Reconnaissance, Scanning

April 20, 2010

Footprinting Tools

What information can you gather without informing the target that you are gathering information? What information can others gather about you?

Scanning Tools

  • nslookup with ls -d example.tld to simulate a zone transfer
  • dnsenum.pl to enumerate DNS information
  • Chaosmap is an information gathering tool and dns / whois / web server scanner written in Python. It can be used to lookup DNS names with a dictionary with or without using a salt.
  • sl, SuperScan windows utilities for ping sweeps, port scanning
  • Fping for ping sweeps
  • Fing is a tool for network discovery and scanning
  • nc, portqry for port scanning
  • nmap for ping sweeps, port scanning, OS mapping and more. nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. [video] Fyodor – Advanced Network Reconnaissance with Nmap ShmooCon 2006, Nmap 5 cheatsheet [pdf]. PaulDotCom Episode 207 and PaulDotCom Episode 242, too.A stealth inventory, which requires nmap 5.51 or later:

    nmap -P0 -script=broadcast

    What’s That Web Server?

  • Frustrate port scanners using portspoof.

    The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security infrastructure.
    The general goal of the program is to make the port scanning software (Nmap/Unicornscan/etc) process slow  and output very difficult to interpret,  thus making the attack reconnaissance phase a challenging and bothersome task.

  • amap (THC-amap) for application mapping (banner grabbing, penetration test) [video]
  • p0f is an advanced passive OS/network fingerprinting utility. [video]
  • Firewalk for port scanning
  • Hping is a command-line oriented TCP/IP packet assembler/analyzer (ICMP TCP UDP). [video]
  • Gobbler for spoofed source OS mapping, port scanning and Dynamic Host Configuration Protocol (DHCP)
  • Dsniff is a collection of tools for network auditing and penetration testing. [video]
  • SSLdump is an SSLv3/TLS network protocol analyzer. [video]
  • Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. [video]
  • Metoscan is a tiny tool for scanning the HTTP methods supported by a web server. [video]
  • DNSmap is a passive DNS network mapper and subdomains bruteforcer. [video]
  • SING is a tool that sends ICMP packets fully customized from command line. [video]
  • SIPVicioussuite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:
    • svmap – this is a sip scanner. Lists SIP devices found on an IP range
    • svwar – identifies active extensions on a PBX
    • svcrack – an online password cracker for SIP PBX
    • svreport – manages sessions and exports reports to various formats
    • svcrash – attempts to stop unauthorized svwar and svcrack scans
  • Ip phone Scanning Made Easy (ISME) scans a VOIP environment, adapts to enterprise VOIP, and exploits the possibilities of being connected directly to an IP Phone VLAN. It seeks to get the phone’s configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded Web server and Web server banner, identify the editor by MAC address, and identify potential default login/password combinations which should be changed.
  • DHCPdump parses DHCP packets from tcpdump. [video]
  • TCPdump is a common packet analyzer that runs under the command line. [video]
  • Yersiniafor reconnaissance of layer 2 protocols:
    • Spanning Tree Protocol (STP)
    • Cisco Discovery Protocol (CDP)
    • Dynamic Trunking Protocol (DTP)
    • Dynamic Host Configuration Protocol (DHCP)
    • Hot Standby Router Protocol (HSRP)
    • IEEE 802.1Q
    • IEEE 802.1X
    • Inter-Switch Link Protocol (ISL)
    • VLAN Trunking Protocol (VTP)

    Yersinia is included on your BackTrack CD. See usage tips from Jimmie Ray Purser Yersinia: Coolest Layer 2 Hacking Tool

  • CHScanner is an ARP, IPv4 and IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information’s and Windows shares, SNMP information, and WMI (WBEM) information. CHScanner can turn on a remote Windows host (using Wake-On-LAN) or shut it down or reboot it. CHScanner an automatic (scriptable) working mode, a hunt mode, a passive mode, and the normal scanning mode.
  • SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).
  • Arp-scan fingerprint with ARP scans
  • ike-scan fingerprint VPN devices, learn IPSec (along with Steve Friedl’s Unixwiz.net Tech Tips An Illustrated Guide to IPsec)
  • WS_Ping ProPack
  • Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

Using ICMP with a time-to-live (TTL) of 1. If the ICMP packet reaches a device and the time-to-live drops to zero, you get a response, you get to know something is there.

