Archive

Archive for the ‘Work related’ Category

Web servers are still vulnerable…

April 28, 2018 Leave a comment

In a survey published on an often referenced support site for developers (Stack Overflow), they recently confirmed that JavaScript is the most popular programming language for the 6th year in a row. Almost 70% of the respondents claim that they visit searching for help on this subject so it may not come as a surprise that JavaScript is also the primary cause of vulnerabilities on websites today.

In a blog post from the vendor that brings us one of the most popular tool for hacking websites and finding vulnerabilities, Portswigger writes a great article in which they detail a number of methods that can be used to abuse JavaScript and to bypass cross site scripting mitigation by most frameworks.

There are thousands of ways that can be used to bypass XSS in websites and web developers should already know this. XSS is the number one method to compromise a browser which, in combination with privilege escalation can allow an attacker to take over your computer. Even script kiddies can capture session tokens or cookies from websites without proper security controls that can be used to login as you without even knowing your password. Here is a list of the risks in order of importance for an attacker;

  1. Account hijacking
  2. Credential stealing
  3. Sensitive Data Leakage
  4. Drive by Downloading
  5. Keyloggers/Scanners
  6. Vandalism

Don’t ignore these risks on your websites, public facing or not. If you login to a website often in your organization and it is vulnerable to cross site scripting, teach your users how to identify security risks that could be used to harvest credentials and expose them to malicious attacks. You may also want to make sure that your sites are tested to ensure they are not vulnerable to this type of attack. With Phishing attacks being the number one method that pentesters gain access to your organization, xss is the primary method being used.

 

Categories: security, Work related Tags: ,

Playing with ASLR for Linux

November 5, 2016 Leave a comment

I recently completed a certification with SANS where we were taught to create our own exploits. A well behaved program should have a start procedure called a prologue, clean up and maintain itself and any objects it creates and finally an end. During our testing we assumed that Address Space Layout Randomization (ASLR) was turned on in order for our exploits to be successful but this is not always the case.

All programs have two different sections (instructions and data) and they need to be flagged differently in the memory. A section where only normal data is stored should be marked as non-executable. Executable code that does not dynamically change, should be flagged as read-only.

One of the tricks that hackers use to get control is to hijacking the stack pointer (a road map for where to go next). Evil programs are designed to perform a redirection in order to run their own malicious code. When any program is running in memory, if we want to protect it against evil programs we can use ASLR. Address space layout randomization is based upon the low chance of an attacker guessing the locations of randomly placed areas. Security is increased by increasing the search space.


Auditing

One of the easiest ways to find if a Linux server had ASLR turned on was to look at the proc filesystem for the variable ‘randomize_va_space’.

cat /proc/sys/kernel/randomize_va_space

If the value returned was a zero (0) then it was off, a one (1) then it was on for the stack. Ideally you want to use the value two (2) which will also randomize the data segments but all programs need to be built as a Position Independent Executable (PIE). It will also require that all shared object libraries (.so libraries) also be built as PIE.

Another way to see if ASLR has been activated is to run ldd against your executable and inspect the load address of the shared object libraries.

$ ldd -d -r demo
linux-vdso.so.1 => (0x00007fffe2fff000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3e73cd8000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3e74057000)
$ ldd -d -r demo
linux-vdso.so.1 => (0x00007fff053ff000)
libc.so.6 => /lib64/libc.so.6 (0x00007f82071ac000)
/lib64/ld-linux-x86-64.so.2 (0x00007f820752b000)

Notice the change in the memory address referenced by the C library and the dynamic linker (libc and ld-Linux-x86-64)? This indicates that ASLR is in effect.

To ensure that all of your Linux code is more difficult to bypass you will want to audit your systems and look for the value of 2 (assuming your other programs fully support PIE.

root@mybox:~$ sysctl -a –pattern “randomize”

kernel.randomize_va_space = 2


Bypass

I refer to ‘Bypassing ASLR’ on the Linux system as finding a way to defeat it as a security mechanism. If all shared libraries were compiled as PIE along with all executables (services if attacking remotely and all executables if granted console access) then ASLR would be very difficult to beat but that is not the case. The additional checks required to be sure that the attack footprint has been reduced to zero is to audit each of the services publically available to make sure that all libraries and executables involved are 100% position independent.

