Wednesday, July 29, 2009

Using Metasploit's db_autopwn on the Security Onion LiveCD

UPDATE: This issue has been fixed in the Security Onion LiveCD 20090731 release.

I was testing the new Security Onion LiveCD yesterday and trying to use Metasploit's db_autopwn function. The first step of db_autopwn is to create a database to hold the information about your potential targets. This is done with the db_create command. When I issued this command, I got an error about sqlite3 (the default database driver for db_autopwn).

I had forgotten to install the sqlite and libsqlite3-ruby packages. If you're having this problem, you can fix it with the following command:
sudo aptitude -y install sqlite libsqlite3-ruby

This will be fixed in the next release of the Security Onion LiveCD.

securityonion@securityonion:/usr/local/bin/framework3$ ./msfconsole

=[ msf v3.3-dev
+ -- --=[ 392 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 168 aux

msf > db_create
[*] Creating a new database instance...
[-] Error while running command db_create: no such file to load -- sqlite3
msf > quit

securityonion@securityonion:/usr/local/bin/framework3$ sudo aptitude -y install sqlite libsqlite3-ruby
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
libsqlite0{a} libsqlite3-ruby libsqlite3-ruby1.8{a} sqlite
0 packages upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 247kB of archives. After unpacking 811kB will be used.
Writing extended state information... Done
Get:1 http://archive.ubuntu.com jaunty/main libsqlite0 2.8.17-4build1 [176kB]
Get:2 http://archive.ubuntu.com jaunty/universe libsqlite3-ruby1.8 1.2.4-2 [51.3kB]
Get:3 http://archive.ubuntu.com jaunty/universe libsqlite3-ruby 1.2.4-2 [4042B]
Get:4 http://archive.ubuntu.com jaunty/main sqlite 2.8.17-4build1 [16.2kB]
Fetched 247kB in 1s (150kB/s)
Selecting previously deselected package libsqlite0.
(Reading database ... 118520 files and directories currently installed.)
Unpacking libsqlite0 (from .../libsqlite0_2.8.17-4build1_i386.deb) ...
Selecting previously deselected package libsqlite3-ruby1.8.
Unpacking libsqlite3-ruby1.8 (from .../libsqlite3-ruby1.8_1.2.4-2_i386.deb) ...
Selecting previously deselected package libsqlite3-ruby.
Unpacking libsqlite3-ruby (from .../libsqlite3-ruby_1.2.4-2_all.deb) ...
Selecting previously deselected package sqlite.
Unpacking sqlite (from .../sqlite_2.8.17-4build1_i386.deb) ...
Processing triggers for man-db ...
Setting up libsqlite0 (2.8.17-4build1) ...

Setting up libsqlite3-ruby1.8 (1.2.4-2) ...
Setting up libsqlite3-ruby (1.2.4-2) ...
Setting up sqlite (2.8.17-4build1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

securityonion@securityonion:/usr/local/bin/framework3$ ./msfconsole

=[ msf v3.3-dev
+ -- --=[ 392 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 168 aux

msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /home/securityonion/.msf3/sqlite3.db
msf >

Tuesday, July 28, 2009

Security Onion LiveCD 20090724

A new version of the Security Onion LiveCD has been released! Here's the changelog:

* All Xubuntu 9.04 updates as of 2009/07/24.
* Added a Security Onion section to the Applications menu.
* Latest Metasploit msf v3.3-dev as of 2009/07/24.
* Latest Nmap as of 2009/07/24.

The Security Onion LiveCD can be downloaded from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

Please let me know if you have any questions or suggestions.

Saturday, July 11, 2009

Know Thy ISP

From http://www.pcworld.com/article/168160/ussouth_korea_cyberattack_lessons_learned.html:
"Investigators may not yet know who was behind a series of cyberattacks on the U.S. and South Korea, but analysts are getting a better grasp on where the nations' governments may have gone wrong. Numerous government Web sites in both countries have been hit by distributed denial-of-service attacks, starting on the Fourth of July and continuing into today. Dozens of high-profile sites have been targeted, including those of the Federal Trade Commission, the Department of Treasury, and other major federal agencies."
Quote of the day:
"'Too many federal agency security people did not know which network service provider connected their Web sites to the Internet,' explains Alan Paller, director of research at the SANS Institute, a security research organization."
Alan's statement is quite scary, but I'm sure quite true. When the killer clowns come knocking at your firewall's door, you need to be able to pull the plug in a hurry. Perhaps we should have Internet fire drills where we propose a mock DDoS attack and have our technicians play out the scenario. Who ya gonna call?

Friday, July 10, 2009

SANS Courses for the US-CERT GFIRST conference in August

Announcement from SANS:

"In August, SANS will be running 5 tracks in support of the US-CERT GFIRST conference taking place at the Omni Hotel at CNN Center (http://www.us-cert.gov/GFIRST/). SANS is pleased to present the following course offerings:

Security 501: Advanced Security Essentials - Enterprise Defender
http://www.sans.org/atlanta09/description.php?tid=2722
August 17-22

Security 504: Hacker Techniques, Exploits & Incident Handling
http://www.sans.org/atlanta09/description.php?tid=243
August 17-22

Security 441: Windows Forensics
http://www.sans.org/atlanta09/description.php?tid=3012
August 27-28

Security 553: Metasploit for Penetration Testers
http://www.sans.org/atlanta09/description.php?tid=3022
August 27

Security 517: Cutting-Edge Hacking Techniques
http://www.sans.org/atlanta09/description.php?tid=1927
August 28

This will be the first time we are offering Security 501 and a rare opportunity to take this course from Dr. Eric Cole in a small class setting. We are also offering 3 short courses which offer a great opportunity to get SANS content in only 1 or 2 days."