Port Assignments

IANA Port Numbers The well Known Ports (0 through 1023),
the Registered Ports (1024 through 49151), and
the Dynamic and/or Private Ports (49152 through 65535).
Neohapsis Ports List Consolidated list standard and exploited ports.
SANS Trojan Ports Port numbers of well known Trojans.
portsdb.org
ISS Exploit Ports

Banner Grabbing

What does the server or application say it is?

Generic form telnet example.com 80
HEAD / HTTP/1.0
What PHP version is running? http://example.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
http://example.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
http://example.com/index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42Note that “page not found” indicates PHP is used.
Telnet telnet host port
nc nc -v host port
FTP ftp host
Web #nc -v host 80
HEAD / HTTP/1.0
<cr>
<cr>
sl sl -b host(s)

OS Mapping

NMAP nmap -O host(s)
NMAP nmap -O -p port host(s)

Read the rest of this entry »


DNS Client Settings

December 16, 2009

DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).

Windows Vista IPv4 Configuration tab

Concerns:

  1. Malware can replace the DNS settings with its own settings. (One example: Trojan:Win32/Alureon.CO) When malware has made this change, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who they do business with (bank with). The malware DNS server collects information about web sites the client uses. At any time, the malware DNS server can substitute an IP address of their own choosing. There should be a certificate error when the victim connects, but certificate errors can be ignored. A prompt for user ID and password would collect use ID and password. To allay suspicion,  give the victim an “access denied” message. The bad actor now has with working credentials.
  2. DNS settings are typically ignored. When the payload is DNS settings, the payload is ignored. Anti-virus software would not detect an “infection” since these are configuration settings, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus?
    In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
  3. DNS implementation can have security vulnerabilities; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required.
  4. DNS lookup history is an important intrusion detection mechanism. Review lookup requests to discover if malicious sites are being accessed.

At home, you want a vendor who pays careful attention to keeping the DNS service maintained and who you trust. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use more managed, more secure DNS servers.

If you are using your router to provide IP and DNS addresses on your home network, consider providing more secure DNS servers.

Google Public DNS 8.8.8.8 8.8.4.4
OpenDNS 208.67.222.222 208.67.220.220

Windows assigns DNS settings for each network adapter. If you switch from a wireless connection to a wired connection, you may be using different DNS settings.

Some hotels assume that you do not specify DNS settings. Their DHCP solution delivers DNS servers that you are required to use. That is, specifying DNS settings breaks some hotel Internet usage.

The ESET SysInspector utility reveals the DNS settings you are currently using.
Read the rest of this entry »


Information Gathering

October 29, 2009

You don’t go directly to the web site. You start by reviewing the publicly available information. You decide upon a goal.

The Passive Information Gathering whitepaper by Gunter Ollmann, Professional Services Director at Next Generation Security Software, Ltd., is good orientation. There may be useful information already leaked. It may not be reliable information, but there’s a good chance you can save yourself a lot of time without touching the web site.

Retain the information for future reference.

The Sam Spade utilities look up DNS and domain information. Frequently under revision, but one stable source is petri.co.il.

Use Maltego and Pipl to learn published information scattered across the Internet. Maltego uses nslookup, SecretSniff, Robtex. Pipl uses a different set of sources.

Collect and document information about the company’s Internet presence. This would include:

  • Internet Service Registration – The global registration and maintenance of IP address information
  • Domain Name System – Local and global registration and maintenance of host naming
  • Search Engines – The specialist retrieval of distributed material relating to an organization or their employees
  • Email Systems – The information contained within each email delivery process
  • Naming Conventions – The way an organization encodes or categorizes the services their online hosts provide and the email address conventions (which often reflect userid conventions).
  • Website Analysis – The information intentionally and unintentionally made public, that may pose a risk to security

hpHosts consolidates a lot of information about web sites. vURL can be used to review the company’s web pages through proxies.

