security is as strong as the weakest link..

“Security is only as strong as your weakest link “

Am I a big fan of Penetration Tests?
Yup, I am, but not the way most companies do it or get it done.
Companies look at these assessments as a tick mark in a compliance checklist. No one wants issues to be there in the assessment reports. Every one fights to get the risk ratings from critical to medium and medium to low. I have often realized how hated I am in the organization and somehow concluded that more the IT guy is pissed with me the better work I have done!

So why do Penetration Tests fail & why I think these tests are useless.

Companies fail to understand what is critical for them and what needs to be checked. There are no targeted pen tests being done.
While getting their external router assessed for critical vulnerabilities they often fail to realize that they have a porous wireless network which would be piece of cake for a determined attacker.

One of my clients was after me to ensure that we reviewed his routers and firewalls multiple time while he had his wireless network secured by using MAC filtering only. It took me days to convince the client and his MNC wireless vendor to drive home the point that wireless network directly hooked in your server environment is a bigger risk, and somehow MAC filtering is not a security mechanism. I could show him that it was easier to walk into his premises and put a rogue AP in a conference room rather than working my way through layers of firewalls he had at the internet perimeter. In no way I am demeaning the value of having a secure perimeter, but not at the cost of having a network port open in a guest lounge.

Organizations would put cameras, security guards and turnsters at the main gate while keeping backdoors to lobbies and cafeterias open and unmanned. One other clients was not ready to accept that password guessing, even if I am able to guess his domain admin password was a successful hack and a serious issue, as he wanted something technically fancy, something that looked like those hacker movies we see, something which is magical and gives a shell. If someone can kill you with a hammer he doesn’t need to use his snipers. And death is death whether by cold or by cancer.

Clients come and tell me to perform external pen tests and shy away from including social engineering, client side testing, physical security and stolen equipment tests, without realizing the test would show them only one side of the coin, and not the actual picture. It would take someone minutes to launch such attacks and get the jewels of the organization.Getting internal Penetration tests for servers done without including clients, network devices, password brute forcing and social engineering test?
Come on stop kidding me.
Don’t create a security theater for yourself, a tester with his hands tied behind his back and eyes blinded could not hack your systems and you feel happy about it and feel like a winner! AAH!
Lets have a no hold bar test. Let’s level the playing field. Let’s have actual tests done. Let’s see where we are broken. Let’s check our small offices in sleepy towns.
Lets get ourselves hacked so as to be secure. Hackers do not follow rule books , they do not have an assigned budgets or time frames. They do not have time lines for compliance and do not have time slots to stick to. A determined hacker/tester would get in.
The world has now changed from people trying to catch the low hanging fruit to hackers who are professionals and know who and how to target. Lets stop preparing ourselves s against indiscriminate machine gun fire to more directed sniper shots.
Remember your
“security is as strong as the weakest link which is around the corner waiting to be exploited.”

Pen Test Lab

Aim of this Lab:

  • Provide a complete lab for Penetration Testing a Windows XP box, Linux box and a bit of Web Servers
  • This lab provides three different scenarios:
    • A fully vulnerable box with all kinds of vulnerabilities for a user to exploit.
    • A fully vulnerable system behind a firewall/IPS
    • A fully patched system fully patched and updated behind a firewall. While the vulnerable system will give the attacker a way to try out all the exploits and the tools, the firewalled system will give a real case scenario with the IPS/Firewall/Updates & Patches.
    • A domain is created on a Windows Server 2008, with a Windows XP being a part of the domain. All domain related tests can be performed on these systems.
  • Further expand it to include Web Application testing and Wireless Assessments

You Need:

  • Box 1: Attacking Machine
    • 4 GB RAM
    • OS: RHEL/Ubuntu
    • BackTrack 5 (Attack)
  • Box 2: Target Machine running multiple VMs
    • 8 GB RAM
    • OS: Ubuntu
    • Snort, iptables (Defence)
  • Plenty of HDD space in both
  • Pre-built VMs or ISO for installing OS (Ubuntu, RHEL, Windows, Metasploitable)
  • VMWare/VirtualBox/KVM … Any solution for a virtual infrastructure

Box 1: The Attacker System

  • 4/8 GB RAM
  • OS: RHEL/Ubuntu
  • IP Address For Physical: 192.168.205.3
  • Virtual Infrastructure: BackTrack 5: The Attacker
    • IP: 192.168.210.2
  • Virtual: Vulnerable Windows XP
    • IP: 192.168.210.3
  • Same Copy as Vulnerable Windows XP which is deployed on Box 2. This virtual machine is to attack the XP system without any Firewall/IDS/IPS in between