There is a great opensource tool out there for checking if your executables support PIE.

‘CheckSec.sh’ maintained by slimm609 (https://github.com/slimm609/checksec.sh)

Categories: security, Work related

Pwn2Own – its not just for browsers…

October 30, 2016 Leave a comment

pwn2own-2016-statsIn a spectacular effort rewarded with over $200,000, a Chinese security team that goes by the name of ‘Tencent Keen’ managed to breach most of the mobile challenges in Trend Micro’s  Masters of Pwn contest in Tokyo this week (Thursday Oct 27).

Miss spelled and often pronounced, the term ‘pwn’ refers to the verb ‘own’ and is generally regarded as the term that best describes domination of a rival. It comes from the online video culture and has been adopted by hackers as a way to describe taking control of a computer.

Both the Tencent Keen and MWR Labs teams (creators of the Drozer and Needle frameworks) were unable to successfully demonstrate the ability to remotely install a rogue application persistently but don’t think all you Smart phone users are safe just yet. Both teams showed some success earlier and were just not able to execute it during the 20 minute testing periods.

Trend Micro still paid out almost $400.000 to help understand how these bugs work so lets hope that these vulnerabilities will be mitigated in their newest mobile security software. Learn more about the event here

Categories: Mobile, Work related

0-day in every Linux system introduced by Linus himself.

October 28, 2016 Leave a comment

dirty-cow-logoLast week, in a self-proclaimed mistake made more than a decade ago, Linus Torvalds, the father of the Linux Operating system introduced a race condition that every version of Linux has today. Referred to as a Zero-day (0-day) this vulnerability affects all versions of Linux today and is described as a bug in the kernel that allows read write access to a read only memory location. More info here

Introduced to fix another bug in a system call called get_user_pages() this ‘fix by torvalds’ results in any server currently running an open service port being vulnerable to this attack. This represents a staggering amount of servers, routers, cameras, IP phones, Android Smart Phones, digital video recorders, The list is endless for the use of Linux today so swift patching is key. You may be surprised to learn that traffic control systems, high speed trains, nuclear submarines, robotic systems, fridges and stoves, play stations and even the Hadron collider runs on Linux and would also be vulnerable to this recent vulnerability.

The bug was witnessed by a keen observer who was inspecting his web server logs so there are known exploits for this 0-day publically available. The implications of this vulnerability is staggering and the press has not given this much attention. This affect EVERY Linux based system out there going back over a DECADE.

The real shame is that there are already millions of embedded devices out there that will never receive patches and will remain vulnerable to this attack!

 

Categories: Mobile, Work related

Exploits are Everywhere

October 15, 2016 2 comments

I recently went through and completed, what I consider to be the hardest and most informative technical course and examination out there, the GIAC Exploit Researcher and Advanced Penetration Tester known as GPXN. What I learned was that there is a lot of opportunity for the bad guys to get control.

As a White hat hacker, I am asked to engage in a variety of activities, most of which are network related. For some of the hackers out there, your goal is to utilize a wide variety of tools to identify weaknesses in the defenses and/or the applications that are running and to overcome the controls in place to protect the data.

To some of the security researchers out there, Exploit writing is the next logical step to transition. As an attacker, if you are fixated on a target and you have exhausted all of your tools and tricks, you are left with little else but to find some type of vulnerability and write an exploit for it. As we purchase and add more and more items to our digital world, the odds are stacked in favour of the bad guy.

Many people have surmised that we are finding so many bugs now because programmers are making so many mistakes but I disagree. I feel that we are finding so many bugs because there ARE so many bugs. Some of us just got better at finding them.

Lets take the recent SSL vulnerability that was exposed for many of the Internet of Things (IoT) devices ( https://www.wired.com/2016/10/akamai-finds-longtime-security-flaw-2-million-devices/). Akamai researchers would have you believe that this is somehow a recent find but there are references to the dangers of ssh port forwarding over a decade ago ( http://www.informit.com/articles/article.aspx?p=602977 ).