AS Numbers Query (http://asnumbers.net/)

Retain the information for future reference.

What have others found? See Un1c0rn.

Does NTP report the hosts which have queried NTP? It could be used for further network enumeration.

– Border Gateway Protocol (BGP) Queries
– About BGP:12
AS numbers are used to identify the autonomous systems that a route has already passed through, which prevents routing advertisement loops; and to determine the origin of routes. Folks often use AS-PATHs in their route selection policy to, for example, use a particular transit provider that is known to have good connectivity to AOL; or not use someone who may have poor connectivity to them.
A good way to understand things in the real world is to use Looking Glasses by ISPs. For example, go to lg.he.net or lg.level3.net and do a bgp query with another providers IP as the argument. you will see how the possible paths to the specific IP, and you will see the AS numbers (networks) it has to go thru inorder to reach that IP.
www.arin.net (find target’s AS number)
neptune.dti.ad.jp (query BGP via web)

1. Reconnaissance
2. Scanning & enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

nmap (the most utilized penetration testing tool)

Metasploit framework Metasploit: A Penetration Tester’s Guide

Don’t Pick the Lock, Steal the Key – Password Auditing with Metasploit

Armitage – A GUI for Metasploit

Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

SinFP3 is an operating system fingerprinting tool

Pushpin will identify every tweet, flicker pic and Youtube video within an area of a specific Geo address.  Example Usage:

python ./pushpin.py -c 42.3534688,-71.0611556 –all

For latitude and longitude, see http://itouchmap.com/latlong.html

Nessus

eEye Retina

Core Impact

netcat: an asynchronous port scanner (a load balancer can shape traffic and slow down scans; that is, has IPS functions)

For more specialized penetration testing tools, see http://wiki.remote-exploit.org/backtrack/wiki/Category

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments.

And also consider this version of the steps for penetration testing with 10 (instead of 5) steps:

http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm

http://www.ivizsecurity.com/network-penetration.html

http://www.ivizsecurity.com/application-penetration.html

Find open directories with Google by searching for ” Name Last modified Size Description”:

http://www.google.com/search?hl=en&q=%22+Name++++++++++++++++++++Last+modified+++++++Size++Description%22


Web Browser Forensics

October 7, 2009

What question were you trying to answer? Could it be:

  • Where did this malicious software come from?
  • What web sites has this person been visiting?

What access do you have? Could it be:

  • A single machine, and I have local access
  • Multiple machines, and I have remote access

Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links.

Is this actually a Forensics examination (where you care about preserving evidence) or is this an Incident Response root cause examination, where discovery (and not legally admissible evidence) is the goal?

The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and  you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)

On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.

An appropriate tool to collect web browser history and evidence would be CacheGrab and its companion interpreter CacheBack.

CacheGrab® is our standalone cache and history recovery tool that can be used on any logically mounted volume or virtual file system, including disks mounted using Physical Disk Emulation. CacheGrab does not require any purchase or licensing and may be used freely. Users should note that this version of the program only searches logical volumes at this time, and the ability to search physical disks and unallocated space will be available with the release of CacheGrab® Version 2, sometime in early 2010.

Note the features of CacheBack:

  • Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
  • View cached web pages and pictures in a single consolidated thumbnail gallery making it easy to zero in on artifacts of interest.
  • Comb through complex histories and large cache repositories using the powerful multi-tabbed, multi-functional WYSIWYG interface.
  • Combine the built-in Query Manager window, Quick Queries and compound query filtering options to drill down efficiently on large datasets.
  • Produce visually compelling, rich HTML reports of rebuilt web pages and picture evidence with valuable metadata.
  • Publish reports to any destination folder or removable media keeping the evidence intact and portable.
  • Display timestamps in any selected time zone and choose to observe daylight savings for any region. Completely system independent.
  • Powerful Link Analysis to identify matches between history URLs and hyperlinks found in web pages (e.g., which links might have been clicked or visited).
  • Multiple tabbed views of the same evidence (Browser, Text, Hex, Picture, Audit and Links).

These features may be more that you need.