Box 2: The Target System

  • 8 GB RAM
  • Ubuntu with Snort (Snort on RHEL is not advisable – http://www.snort.org/snort-downloads/rhel5/)
  • Install SE Linux and/or iptables
  • IP of Physical: 192.168.205.2
  • Windows XP SP3:
    • Fully Patched: This will give a sense of the systems which are deployed in production environment. Attacking this system would be fun! Make sure to change your wallpaper to the “Try Harder” from Offensive Security!
    • Make it a part of the Windows Server 2008 domain
  • Windows XP:
    • IP: 192.168.200.3
    • Not at all patched; Automatic Updates are Off
    • Windows Firewall Turned Off
    • Use “Simple File Sharing” (Control Panel)
    • Enable IIS and SNMP
    • Install Microsoft SQL Server 2005. Set a simple password. Ensure this is running on port 1433 (netstat -ano)
  • * Metasploitable:
  • * Windows Server 2008:
    • IP: 192.168.200.6
    • Install Directory Services
    • Enable DHCP, DNS, FTP
    • Firewall/Automatic Updates to be Enabled
  • * Ultimate LAMP:
    • IP: 192.168.200.7
    • Ultimate LAMP runs Apache, MySQL, PostFIX, and older versions of other services
PenTestLab

PenTestLab Network

Note:

* While networking the systems, ensure the VMs on Box 2 is reachable from Box 1, and all traffic is being monitored by the iptables and Snort.
* Secure both the boxes if connecting to the Internet. It is the VMs which are vulnerable, the host machines should be secured before connecting to the Internet.
* Enable some simple routes to make the BT5 on Box 1 to reach the VMs on Box 2 and vice versa. I leave this as a home-work.
* Ensure no sensitive/personal information is stored on either of the Boxes. This is a testing environment.

Available Resources:

Security is my birth right, via open source I will have it !

Ascending one step in the Maslow’s hierarchy when we go beyond the basic needs, we reach at the second step which entails security as the next basic need of mankind. But when it comes to business, security is the privilege of a few. Much of this is attributed to the cost incurred for securing an enterprise. At the same time, the technologies for implementing security are progressing by leaps and bounds. This kind of results in a vicious circle, especially for the small and medium industries.

Last year, during my summers I came across this concept of a Security Operations Center (SOC) and how it contributes towards securing an organization’s information boundaries, if implemented properly. Then I found a wonderful paper from SANS about log management and its relevance in a SOC [1]. There were a few commercial and open source tools listed here and there for setting up a SOC. OSSIM is the undoubted choice in open source software. It contains a combination of few wonderful open source tools which can aid in Incident Management. But one big gap which I as a management student felt in these open source tools was lack of compliance specific reporting capabilities. Compliance being one the major drivers for security, can prove to be a boon if introduced in the open source world. It can also help SMEs in cutting the cost of abiding by the mandatory compliances.

This chain of thoughts motivated me to combine the processes taking place within a SOC with open source tools which can help carry out these processes. And further I mapped these processes with a few compliances I knew at that time. I ignored a few factors like skills required to run these open source tools, cost of support and maintenance etc. These factors would surely add to the Total Cost of Ownership (TCO) if implemented in real, but for the sake of theoretical simplicity I’ve ignored them for a while.

The final sheet prepared, contains FIPS (Federal Information Processing Standards) domains as the classification criteria for the SOC processes. Open source tools (if any) to fulfil the process requirements have been listed alongwith the process. Finally these processes have been mapped with the following compliances/standards/frameworks:

1. ISO 27001 & 27005
2. GLBA
3. PCI-DSS
4. FISMA
5. HIPAA
6. COBIT

An overview of the mapping can be taken here: SOC_process_tool_compliance

Although I’ve tried to compile the list with the best of my knowledge, there’s still a lot of scope for correction. I’d be looking forward for reader’s comment on the same.

PS: Metasploit Pro is now coming with compliance capabilities. Hope they soon introduce the feature in open source version as well.

REFERENCES:

[1] NIST SP 800-92: Guide to Computer Security Log Management

Notepad Reverse engineering …

The bug of curiosity struck me again … and this time it was for reverse engineering, so got in depth of it. Started out with reverse engineering of a simple application like notepad.exe.

The tools used by me to reverse out notepad.exe are Ollydbg 1.10 and simple notepad.exe of windows XP (x86 architecture) as the notepad of 64 bit is not supported by Olly 1.10

The thing that I got into was injecting code to Notepad which would result to simple popping up of a message box stating that ‘Your System is Owned’.