Earlier in 2016 we have reports that Gnu Lib C share library has a critical vulnerability ( https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html). Admittedly this is very hard to exploit but as more and more people learn how to looks for these types of bugs, we are going to find out about them.

My recently certification has taught me that bugs are everywhere, in the mobile devices we carry, in our cars, in our thermostats. We just have to get better at looking for them.

A word to wise, learn about all the electronics you own, keep them up to date if they are recent purchases and be prepared to give them up if they are not. As a pentester, I  am looking for older vulnerable devices that are connected to your Wi-Fi or cabled networks at home or in the office as a bulkhead to allow me to get a foothold. There has never been a better time to discard those older routers and VoIP phones.

 

Categories: Work related Tags:

Computer Breach and what you can do about it

May 18, 2015 Leave a comment

Security Breach can happen to you

Experts agree that 2015 will be a tipping point for most small to medium sized businesses when it comes to computer security. The average organization cost of data breach is now over 6 million dollars. For most of my clients their loss won’t be anywhere near those numbers but to understand the cost to you or your organization that is over $200 per record. Maybe it’s a list of your clients or your employee wages or perhaps it’s usernames and passwords for your organization. Do the math – these can add up to large scale loss for everyone.

Among the top 5 threats for computer networks today are;

  1. IoT – The Internet of things brings along convenience but those IP enabled devices are not without risk. As you purchase Wi-Fi enabled security systems, TVs, media devices, Network Area Storage, etc. we are seeing an increase in vulnerabilities that expose your network and help to increase your attack surface. They need to be monitored and maintained because they are not as secure as a computer or a server.
  2. DDoS – The abilty to overwhelm your network with traffic is quite common and can easily be done by most consumers with a home network connection. If you require the Internet to do business you should evaluate whether you can operate without it. If not then you should consider protecting yourself against the real possibility that it could happen to you.
  3. Social Media Attacks – If your business uses any cloud based or social media application you should review your authentication and user management policies to avoid a potential breach of your accounts. Hackers are now targeting online applications in order to infect your users and gain access to your networks through the use of Cross Site scripting vulnerabilities. All it takes to be infected is for an email to be clicked on and you can no longer rely that your AntiVirus will prevent any Trojans from getting through.
  4. Mobile Malware – The volume of mobile devices beginning to enter your workplace and the ability to use your internet connection add a very large possibility that malware on a mobile device can get access to your corporate network. If you already allow users to have access to your network with any computerized devices you are probably at risk. You should consider controlling the access or monitor all of the devices by using a Mobile Device Management platform or you risk a possible breach to continue without your knowledge.
  5. Third party Attacks – Many companies allow third party applications to connect with their own network assets but how safe are they? Large scale breaches have been shown to be caused by third party vulnerabilities and these occupy a ‘grey area’ when it comes to management (who is responsible to keep all applications up to date on those systems?). Many user agreements do not cover damages that can be caused by a lack of security practices and once the vulnerabilities have been exploited, hackers use those systems to pivot onto your networks and wreak havoc on your networks.

There are several methods you can implement that can help mitigate the risks.

  1. Implement Monitoring – It is no longer safe practice to just implement a firewall you need to monitor all traffic coming into and out of your network. Hundreds of breaches in any network design have been traced to a failure to see IOC (Indicators of compromise). Not only do you need to record reams of data but you need to review them in order to determine what is normal behavior and what indicates a potential breach. There are devices available that can help you do that and although they can be complicated to implement, once properly deployed they can help you become aware of details that help you find attacks before they become too big.
  2. End User security awareness – If you don’t already have a program in place you should consider a large scale awareness campaign surrounding security at your organization. It can be as simple as a regular talk over lunch or it  can involve testing to be sure that your employees have taken the necessary steps and understand your policies. You need to train your users about the do’s and don’ts of all aspects of your security. Physical security, passwords, email questions, sharing account credentials, staffing questions, etc. You need to protect all aspects of information leakage whereas hackers only need one of them.
  3. Inventory all equipment – If you do not have an active list of your equipment, anything that is or was connected to your network, then take the time to make one and keep it up to date. Many organizations are leaking information that can be critical to your operations. Network devices that no longer are connected should be properly disposed of and /or their configurations need to be wiped. Improperly configured devices and anything with wireless access remain the largest risk to any organization – all of these devices need to be audited on an regular basis to manage the risk.
  4. Review your Protection – Make sure that you update ALL software (this includes Operating systems and any third party applications) that are actively used on all networked computers. Update any firmware on devices that connect to your networks. Implement and maintain Antivirus software on any computer that is actively used to open emails or browse the Internet.