If you only need to be concerned about Internet Explorer, then grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco (http://www.sourceforge.net/projects/fast) to make tab-separated text files from the dat files.

A batch file to make this task easier:

@echo off
if (%2)==() goto ERR_SYNTAX
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary
Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
attrib -s -h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
"%1_%2_history_index.dat"
attrib +s +h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
"%1_%2_history_index.dat"
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
GOTO EXIT
:ERR_SYNTAX
Error - requires two parameters, machine name (or IP address) and userid
:EXIT

When loading the text separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.

Note that this problem in Excel is because some of the original fields in the index.dat file contain tabs; using pasco to create a tab-separated text file when some fields contain tabs is problematic. If you wish to be consistent, fields rarely contain pipe characters; creating a pipe character-separated text file will produce a more consistently formatted Excel spreadsheet.

The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).

Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.

Related articles:

Utilities:

Where to find browser history

Internet Explorer C:\Documents and Settings\<windows login>\Local Settings\History\History.IE5
index.dat
Internet Explorer C:\Documents and Settings\<windows login>\Local Settings\Temporary Internet Files
index.dat
Mozilla C:\Documents and Settings\<windows login>\Application Data\Mozilla\Profiles\default\bsczxlvc.slt\Cache\572222B7d01
history.dat
Netscape history.dat
Firefox C:\Documents and Settings\<windows login>\Application Data\Mozilla\Firefox\Profiles\ygeipybb.default
history.dat
Safari history.plist
Opera global.dat

Check query history

Google toolbar C:\Documents and Settings\[userid]\Application Data\Google\Local Search History

Where to find passwords

Firefox C:\>C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons.sqlite
C:\Users\Russ\[username]\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons3.txt

Where to find chat logs

Trillian C:\Program Files\Trillian\users\default\logs
MSN Messenger post version 7.0 C:\Documents and Settings\\My Documents\My Received Files\\History
AOL Messenger C:\program files\users\default\log\AIM\Query
Yahoo Messenger 6.0 C:\Program Files\Yahoo!\Messenger\Profiles\\Archive\Messages
mIRC C:\program files\mirc\logs
GAIM *nix: ~/.gaim/logs
Windows: \Documents and Settings\user\Application Data\.gaim\logs
Look for the screenname under the protocol directory.
Miranda Messenger C:\Program Files\Miranda IM\Logs
Exodus 0.9.x C:\Documents and Settings\\My Documents\Exodus-Logs\<user>_<server>.html
iChat /Users//Documents/iChats

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis


October 2009 is National Cyber Security Awareness Month

October 1, 2009

From InfraGard:

October 2009 is National Cyber Security Awareness Month (NSCAM), which the FBI endorses and participates.  The NSCAM event has been held every October since 2001, as a national awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Cyber security requires vigilance 365 days per year.  However, the Department of Homeland Security, the FBI, the National Cyber Security Alliance, and the Multi-State Information Sharing and Analysis Center, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data.

Ultimately, our cyber infrastructure is only as strong as the weakest link.  No individuals, business, or government entity is solely responsible for cyber security.  Everyone has a role and everyone needs to share the responsibility to secure their part of cyber space and the networks they use.  The steps we take may differ based on what we do online and our responsibilities.  However, everyone needs to understand how their individual actions have a collective impact on cyber security.

Please read the Awareness Month Fact Sheet, Awareness Month What Home Users Can Do Tip Sheet, and the Awareness Month CSAVE Fact Sheet.

You can read more by visiting STAYSAFEONLINE.ORG.

Thanks,

John “Chris” Dowd
Unit Chief
Public/Private Alliance Unit
Strategic Outreach and Initiative Section
Cyber Division


Can You Trust That Web Site? (URL Shortener edition)

September 24, 2009

Regarding URL shorteners such as Bit.ly, 2k38.net and goo.gl (Google’s URL shortener services), is.gd, ow.ly and tinyurl.com, services designed to redirect to a different, typically longer, URL.

  • They are nearly mandatory when posting a URL via Twitter (or other microblogging site).
  • They can get your email dropped by a SPAM filter, since URL redirection (URL forwarding, URL obfuscation) is how malicious sites get past SPAM filters.
  • A URL shortener service takes links out of your control; many of the free URL shortener services have already shut down.

