SpiderLabs Anterior: Penetration Testing

Penetration Testing

17 January 2013

Defeating AES without a PhD

“Cryptography is typically bypassed, not penetrated.” – Adi Shamir

FAITH IN THE ARCANE

When I tell a developer that I broke their cryptosystem, there’s usually a pregnant pause in the conversation where they take it in, like a young child being shown a magic trick. As the initial wonder passes, though, they are not usually elated.

“I thought AES was safe. What should I use instead?”

Sorry, but AES isn’t the issue. AES, despite its very minor known flaws, isn’t considered unsafe as of this writing. 6-inch thick steel walls are difficult to break through, but that’s not generally how you get past steel walls. One goes around, under, above them, not through.

Continue reading "Defeating AES without a PhD" »

Posted by Dan Crowley on 17 January 2013 at 15:40 in Application Security, Cryptography, Penetration Testing | Permalink | Comments (0)

30 December 2012

Teaching Security Self-Defense

My background in IT comes mostly from a nomadic perspective. In my years of IT and InfoSec, I've had the makings of a career consultant - different client each week, different city, different nature of work. It's been a long and diverse journey, and I've loved just about every minute of it. I wake up every day and say "hey, I get to be a pretend bad guy and get paid for it!"

Some things are consistent, however, and I'm not talking about the flight delays or lost luggage - your most common adversary is a network run by an IT team. Most of the time that team is a wonderful, hard-working group of people, many of whom are forced to wear a number of hats on a daily basis to keep the clocks turning, the network up, and the users working. Of those hats, the most conspicuously absent is that of Offensive Security.

Continue reading "Teaching Security Self-Defense" »

Posted by Barry on 30 December 2012 at 21:10 in Payment Card Industry, Penetration Testing | Permalink | Comments (0)

19 December 2012

Fraud, Passwords, and Pwnage on the Interwebz

This past weekend I was lucky enough to attend Microsoft’s BlueHat Conference in Redmond WA and Security B-Sides Seattle. The combination of some of those talks succeeded in keeping some persistent issues alive in the hopes of finding a solution. We live in a world dominated by the Internet and rapidly changing technology. Most people regularly use at least some form of social media online whether it’s Facebook, Twitter, Reddit, etc., and it’s accessed and updated from a home computer, tablet device, or smartphone. And while the Information Security world is far more cognizant of what transpires online your average user really isn’t. And it’s sad to think they either don’t care, or have a “it will never happen to me” attitude. I’m not sure how much of my online life is made up of paranoia, anti-social behavior, or just that I feel what I do is none of anyone’s business but my own. I don’t have a real Facebook account, I have a “sock puppet” account. I have a twitter account, but if you look at it, it’s all angry rants. I try to minimize my web footprint as much as possible, but I love my email accounts. Yes, that’s right -plural. All are different user names, with different email services. Each is associated with various logins to different services on the Internet. So what about the average user?

Continue reading "Fraud, Passwords, and Pwnage on the Interwebz" »

Posted by Theresa on 19 December 2012 at 12:16 in Conferences, Passwords, Penetration Testing, Phishing, Physical Security, SpiderLabs News | Permalink | Comments (0)

14 December 2012

PCAP Files Are Great Arn't They??

One of the most important skills in anyone's armory responsible for looking after the security of a corporation's networks should be how to analyze network capture files (PCAP files) obtained from sniffers. Putting a sniffer on the network can not only help you investigate network issues, but also give you a great insight into the "unseeable" security vulnerabilities that are occurring on a daily basis.

This is probably one of the cheapest security tools you can use on the network, as it’s free, and can find a multitude of potential issues. This being the case, it is also one of the easiest attack vectors an attacker or disgruntled employee can use on your internal network to extract data, and not get noticed.

Continue reading "PCAP Files Are Great Arn't They??" »

Posted by David Kirkpatrick on 14 December 2012 at 20:25 in Penetration Testing, Tools | Permalink | Comments (0)

You down with LNK?

Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn't have local admin anywhere, it wasn't a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

The idea here is that we can create a random shortcut file that goes nowhere, but pulls its icon image from a remote share. When a domain user visits the marketing share with the malicious LNK file in it, Windows tries to load up all the pretty icons for the files on the share. In our case, Windows tries to grab the icon for our malicious LNK file, sees that it's on another share, and attempts to auth to the remote share to get the icon file. That remote share just so happens to be our rogue SMB server (running static challenges for Rainbow Tables goodness, of course).

Lets get to work.

Continue reading "You down with LNK?" »

Posted by Nathan Drier on 14 December 2012 at 20:23 in Penetration Testing | Permalink | Comments (0)

12 December 2012

Abusing SAP Servers

During some recent penetration tests I have noticed that large companies have many similarities in their IT infrastructures. One of the things that caught my attention was that quite a few of these companies have SAP systems on their networks.

Two years ago at the You Shot the Sheriff (YSTS) security conference in Brazil, I gave a speech on penetration testing SAP systems. This older research and the recent encounters with these types of systems have inspired me to do this blog post on the evolution of the techniques on executing penetration tests in SAP systems.

Continue reading "Abusing SAP Servers" »

Posted by Joaquim Espinhara da Silva Neto on 12 December 2012 at 19:07 in Penetration Testing, SAP | Permalink | Comments (1)

My 5 Top Ways to Escalate Privileges

During a penetration test, rarely will the tester get access to a system with the administrator privileges in the first attempt. You are almost always required to use privilege escalation techniques to achieve the penetration test goals.

Several people have extensively discussed this topic, instead I decided to mention my top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.

I do not specify the escalation path, but the techniques below will fit most cases. For example: from SYSTEM to domain account; from restricted domain account to SYSTEM/domain administrator; anonymous to system account; and so on.

Continue reading "My 5 Top Ways to Escalate Privileges" »

Posted by Bruno Oliveira on 12 December 2012 at 19:04 in Penetration Testing | Permalink | Comments (0)

11 December 2012

How to Hack and Not Get Caught

The following thoughts on internal network penetration strategies are drawn from "OPFOR 4Ever," which I'll be presenting later this week with my colleague Chris Pogue at Microsoft's BlueHat Security Conference.

Network penetration testers love to complain about the unrealistic scope restrictions that get placed on our work. "Please exclude these IP addresses." "Please only test between 1 and 5 AM Pacific Time." "Layer 2 attacks are out of scope." These are familiar refrains. But we have only ourselves to blame.

Our clients place these restrictions on our work because at some point in the past they got burned. A penetration tester locked out user accounts, created an accidental black hole in the network, or brought down a production server.

But isn't it ironic that blackhats bent on data theft so rarely cause system outages? Especially since modeling blackhat behavior is the inspiration behind penetration testing in the first place? Blackhats place a high priority on stealth, naturally. But notice that stealth implies safety. If we return to our roots -- modeling real attack scenarios involving stealth -- we get safety for free. By conducting safe tests, consistently, we can build confidence in our clients to see the artificial constraints as no longer necessary, and our tests will better model real-world risks.

This isn't just a pipe dream. I've been doing it.

Continue reading "How to Hack and Not Get Caught" »

Posted by Tim Maletic on 11 December 2012 at 08:24 in Conferences, Penetration Testing | Permalink | Comments (4)

08 December 2012

Class 101 - Automating the process of fingerprinting Web Applications and Identifying Vulnerabilities.

First of all, this blog post is not for Web Application experts, instead I will cover some basic tools and approaches for beginners.

There are tons of nice Web Applications Scanners, both commercial and free, each of them with pros and cons. For example, there are Web Application Scanners that offer a huge database of well-known vulnerabilities while others are good at crawling a website and fuzzing parameters to find a issues such as SQL Injection, XSS, LDAP Injection, Remote Code Execution, etc.

While running a Web Application Scanner against your target website may give good results, you may want to try fingerprinting technologies on your target website while using fewer requests for better identification of vulnerabilities. There are different tools for this task; one that I like is called WhatWeb (https://github.com/urbanadventurer/WhatWeb).

