Saturday, April 21, 2007
My Last Post on Security Stuffs
To all my dearest and loyal readers, I am sad to say that this might be the last post I make here regarding network security or web security. Why? Because I am off to something even more exciting and challenging. These two months of blogging have been really great, with a vast amount of knowledge exchanged with the community. It has been a short yet fruitful journey for me, and thank you all for the support and emails you gave me. I can only say sorry here, because I will not have the time to blog much on security again. Instead, something big and exciting is waiting ahead for me to accomplish. Nevertheless, you can still email me regarding security issues you have. I will try to respond fast. Once again, thank you.
Wednesday, April 18, 2007
Windows Vista Forensics
I was reading articles and happened to stumble on a Microsoft Vista forensics article. In it, Jamie Morris from Forensic Focus shares his view on Vista forensics and several new Vista features. I think Microsoft is really picking up on security these days compared to the past, and their response to security incidents is fast. Yes, you can argue that Vista is hacked and it is not secure, but still, which software doesn't have bugs? Most importantly, they always release patches fast after an exploit has been discovered, allowing end users like us to update. Linux is powerful and has improved a lot over the years, but still I would prefer to use Microsoft as my main OS and Linux as a VMware image. Why? Because I think Bill Gates is great. I give this man my full support, 100%. Without Bill, you wouldn't have a great OS like Windows to start your computer knowledge with. Well, this is just my point of view, but you can argue.
Tuesday, April 17, 2007
Tactical VoIP Toolkit Released
Guys, if you are into VoIP auditing, the Grugq has finally released his long-awaited Tactical VoIP Toolkit. I was using this tool at HiTB when he first released it to the students attending his training. It is written in Python and, best of all, it is customizable: you can write your own VoIP security tools on top of the toolkit, which makes it very portable and flexible in terms of what it can do. Currently there are only siping and ravage, but that is sufficient to perform a basic audit and analysis.
"The Tactical VoIP Toolkit (TacVTK) is a collection of tools designed specifically for VoIP security assessment. The TacVTK's functionality will expand in as new tools are developed and integrated."
Please visit the Grugq's site at http://www.tacticalvoip.com to download this free and powerful tool. Hey Grugq, big ups to you. :)
Monday, April 16, 2007
Wapiti and proxmon
I was posting on Rsnake's forum about the web penetration testing tools most web application pentesters use. For me, I only use WebScarab, the XSS cheat sheet from Rsnake, Wikto and Firefox add-ons like Tamper Data and Live HTTP Headers for my testing. These tools are good enough for me to get the job done most of the time. Sometimes it depends on how far I actually want to break into systems during a test. If the application shows a lot of vulnerabilities during a simple scan, 'nuff said: please patch your system. If instead the application is robust, I am very determined to dig in further to uncover flaws.
The other night, Jeremiah posted a topic, "Vulnerability Assessment, When do we stop looking?", and I commented that if the application is vulnerable to simple scans, then it is not worth digging in further, whereas if the application is robust, it is worth every single effort to explore for more flaws. And when do we stop? It all depends on how likely you think it is that the application still has serious vulnerabilities. As I was commenting on his blog, I was thinking of a tool that could simplify my auditing process, and I happened to read jungsonn's comment. He recommended a very useful tool that I am going to test once I finish my project over here. Yes, it's hectic here, and sorry for the lack of updates. Here is a short excerpt of what it detects.
Wapiti:
* File Handling Errors (Local and remote include/require, fopen, readfile…)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passthru()…)
* CRLF Injection (HTTP Response Splitting, session fixation…)
I managed to test it a little and it seems to be a good tool to use, and best of all, it's open source, which means it is free! You will need Python to use this tool. More can be found here: http://wapiti.sourceforge.net
As I was playing around with his tool, I was thinking about Black Hat. I wanted to see the latest exploits security researchers had found, and I stumbled across another web application pentesting tool: ProxMon. It was written by Jonathan Wilkins and he presented it at Black Hat Europe 2007, so I guess it wouldn't be a bad tool to use. Note that ProxMon is passive: it reads the conversations your proxy (WebScarab here) already recorded and correlates them, so it never sends a request of its own. A sample of the tool's output is shown below:
[*] starting ProxMon v1.0.15 (http://www.isecpartners.com)
[*] Copyright (C) 2007, Jonathan Wilkins, iSEC Partners Inc.
[*] Proxmon comes with ABSOLUTELY NO WARRANTY;
[*] This is free software, and you are welcome to redistribute it
[*] under certain conditions; see accompanying file LICENSE for
[*] details on warranty and redistribution details.
[*] Loading support for: WebScarab
[*] Loading Checks ...
- Find interesting comments
- Find cookie values that also are sent on the query string
- Find HTTP Basic or Digest Authentication usage
- Identify frameworks and scripts in use by server
- Find dangerous functions in JavaScript code
- Find offsite redirects
- Find cookies with the secure flag that also get sent cleartext
- Find values set over SSL that later go cleartext
- Find values sent to other domains
- Find common undesirable directories
- Find files that indicate common vulnerabilities
- Find directories that allow directory listing
- Find SSL server configuration issues
- Find directories writable via PUT
[*] 14 checks loaded
[*] Finding available sessions ...
[*] Processing session test/webscarab in test
[*] Running in monitor mode
[*] Monitoring test/webscarab
[*] Parsing existing conversations ...
[*] Interesting comment: XXX in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: bug in http://www.bitland.net:80/ (TIDs: 532)
[*] Interesting comment: TODO in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: ??? in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: !!! in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Cookie value seen on QS: secret1 (Secure, SSL) (TIDs: 16)
[*] Cookie value seen on QS: secret2 (Secure, SSL) (TIDs: 9)
[*] Digest auth seen: Authorization: Digest username='jwilkins', realm='scratchdigest', [snip ...] (TIDs: 34)
[*] Basic auth seen: Authorization: Basic andpbGtpbnM6YXNkZmFzZGY= (TIDs: 31, 32)
[*] IDed framework: scratch.bitland.net:80 is using PHP/5.2.1 (http://www.php.net) (TIDs: 35)
[*] IDed framework: www.isecpartners.com:80 is using YUI/1.2.3 (http://developer.yahoo.com/yui) (TIDs: 16)
[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:15 (TIDs: 35)
[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:16 (TIDs: 35)
[*] Secure cookie value sent clear: secret2 (TIDs: 7, 9)
[*] Secure cookie value sent clear: secret1 (TIDs: 16, 36)
[*] Value set over SSL sent clear: secret2 as secure2 (TIDs: 7)
[*] Value set over SSL sent clear: secret2 as bar (TIDs: 9)
[*] Value set over SSL sent clear: secret1 as foobar (TIDs: 16)
[*] Value set over SSL sent clear: secret1 as asdf (TIDs: 36)
[*] Value (secret1) sent to multiple domains: bitland.net (TIDs: 5, 6, 36)
[*] Value (secret1) sent to multiple domains: isecpartners.com (TIDs: 16)
[*] Bad directory found: /backup/ on scratch.bitland.net:80 (TIDs: 0)
[*] Bad file found: /environ.pl on scratch.bitland.net:80 (TIDs: 0)
[*] Listing of /listable/ on scratch.bitland.net:80 succeeded (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: aNULL null cipher (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: Export strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: 40 bit Export strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: Low strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: SSLv2 protocol (TIDs: 0)
[*] Upload to /put/ on scratch.bitland.net:80 succeeded (TIDs: 0)
[*] Parsed 38 existing conversations
[*] Session is not active, no point in monitoring
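To make the passive checks in that output concrete, here is an added example (my own code, written for this page, not ProxMon's) that runs three of them over a handful of constructed proxy conversations: a Secure cookie whose value later travels in a plain-http request under another name, a cookie value that is repeated on the query string, and Basic authentication with the username decoded. The Conversation class, the hosts shop.example and intranet.example, the cookie names and the values are all invented for the example; ProxMon's real input is a recorded WebScarab session.

```python
import base64
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Conversation:
    """One proxied request/response pair (a 'TID' in the ProxMon output above)."""
    tid: int
    url: str
    request_headers: dict   # header name -> value
    response_headers: list  # (name, value) pairs, since Set-Cookie may repeat


def is_https(url):
    return urlsplit(url).scheme == "https"


def request_cookies(conv):
    """Cookie name -> value from the request's Cookie header."""
    jar = SimpleCookie()
    jar.load(conv.request_headers.get("Cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def request_values(conv):
    """(where, value) for every value a request carries in the parts a proxy
    (or anyone on the wire, if it is plain http) can read: cookies and query."""
    out = [("cookie:" + k, v) for k, v in request_cookies(conv).items()]
    out += [("query:" + k, v) for k, v in parse_qsl(urlsplit(conv.url).query)]
    return out


def secure_cookies_set(convs):
    """Cookies a server set with the Secure flag: name -> value."""
    found = {}
    for c in convs:
        for hname, hval in c.response_headers:
            if hname.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(hval)
            for name, morsel in jar.items():
                if morsel["secure"]:
                    found[name] = morsel.value
    return found


def check_secure_cookie_sent_clear(convs):
    """'Cookies with the secure flag that also get sent cleartext' / 'values set
    over SSL that later go cleartext': a Secure cookie's value reappearing, under
    any name, in a plain-http request. Returns {cookie: [(tid, where), ...]}."""
    secure = secure_cookies_set(convs)
    hits = {}
    for c in convs:
        if is_https(c.url):
            continue
        for where, value in request_values(c):
            for name, secret in secure.items():
                if value == secret:
                    hits.setdefault(name, []).append((c.tid, where))
    return hits


def check_cookie_value_on_querystring(convs):
    """'Cookie values that also are sent on the query string': the same value in
    the Cookie header and in the URL, where it lands in logs and Referer headers."""
    hits = {}
    for c in convs:
        qs_values = {v for _, v in parse_qsl(urlsplit(c.url).query)}
        for name, value in request_cookies(c).items():
            if value and value in qs_values:
                hits.setdefault(name, []).append(c.tid)
    return hits


def check_basic_auth(convs):
    """'HTTP Basic ... Authentication usage': decode the username so the tester
    sees what the proxy saw. Returns [(tid, username, over_tls), ...]."""
    hits = []
    for c in convs:
        auth = c.request_headers.get("Authorization", "")
        if not auth.lower().startswith("basic "):
            continue
        try:
            user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError
            user = "?"
        hits.append((c.tid, user, is_https(c.url)))
    return hits


# Constructed sample session: hosts, cookie names and values are invented.
SAMPLE = [
    Conversation(1, "https://shop.example/login", {},
                 [("Set-Cookie", "sid=7f3a9c1e; Secure; Path=/"),
                  ("Set-Cookie", "pref=blue; Path=/")]),
    Conversation(2, "http://shop.example/img/logo.png",  # plain http
                 {"Cookie": "legacy_sid=7f3a9c1e; pref=blue"}, []),
    Conversation(3, "https://shop.example/account?token=7f3a9c1e",
                 {"Cookie": "sid=7f3a9c1e"}, []),
    Conversation(4, "http://intranet.example/status",
                 {"Authorization": "Basic " + base64.b64encode(b"jdoe:hunter2").decode()}, []),
]


if __name__ == "__main__":
    for name, where in check_secure_cookie_sent_clear(SAMPLE).items():
        for tid, how in where:
            print(f"[*] Secure cookie value sent clear: {name} as {how} (TID: {tid})")
    for name, tids in check_cookie_value_on_querystring(SAMPLE).items():
        print(f"[*] Cookie value seen on QS: {name} (TIDs: {tids})")
    for tid, user, tls in check_basic_auth(SAMPLE):
        print(f"[*] Basic auth seen: user={user} over {'TLS' if tls else 'PLAINTEXT'} (TID: {tid})")
```

The value-based correlation is the point: the session id set as the Secure cookie sid in TID 1 is caught in TID 2 even though the application copied it into a different, non-Secure cookie, which is the same class of finding ProxMon reports as "Value set over SSL sent clear: secret2 as secure2". A check that only compared cookie names would miss it.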
Sunday, April 15, 2007
Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM Vulnerability
"Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Internetwork Operating System(IOS) or Catalyst Operating System (CatOS)."
More information can be found here:
http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml
"NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker may obtain complete control of the Catalyst system."
Friday, April 13, 2007
Cisco PIX PFM plaintext password revealed
For those who use PIX Firewall Manager (PFM) to configure and manage your firewall, you are at risk of your firewall password being obtained by an intruder or an insider. Why? Because after the PFM software makes an initial connection to the PIX Firewall, the administrative password is stored in plaintext on the local management workstation. I am not sure exactly where it is stored, but it might be in the registry, or you can search the PFM installation directory for log or text files; it might be inside those. To avoid this, Cisco recommends using PIX Device Manager (PDM) instead. For me, I never use PDM or PFM to configure the firewall; the IOS itself is good enough for me. Also, always log off your PC after you have finished using it. The default usernames and passwords for PFM are shown below:
Administrator username: pixadmin
Administrator password: cisco
Normal user username: pixuser
Normal user password: cisco
Change your default user accounts to avoid compromisation.
Thursday, April 12, 2007
NACAttack BlackHat Europe 2007
Last night I blogged about the possibility of a NAC attack. Today, I found out that this had already been presented. OK, I know I am slow in catching up, but the two German researchers managed to spoof the posture validation between the Cisco Trust Agent and the Cisco ACS (Access Control Server), and so gain access to the network even if the endpoint is not compliant with the posture validation checks. To download the presentation and whitepaper, go to: http://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html#eu
Wednesday, April 11, 2007
Hacking Cisco NAC - NACATTACK
Dror-John Roecher and Michael Thumann were able to hack the Cisco NAC solution by exploiting a fundamental design flaw. In this video they illustrate how they worked towards this discovery and give some exploit details. It is not their intention to simply release a tool; they want the audience to understand how Cisco NAC works and why it is not as secure as Cisco wants us to believe.
Tuesday, April 10, 2007
Defeating Evil Twin
The other day I was discussing with thrill how to detect and defeat an Evil Twin, and what the best options are besides relying on WEP or WPA. For folks who still don't know, WEP can be broken outright and WPA-PSK falls to a dictionary attack on a weak passphrase, so neither is considered secure on its own. Check my previous post and you will find the tools needed to break those keys. Apparently it boils down to two options, but I will let you decide which one is more secure.
Thrill suggested placing an Access Point in the DMZ and giving it a private IP. A VPN server would also need to be set up in the DMZ, listening for clients who want to connect through the AP and use the wireless service. That way, an attacker who sets up an Evil Twin gains nothing: every client has to bring up a VPN tunnel to the VPN server before any surfing can continue, so the twin sees only encrypted traffic and, as long as the client verifies the server's certificate, cannot impersonate the VPN server either. This has several advantages and disadvantages, depending on how you look at it. The first advantage is that all traffic is encrypted, because it is tunneled through the VPN server before going out to the Internet. Second, the SSID can be broadcast and no WEP/WPA security is needed; of course, if you are paranoid, you can add a WPA key as well. Third, it defeats most Evil Twin attacks. Below is a diagram which depicts the whole scenario.

According to thrill, it is not necessary to implement a DMZ. It could be an extra network card on the VPN server, with only the server itself and the AP connected to it. Thrill wrote: "The trick is to not allow routing through this interface, and to set up a VPN server on that machine listening ONLY on that interface. And maybe a DHCP server on that interface as well. This is how this network becomes secure, and someone setting up an Evil Twin wouldn't be able to duplicate it. And even if they did, the VPN client can be set up to authenticate a server-side certificate easily enough." I won't say this is 100% secure, but it is the best solution he can think of, and I agree that it is a good solution. The downside of this setup is that every user needs to install the OpenVPN client software on their machine and needs to be told about the setup. That's a hassle.
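As an added example of thrill's "listen only on that interface" setup (my own configuration, not thrill's or the post's), here is a matching OpenVPN server and client configuration. The addresses (10.99.0.1 on the NIC the AP hangs off, the 10.8.0.0/24 tunnel pool), the certificate file names and the gateway's certificate name wifi-gw are assumptions.

```conf
# --- /etc/openvpn/wifi-gw.conf (server side; all names and addresses assumed) ---
# Bind ONLY to the address of the NIC the AP is plugged into, so the VPN
# endpoint is unreachable from the wired LAN or the Internet. A DHCP server
# on the same NIC hands wireless clients an address in 10.99.0.0/24.
local 10.99.0.1
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/wifi-gw.crt
key  /etc/openvpn/pki/wifi-gw.key
dh   /etc/openvpn/pki/dh2048.pem
# HMAC every control-channel packet with a pre-shared key: packets that are
# not signed with ta.key are dropped before any TLS work is done.
tls-auth /etc/openvpn/pki/ta.key 0
server 10.8.0.0 255.255.255.0
# Everything the client does, DNS included, goes through the tunnel; a twin
# that hands out its own resolver gets nothing to play with.
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# --- client.ovpn (laptop side) ---
client
dev tun
proto udp
remote 10.99.0.1 1194
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
# The Evil Twin defence: the server certificate must be issued by our CA,
# must carry the server extended key usage, and must be named wifi-gw.
remote-cert-tls server
verify-x509-name wifi-gw name
auth-nocache
```

The two client lines that actually beat the twin are remote-cert-tls server and verify-x509-name: an attacker who clones the SSID and runs his own OpenVPN server cannot finish the handshake even if he holds a valid client certificate of his own, because client certificates lack the server key usage and the name check pins the gateway. On the OpenVPN 2.0 releases current when this was written the equivalent of remote-cert-tls server was ns-cert-type server. The "no routing through this interface" part lives in the host firewall rather than in OpenVPN: on the AP-side NIC accept only DHCP and UDP/1194 addressed to the server itself, drop all forwarding from that NIC, and forward and NAT only what arrives on tun0.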
On the other hand, thrill also wrote: "Using 802.1X authentication along with a RADIUS server for logging in the user. Some of you may have already heard of the technology; it uses the Odyssey client by Funk Software, along with their Steel-Belted Radius. Using Cisco APs we were able to enable rotating WEP keys that were only given to the client if their certificate could be authenticated; once they were connected to the wireless network, they then needed to authenticate their user/password via the RADIUS server, which pointed to the LDAP portion of AD. The trick for rotating SSID/WEP keys is using a certificate to authenticate to the actual AP. The AP is set up to point to a RADIUS server which has the certificate on it; then the client sends the AP the supplication requesting the SSID/key, the AP forwards the request to the RADIUS server, which authenticates the certificate and sends an OK to the AP, who in turn sends the client the SSID/key to authenticate." Below depicts the scenario:

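For the 802.1X option, here is an added example (my own configuration, not thrill's; the Odyssey client is set up with the same pieces through its GUI) of a wpa_supplicant network block for EAP-TLS with dynamic WEP, in which the supplicant checks the RADIUS server's certificate before it accepts any key from the AP. The SSID corp-wlan, the identity, the certificate paths, the placeholder passphrase and the RADIUS server name radius.corp.example are assumptions.

```conf
# wpa_supplicant.conf fragment; every name and path below is assumed
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1

network={
    ssid="corp-wlan"
    scan_ssid=1
    # 802.1X with dynamic (rotating) WEP keys delivered after EAP success,
    # matching the Cisco AP setup described above. On current gear use
    # key_mgmt=WPA-EAP with pairwise=CCMP instead; the certificate checks
    # below stay exactly the same.
    key_mgmt=IEEE8021X
    eapol_flags=3
    eap=TLS
    identity="laptop42@corp.example"
    ca_cert="/etc/cert/corp-ca.pem"
    client_cert="/etc/cert/laptop42.pem"
    private_key="/etc/cert/laptop42.key"
    # placeholder passphrase for the example
    private_key_passwd="changeme"
    # Evil Twin defence: the RADIUS server reached through the AP must present
    # a certificate chaining to corp-ca.pem with this subject. A rogue AP that
    # fronts its own RADIUS cannot satisfy this, so the EAP-TLS handshake fails
    # before the client trusts any SSID/WEP key it is offered.
    subject_match="/CN=radius.corp.example"
}
```

Without ca_cert and subject_match the supplicant will happily complete TLS with whatever RADIUS server the AP forwards it to, and that is exactly the hole an Evil Twin with its own RADIUS exploits. The user/password stage thrill mentions happens afterwards, on the RADIUS server against AD, and does not appear in the supplicant configuration. Newer wpa_supplicant releases also offer domain_suffix_match, which is less brittle than matching the whole subject string.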
Whichever is better, if something becomes too hard to use or requires too many steps, most people will be lazy and not care about it. But then again, it all depends on how the organization wants to implement its systems. Just my opinion.
Monday, April 9, 2007
Rsnake and Jeremiah's new XSS book