The first feel when I opened notepad in Olly was WOW, I’m to learn Greek now, as I got some thing like this:

Then I started with all the commands and operation of assembly. I was fascinated and started getting my hands dirty with it. So first point of attack was the code caves. It’s a block of assembly code filled with DB OO value where in not much value adding task is done so we can inject code on to it.

Take any part of the Code cave and select multiple lines of code and right click it and go to binary edit and write down any message that you wanna type down. Then do Ctrl+A to reassemble code.

Second point of attack was to insert the code which calls the Text and displays it using message box. This part can be used to inject malicious code or plant a backdoor on to the exe. The code that is being appended is displayed in the picture below.

Third  point of attack was to add the JMP pointer to the injected code at the starting of the application or to a specific function.  In this case used it at the starting of the exe.

Now copy all the modifications and a new set of ASM code would be generated. Save the new exe and when it runs it would pop up the message box before running…

Adios

Elliptic Curve Cryptography – Generation of Domain Parameters

“The transistor density of integrated circuits doubles every 2 years” – Gordon Moore

Let’s contemplate upon what Moore said. We live in a world where new advancements happen every fraction of second. Given the increase in processing power of the modern day computers and their successors, even unnerving problems can be solved in a matter of minutes. But on the other hand the same processing power has left many cryptographic algorithms – OBSOLETE.

Recently I came across the need of securing data in transit and storage by employing such a cryptographic algorithm which has no freely floating hacks. Since brute forcing is an answer to solve all kinds of cryptographic problems, the sole hope rests on making it computationally infeasible (in cryptographic terms). After breaking our heads on it for 2 days we came across Elliptic Curve Cryptography. The algorithm being relatively newer isn’t much in practice nor has any known mathematical attack (as of my writing Certicom has come out with one [1]). Further a key length of 160-bit in ECC is considered equivalent to 1024-bit in RSA.

I found an open source Java implementation of the algorithm on Sourceforge [2]. Free lunch! But alas it generated only static keys. So, I had to go through the entire process of generating the ‘Domain Parameters’ of ECC thereby causing a new key to be generated each time a new communication is initiated. Now there’s a whole lot of math involved (obviously) in ECC so I’ll discuss just a few major conditions which must be met while implementation. I worked only on the domain parameters for Prime Field as it was alone enough to overwhelm me. :D

Let’s start off with the equation for prime field and its variables:

y2 mod p =  x3 + ax + b mod p

  • a, b are such that 4a3 + 27b2 mod p ≠ 0 and p is a huge prime number.

For generating p one can either use the premade function getFieldSize( ) or use the Big Integer class to generate very large primes.

Now the values of a & b should be chosen so that the expression doesn’t result in 0 after the entire calculation is done. These values can also be made to generate automatically with any custom built algorithm. For eg. a can be 1/kth part of p while b can be 1/lth part of p, where k and l are so chosen that 4a3>0 and 27b2 > p.

  • Order of the ellipse is represented by n.
  • G is the generator point (xG, yG) on the elliptic curve chosen for cryptographic purposes.

  • The cofactor, h = E(Fp)/n, where E(Fp) is the number of points on the elliptical curve.

Now what about h? How do we go on calculating the number of point on the curve? There are quite a number of algorithms for that too. But talking of open source and simplicity these two can be used [3]:

  1. Naive approach
  2. Baby step giant step method

Once h is calculated check whether it satisfies the criterion: h <= 4 & h = [(√p + 1)2/n]

There are a lot more conditions to be satisfied, but they are already being taken care by the open source implementation. Once the domain parameters are generated dynamically the entire process of generation of keys becomes automatic. In ECC:

  • Private key = any random number
  • Public key = Private key X (Generator point, G)

The generator point can be any point lying on the curve. Since, we’ve already found out which all points lie on the curve using the naïve approach, we can select one of them for our purpose

Okay, I hear people heaving a sigh of relief there. I agree it’s seemingly complex but that’s the beauty of cryptography, isn’t it? :)

REFERENCES:

[1] http://sourceforge.net/projects/jecc/

[2] https://www.certicom.com/index.php?action=company,press_archive&view=307

[3] http://en.wikipedia.org/wiki/Counting_points_on_elliptic_curves

Firing the Anti Virus …

Below is a recount of a small, simple and a sweet hack done on a network. Even when they had a firewall installed and used to monitor the network regularly, the hack could take place!