There are many different ways you can help protect yourself from attack but I wanted to point out the clear methods to avoid them. If you are aware of all of the different methods that can be used to gain access to your company or it’s information then you can help manage them. A failure to see them coming is a sure fire way to enable the attack over an over again.

Categories: Work related Tags:

Imagine a single tool that hackers could use to break into your network…

March 12, 2015 2 comments

…and you are probably thinking about Metasploit.

As a security specialist I am saddened to think how easy it is to break into what was once considered a pretty safe way to conduct your business online. Years and years ago we all touted the necessity of a firewall with it’s ‘allow nothing in – allow everything out’ stance. Most sysadmins believed that if you had a crunchy outer shell it would be enough to protect you from the bad guys outside of your organization who are knocking on your proverbial door. We, as sysadmins then debated about the merits of network segmentation and egress filtering and a lot of us agreed that it would be a lot of work to implement and administrate compared to the risks associated with simply leaving the network topology flat and open. Then came along WiFi and for most of the users – it made connectivity easier but as sysadmins we knew that it would require some additional brain power to make it work securely. First WEP got cracked and when WPA-Personal and -Enterprise was introduced and at that time, it represented a pretty safe and uncrackable method to secure the wireless network. WPS made it easy to setup but we found shortly after that WPS has it’s flaws.

Today any user with a computer and extremely fast graphic card could crush a short password in a matter of hours. Now we tell users to make their password longer and to choose better passwords. Then would-be hackers build faster computers to crack longer passwords in a shorter period of time. It all begins to seem to me more like when the bad guys get in rather than if they get in.

It’s time to ask yourself about how well your assets are protected? Does your network topology resemble a cookie (hard on the outside and soft on the inside) or have you taken steps to limit the damage that can be done once your walls fall? It’s hard to believe that you could come in one Monday morning and find out that your network is having a really bad day; all the result of a little tool like Metasploit in the hands of a few skilled people. There are literally thousands of known vulnerabilities, at least one for any number of hardware devices that make up your network and they are all contained in and ready to be unleashed on all of your devices by this tool once they get in. Network switches, IP phones and phone systems, routers and firewalls, printers, etc. Lets not forget the laptops, workstations, servers, tablets, ipads and oh yes the smart phones that we all know and love?

You home users are just as vulnerable with your Thermostats, IP cameras, wifi adapters, home alarm systems, all web enabled. Every day we hear about some vendor that has IP enabled another appliance in your home and do you think they are worried about the safety of the device while you own it? As a consumer I am pleased when my new fridge can show me a picture on my cell phone of what is inside while I am standing in my local super market but as a security researcher – I am horrified of all the possibilities that could happen as a result of poor security. On the flipside and as a white hat (someone who hacks stuff to make it better) I am thrilled that there will soon be more things to test and ensure that the vendor has created a safe secure product for my fellow users to enjoy. The question that is raised in my mind by these likely events is just who is quality controlling these devices – them or you?

Categories: Work related Tags: ,

Still using short passwords in your organization…

February 5, 2015 Leave a comment

With email turning 40 years old recently we though it was a good time to visit ‘password length’ and how choosing one factor above all can make the difference in your online security for you and your organization.

