Hackin9

One of my favorite Python modules is Impacket by the guys at Core Labs. Among other things it allows me to create Python scripts that can speak to Windows computers over SMB. I can use it to map network drives, kill processes on a remote machine and much more. During an incident, having the ability to reach out to all the machines in your environment to list or kill processes is very useful. Python and Impacket make this very easy. Check it out.

After installing Impacket, all of the awesome modules are available for use in your Python scripts. In addition to the modules, Impacket also includes several sample programs. Awesome tools like psexec.py give you functionality like Microsoft's PSEXEC plus pass-the-hash in an easily automated format. Have you ever wished you could run wmic commands from Linux? Let's use wmiexec.py to run a command on a remote Windows machine from Linux. You just provide the tool with a username, password, target IP address and a wmic command to run on the target machine. For example, this is how

WMIC from my Linux server is awesome, but the best part is that this is Python! So instead of running wmiexec.py I can import it as a module and use it in a Python script. I'll start out in the same directory as wmiexec and launch python. Then import wmiexec and create a variable to hold a WMIEXEC object. In this case I'll create a variable called wmiobj that points to a WMIEXEC object. The first argument is the command I want to run. In this case I run a WMIC command that finds the path of the executable for every copy of a process with cmd somewhere in the process name. The only other arguments are the username, password and share=ADMIN$.

In this case one of the command prompts is running from a user's temporary directory. That merits some additional investigation! With those 3 simple lines of Python code we were able to automate the query to a single host. Because it is Python we can easily use a for loop to run this on every workstation on our network, capture those results and compare them. Find the host with processes that aren't running on any of the other hosts! Find the host with unique, unusual network connections! Then, if the conditions are right, automate something to isolate it.
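The collect-and-compare sweep described above, as an added example that is not the diary's own code: the WMIEXEC call is replaced by a caller-supplied `run_query` function (an assumption, so the script runs offline), and the WMIC outputs are constructed samples in the shape that `wmic ... get ExecutablePath` prints.

```python
# Added example (not from the ISC diary): gather WMIC process listings from
# several hosts and flag executables that only one host is running or that
# live in a user's temp directory. SAMPLE_OUTPUT is constructed, not a capture.
import re
from typing import Callable, Dict, List, Set

# Constructed output of: wmic process where "name like '%cmd%'" get ExecutablePath
# WMIC prints a header row, one path per line, CRLF-terminated with trailing blanks.
SAMPLE_OUTPUT = {
    "ws01": "ExecutablePath  \r\nC:\\Windows\\System32\\cmd.exe  \r\n\r\n",
    "ws02": "ExecutablePath  \r\nC:\\Windows\\System32\\cmd.exe  \r\n"
            "C:\\Users\\bob\\AppData\\Local\\Temp\\cmd.exe  \r\n\r\n",
    "ws03": "ExecutablePath  \r\nC:\\Windows\\System32\\cmd.exe  \r\n\r\n",
}

# A cmd.exe running from a user's temp directory is what the diary calls out.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

def parse_wmic_paths(output: str) -> Set[str]:
    """Turn raw 'get ExecutablePath' output into a set of lower-cased paths."""
    lines = [line.strip() for line in output.splitlines()]
    # Skip the header row and blank lines; Windows paths are case-insensitive.
    return {line.lower() for line in lines[1:] if line and line.lower() != "executablepath"}

def collect_all(hosts: List[str], run_query: Callable[[str], str]) -> Dict[str, Set[str]]:
    """Query every host; run_query(host) stands in for the WMIEXEC call (assumed)."""
    results: Dict[str, Set[str]] = {}
    for host in hosts:
        try:
            results[host] = parse_wmic_paths(run_query(host))
        except Exception as exc:  # an unreachable host must not abort the sweep
            results[host] = set()
            print(f"{host}: query failed ({exc})")
    return results

def find_outliers(results: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Paths seen on exactly one host, plus anything under a user temp dir."""
    seen_on: Dict[str, Set[str]] = {}
    for host, paths in results.items():
        for path in paths:
            seen_on.setdefault(path, set()).add(host)
    outliers: Dict[str, List[str]] = {}
    for host, paths in results.items():
        flagged = sorted(p for p in paths if len(seen_on[p]) == 1 or USER_TEMP_RE.match(p))
        if flagged:
            outliers[host] = flagged
    return outliers

if __name__ == "__main__":
    sweep = collect_all(list(SAMPLE_OUTPUT), lambda host: SAMPLE_OUTPUT[host])
    for host, paths in find_outliers(sweep).items():
        print(host, paths)
```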

Interested in learning more? Come check out SEC573 Python for Penetration Testers. You will learn Python starting from ground zero and learn how to automate all the things. Join me at CyberGuardian on March 2 or in Orlando on April 11.

Check out the courses here:

http://www.sans.org/course/python-for-pen-testers

Mark Baggett

Twitter: @MarkBaggett

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Details of malware that may have been associated with the attack on Sony Pictures were disseminated in an FBI “Flash” earlier this week. A copy of the memorandum obtained by Ars Technica details “a destructive malware used by unknown computer network exploitation (CNE) operators” that can destroy all the data on Windows computers it infects and spread itself over network file shares to attack Windows servers.

Meanwhile, Re/code reports that Sony is ready to announce that the company has attributed the attack on its network to North Korea, according to sources at the company. Given the details of the malware and its similarity to an attack on South Korean companies last year, a tie to North Korea seems possible, though the people taking credit for the attack claim it was motivated by Sony Pictures’ alleged discrimination in the layoffs and firings of employees during a corporate reorganization started earlier this year.

The malware used in the attack, which has been described by a Sony spokesperson as “very sophisticated,” is almost certainly the same as that identified in the FBI memo. That malware uses Microsoft Windows’ own management and network file sharing features to propagate, shut down network services, and reboot computers—and files named for key Windows components to do most of the dirty work of communicating with its masters and wreaking havoc on the systems it infects.


 
Xen CVE-2014-8866 Denial of Service Vulnerability
 
Xen CVE-2014-8867 Denial of Service Vulnerability
 
[SECURITY] [DSA 3086-1] tcpdump security update
 
Apache 'mod_wsgi' Module Privilege Escalation Vulnerability
 

Posted by InfoSec News on Dec 03

http://www.nextgov.com/cybersecurity/2014/12/inspector-security-holes-found-irs-obamacare-system/100286/

By Aliya Sternstein
Nextgov.com
December 2, 2014

A core IRS system for calculating Obamacare fees for health insurers and
drug manufacturer has security weaknesses, according to an internal audit.

Under the Affordable Care Act, insurers must report their net premiums to
the tax agency annually, and pharmaceutical companies must submit...
 

Posted by InfoSec News on Dec 03

http://www.computerworld.com/article/2854434/whitelisting-project-helps-industrial-control-systems-owners-find-suspicious-files.html

By Lucian Constantin
IDG News Service
Dec 2, 2014

Industrial control systems have been at the center of some scary security
stories recently, but investigating malware infections in such
environments isn't easy because analysts often have a hard time telling
good files from suspicious ones.

Security...
 
LinuxSecurity.com: An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Firefox could be made to crash or run programs as your login if it opened a malicious website.
 
LinuxSecurity.com: Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated openstack-neutron packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated openstack-neutron packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated mariadb-galera packages that fix multiple security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 on Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Updated openstack-trove packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Updated mariadb-galera packages that fix multiple security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 on Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated nss, nss-util, and nss-softokn packages that contain a patch to mitigate the CVE-2014-3566 issue, fix a number of bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5, 6, and 7. [More...]
 
Wireless N ADSL 2/2+ Modem Router - DT5130 - Xss / URL Redirect / Command Injection
 
WordPress Unspecified Security Vulnerability
 
Re: [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360
 
[slackware-security] mozilla-thunderbird (SSA:2014-337-01)
 

Posted by InfoSec News on Dec 03

http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html

By Steve Ragan
Salted Hash
CSO
Dec 2, 2014

I'm going to make a prediction.

The breach at Sony Pictures has nothing to do with North Korea, aside from
the fact that the destructive malware believed to be present on Sony's
network is similar to the malware used in South Korea in 2013 - an
incident that was...
 

Posted by InfoSec News on Dec 03

http://www.wired.com/2014/12/top-ten-card-breaches/

By Kim Zetter
Threat Level
Wired.com
12.02.14

The holiday buying season is upon us once again. Another event that has
arrived along with the buying season is the season of big box retailer
data breaches.

A year ago, the Target breach made national headlines, followed shortly
thereafter by a breach at Home Depot. Both breaches got a lot of
attention, primarily because the number of bank...
 
WordPress 'comment' Field HTML Injection Vulnerability
 

Help Net Security

Training kids to become infosec superheroes
This is what motivated three cybersecurity professionals to create The Cynja, a new comic series teaching infosec concepts in a way that kids can grasp, and why they've launched The Cynja Field Instruction Manual, an activity book for “trainee ...

 
[SECURITY] [DSA 3085-1] wordpress security update
 
Multiple Yokogawa Products CVE-2014-5208 Remote Security Weakness
 
Mozilla Firefox/Thunderbird CVE-2014-1593 Buffer Overflow Vulnerability
 
Apple Mac OS X CVE-2014-1314 Remote Arbitrary Code Execution Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1594 Security Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1590 Denial of Service Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1592 Use After Free Memory Corruption Vulnerability
 
ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability
 
ESA-2014-160: RSA® Adaptive Authentication (On-Premise) Authentication Bypass Vulnerability
 
F5 BIGIP - (OLD!) Persistent XSS in ASM Module
 