From "README" file:

"WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called 'stealthy', is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for in penetration tests.

Most WhatWeb plugins are thorough and recognize a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. '<meta name="generator" content="WordPress 2.6.5">', but a minority of WordPress websites remove this identifying tag but this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for "/wp-content/" within relative links.

Features:

Over 1500 plugins.
Control the trade off between speed/stealth and reliability.
Plugins include example URLs.
Performance tuning. Control how many websites to scan concurrently.
Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree,
RubyObject, MongoDB.
Proxy support including TOR.
Custom HTTP headers.
Basic HTTP authentication.
Control over webpage redirection.
Nmap-style IP ranges.
Fuzzy matching.
Result certainty awareness.
Custom plugins defined on the command line."

Let's see WhatWeb in action.

Wendel-Henriques-MacBook-Pro:whatweb-0.4.1 whenrique$ ./whatweb -v -a 4 http://www.TestingMyTargetWebSite.com
http://www.TestingMyTargetWebSite.com/ [200]
http://www.TestingMyTargetWebSite.com/images/468x60.gif [404]
http://www.TestingMyTargetWebSite.com/readme.html [200]
http://www.TestingMyTargetWebSite.com/wp-includes/js/tinymce/tiny_mce.js [200]
http://www.TestingMyTargetWebSite.com/wp-layout.css [404]
http://www.TestingMyTargetWebSite.com/wp-content/themes/twentyten/style.css [200]
<Several Requests>
<Several Requests>
<Several Requests>
http://www.TestingMyTargetWebSite.com/serendipity_editor.js [404]
http://www.TestingMyTargetWebSite.com/cgi-bin/scada-vis/index.cgi [404]
http://www.TestingMyTargetWebSite.com/favicon.ico [200]
http://www.TestingMyTargetWebSite.com [200]
Apache, Country[UNITED STATES][US], HTTPServer[Apache], IP[AAA.BBB.CCC.DDD], JQuery[1.7.1], Kordil-EDMS, Lightbox, Script[JavaScript,text/javascript], Title[My Target Website], WordPress[3.3.1], x-pingback[http://www.TestingMyTargetWebSite.com/xmlrpc.php]
URL    : http://www.TestingMyTargetWebSite.com
Status : 200
   Apache ---------------------------------------------------------------------
    Description: The Apache HTTP Server Project is an effort to develop and
                 maintain an open-source HTTP server for modern operating
                 systems including UNIX and Windows NT. The goal of this
                 project is to provide a secure, efficient and extensible
                 server that provides HTTP services in sync with the current
                 HTTP standards. - homepage: http://httpd.apache.org/

   Country --------------------------------------------------------------------
    Description: Shows the country the IPv4 address belongs to. This uses
                 the GeoIP IP2Country database from
                 http://software77.net/geo-ip/. Instructions on updating the
                 database are in the plugin comments.
    Module     : US
    String     : UNITED STATES

   HTTPServer -----------------------------------------------------------------
    Description: HTTP server header string. This plugin also attempts to
                 identify the operating system from the server header.
    String     : Apache (from server string)

   IP -------------------------------------------------------------------------
    Description: IP address of the target, if available.
    String     : AAA.BBB.CCC.DDD

   JQuery ---------------------------------------------------------------------
    Description: A fast, concise, JavaScript that simplifies how to traverse
                 HTML documents, handle events, perform animations, and add
                 AJAX. - Homepage: http://jquery.com/
    Version    : 1.7.1

   Kordil-EDMS ----------------------------------------------------------------
    Description: Kordil EDMS - Electronic Document Management System -
                 Homepage: http://www.kordil.com/

   Lightbox -------------------------------------------------------------------
    Description: Javascript for nice image popups

   Script ---------------------------------------------------------------------
    Description: This plugin detects instances of script HTML elements and
                 returns the script language/type.
    String     : JavaScript,text/javascript

