to just iterate through all the plug and play devices to get their configuration information so this is a nice step forward with that so the next thing I am going to do is to
show you a little bit more different types of data so we've we've seen two pieces so far and I wanted to keep it small for the purposes of looking at dradis because dradis as you start getting larger and larger by default it uses sqlite3 the more data you shove into the sqlite3 database the slower it gets so if you're going to be doing dradis with a large number of hosts go ahead and edit the files to switch it to postgres otherwise you will be very very sad so we're going to set our pcap file this time thank you and so here when we run this one we see a couple of different other things that you can read that fast so here we're seeing information from Dropbox we're seeing mdns packets which mdms is awesome mtns is multicast DNS which allows you to do some dns see things on your local network one of the things that I hope to do for the next version is to eliminate a lot of this redundancy for the the packet parsing I wanted to do it as quickly as possible but the downside is is when you start searching for notes before you post them into the framework everything starts slowing down a lot so right now basically every note it sees goes in which is kind of good and kind of bad but it's it's good to see what what some of this information is so if we look at our DB host again we
have quite a few more hosts and quite a
few more notes so looking at some of the interesting things sorry I also have to make this a little bit more consistent apparently so for mdns
we can also see that for instance all of the information about the photosmart printer that was attached to the network and so we have quite a bit of information about it just by nature of it being on the network
so one of the other things I wanted to talk about was the home plug so for those of you who have not have not seen them before this is a poem plug it's relatively small has has USB port if you want to connect it to wireless has internet if you want to connect it to that to ethernet but it's basically the size of just any power brick so if you put something interesting on it like co2 detector or have something else coming out of it so that it looks like it's just a normal power cord somebody may not even notice that it's there so there's a lot of development being done for for these guys so that you can use tools like the passive information-gathering there's another talk I think yesterday on doing transparent bridging with one of these guys so that you can bypass some of the knack restrictions but these are becoming more and more popular as pen test tools because you can easily get them in somewhere and they probably won't go noticed very very often especially if you dr. them up a little bit I mean if you have like a great big antenna hanging off of it and you know Rick pen test device on it people go huh I wonder if that's supposed to be here but it's easy to dr. 
up said that it looks like it's supposed to be somewhere so something along the lines of of the Pony Express is is a good way to to get some of these tools on to a network so is trying to get a demo together for this but I don't have one yet but basically this is running a cut down version of backtrack so you have a lot of the same tools that you would have with with backtrack including if you have wireless being able to join wireless networks and in sniff traffic there's even a 3g version that you can combine with with typical wireless so if you don't have an easy egress method out of the network you can go ahead and call it have it go back to you through ssh over 3g and so at that point you can bridge your you can get on to the network or be able to at least listen to network traffic without directly being there so the the 3g is interesting because it bypasses you know obviously you don't have to worry about what someone's Eagers filtering is like if it's going over 3g so um now that we've seen the stuff we're going to talk a little bit more about code and how all of the stuff fits together so if you're not interested in that stuff most of the demos are done we're going to look a little bit more about how to build some of these things so if your interests in the programming part we're going to talk about some of that too but this is basically a metasploit framework plugin it does an exhilarating module that does that accesses the the sniffer library that allows us to follow this information in the the module that we're using for most of the parsing is racket unfortunately racket doesn't have all the protocols that we're doing so for instance this has its own mdns parser and some other things that hopefully will be able to contribute back to racket in the future once I get this stuff stable enough so that everybody can parse Indian a spark it packets pretty easily from the core sniffer portion there's a number of helper modules these helper modules lets you define 
the protocol parsing for each individual protocol that you want to look at into a separate file in addition you set rules for when those files should be triggered so you're not running every filter against every single package you see so a lot of the things for like the multicast traffic we're listening to specific multicast broadcast addresses so that we don't have to just send things to every filter so we're going to look at one of these real quick
so the individual plugins are kept under
the data and then exploits and then I have created a subdirectory called pig in here so these are the listing of all
of the different protocols that we support so for instance or grieve we have the basically we have to define a new pig parser we call it pig groove every one of these different protocol parsers is prefixed with pig so that we know exactly what it is as far as classes go so the register rules tells us what rules it should trigger on so it's your trigger on a destination UDP port of 12 11 and a network broadcast basically so from there um when it sees something that matches that it passes to the parse function which we go ahead and break out the ethernet and IP portions of the packet and assign those but rocket will let us take the IP portion and get a UDP packet out of it and then from there basically we can parse all of the different pieces and everything pretty much ends with the report node which reports the different pieces in so the two important pieces of information are the host and the port as far as the report note goes and the protocol as well because basically when you specify those it binds the note to a specific port into a specific IP if those don't exist it goes ahead and registers that information so as far as port scanning goes and knowing what things are listening on as this runs this will go ahead and populate that information so as far as pulling some of the stuff out programmatically one of the things that I also wanted to show was we looked at
We looked at, for instance, the CDP information. So this is a basic Python script that will allow us to pull data from Metasploit through the XML-RPC interface. Again, the XML-RPC interface is the same thing that Dradis uses to pull in the data. So basically we use xmlrpclib, and then the base Metasploit XML-RPC is not typical web XML-RPC; it is a null-terminated XML-RPC, kind of like what Flash uses, so we had to sort of write a fix for that. The MsfTransport is a transport that basically just null-terminates stuff instead of trying to do web requests, which makes it a little bit easier. So to set up something to be able to query, we basically just create a proxy object and connect it to the same port that we set up and saw when we did the load xmlrpc: localhost on 55553, with a transport of MsfTransport. Here we set the type of note that we're looking for, and basically we start off by doing an auth.login. The auth.login gets us a token, and then for the next ten minutes we can continue to use that token to query any other data we want. So if we got a result of successfully logged in, we then looked at notes, and basically for this we're only taking the notes that have the type of information we want and printing it out to the screen. So from here we can see
that we can directly pull that. Now we can manipulate this however we want. Basically it spits out the raw data structure, so depending on how you want to do this, you can either convert the data structure from the Ruby format into a Python data structure or, in a lot of cases, I've just been parsing out where I know fields are and doing Perl regex matches to pull the specific piece of information that you're looking for. So for instance,
for SSDP all you're really looking for is the URL. So when we look at that,
we can just go ahead and get all of the different URLs, and this makes it pretty easy, and then take those and fire off a separate process to pull all of the XML configuration files through that. So as far as what is
currently in each filter, I wanted to talk for a couple of minutes about what types of information we're actually gathering. So CDP, we looked at for a second: it's got the OS version, IP address information, VLAN information. Where all of this really comes in handy is, if you're doing a pen test, a lot of the time you will get things like what the voice-over-IP VLAN is and other information that can help lead to further compromise. So for instance, since you're going ahead and getting all of the OS versions, if there's a vulnerability in a certain version of IOS this will certainly help you. It also aids in VLAN hopping, because it frequently lists all of the VLANs that are available, and it will also frequently give out the management VLAN information. So the hosts, the IP addresses that will typically accept SNMP traffic or an SSH connection, are frequently given away in CDP as well, so this can sort of unveil other areas of attack just by listening to the CDP traffic.

DHCP inform: so there's a couple more things that I want to do with this, but for right now it will pull out the MAC address, hostname, the vendor class, and the request list. Where the vendor class and request list come in handy is that each different version of Windows and many of the different versions of Linux have the vendor class and request list in different orders. Through using these two things together we can fingerprint the host pretty effectively. So we won't know, for instance, the difference between Windows XP Service Pack 2 and 3, but we'll know the difference between Windows XP, Vista, 2000, and Windows 7, which, you know, if you have Windows 2000 out there, that's a lot of the time a tip that maybe that's a host you want to look more carefully at. Or, you know, if you accidentally find a Windows ME box, then that's certainly something you want to look at a little closer, or shoot. So putting this together, there are some slight differences between service packs that some people have done some research on, so we do
have the ability to get a little bit finer grained, but you lose a little bit: the guarantee isn't quite as strong. You can definitely figure out the specific version, but going down to the individual service pack sometimes isn't.

Dropbox is very cool. There's been a number of Dropbox vulnerabilities that have been released, and one of the cool things about Dropbox is it goes ahead and spits out its version number, so if any versions are vulnerable it goes ahead and cuts down on the research for you, I guess. But it also shares all the shared namespaces, the namespaces with the Dropboxes that you have access to. So if you have a network where you have three people who share the same Dropbox, and two of them are fully patched and one of them is running SQL Server, then you know which one you want to go after: the one that maybe doesn't have a password on the SQL Server. And so you can look at who has maybe sensitive information, or who you may want to attack through some other type of method, and figure out who's sharing data back and forth to figure out where relationships are. And so all of this is broadcast freely with Dropbox.

Groove, which I think is called SharePoint collaboration or Workspaces or something like that now, is a pretty interesting protocol. It goes ahead and gives you lots of information about the person who's sitting in front of the computer, including whether or not they're online or offline, whether the Groove session is connected or not. So if somebody is actively connected and hasn't been logged out, then you can tell that they're there. It'll also give you the port Groove is listening on, but the most interesting thing that I found is that as part of the LAN sync protocol that it uses, it lists out all of the interfaces' IP addresses. So where this really becomes interesting is if you're trying to figure out, for instance, what hosts may be running a VPN, or you're looking for credit card data. A lot of the tests that we do are PCI
related, and you know, you hear things like "I've got a VPN, so you'll never be able to get to my credit card data." Well, if you're running Workspaces and I can tell which people are connected to the VPN, then that's certainly an avenue of attack; those are the people that I want to try to target to use their host as a relay through the VPN. So this gives out, in my opinion, sort of one of the worst pieces, because it really tells you which targets are most interesting, but it also gives you the Groove version, so that if there are Groove exploits you know which ones are most interesting.

mDNS is my favorite one. It can give you everything from a list of the open ports, so it's basically a free port scan for Macs in a lot of cases, and a lot of the ones that I see for this are Mac related as far as listing open ports. So basically, just from hanging out and listening to mDNS data you can figure out what ports are running, whether or not sharing is enabled, and all sorts of other goodies. And the only thing that I can figure out is that my Mac must be a whore, because it wants everybody to know what's open. So of course everybody names their Mac "Ryan's Mac," which I accidentally did, and so the first thing when you set up your Mac, you probably want to go through and change some of that information so that it's not as open, but it is an easy way to get people's names. Also the active state of the machine: there's a presence protocol, or there's a presence field in a lot of these, that shows whether or not someone is actively doing things on the computer. So if someone is actively working on the computer, it might not be the time to mess with it; when they're at home may be the time to mess with it. Also for things like printers it gives out some really interesting information; I mean, if you want to know which printers have staplers or whatever, in case you really like staplers, you can use this.

SMB is, you know, it's Microsoft, so it's trying to be helpful and stuff, so it'll go ahead and just tell you the
exact version of Windows and the hostname, and frequently it will go ahead and give you the domain information as well. So if you're just like, "I could figure out the domain, but I'm just going to hang out," it'll be like, "Hey, here's my domain." So this really cuts down on figuring out what the Windows infrastructure looks like, the Windows naming schemes, and because it pulls it all in automatically it just makes it really easy, like I said before with the SQL Server stuff.

SSDP is also very cool. This is where you show people all of their security cameras, so apparently the infrastructure IT security guys and the physical security guys don't work together, because there seem to be a lot of corporate security cameras that the physical security guys are using that still have plug-and-play enabled, and so they're just screaming out, "Hey, come look at my feed." And in a lot of places you also may find that they forgot to do things like passwords, so if you want to watch the front gate or, you know, the secretary or whatever, you can do all of that from here. You'll get information about printers, cameras, and frequently network gateways, so if you're trying to figure out more about the network topology this is also a good way to do that. It doesn't give you a whole lot of information straight up; it usually gives you a URL, and then from that URL you can pull another XML configuration file, and usually that gives you a lot of information. There are even devices that will be so friendly as to give you things like the admin username and the URLs to do different other things on the system, so you can see the URL just to give you the camera, or the URL to do admin functions, and the URL to change the IP address, all of those things. And so SSDP is sort of a gateway to more interesting stuff.

So we know how to steal lots of cool stuff now, so how do we fix it? For NetBIOS, one of the ways to do it is to disable NetBIOS over TCP. Most places now have a pretty robust DNS structure, so NetBIOS isn't overly
necessary. So one of the things that is worth testing is, if your company is still using NetBIOS over TCP, look at what happens when you start disabling that and whether or not problems occur. If you still have a WINS server, you're probably okay, and if you're pretty good with auto-registering DNS and those sorts of things, you're probably okay. For SSDP, disabling network plug-and-play is an excellent plan; for most of the stuff it's not necessary. Most places, you know, DHCP will usually give you the information you need as far as network devices go, and I rarely see a need to use the network plug-and-play features. CDP is tough, because from a network admin standpoint it's really helpful to see what's attached on what port, and unfortunately it's really a pain to turn it on selectively. So kind of my feeling on that is, for edge devices you probably don't need it, but for core devices it certainly makes it easy to figure out topology. So if somebody is at your core in a place where they can sniff that traffic, then you have probably already screwed up, so enabling it at the core usually isn't too problematic, but enabling it on edge devices certainly gives away a lot of information. So DHCP: Cisco has the concept of a DHCP helper. DHCP helpers can help limit where the DHCP information goes, and that will cut down on your ability to leak information via DHCP. Dropbox: disable the LAN sync protocol, and this doesn't happen. Basically, you can still get a lot of that same communication that you need; it may generate a little bit more traffic, but it certainly won't give away as much information about what you have. And since Microsoft is so helpful, I haven't found a way to stop Microsoft from helping me. I've been trying for a number of years, and generally they're just that helpful. So if anybody figures out a good way to stop Groove from telling everybody about your stuff, I'd certainly be interested. And mDNS, disabling it is possible, but it may not always be an option. Some things that
talk mDNS don't really have an off button, but, you know, obviously if you don't want everybody connecting to your iTunes, you can disable some of those features and get away with a little bit more security.

So as far as ways to help, one of the things that I'm interested in is seeing more types of data. Obviously the DEF CON traffic helped quite a bit, because there are lots of weird things going on here. Also the DHCP host stuff: I'm partially the way through it, but I'm hoping to put a little bit more effort in so that I can get more specific with the different types of boxes as far as network fingerprinting with the DHCP parameters. And then also I'm looking at more traffic to just figure out more protocols in general; there's a lot more stuff out there that's broadcasting than what we listed, but hopefully I can get some more of those out there for the next release. And for the future, Meterpreter has sniffing capability too, and with the new way that they did Meterpreter modules, some of this stuff is going to be able to be ported so that you can actually do it through sniffing on a box that you have already rooted. So as you attack a new box and get in your shell, this may be something that you can look at to gather information on new segments as you start progressing in pivoting through a network. Again, also more protocols; I haven't quite figured out all the question marks, but I'm sure we can figure that out. And then, again, the better OS identification. So if you want to get the code itself, that is where the code is. As far as working with Metasploit goes, there's the Metasploit book and the Metasploit website, which links to the Metasploit Unleashed class, which is excellent if you're interested in learning Metasploit. And then I'm also releasing a Coding for Pen Testers book, which is out in October, that is going to go over a lot of the Ruby skills that you may need if you're interested in picking up Ruby, and also talk about how to build Metasploit modules in
general. So if you're interested in sort of helping out with the Metasploit project, or you think it's cool, those are some resources that can help you out. So, questions? No questions? That's kind of awesome. Well, thanks for attending. Oh, a question. So the question was whether I was using live networks or test networks, and do you not run into problems where people are filtering broadcast and multicast traffic. And the answer is yes, because DEF CON is actually filtering broadcast and multicast traffic through their networks. A lot of the stuff was tested with live network data and some of the stuff was loosely tested, but most of the bug fixing was done with real stuff that I saw on the network. And for wireless networks more people are filtering, but for internal corporate networks I don't see a lot of that. It seems like good network segregation is still a problem for corporate networks; a lot of the time it's just convenient to give out, you know, a /16 for a network just to make sure you don't run out of IP addresses, so that really extends the broadcast domain, and we may only get certain portions of a network, but you still typically see quite a bit of broadcast traffic. Anybody else have any questions? Mr.
Shaw. The question was that for some of the packets they didn't have an IP address, so the MAC address was shown. And that's right; as part of the DHCP stuff you don't necessarily have to have an IP address to be sending DHCP information out, so for that I basically created one, because of a limitation with the Metasploit framework: it doesn't really let you very easily stick in notes without them being associated with something, since a lot of the database portions are relational. So the MAC address seemed like a good one to use to make it up. Next, how to determine which MAC addresses are passively watching: so the question was, is there a way to tell who's sniffing the network, and there are, but it requires sending out traffic. I believe that Ettercap has a way of looking at who's doing man-in-the-middling and who is doing sniffing on the network, and there are some packet tricks to do that. I think that Ettercap is probably the best place to look, and if anybody else has any recommendations maybe they can help out. But I think that that's it for questions right now; we're going to the question-and-answer room afterwards, so if you're interested in chatting more, please feel free to join us. Thanks.
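As an added example (not the speaker's script and not Metasploit's own code), here are the two pieces of the client the talk describes: the null-terminated XML-RPC transport that replaces the usual HTTP transport, and the regex pull of SSDP URLs out of the raw note data returned for a chosen note type. The note type name pig.ssdp, the call shapes auth.login and db.notes, and the sample notes are assumptions or constructed for this illustration.

```python
import re
import socket
import xmlrpc.client


def frame(body: bytes) -> bytes:
    """Append the NUL terminator the legacy msf xmlrpc listener expects."""
    return body + b"\x00"


def unframe(data: bytes) -> bytes:
    """Strip the terminator so the XML parser never sees the NUL byte."""
    if not data.endswith(b"\x00"):
        raise ValueError("reply is not NUL-terminated")
    return data[:-1]


class MsfTransport(xmlrpc.client.Transport):
    """Raw-socket transport: send one framed request, read until NUL, no HTTP."""

    def request(self, host, handler, request_body, verbose=False):
        hostname, port = host.rsplit(":", 1)  # host arrives as "127.0.0.1:55553"
        with socket.create_connection((hostname, int(port))) as sock:
            sock.sendall(frame(request_body))
            buf = b""
            while not buf.endswith(b"\x00"):
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before NUL terminator")
                buf += chunk
        return xmlrpc.client.loads(unframe(buf))[0]  # params tuple, Fault raised


URL_RE = re.compile(r"https?://[^\s\"']+")


def ssdp_urls(notes, ntype="pig.ssdp"):
    """Keep notes of one type and regex URLs out of the raw Ruby-inspected data."""
    urls = []
    for note in notes:
        if note.get("type") == ntype:
            urls.extend(URL_RE.findall(str(note.get("data", ""))))
    return urls


def fetch_ssdp_urls(proxy, user, password, ntype="pig.ssdp"):
    """auth.login yields a token that later calls present (assumed call shapes)."""
    login = proxy.auth.login(user, password)
    if login.get("result") != "success":
        raise PermissionError("auth.login failed")
    notes = proxy.db.notes(login["token"], {})
    return ssdp_urls(notes.get("notes", []), ntype)


# Constructed sample notes (TEST-NET addresses), not captured traffic.
SAMPLE_NOTES = [
    {"type": "pig.ssdp", "host": "192.0.2.10", "port": 1900,
     "data": '{:location=>"http://192.0.2.10:49152/rootDesc.xml"}'},
    {"type": "pig.cdp", "host": "192.0.2.1", "data": '{:platform=>"cisco WS-C2960"}'},
    {"type": "pig.ssdp", "host": "192.0.2.20", "port": 1900,
     "data": '{:location=>"http://192.0.2.20/upnp/desc.xml", :st=>"upnp:rootdevice"}'},
]
```

For a live Metasploit with the xmlrpc plugin loaded as in the talk, build the proxy with `xmlrpc.client.ServerProxy("http://127.0.0.1:55553/", transport=MsfTransport())` and pass it to fetch_ssdp_urls; the URLs come back as plain strings for whatever follow-up you script.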