Scene : Target compromised through a User Account having default password. Thanks to Social Engineering :D

Cast: Batman and the Joker (The compromised User Account). But the Joker is just an normal employee, not a top manager! Would be difficult to get escalated! (Attacker = Batman, Attacked = Joker)

Motive : Batman wants to plant a Key logger in to the target, but the bloody anti virus detects it as a virus and is deletes it!

Flashback:
Joker: Hey dude, what doing man? Are you free for a few minutes? This f*****g internet doesnt work on my system!! Batman: yeah, let me see. (after a few minutes) You seem to have entered the wrong credentials for the cyberoam! Whats your username …?
Joker: abcdefgh
Batman: … and your password?
Joker: sorry sir, cant give it! (he enters the password)
(Batman then clicks “login” and firefox pops up a message to save the password. Batman saves the password using the keyboard shortcuts w/o Joker knowing!)

To make the long story short, Batman is able to find out the password of Anil for the Cyberoam through the firefox saved password list! It seemed to be a default password set for all the users!!

Present: Batman is still trying to access the drives of the target system to deploy the key logger! No drives are shared and no simple passwords work; tried out all possible combination.

He then remembers the password Anil entered for Cyberoam and it works!! He is able to get into the system and access all the drives and files! Then another idea struck him. He tried the same password for the Admin account; and guess what, it worked too!! Awesome!

Now, the only thing to be done is to install a key logger. No other hacks to be done, strictly; we are good people :P. But, to his dismay, he finds out that a Symantec Anti Virus is installed which is deleting the key logger (bloody, all free key loggers are detected by the anti virus!!) Idea! Go to the Symantec drive and delete all the Symantec anti virus files (other than the ones in use) and your work is done!!! This was really surprising at that time that a high fundu security tool like Symantec could be shut down just by deleting its files!!

Restarted the system using the command “shutdown -r -t 01” (look up the man page). As was expected, Symantec did not run since there were no supporting files/dlls! Using the psexec command from the “pstools“, the key logger was installed remotely, after which a restart was required, which was easily done! Through this we got hold of a lot of sensitive information.

Through this, I was convinced that a successful hack does not require the use of any vulnerability assessment tool or any high fundu tools/scanners; that Social Engineering/Shoulder Surfing/etc is pretty simple and can mar the effect of the best of the networks and learnt one more way of bypassing firewalls.

The biggest learning from this project was about the Anti Virus. A tool which was supposed to safeguard us is vulnerable in such a simple way! The Anti Virus guys could any day afford to add a File Integrity Monitor!! As a friend said “So much so for companies that supposedly pour millions of dollars into R & D!!!

Using Visualization in security…

Visualization as mentioned is the art of ploting any complex series of events on to simple graph for ease of understanding.

Taking the concept of Visualization on to Information security where complex structures of exploits,  malaware,  traffic of bot-nets etc. can be mapped to simple and comprehendable graphs. Looking it from the other perspective Security visualization could be used for to make business sense like for making threat maps for an organization as a part of VA and executing them in the Pen-test or making a tree map for various compliance. On the lighter and practical side these methods could be used to ease down the burden of reporting.

Recently when I was working on a project of nepenthesfe I stumbled upon afterglow a perl based tool afterglow to make graphs from CSV files (using some tweek up ) and to my daze i found it can take in any sort of data let it be pcap files (in CSV form) to binaries or even logs and convert the output to the mapped link-graph.It firstly creates a .dot file which can be used to convert to jpg or png file using graphviz. And using graphviz u can create various types of layout namely twopi, circo, dot and neato. Ya all sound greek/ geek.

Firstly i started out making simple bash based script to test making some simple graphs but later while goin in depth of the rabbit hole, I found that a simple tcpdump can be used to generate graph based on variour parameters like source, dest, port, count, traffic, usage etc etc (using the simple play of regex). But as the rabbit hole of afterglow grew more  deeper i found that it would be easier to find unique attack vectors for a log analysis and detailed mapping of logs is possible based on count.  Lastly the most amazing one was use of pefile to convert a detials of binary to csv file and then make a map of the binary. Moreover afterglow structure can be modified just by changing the colors.properties file based on the type of input required.

And all this using just one single command.

cat csvfile.csv | perl /pathtoafterglow/afterglow.pl | neato -Tjpg -o outputfile.jpg

( Provided the csv file has valid data )

(have been tested on Ubuntu with graphiz package as a preqreuisite)

Adios for now as getting my head on Treemap (JAVA my nightmare )

Follow

Get every new post delivered to your Inbox.