   Title ----------------------------------------------------------------------
    Description: The HTML page title
    String     : My Target Website (from page title)

   WordPress ------------------------------------------------------------------
    Description: WordPress is an opensource blogging system commonly used as
                 a CMS. Homepage: http://www.wordpress.org/
    Version    : 3.3.1 (from md5 sums of files)
    Version    : 3.3.1

   x-pingback -----------------------------------------------------------------
    Description: A pingback is one of three types of linkbacks, methods for
                 Web authors to request notification when somebody links to
                 one of their documents. This enables authors to keep track
                 of who is linking to, or referring to their articles. Some
                 weblog software, such as Movable Type, Serendipity,
                 WordPress and Telligent Community, support automatic
                 pingbacks
    String     : http://www.TestingMyTargetWebSite.com/xmlrpc.php

Basically we instructed WhatWeb to test http://www.TestingMyTargetWebSite.com being verbose (-v) and aggression level set to heavy (-a 4). Please, consult the "README" file for more options and usage examples.

As demonstrated above, WhatWeb identified the Webserver, resolved the IP address and country where the system is hosted and most important, different technologies available. These available technologies are interesting because they may be vulnerable to a different set of attacks.

For example, WhatWeb identified that Kordil-EDMS is available, with a fast search at Google this potential vulnerability was found:

Title: Kordil EDMS 'Password' Parameter SQL Injection Vulnerability
Affected Script: http://www.TestingMyTargetWebSite.com/kordil/global_group_login.php
Ref.: http://www.securityfocus.com/bid/56823/exploit

Based on my experience, this Electronic Document Management System (Kordil EDMS) is not popular, consequently, even if the target website is not vulnerable to the potential issue found we could download a copy and audit it. Since this software is not popular, it's very unlikely that an expert audited it and consequently a different set of simple web attacks may exist.

Another example and probably the most interesting attack vector is WordPress being detected by WhatWeb. At this point we could look for a set of different potential issues in the exploit-db database, however, there is another nice and small tool called WPScan that can automate part of this process.

WPScan is a black box WordPress vulnerability scanner, let's see WPScan in action.

Wendel-Henriques-MacBook-Pro:WPScan whenrique$ ruby1.9 wpscan.rb --url http://www.TestingMyTargetWebSite.com --enumerate
____________________________________________________
__          _______   _____
\ \        / / __ \ / ____|
\ \ /\ / /| |__) | (___   ___ __ _ _ __
   \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
    \ /\ / | |     ____) | (__| (_| | | | |
     \/ \/   |_|    |_____/ \___|\__,_|_| |_| v2.0rNA

    WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.TestingMyTargetWebSite.com/
| Started on Thu Dec 6 10:46:25 2012

[+] The WordPress theme in use is ffh v1.1
[!] The WordPress 'http://www.TestingMyTargetWebSite.com/readme.html' file exists
[+] User registration is enabled
[+] WordPress version 3.4.2 identified from meta generator

[!] We have identified 1 vulnerabilities from the version number :

| * Title: WordPress 3.4.2 Cross Site Request Forgery
| * Reference: http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html

[+] Enumerating installed plugins (only vulnerable ones) ...

Checking for 304 total plugins... 100% complete.

[+] We found 4 plugins:

| Name: adrotate
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/adrotate/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/adrotate/readme.txt
|
| [!] AdRotate plugin <= 3.6.5 SQL Injection Vulnerability
| * Reference: http://unconciousmind.blogspot.com/2011/09/wordpress-adrotate-plugin-365-sql.html
|
| [!] AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
| * Reference: http://www.exploit-db.com/exploits/18114/

| Name: backwpup
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/backwpup/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/backwpup/readme.txt
|
| [!] BackWPUp 2.1.4 Code Execution
| * Reference: http://www.exploit-db.com/exploits/17987/
|
| [!] plugin BackWPup 1.5.2, 1.6.1, 1.7.1 Remote and Local Code Execution Vulnerability
| * Reference: http://osvdb.org/show/osvdb/71481

| Name: dynamic-widgets
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/dynamic-widgets/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/dynamic-widgets/readme.txt
|
| [!] Dynamic Widgets <= 1.5.1 Cross Site Scripting
| * Reference: http://packetstormsecurity.org/files/112706/

| Name: relevanssi
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/relevanssi/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/relevanssi/readme.txt
|
| [!] Relevanssi 2.7.2 Stored XSS Vulnerability
| * Reference: http://www.exploit-db.com/exploits/16233/

[+] Enumerating installed themes (only vulnerable ones) ...

