Saturday, December 12, 2009

ASCII Chart

An ASCII chart comes in handy to me at times. So instead of searching for it when needed, I thought I should put it here. It might as well help someone else.




Thursday, December 10, 2009

Meterpreter Post Exploitation -> Setting up a Netcat backdoor.

Using Metasploit Meterpreter to modify target's registry and configure a persistent netcat listener.

Comments & feedback are Welcome.



Best Regards.

Installing Meterpreter as a Service VoD

Watch & learn how, post-exploitation, an attacker may choose to install Meterpreter as a service on the exploited host to ensure access at a later point in time.

Comments & feedback are Welcome.



Best Regards.

Meterpreter Post Exploitation -> Using ESPIA for Screen Capture

Using Meterpreter extension ESPIA post-exploitation to take screenshots of the victim's desktop.

Comments and feedback are Welcome.



Best Regards.

Metasploit Meterpreter Pivot VoD

Using Meterpreter to identify and attack a network that is not directly reachable, using an exploited host as a pivot.

Comments and feedback are Welcome.



Best Regards.

Monday, December 7, 2009

Meterpreter Pass the Hash VoD

Watch how Metasploit Meterpreter can be used to gain access to system hashes and re-use them for authentication without ever needing to crack the hash.

Comments and feedback are Welcome.




Best Regards.

Meterpreter Client-Side Exploitation VoD

Watch & learn Client-side exploitation using Metasploit Meterpreter.

Comments and feedback are Welcome.



Best Regards.

Indiscipline in Policy Enforcement -> Incidents.

Recently, I came across this post on DojoSec Blog:
http://blog.dojosec.com/2009/11/marcus-mailbag-policy-enforcement-and.html

For those who are not aware of DojoSec, I request you to know about them here -> DojoSec.

Marcus has shared his views on an email he received on the subject of Policy, Enforcement and Monitoring.

The email hits the right spot. But the observations are not really new. I believe the issue is more due to sheer indiscipline & laxity in the Top -> Down hierarchy.

The focus of mgmt & IT in *most* (but not all) organizations is to bring in a brand product, get it configured and let it wave its magic wand to ward off attempts by all evil entities against their corporate network.

The management likes to talk a lot about how much they have sanctioned for this new f/w or that IDS and that these devices better do their jobs. But they are the same mgmt guys who ask for (and get) unrestricted access for research purposes (whatever!) from the IT guys, ~off the record~ (we know what you've been researching about, pervs).

And it came as no surprise to me, when I managed an Enterprise Anti-Virus solution, that I'd see frequent calls about laptops showing errant behaviour or that li'l pop-up in the corner coming up every third day of the week.

So policy planning is one thing & enforcing it from top -> down is totally different. This must be worked down from the policy makers to the ground.

This does not imply in any case that IT admins are flawless. Minus the mgmt adherence to policy, things take shape accordingly in the IT dept as well. Seldom will you ~not~ find that one system in the corner under the desk which has its LAN port LED continuously blinking 24/7. I personally had come to know of one *large* organization where dedicated ~research~ boxes were kept & maintained in the datacenter, with SAN storage and a direct Internet connection without any restriction (not my organization, though).

I feel that at IT team levels, if the direction and adherence does not seep down from the mgmt, bypassing the protocols in place and overlooking policies becomes a thrill and an adventure. Not to mention the pride that comes with having control of the set up and being able to ~manage~ stuff. This can get *really* nasty; if you've been there, you'll know what I mean. I've been.

Hence, monitoring, rotation of duties, periodic auditing becomes essential to identify & rectify the broken processes. Which again should come as a result of osmosis from the management.

The issue is that such violations continue to occur within organizations, generally with the knowledge of managers, mgmt fellows etc. It is when an incident happens that everyone comes out of their trance and the blame game starts. Of course, the information assets are hit, the damage is done & someone, usually in the IT team, is going to bear its brunt, which sucks in its own way.

Not too far back, one *major* org was breached, and the network set up for that project was all 'wr mem'd. It was not a pentest, by any chance, you'd agree. It'd been a 'getting back at ya' moment which I can't share much about. This never came to light, given the whole network security team for that project was using pcAnywhere with weak passwords - from home, without any VPN!

Only when the blind, inherent belief in products - both commercial and open source - is shifted to the mentality of enforcing the policies first is it going to make a difference & control the scope of incidents and asset loss.

Best Regards.

Thursday, November 5, 2009

Change is the only constant.

"Change is the only constant."

There have been changes going on. Steady changes. In my life, at work, in my mind mazes, et al.

Positive Changes. For Good, to the Better.

I had been toying with the idea of putting my observations, experiences and analysis of life energy events on the web, out of the notepad. And have decided to share them on an individual space.


I welcome your comments and experiences as well.

Best Regards,
KG

Tuesday, August 18, 2009

SandCat v3.8 Released

About
Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization's web server to isolate vulnerabilities and identify security holes. The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.

New features in version 3.8
Improved JavaScript/AJAX Support - Sandcat's JavaScript emulator makes Sandcat behave as both Firefox and IE, simulating user interaction (such as key presses and mouse clicks), AJAX calls and more. This feature complements the JavaScript analysis feature available since Sandcat 3.0.

Multi-Layer Defense Evasion - Sandcat 3.8 attempts to detect and evade intrusion detection systems, web application firewalls, web honeypots and anti-XSS filters.

Multi-Thread Sessions (Pro version only) - Sandcat Session Launcher adds concurrent sessions support in Sandcat. Multiple host threads per session are also supported.

And more - A new, improved HTML parser, improved link detection, faster and more robust report generation, and many other enhancements greatly expand Sandcat's capabilities and make your life as a penetration tester a lot easier.

Download Free Release

Sunday, August 9, 2009

MonkeyFist v0.4 Released

Hexagon Security Group releases MonkeyFist, a dynamic Request Forgery attack tool. (http://hexsec.com/)


About

MonkeyFist is a tool that creates dynamic request forgeries based on cross-domain data leakage. The tool then constructs a payload based on data in the payloads.xml file and sends it to the user's browser. This may include session data bypassing protection mechanisms for Cross-Site Request Forgery.


Written in

It is written in Python which means it is cross platform. Many operating systems already come with Python installed. The only dependency as of now is that lxml be installed. Currently this is just being used for the fixation payload type.


Read the Dynamic CSRF paper here

http://hexsec.com/docs/Dynamic_CSRF_rev1.pdf/view


More Information

For usage or practical examples, check out the Neohaxor blog.


Best Regards.

Thursday, July 30, 2009

Presentation: Botnets

Delivered the session today. It was an interesting discussion and after some initial hiccups in the bot demo, it went fine.

Attaching the presentation in here.

Hope it would be helpful.

Best Regards.

Friday, July 24, 2009

RainbowCrack 1.4

RainbowCrack 1.4 is released

http://project-rainbowcrack.com/

This version focuses on a more effective rainbow table file format. New features:

- New compact rainbow table file format (.rtc) reduces rainbow table size by 50% to 56.25%

- New rt2rtc utility converts rainbow tables from the raw file format (.rt) to the compact file format (.rtc)

- New rtc2rt utility converts rainbow tables from the compact file format (.rtc) to the raw file format (.rt)

- The rcrack/rcrack_cuda programs support both the .rt and .rtc rainbow table file formats

- Conversion from non-perfect to perfect rainbow tables is supported by the rt2rtc utility

Smaller rainbow tables significantly improve table lookup performance!

Best Regards..

Sunday, July 12, 2009

Quick update: Botnet lab test

It took quite some time to get this src up and kickin', and finally this seems to be working just fine, if not great. I had been planning to take up the botnet session, about which I posted earlier here: Botnet: The Silent Threat I and Botnet: The Silent Threat II. As most of us are already aware of the theory, it made little sense to me to just go ahead with plain words and pics.

So I started setting up a test lab. And little did I know this was going to be interesting; I spent several nights up, surrounded by dozens of bot sources. I checked out every source one by one. Public sources are usually broken, with modules missing, and need to be checked carefully. Well, most of the src will compile smoothly; but either they didn't connect back to the ircd, or started behaving undefined and, in some cases, reached out to their respective mother ship.

As of now, I've been able to fix the rx src; the ago src runs fine but is backdoored. Some variants of rx, ago, phat etc. and other private src absurdly start up a port scan of the ircd!!

I know rx is quite old, but I believe it is good enough for the lab test and video tutorial (rx variants are still out even today).

Anyways, this is what I have been able to test on rx 7.6 src:

1. DDoS - icmpflood, synflood, tcpflood, udpflood etc.
2. Spreader - dcom135 hitting a windows 2k box
3. Misc functions - Keylogging, screen/webcam capture, remote shell etc.

I am using unrealircd for the irc server, wireshark/tcpview on the hosts for watching connections as they open and xchat client for attacker. I am hoping to add some new exploits to the rx src if I can get some time this week.

There are a few other src here which I will focus on now that rx is up. These src have AIM/MSN and several other spreader functions besides common Windows sploits. Hope to get these up before the weekend.

Ok, I guess I'll take a break off for few hours now. The morning sun is about to rise and shine.

Best Regards.

Saturday, July 11, 2009

Back...

I know I haven't posted much lately. Been out on few projects and just couldn't take out time to blog.. :dunno:
Back today only.. so can now start working on the preso in progress..

Will be sharing some' soon.

Stay connected.

Best Regards.

Tuesday, June 30, 2009

SPAM Template...

Variables, links...fill in the blanks, anyone?

Ain't it Interesting :)
.....................................................................................................
From: Dwayne Mendoza [mailto:LonnierheostatVargas@aaaknow.com]
Sent: Tuesday, June 30, 2009 3:48 PM
To: XXX
Subject: %SI_subj
Importance: High

%SI_rnd10 the most %SI_rnd11 %SI_rnd12 of all men?

Does your %SI_rnd13 make it %SI_rnd14 for you to %SI_rnd15 yourself in %SI_rnd16?

%SI_rnd17 the %SI_rnd18 inside %SI_rnd19! Give your %SI_rnd20 the unlimited charge of %SI_rnd21 and desire!
You can %SI_rnd22 it simply by %SI_rnd23 one pilule %SI_rnd24! The perfect %SI_rnd25 of deisire-improving %SI_rnd26 with %SI_rnd27 of real life tests and thousands of testimonials!

Your %SI_rnd28 being a %SI_rnd29!

Monday, June 8, 2009

Botnets: The Silent Threat - Part II

Protocols used by Botnet
+ IRC (Most prevalent)
+ HTTP (Increasingly prevalent)
+ P2P
+ IM (Instant Messenger)

Categories of Botnets
+ Centralized CnC
In the Centralized CnC model, the bot herder controls his/her bots through a single Command n Control server. All zombie computers reach out to this central server to report their status & fetch instructions. As only a single server is responsible for managing & controlling the bots, the bot herder has to take into account parameters such as available bandwidth, processing capacity, ISP restriction(s) etc. in order to use this Command n Control model.


Since this model works on a single Command n Control server, it is acutely vulnerable to being identified & taken down. In case the Command n Control Server is hit, the bots in the botnet will not be able to communicate with the CnC & the botherder loses control over his/her botnet army. 

Hence, it becomes crucial for the botmasters to define a different architecture for their botnet(s) which can ensure availability of their bots even if a certain Command n Control server is no longer available.

+ Distributed CnC
The Distributed CnC model enables a bot master to define a botnet structure where the communication is not dependent upon any single Command n Control server. In this model, the bot herder creates botnet segments. Each segment has 1 or more Command n Control servers. The bots communicate with & fetch instructions from their respective Command n Control servers & not from any single CnC. The botmaster only communicates with the Command n Control servers of the defined segments & sends control instructions further to the zombie computers using these CnCs.



In case a CnC server of a segment is no longer usable - due to ISP restrictions or because it has been cleaned up - the bots in this segment can continue to attack & root vulnerable systems. These bots can also communicate with the Command n Control server(s) of other segments. A bot from this segment can also start acting as the new Command n Control server, so the botmaster can continue to control the zombie computers using this new CnC.


This also provides the botherder a layer of protection. In the event of zombie computers being identified by the security researchers or law enforcement, this distributed structure will make the task of finding the CnCs or the real bot owner very difficult as well as time consuming. 

The distributed CnC provides the botherder/botmaster the ability to keep a low profile. Instead of the botnet controlling hundreds of thousands of bots, creating high traffic & visibility over the wire as in the Centralized CnC model, the distributed segments control only a few hundred or even fewer bots.
This allows the botherder to rent out or sell portions of his/her botnet. One portion can be used for Denial of Service attacks, one could be used for spamming, and another could be used by the botherder himself to attack & recruit more bots.

Applications of an Attack
+DDoS 
The primary use of a botnet is to launch Distributed Denial of Service attacks. A Distributed Denial of Service attack is when many systems send a continuous, huge number of connection requests, with spoofed or real source IP addresses, to the victim. The victim server / device / application accepts the connection requests initially & waits for the source(s) to complete them, tying up connection state and bandwidth. As the number of zombies increases, the bandwidth available to attack a target - web server, db server, ecommerce website, firewall, edge router(s), etc. - increases manifold. Soon the maximum number of connections the victim can handle is reached & it can no longer accept even valid requests, resulting in a Denial of Service. Since the infected systems can be located anywhere geographically, this attack allows the attacker to remain almost invisible to the victim.

+Spamming
Botnets are also used by spammers to send mass mailers / spam out to the world. Since the infected systems are under the complete control of the botmaster, these zombies are used as mail relays.

+Click Fraud
Click Fraud is one of the rapidly increasing domains where botnets are being used. A site owner uses advertising programs on his/her site & when a visitor clicks on an Ad or completes a transaction through an Ad, a certain amount of $$$ is earned by the site owner. The higher the number of clicks on Ads, the more $$$ the site owner makes. So, here comes our botnet army. As botnets usually consist of hosts distributed geographically, a botherder programs his bots to go to the site & click on the Ads. Clicking on Ads can be scheduled for a specific time of day/week or duration, making the bot traffic appear to be normal visitor clicks.

This is a profitable avenue for both the site owner and the botherder.

+Keylogging
Keylogging is extremely useful in targeted attacks. As the zombie is under complete control, the bot herder can choose to enable key logging on it. This gives the bot herder or an attacker system login credentials, application login credentials, remote server login information, trusted system login details, critical mails etc. - practically everything required for further penetration.

+Identity Theft
Identity theft is another critical avenue which gives an attacker increased scope for a successful targeted attack. A bot herder / attacker can fetch user details and system details, can turn on the webcam attached to the zombie, take a photograph of the end-user & use it for social engineering, gather critical user information such as banking login IDs & passwords & use these to leverage further attacks. Considering the new social networking sites such as Facebook (http://www.facebook.com/), LinkedIn (www.linkedin.com/), Twitter (http://twitter.com) etc., identity theft can be used to neatly target other users from the same organization.

+Hosting warez/Illegal sites
The bot herder can also choose to host FTP / HTTP servers on the zombie hosts. An FTP server or a web server can be installed quietly; it runs in the background, hidden from the task manager, & can serve warez, porn, malware etc.

+CD Keys
Another area of botnet use is gathering licensed product details. The bot herder can instruct his/her bots to look into the zombie hosts' registry to locate the serial numbers & licensing details of prevalent, popular applications & products from vendors such as Microsoft, Oracle, IBM etc.

Elements of an Attack
A bot is spread using the traditional infection vectors - viruses, trojans, worms etc. The attacker uses these vectors to drop the bot executable as the payload onto the vulnerable systems.

+ An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the Command n Control server in order to listen to further commands.
+ The Command n Control server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
+ Bots run on compromised computers, forming a botnet.

Stages of an Attack
1. Creation
+ Largely dependent on the skill & requirements of the attacker.
+ The attacker may choose to write new bot code or may customize an existing one.
2. Configuration
+ Providing the IRC server & channel information.
+ Securing the communication::Bot Herder <-> CnC <-> Bots - passwords, encryption.
+ Securing botnets from other Bot Herders - Keys, allowed members.
3. Infection
+ Direct Techniques - Exploiting OS/Services vulnerabilities, using worms/virus.
+ Indirect Techniques - Web Attacks, Social Engineering, P2P, Trojans.
+ Each infected system continues the infection process.
4. Control
+ Involves actions after the bot is installed on the target host.
+ Windows registry key -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (so the bot starts on every boot).
+ Connects to the CnC & joins the control channel.
+ Bot is now ready to receive commands.

Detecting a Bot
+ A simple yet effective way to detect a bot is monitoring host traffic. This can be achieved using the 'netstat' utility:

netstat -an

Netstat is a tool available on both Windows & *nix systems. Its main function is to provide information about active ports. Netstat lists listening TCP and UDP ports as well as the current TCP connections, with their state, so you can see which remote hosts the system is talking to.

Possible TCP connection states are:
ESTABLISHED – the handshake completed; both hosts are connected
CLOSING – both sides sent a FIN at the same time; waiting for the final acknowledgement
LISTENING (LISTEN on *nix) – the host is waiting for incoming connections
SYN_RCVD – a remote host has asked to start a connection; the host has replied and is waiting for the final ACK
SYN_SENT – the host is starting a new connection and is waiting for the remote reply
LAST_ACK – the remote side closed first, the host has sent its own FIN and is waiting for it to be acknowledged
CLOSE_WAIT – the remote host has closed its side; the local application has not yet closed the socket
TIME_WAIT – the connection is fully closed; the host keeps the entry briefly so late packets are not misinterpreted
FIN_WAIT_1 – the host has started closing and is waiting for the remote side to acknowledge its FIN
FIN_WAIT_2 – the remote side acknowledged the close; the host is waiting for the remote side's FIN

Watch for ESTABLISHED connections to remote TCP ports in the 6000-7000 range (default IRC port: 6667). This is a heuristic, not proof: a bot herder can run the ircd on any port, and the same range is also used by legitimate services such as X11 (6000-6063), so confirm a hit by identifying the process that owns the socket (netstat -b on Windows, netstat -anp on Linux) before acting. In case the system is compromised, take it off the network & take the necessary actions - anti-virus scan, etc.
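The netstat check above, as an added example that is not part of the original post: a small Python parser that reads `netstat -an` output (Windows and Linux column layouts) and flags ESTABLISHED TCP sessions to remote ports in the 6000-7000 range the post tells you to watch. The netstat output embedded below is constructed sample data, not a capture from the lab described on this page; in practice you would feed it `subprocess.check_output(['netstat', '-an'], text=True)`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `netstat -an` output: a Windows block followed by a
# Linux block, so the parser is exercised on both column layouts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1047      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:1068      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1071      198.51.100.9:6697      SYN_SENT
  TCP    192.168.1.20:1080      203.0.113.7:80         TIME_WAIT
  UDP    0.0.0.0:500            *:*
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:40122          192.0.2.44:6660         ESTABLISHED
tcp        0      0 10.0.0.5:40130          192.0.2.44:443          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Port range the post tells you to watch; 6667 is the IRC default.
IRC_PORTS = range(6000, 7001)

_ADDR = re.compile(r'^(.+):(\d+|\*)$')   # host:port, where port may be '*'
_PROTO = ('tcp', 'udp')                  # also matches tcp6/udp6 on Linux


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str


def _split(tok: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); a '*' port becomes None."""
    m = _ADDR.match(tok)
    host, port = m.group(1), m.group(2)
    return host, (int(port) if port != '*' else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse socket lines from `netstat -an` (Windows or Linux layout)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith(_PROTO):
            continue  # headers, blank lines, UNIX domain sockets
        # Windows has two address columns after Proto; Linux has Recv-Q/Send-Q
        # first, so pick the address-shaped tokens instead of fixed positions.
        addrs = [p for p in parts[1:] if _ADDR.match(p)]
        if len(addrs) < 2:
            continue
        (lh, lp), (rh, rp) = _split(addrs[0]), _split(addrs[1])
        # Windows prints LISTENING, Linux LISTEN; UDP lines carry no state.
        state = parts[-1] if not _ADDR.match(parts[-1]) else ''
        conns.append(Conn(parts[0].upper(), lh, lp, rh, rp, state))
    return conns


def suspicious_irc(conns: List[Conn], ports=IRC_PORTS) -> List[Tuple[str, int]]:
    """Return (remote_host, remote_port) for ESTABLISHED TCP sessions to IRC-range ports."""
    return [
        (c.remote_host, c.remote_port)
        for c in conns
        if c.proto.startswith('TCP') and c.state == 'ESTABLISHED'
        and c.remote_port is not None and c.remote_port in ports
    ]


if __name__ == '__main__':
    for host, port in suspicious_irc(parse_netstat(SAMPLE_NETSTAT)):
        print(f'suspicious: established TCP session to {host}:{port}')
```

Only ESTABLISHED sessions are reported, so the SYN_SENT attempt to port 6697 in the sample is ignored even though a bot that cannot reach its CnC will keep retrying; if you want those too, widen the state check. A hit still has to be confirmed against the owning process, since legitimate software uses ports in this range as well.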

+ Use Host Intrusion Detection Systems
A HIDS monitors the traffic originating from the host & creates a baseline, i.e. normal usage statistics. In case of a bot infection, a HIDS can watch for deviations from that traffic pattern & report anomalies which can be used to identify the bot infestation.

+ Control outbound network connection from the host
Applications such as Cisco Security Agent control the network connections initiated by any software, process or application from the host outbound. Host systems should be setup with control measures to monitor & restrict unauthorized outbound network access. If the bot cannot communicate with the Command n Control, the damage it can do is reduced significantly.

Defending against Botnets
+ Educate End-users: Do not click links in email or IM. Verify the pictures & videos sent in IM; verify the sender first & only then proceed. If the email/IM contains a URL, type it or copy and paste it into the browser rather than clicking it.
+ Do not download untrusted software: Verify the source of the download. Use only reliable site(s) for download. Ensure that the MD5 shown on the site & that of the file you download match. Note that a hash published on the same site as the download only catches corrupted or tampered transfers; if the site itself is compromised the attacker can replace both, so prefer a signature or a hash published out-of-band where one is available.
+ Do not use Administrator account: Ensure least privilege for daily operations. 
+ Ensure HTTPS:// in the URL while doing any electronic transactions.
+ Disable Scripts by default: There is a Firefox plugin - NoScript (http://noscript.net/) - which blocks scripts on all sites by default. Enable scripts only for the sites where they are really needed.
+ Use Host-based firewall(s) & host-based IDS.
+ Use Anti-Virus software & keep the definitions updated.
+ Ensure regular timely patches for your OS.
+ Use sandbox environment(s) such as Sandboxie (http://www.sandboxie.com/). Sandboxing ensures an isolated space which prevents the programs (browsers, IM clients, email clients, any applications that access internet) from making permanent changes to other programs and data in your computer.
+ Shut down your system when not in use.
+ Report suspected botnet activity & spam.

Botnets are an interesting subject considering their utilization & the role they can play in a cyber war and / or in controlling critical servers such as those of nuclear power plants, electric power stations, airlines, banks etc. of a nation.

This brings us to the completion of this article on Botnets.

I hope you found the information useful. Please feel free to share your inputs/feedback.

Thank you for reading.

Wednesday, June 3, 2009

Botnets - The Silent Threat

I had been planning for delivering a training. And I had to decide on a subject. So, here it is - Botnets.

Topics I will cover here:

+ What is a Botnet
+ Top Botnets
+ Why Botnet?
+ Elements
+ Features
+ Protocols used
+ Categories
+ Applications of an Attack
+ Elements of an Attack
+ Stages of an Attack
+ Detecting a Bot
+ Defending against Botnets

What is a Botnet
Botnet - bot-net - is a network of bots. A bot is a program which can perform autonomous actions in response to instructions. The bots reside on the systems which have certain vulnerabilities that are successfully exploited by an attacker. The objective of the bot is primarily to report to a central server controlled by the attacker & wait for further instructions.

The infected system is also known as a zombie. Why? Because these exploited systems work normally & the users / owners do not see any change in the activity or performance of the systems. The zombie rises only when commanded by its control server. As soon as it receives the command(s), it springs into action & starts serving its master dutifully.

Top Botnets
With every passing year, several botnets have been identified as the top contenders of their time. The severity & efficiency of these botnets is usually measured by how well the bot resists reverse-engineering and/or removal & by the rate at which the bot network grows.

These are only a few botnets that have shown the power of the human mind & the efficiency of a smart botnet:
Sl. No.  Name        Botnet Size    Spam Capacity
1.       Conficker   10,000,000+    10 billion/day
2.       Kraken      495,000        9 billion/day
3.       Srizbi      450,000        60 billion/day
4.       Bobax       185,000        9 billion/day
5.       Rustock     150,000        30 billion/day
It would be interesting to realize that these are just the very, very small tip of the iceberg. Conficker had been on a hunting spree for so long even after it was identified. There are many which haven't even been found yet, and remember that with each passing moment a system is on the Internet, the possibility of it being successfully hit increases.

Why Botnet?
So why would someone use a Botnet if systems can be exploited remotely, with new & old attack vectors improving with technology - viruses, worms, trojans, client-side exploitation, web attacks and what not?

True, the attack vectors are present & they can do their job neatly. But in order to fully utilize the individual systems exploited via these vectors, these systems must be under some sort of centralized or intelligent control. The botnet is a consistently growing network of infected systems that is under the direct control of the attacker. With one command from anywhere in the world, for example, an enterprise can be brought to its knees.

That's the true power of botnet.

Elements of Botnet
+Bot herder
A bot herder is the creator of the botnet. The bot herder controls the bots remotely, usually using IRC or HTTP. The bot herder ensures security over his bots, tracks progress & maintains the CnC.

+Command n Control (CnC)
Command n Control usually runs on an IRC or HTTP server. This is primarily responsible for tracking & updating bots and sending attack launch instructions to bots.

+Bots
A bot or a bot code is the program / malicious payload which resides on & controls the host and performs the instructions sent by the CnC.

Features of A Bot
Just like any other executable, a bot has a source code. The source code defines the structure & the function(s) that a bot can perform.

Some of the functions integrated in a bot are:

1. Hidden presence - hidden from task manager, process explorer, anti-virus, IDS, host firewalls.
2. Killing Anti-Virus processes.
3. Killing rival bots - yes, the war is all around!!
4. Covert communications - using http or irc or IM protocols to communicate with the CnC.
5. Auto Run
6. Automatic Update

Bots usually have a modular structure. This enables the bot writer or the bot herder to dynamically add, update or remove functions or exploit code in the bot source. After this modification, the bot source code is compiled & built to generate the new version. And with a single command through the CnC, all the bots can pick up the changes immediately.

Part II: coming up...

CISSP: My Study Plan

I sat for the CISSP exam on May 16, 2009. The exam was not easy, but I was prepared. And had the positive energy to complete it successfully. It was a long exam - 6 hours. As mentally exhausting as it was physically demanding. Add to that the constant slight buzzing sound (read noise!!) of something in the hall.

All these in place, I took the whole 6 hours & completed & checked, rechecked the question paper & checked, rechecked the bubbles in the answer sheet. Someone must be wondering why I would check & recheck the question paper.
Please read on to know why.


My Study Resources:

+ Clement's CISSP introductory video (www.cccure.org/flash/intro/player.html/)
+ Shon Harris All-in-One (AIO) 4th Edition
+ ISC2 Official CBK Guide (www.amazon.com/Official-ISC-Guide-CISSP-Press/dp/0849382319)
+ Shon Harris CISSP CBT/DVD (www.cccure.com/cissp/shon-harris-cissp-dvd-tutorial/prod_2.html)
+ www.cccure.org CISSP forum
+ www.freepracticetests.org CISSP Quizzer
+ Notes/Aide Memoire available on cccure.org CISSP forum
+ CISSP Gold Edition Questions & Answers
+ Shon Harris AIO Quiz (in the CD)


Time Duration for Preparation:

January last week - March end 2009 -> 3-5 hours after work. Weekends -> 5-6 hours - slowly tasting the subject matter & letting it seep in.
April 2009 - May 15, 2009 -> 7-9 hours every day - Time to pace up & complete the preparation.
During this time, I completed 2 other certifications & 1 training that definitely helped me be comfortable with the domain content.


My Study Plan (in that order):

+ Finished Shon Harris CBT/DVD
+ Completed one 100-question quiz for each domain as I completed the domain from SH CBT
+ Read Shon Harris AIO 4th edition
+ Complete Q&A at the end of each AIO Chapter.
+ Revise each domain through Notes/Aide Memoire available at www.cccure.org CISSP forum.
+ Read cccure.org forum posts, questions & responses, the reasoning behind the solution!
+ Complete Full Length quizzes for individual domain(s)
+ Read OIG
+ Complete Gold Edition Advanced Sample Q&A
+ Complete 10 Full Length quizzes (group of 3 & 4 domains)
+ Read my notes


Important points that will help you:

+++Pre-Booking+++

+ Be mentally prepared before you begin preparation.

+ Share your plan with your family or friends or both. At a point in time of preparation, you may find yourself face-to-face with high work load at office, unexpected but important official/unofficial events, & may lose focus/direction from the task. This is the time your family/friends will be of great help.

Remember, it is extremely important to keep yourself motivated to go on.

+ Book the exam after 2 weeks of preparation. This will help you understand what you have to complete & how long can it take for you to prepare.

+++Exam-Preparation+++

+ Complete all domains. No matter how many years you have been in the industry, you should always complete all the domains.

+ Think from the Management perspective. Remember this is not a 100% technical exam. You need to know technical stuff but it tests your decision-making using your knowledge of technical concepts.

+ Do quizzes from different sources. And know the reason why the correct answer is correct & the incorrect answer is incorrect.


+ Use google & wikipedia for reading on topics.

+ Use CCCure.org CISSP forum.

+++Day before the Exam+++


+ Organize all the documents required for the exam day & keep it in your bag - Admission Ticket, ID cards - Driving Licence / Passport, Company ID etc.

+ Ensure that you have 2 HB #2 pencils, 2 dust-free erasers, a sharpener, 2 pens (not required though) & a jacket / light woolen-wear for the exam - the temperature may be too cold or too warm for you to feel comfortable.

+ Eat a healthy, heavy breakfast. Take at least 1 water bottle, some energy bars or preferably energy drinks with you. Believe me you will need these in the Exam and you will not like to move your a$ even a bit out of the hall after looking at the question paper!!

+ Do NOT Smoke before or during the exam. You must be relaxed all this while and smoking isn't going to help you.

+ The CISSP Exam is as mentally exhausting as it is physically demanding. Therefore relax on the day before the exam.

+++Day of Exam+++

+ First Rule of tackling this Exam - Attempt All Questions.

+ Read through 25 questions first and then take the second round answering them.

+ Eliminate the choices & then apply the concepts on the final 2 choices - from the Management perspective.

+ Mark the 25 answers against the respective 25 questions - in the question sheet. Once you have completed 25 questions, start filling in the bubbles on the answer sheet.

+ Be very careful while filling in the answer sheet. You will agree it's been a long time since you last filled those bubbles with a pencil. Your fingers will start aching if you decide to fill in 50/100 questions in one go. So choose to complete 25/30 questions in one go.

+ Mark the questions you are unsure of, or finding tough to answer or taking too long to answer. Come back to them once you are done with all other questions.

+ Once you complete all questions, go to the first page & start reviewing the questions you marked above. You should be able to solve them now. If not, refer to the first rule of tackling this exam above.

+ After you have completed all questions including marked ones, it's time to review. Go to the first page of the question sheet & start reviewing each question one-by-one.

+ By this time, after review, you will have most certainly changed some of your answers. Do a review now of your answer sheet to make sure that you filled 'correct answers in the correct bubble.'

+ After you submit the Answer sheet, go & freshen up. Wash your face, & go eat something. I am sure you will be damn hungry by now.

+++Post Exam+++

+ Catch up with your family, friends.
+ Relax & enjoy coz you have done your part.
+ The most important of all: Think Positive.

Best Regards.

Congratulations!! You passed the CISSP examination.

Finally, the much-awaited mail arrived early this morning at 1:02 am. It went straight to the archive & got labeled ISC2. I didn't notice & had fallen asleep waiting for it yesterday. And as I opened my eyes & logged on, I hurried to check if there was any email there waiting for me. Ah, there it was - 1 unread in ISC2.

Suddenly, the excitement turned to nervousness & the mouse pointer stopped before it could click on the label. It was there & I wouldn't click on it. I stopped there for a moment, unsure if I must open it now that it's here. So I chanted on the higher energy & opened the email. Many successful candidates had shared that the Pass mail has the word 'Congratulations' in the subject line. Well, my mail didn't have one! So, a bit anguished, I decided to look for the 'Areas of Improvement' in the mail body. And what did I find:
Dear Karn Ganeshen:
Congratulations! We are pleased to inform you that you have passed the Certified Information Systems Security Professional (CISSP®) examination - the first step in becoming certified as a CISSP.

:)

So there I sat on my bed, joyous & all smiles. This has been THE most exhausting preparation AND the most exhausting exam I've taken till now. The 5-month preparation had been demanding, & took consistent effort & hard work. And today, I love every moment of all the nights spent since January 2009.

I will be sharing my study plan & resources used for preparation in my next post. I hope it will be useful for you.

Best Regards.

Monday, May 25, 2009

sslstrip: HTTP session hijack

About:
sslstrip provides a demonstration of the HTTPS stripping attacks presented at Black Hat DC 2009. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

How to Use it?
1. Configure the attack machine to allow traffic forwarding.
2. Set up iptables to redirect HTTP traffic to sslstrip.
3. Run sslstrip.
4. Run arpspoof to convince a network they should send their traffic to you.
That should do it.

How does this work?
First, arpspoof convinces a host that our MAC address is the router's MAC address, and the target begins to send us all its network traffic.  The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic. 
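The whole chain above rests on the first step: a host accepting an ARP reply that binds the router's IP to a different MAC address. From the defender's side, that is also the most observable step. The following is an added example (not part of sslstrip or of this post) of the check a monitor on the segment could run: learn the MAC that first claims a watched IP, such as the default gateway, and alert when a later ARP reply claims the same IP with a different MAC. The gateway address and the ARP replies are constructed sample values; a real deployment would feed the monitor from a packet capture.

```python
# ARP-spoof detector over a constructed stream of ARP replies.
# Example code added to this post; the frames below are made up, not captured.
GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the sample segment


class ArpMonitor:
    def __init__(self, watch_ips):
        self.watch = set(watch_ips)
        self.bindings = {}  # ip -> first MAC seen claiming that ip

    def observe(self, ip, mac):
        """Record one ARP reply 'ip is-at mac'.

        Returns an alert string if a watched IP is now claimed by a MAC that
        differs from the one learned earlier, otherwise None.
        """
        mac = mac.lower()
        known = self.bindings.setdefault(ip, mac)
        if ip in self.watch and known != mac:
            return f"ARP conflict: {ip} was {known}, now claimed by {mac}"
        return None


# Constructed sequence of ARP replies (ip, mac) as a monitor would see them.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # the real router announces itself
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),  # an ordinary host, not watched
    ("192.168.1.1", "00:11:22:33:44:55"),   # router again, consistent binding
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # a second MAC claiming the gateway
]


def run(replies=SAMPLE_REPLIES):
    """Feed the replies through a monitor watching the gateway; return the alerts."""
    mon = ArpMonitor([GATEWAY_IP])
    return [alert for alert in (mon.observe(ip, mac) for ip, mac in replies) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The check is deliberately simple: it trusts the first binding it sees, so it must be started while the network is in a known-good state, and a legitimate gateway replacement will also trigger it. Treat the alert as a prompt to compare against the switch's MAC table or the router's documented address rather than as proof of an attack.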

For more info & the Black Hat DC 2009 preso, click here:

Sunday, May 24, 2009

Friday, May 22, 2009

SQL Injection: A primer II

In continuation of my earlier post, SQL Injection: A primer (http://ipositivesecurity.blogspot.com/2009/05/sql-injection-primer.html), I will be covering the following in this post:

a. Blind SQL Injection
b. Remediation Measures

About:
Blind SQL Injection is used when a web application is vulnerable to SQL Injection but the results of the malicious input strings are restricted or not visible to the attacker.

Attacking using Blind Injection involves observing the variations in the page output after the malicious query input is fed into the application. The page with the vulnerability may be different from the page which displays the data. The output display differs depending on the results of the logical statement(s) appended to the legitimate SQL statement for that page.

Since the output varies with the attack strings, this attack can be time-intensive.

Types of Blind Injection Attacks:
1. Conditional Responses
This attack involves observing the output from the database by appending different evaluative strings. For example:
select uname from employees where deptID = 'a500' AND 1=1;
will result in a normal output / page display. And if:
select uname from employees where deptID ='a500' AND 1=0;
results in a different result / page display, it would be clear that the page is vulnerable to SQL Injection.

The reason behind this inference is the behavior of the database for the appended query string -> AND 1=1 / AND 1=0. Had input validation been in place, the appended strings would have been treated as plain data rather than as SQL, & both queries would have produced the same output.

2. Conditional Errors
This attack differs from Conditional Responses by attempting to force the database to evaluate a statement which would eventually throw an error when the query returns TRUE. For example:
select 1/0 from employees where uname='Victor';
1/0 will be evaluated only when the record 'Victor' is found & would then result in an error. This provides the attacker with confirmation of the existence of the uname 'Victor'.

3. Time Delays
Another important type of Blind SQL attack relies on the time taken by the database to execute a long-running query or a deliberately delaying statement, where the delay depends on the outcome of the injected condition. The attacker observes & measures the time taken for the page to load & attempts to determine whether the condition evaluated to TRUE.

Remediation / Preventive Measures Against SQL Injection Attacks:

1. Using Parameterized Statements
In this technique, SQL BIND variables are used as placeholders for the user input. A BIND variable is a question mark standing in for each input parameter.

The SQL statement is created using these BIND variables and compiled (prepared) into an internal ready-to-use form that only awaits the values of the placeholders. Once the parameter values are received, the prepared statement is executed & the resultset is presented to the front-end.

For example, in Java:
// The question marks are placeholders; the SQL text is compiled before any user value is seen.
PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username); // bound as data, never re-parsed as SQL
prep.setString(2, password);
ResultSet rs = prep.executeQuery();
Here, the values of 'username' & 'password' are passed as positional parameters - the question (?) marks, referenced by 1 & 2, respectively. The content of these variables does not have any impact on the structure of the final query because it is treated as 'plain data.' Hence, the application is now largely immune to SQL Injection, as compared with a query built by string concatenation.
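To tie the Conditional Responses attack above to this remediation, here is an added example (my own illustration, not code from the original post) that runs the two probe strings from section 1 against a lookup built by string concatenation and against the same lookup built with a bound parameter. It uses Python's standard sqlite3 module and a constructed employees table; the probes use the quoted form 'a500' AND '1'='1' so that the application's own closing quote keeps the query well-formed. The concatenated version returns different rows for the TRUE and FALSE probes, which is exactly the signal a blind attacker looks for; the parameterized version returns the same (empty) result for both, because the whole input is compared against deptID as one literal value.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny employees table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (uname TEXT, deptID TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("alice", "a500"), ("bob", "a500"), ("victor", "b200")],
    )
    return conn


def lookup_vulnerable(conn, dept):
    # String concatenation: the user's text becomes part of the SQL grammar,
    # so an appended condition changes what the WHERE clause means.
    sql = "SELECT uname FROM employees WHERE deptID = '" + dept + "' ORDER BY uname"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, dept):
    # Parameterized: the statement is compiled first and the '?' is bound to the
    # value afterwards, so the input is matched literally against deptID.
    sql = "SELECT uname FROM employees WHERE deptID = ? ORDER BY uname"
    return [row[0] for row in conn.execute(sql, (dept,))]


# The two conditional-response probes from the post, as typed into a form field.
# The application's own quoting supplies the final closing quote.
PROBE_TRUE = "a500' AND '1'='1"
PROBE_FALSE = "a500' AND '1'='0"


def differential(lookup):
    """Return (rows for the TRUE probe, rows for the FALSE probe) for one lookup style."""
    conn = make_db()
    return lookup(conn, PROBE_TRUE), lookup(conn, PROBE_FALSE)


if __name__ == "__main__":
    # Differing results reveal injectability; identical results mean the input stayed data.
    print("concatenated:", differential(lookup_vulnerable))
    print("parameterized:", differential(lookup_safe))
```

The same comparison works as a regression test in a code base: feed the TRUE/FALSE pair to every query path that takes user input and assert the two responses are identical.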

2. Using Stored Procedures
Stored Procedures encapsulate the rules for specific actions - Select, Insert, Update, Delete, etc. - into a single procedure. Business rules can be enforced so that if condition A is TRUE, Allow Action A, else Deny Action A. For example, if a customer is a VIP, then allow him/her to receive a discount, else, apply the full amount.

Stored procedures help prevent SQL Injection attacks by limiting the type of SQL statements that can be passed to their parameters. However, they are not the complete solution against SQL Injection.

3. Input Validation
Every input parameter & its value must be validated before the input reaches the database. The input fields could be an input box, drop-down box, check box, hidden fields, a button, etc. The important thing is to understand and choose the validation scheme.

There are 2 validation schemes:
1. Reject known blacklist
2. Accept known whitelist only

Using a Blacklist as the sole criterion for filtering & validating the input is not a good idea. This is because of the many encodings available for the same input - Unicode, hex, base encodings, etc. A developer cannot & must not base his validation checks on Blacklist sets, for they are bound to be incomplete, always.

Instead, using a Whitelist is an effective solution. A Whitelist specifies only the characters which are allowed to pass through. Period.
This allows a developer to exercise better control in defining the positive validation checklist for the input. And it is good for the security tester too :)
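As an added illustration of the two schemes (example code, not from the original post), the block below validates a department ID, the kind of value used in the Blind Injection examples above, once with a blacklist of dangerous characters and once with a whitelist pattern. The assumed format for a valid ID is one lowercase letter followed by three digits, like 'a500'. The constructed inputs include a URL-encoded variant of the probe string: the blacklist passes it because no forbidden character is literally present, yet a later layer that decodes it hands the database the original quote. The whitelist rejects it simply because it does not look like a department ID.

```python
import re
from urllib.parse import unquote

# Blacklist scheme: reject any input containing characters known to matter in SQL.
BLACKLIST = ("'", '"', "--", ";")


def validate_blacklist(value):
    """True if none of the blacklisted tokens appears literally in the value."""
    return not any(bad in value for bad in BLACKLIST)


# Whitelist scheme: describe the only acceptable shape and accept nothing else.
# Format assumed for this example: one lowercase letter followed by three digits.
DEPT_ID = re.compile(r"[a-z][0-9]{3}")


def validate_whitelist(value):
    """True only if the whole value matches the department-ID pattern."""
    return DEPT_ID.fullmatch(value) is not None


def classify(value):
    """Show how each scheme treats a raw form value, and what a downstream
    URL-decode would actually turn a blacklist-approved value into."""
    return {
        "blacklist_accepts": validate_blacklist(value),
        "whitelist_accepts": validate_whitelist(value),
        "decoded": unquote(value),
    }


# Constructed inputs: a normal ID, the probe from the post, and its URL-encoded form.
SAMPLE_INPUTS = ("a500", "a500' AND '1'='1", "a500%27%20AND%20%271%27%3D%271")

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(repr(raw), classify(raw))
```

The point is not that this particular blacklist is badly written; any list of bad tokens has to anticipate every encoding the rest of the stack will later undo, while the whitelist only has to describe what the field legitimately contains.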

Besides these 3 mitigating techniques, there are other methods as well which are helpful in controlling the attack surface available for exploitation.

4. Code Reviews
A Code Review checks the source code of the application for flaws with respect to security. A security professional or a developer with good knowledge of & experience in secure coding practices should do the code review. This is a manual process & hence a time-consuming one. There are automated tools now available for this purpose. A few of them are: Checkstyle (http://checkstyle.sourceforge.net), JNorm (http://www.jnorm.org), the Perl::Critic module, Parasoft (http://www.parasoft.com/jsp/solutions/application_security_solution.jsp?itemId=322) etc.

5. Control Database Error Leakage
As important as it is to use Stored Procedures or Parameterized Queries, it is equally important to configure the error messages thrown by the database on receiving unexpected or invalid input. Think of it - an attacker being able to gather table, database or column name info, or related 'joined' table info, through error messages. All your SPs, Parameterized queries & code reviews are no longer effective. Hence, configure the database errors to restrict the details or the debugging information meant to help the developers. Put generic custom messages wherever possible.
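The following added example (mine, not the post's) shows the difference in code rather than configuration: one wrapper returns the driver's raw error text to the caller, the other keeps that text in a server-side log under a short reference id and returns only a generic message. It uses Python's sqlite3 module; the in-memory log list and the deliberately missing table are constructed for the example. Querying a table that does not exist is enough to see what leaks: sqlite3 names the table in its error, and the same goes for column and table names in Oracle's or SQL Server's messages.

```python
import sqlite3
import uuid

# Server-side sink for full error detail. A list keeps the example offline;
# real code would write to the application log with the same content.
SERVER_LOG = []

GENERIC_MESSAGE = "An internal error occurred. Please quote the reference id when reporting it."


def run_query_leaky(conn, sql, params=()):
    """Anti-pattern: hand the database's own message straight back to the caller."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def run_query(conn, sql, params=()):
    """Execute a parameterized query; on failure log the detail server-side and
    return only a generic message plus a reference id the user can report."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # The SQL text and driver error stay here, where developers can see them.
        SERVER_LOG.append(f"ref={ref} sql={sql!r} params={params!r} error={exc}")
        return {"ok": False, "error": GENERIC_MESSAGE, "ref": ref}


def demo():
    """Run the same failing query through both wrappers and return both responses."""
    conn = sqlite3.connect(":memory:")  # empty database, so the table is missing
    sql = "SELECT secret FROM customer_cards WHERE id = ?"
    return run_query_leaky(conn, sql, (1,)), run_query(conn, sql, (1,))


if __name__ == "__main__":
    leaky, safe = demo()
    print("leaky response:", leaky)   # names the missing table to the client
    print("safe response: ", safe)    # generic text plus a reference id
    print("server log:    ", SERVER_LOG[-1])
```

The reference id is what makes the generic message workable in practice: support staff can find the full detail in the server log without any of it having crossed to the client.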

6. Securing the Web Server
All the code reviews, automated assessments, & manual security assessments CANNOT ensure 100% security. It is, therefore, essential to balance the web application security measures with a secure network design. Employ a defense-in-depth approach while planning for securing the server:
- place the server in a tiered architecture, or at least in a hardened DMZ.
- use Web Application Firewalls (WAF) - though OWASP 2009 showed us WAFs being bypassed, they are still good enough to be worth having. (I will have a post coming on WAF soon.)
- Log monitoring.

This concludes the second & final post on SQL Injection: A primer. Please note that this is not complete even now; SQL Injection is a vast topic in itself. I have tried to present the concepts here as clearly as possible. The attack methods, query strings, & steps taken to recon & penetrate a target all vary from application to application & implementation to implementation.

I hope someone finds this useful.

Please feel free to share your feedback.

Thanks for your time.

SQL Injection: A primer

About:
SQL Injection is a query / code injection technique which exploits a vulnerability in the database layer of an application. The database back-end can be Microsoft SQL Server, Oracle, or MySQL; i.e. any database which understands the Structured Query Language (SQL: http://en.wikipedia.org/wiki/SQL).

The vulnerability is present when the user input is not filtered properly for string literal escape characters. This user input usually is acting as the variable for constructing a SQL query when it reaches the back-end.

How do I test it:
In order to test if a field may be vulnerable to SQL Injection attack, there's a Magic String. The magic string is a simple string of SQL which always results in a TRUE condition. Although several variations are used to verify the vulnerability, the simplest string is mostly used on Login pages. The string is:
' OR ''='
String variations:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
In case of a vulnerable login page, a successful attack will log you in as the first user in the table.

Keeping it Simple:
A simple example is of an input box which takes a numeric value as input. This value is passed as a parameter to the back-end & record(s) are returned from the table corresponding to the SQL query.

Let's say, if the variable recordNumber is used in a query as:
select * from secureTable where recordNumber = (userInput)
Giving a value to this variable as:
recordNumber = a' or '1'='1
will create the final query as follows:
select * from secureTable where recordNumber = 'a' OR '1'='1';
The WHERE clause will always evaluate to TRUE ('1'='1'), thereby returning all the records from secureTable.

A more serious injection could be:
recordNumber = a';DROP table secureTable ; select * from data where uname like '%
This would result in the following query:
select * from secureTable where recordNumber = 'a'; DROP table secureTable ; select * from data where uname like '%';
This query returns all the records from secureTable AND then drops the table 'secureTable' AND fetches the recordset from the table 'data'.

Note that some database APIs, like PHP's mysql_query, do not allow such multiple statements to be executed within one call.

What Next?
This post covered the basics of SQL Injection & discussed first-order SQLi attacks. Other types of attacks are second-order / Blind Injection attacks, & I will cover them in the coming post(s) along with the remediation / preventive measures for SQL Injection attacks.

Thanks for your time.