There are very few applications left that require short eight character passwords (known as legacy apps) so you should be thinking of different ways to create and recall your passwords. There are several methods I have heard over the years and whichever method or combinations you choose to employ, security experts all agree, length is the most important one of all  (at least that what the ladies are saying :-))

I wanted to show how anyone who plays games on a computer can use that graphics card to guess your password. Typically it is the main Central Processing Unit (CPU) that is responsible for the ‘heavy lifting’ in your computer but for our purposes we need a Graphics Processing Unit (GPU) to do the tedious task of computing.

Now typically password guessing has involved a wordlist, a list of common passwords that is used to compare against what your password *might* be. This was necessary because of the permutations of each place holder. If we wanted to check every combination of upper case, lower case, number or special character in each of the 6 positions it would take an enormous amount of time. You could thwart the risk of someone guessing your password with a good password rotation policy but as processor power increased this is quickly becoming a concern.

Password-guessing-6      Here we show how fast we can brute force any password to a length of 6 characters. This is the default password length of a windows password. In as little as 2 minutes someone with about a $1000.00 computer can crack your password files on your computer or in your organization.

Here we see how easy it is for that same person to try every possible combination of characters if you change the minimum length to 7.

Password-guessing-7In as little as 3 1/2 hours we can use the power of a single video card to examine every combination of characters you can possible use to create a password of 7 characters or less.

How about 8 characters? This same user would take approx. 2 days to try all possible passwords and compare them with the password file that stores your hashes. All anyone needs to do is run a tool on your computer or on your domain controller to exfiltrate your password hashes and they can use the power of the GPU to guess your passwords. How about 9 characters? Well the amount of time it takes for a single medium priced GPU to tackle 9 characters is quite high (almost 4 years). So why not just make the minimum length of passwords to be 9 characters? Well these results were derived using a single $400.00 video card. We can buy a more expensive card and increase our processing power another 20%. We could even buy a more expensive computer that is capable of running 4 or even 8 video cards in the same system! A machine like this would probably reduce the amount of time it takes to brute force 10 character passwords to a few hours (this is an estimate – YMMV).

The days of simple dictionary passwords may not be here anymore and you might feel that it is impossible to remember all of these long passwords so I wanted to point out a few methods you should adopt that can help you. I hope I have shown you how trivial it is to guess your password and failure to adopt a longer password could result in compromise of your accounts. All it would take for a hacker to get access to your information is to use a ‘free’ wifi hotspot and your computer could be owned.

1. Use a longer password – add dots, dashes, your phone number, anything that will take your password length beyond 12 character Security professionals have forecasted that 12 characters is the minimum length we should be using with todays technology.

2. Use an online password manager – these systems can generate random passwords of various lengths and you only need to remember one password (the password to log you in).

If you are interested in finding out just how easy it could be to guess your current password you can visit https://www.grc.com/haystack.htm

Categories: Work related Tags:

I am betting that 2015 will be the year of security…

January 31, 2015 Leave a comment

Last year was a banner year for old school hacks – remember HeartBleed and ShellShock – those were missed by a lot of us because it was stable code (or so we thought). Hundreds of thousands of us just focused on the newest apps and how we could exploit them. A few researchers went back over some of the mainstream code that we all used for years and found some ‘features’ that we added a while back that could be exploited today. I am willing to bet that more and more people are taking the gloves off and trying all sorts of applications to find that 0-day that will make them famous.

As a self proclaimed whitehat, I am interested in find flaws for profit. Let me be clear, I am not interested in exploiting them or selling them to blackhats – no, for I am a security researcher. My intention is to help users identify weakness in the communication devices we use on a daily basis so that we can feel safe. There are a myriad of individuals who would love to collect anything about you from advertisers who want to sell you things to our governments who want to monitor what you do with your time. When you add to that the kids that come home after school and just want something to do along with the legitimate users who hack for profit you have a lot of reasons to protect your online privacy.

Recently I put together a small computer that could be used to identify weak passwords by scanning your wireless networks. First we were able to install Linux on a single board computer and connect a wifi adapter that is used to ‘listen’ to your wireless. After a short amount of time (minutes if you have active traffic) we collect the traffic from your wireless network and package it up to be sent to our master server.