Checking for 137 total themes... 100% complete.

[+] We found 1 themes:

| Name: unite
| Location: http://www.TestingMyTargetWebSite.com/wp-content/themes/unite/
|
| [!] XSS vulnerability in Parallelus premium WordPress themes
| * Reference: http://jannefi.blogspot.fi/2012/10/xss-vulnerability-in-parallelus-premium.html

[+] Enumerating timthumb files ...

Checking for 1561 total timthumbs... 100% complete.
No timthumb files found :(

[+] Enumerating usernames ...

[+] We found the following 4 username/s :

| id: 1 | name: admin       | nickname: empty
| id: 2 | name: backup      | nickname: backup admin
| id: 3 | name: asmith      | nickname: empty
| id: 4 | name: test        | nickname: empty

[+] Finished at Thu Dec 6 10:58:51 2012
[+] Elapsed time: 00:12:26

Basically we instructed WPScan to test http://www.TestingMyTargetWebSite.com (--url) and to run all enumeration tools (--enumerate). Please, consult the "README" file for more options and usage examples.

As demonstrated above, WPScan identified:

The theme available and a potential vulnerability.
Fingerprinted the WordPress version and identified one CSRF vulnerability within WordPress.
Tested for available plugins and listed several potential vulnerabilities.
Finally, 4 usernames were enumerated allowing brute-force attacks.

There are tons of other options, but the goal of this blog post is not to exhaust them all. I hope that readers that are beginners with Web Application Security could understand how important is to fingerprint available technologies and how they could be used to compromise a target website.

Posted by Wendel Guglielmetti Henrique on 08 December 2012 at 07:39 in Application Security, Penetration Testing | Permalink | Comments (1)

06 December 2012

CCCDC Blue Teams vs Corporate Blue Team Comparision

This weekend was the Community College Cyber Defense competition at Iowa State University. I had the opportunity to be on the Red Team and as it was my first time to participate on the Red Team as part of one of these competitions, I was eager to see how the Blue Team’s defense compared to what we see in industry.

The scenario for the event was a common one that we see in industry all the time. Each team was given an already existing server that was running a number of services on it. Each team was to be part of a rejuvenated security program whose task it was to implement proper security policy on the systems and secure the data. These students had a hefty budget where they could implement new servers, upgrade systems, and harden configurations in order to protect their systems from compromise by the Red Team.

What we found when we started assessing the systems was fairly representative of what we see in corporate security. The teams broke down into three distinct groups. The first group of teams had done basic hardening, but software wasn’t upgraded and there wasn’t a lot of additional hardening put in place. The second group had patched all their operating systems, but the software running on the machines still had flaws. The third group spent time and did a better job engineering their environment, moving from older software to the latest version, ensuring all software was patched, and deploying OS hardening beyond what was default out of the box.

The results from the competition reflected what would be expected, the teams that went above and beyond with their hardening and architected security into their environment faired the best. Even though the Red Team had valid credentials for systems in the environment, the target data couldn’t be compromised, and by the end of the game, two teams had created environments that remained uncompromised by the end of the competition.

Continue reading "CCCDC Blue Teams vs Corporate Blue Team Comparision" »

Posted by Ryan Linn on 06 December 2012 at 10:53 in CTF, Penetration Testing | Permalink | Comments (1)

SpiderLabs Anterior

Official Blog of Trustwave's SpiderLabs - SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.

Search

Categories

Security Advisories

Trustwave Press Releases