[0:08:20] starting wpa handshake capture on “BELLxxx”
[0:08:18] new client found: C4:62:EA:xx:xx:xx
[0:08:08] new client found: E8:61:7E:xx:xx:xx
[0:07:58] listening for handshake…
[0:00:22] handshake captured! saved as “hs/BELLxxx_34-8A-AE-xx-xx-xx.cap”

After approx. 10 minutes I was able to capture traffic from this WiFi AP that contains the pairwise transient key (PTK) that are exchanged when you authenticate using WPA2. If you are busy using your wireless we can capture it even faster!

Next we use GPUs (not CPUs) to check the passwords against a large database of millions of passwords. Normally this process would take days and days but by using the large processing power of video cards we are able to shorten that time frame to mere hours. When used together on one computer, multiple GPUs would take just minutes to try every possible combination.

Now with just one computer and an expensive video card we can test the combinations of pairwise master keys (known as PMKs) at an astounding rate…

Connecting to storage at ‘sqlite:///WPAcrack.db’… connected.
Parsing file ‘Xxxxx_20-AA-4B-xx-xx-xx.cap’ (1/1)…
Parsed 13 packets (13 802.11-packets), got 1 AP(s)

Attacking handshake with station e4:ce:8f:xx:xx:xx
Tried 144668765 PMKs so far (12.7%); 62770 PMKs per second.

At a speed of approx. 4 million per minute I can compare your authentication passphrase against my database of WPA passphrases. If you are not careful, someone just like me could guess your passphrase and connect to your network and you may not ever know it!

Now how important is it for you to patch your laptop, download new updates for your routers or cell phones or even verify that all your devices have the latest code (called firmware)? You have all of these devices that you need to make sure are patched, updated and not vulnerable to attack and all the hackers have to do is compromise just one of them!

Gives you a whole new lookout on ‘The Internet of Things’ doesn’t it?

Most of you might be asking yourselves ‘what can we do to protect ourselves’ right about now. There is a nice campaign put forth by the folks at SANS to help ‘secure the human’. (http://www.securingthehuman.org/)

There is also a nice poster that you can print and pass along to your family and friends – http://www.securingthehuman.org/media/resources/STH-Poster-CyberSecureHome-Print.pdf

For those of you who are serious about security (physical or virtual) you can hire a professional, we can help you evaluate your risk and then make suggestions on how best to focus your efforts to help remove it from your homes or offices.

Let’s hope 2015 isn’t the year you get hacked…

Categories: General, Work related Tags: ,

Hey dude – pass the hash…

May 27, 2014 Leave a comment

I wanted to share my experience with a client recently and mention a great tool that helped us resolve an issue that many IT admins probably face on a regular basis. It is my hope that it can help someone as it has helped me and my client.

We recently took on a client who has a Windows 2003 SBS server and did not have the current password for the Administrator user. We used several methods to try and crack the existing password and they were all failing. I even used a method to remove the SAM and system registry to begin to crack it offline (a process that took almost 8 hours to setup). After an hour or two of running a tool to try and brute force the password I thought I would try to ‘pass the hash’ (a method that windows uses when a password is used to access resources across the network on remote shares).

Image

Mimikatz in action

Mimikatz is a tool written by Benjamin DELPY who also goes by Gentle Kiwi (https://github.com/gentilkiwi/mimikatz) and this tool can setup and impersonate a session that can be used to authenticate to your system. All you need is the ntlm hash, the domain (which is found on the login screen) and the username (also found in the hash – usually ‘Administrator’). When used correctly it can setup a session that will impersonate the user and the password without knowing what the password is!

Image

PsExec in action

Once you open a new command prompt you can use another fantastic tool from Mark Russinovich called PsExec (http://msdn.microsoft.com/en-us/library/bb897553.aspx) to connect using the authenticated command window to your target machine as if you have a local login with those credentials and run a remote command window on your target – viola.

Now we have a remote shell on the target we can add a new user and make them administrator.

We have installed our remote software and all completed before the second hour of cracking the password has begun.