You want to know if you can trust that web site, and a meaningless link doesn’t help. Note that you should always treat any link you may see in an email or web page as meaningless; there is no reason to trust that what the link connects to the text displayed.

For all URLs, there are two facets:

  1. the text they display and
  2. the resource they actually locate.

There is no requirement that they match. Should ISC SANS be clicked? Should http://www.stopthehacker.com/ be clicked? Displayed text was always untrustworthy, and link shortening services make that obvious.

Whether you can trust the resource they actually locate is a difficult problem. URL shortening services introduce an extra layer of obfuscation which makes that problem more difficult. Techniques which rely upon an organization’s reputation (such as Web Of Trust) are ineffective when confronted with a shortened URL that obfuscates the organization. This leads to a desire for de-obfuscation approaches, such as Redirect Detective or the (currently unavailable) shuurl.com.

There are problems with relying upon an organization’s reputation to determine if a resource is trustworthy. Problems such as PHP code insertion add untrustworthy code to a trustworthy organization. These problems exist independent of URL shortening services, and are neither more nor less obvious through the use of URL shortening services.

URL shortening services introduce new problems in terms of reliability and stability. There is a trust than the shortened URL will consistently refer to the same resource; that the reference cannot be hijacked and the service provider will remain in business (see shuurl.com). These problems are not within the control of the person using the URL shortening service.

In conclusion, shortened URLs make:

  1. the text they display neither more trustworthy nor less trustworthy,
  2. the resource they actually locate neither more nor less trustworthy, and
  3. introduce availability issues which are outside your control.

Use URL shortening services only if necessary.

Instead of HpHosts as your first step (my advice from Can You Trust That Web Site?), go to vURL. vURL reveals and expands the redirected web site. You can learn what the obfuscated URL will lead you to (and examine the code) without directly connecting to the web site. Then learn if the revealed web site is trustworthy at HpHosts.


Lessons from the Heartland Data Breach

September 14, 2009

View “Lessons from the Heartland Data Breach” on Vimeo to hear from Robert O. Carr, the particular victim. Read his testimony before the United States Senate Committee on Homeland Security and Government Affairs. An apparently secure (even audited, pen tested and forensically examined) organization was breached. You can be PCI DSS compliant, and pay the penalties of an information breach.

My take-aways from the Heartland breach: Note that a SQL injection vulnerability was discovered, then remediated.  Too late, as it turns out; the damage was done. Previously undetected malware was running on the system. Even though an intrusion was suspected, this malware escaped the detection of auditors, pen testers and (for a long time) forensic examiners. In the end, forensics examiners found the vital clue that revealed that a security breach had occurred, was occurring and the intrusion response procedure needed to be invoked.

Why so long? Undetected malware is not the sort of problem auditors would look for. Pen testers would fail since the system had been hardened after the breach. A more efficient approach to a forensic examination would been to have a set of hash values of known good files, and compute the hash values of current files. Inspect the files that do not match the “known good” list. See Simple Malware Discovery Measures for additional approaches.

The Hannaford Brothers breach is also attributed to undetected malware.

My theory is that malware never (perhaps rarely) travels alone. Previously undetected malware is always (perhaps usually) accompanied by detected malware. Reliance upon anti-virus software to detect all malware is false confidence. Investigation of detected malware yields information you want to use. and that information may be about previously undetected malware or information about where malware is coming from. Was there detected malware that accompanied the undetected malware in the Heartland breach example?

I do agree that encryption of data is an additional defense, an additional preventative measure. There is also a need for readily available detective measures; reliable mechanisms to confirm or deny an incident quickly.

See also: Online Trust Alliance (OTA) 2011 Data Breach & Loss Incident Readiness Guide


Web Application Two Factor Authentication (and Two Way)

September 5, 2009

The three factors are:

  1. something you know (password)
  2. something you are (biometrics)
  3. something you have

“Something you have” is often out of the question for a web site. “Something you have” means you are managing (purchasing, assigning, distributing, inventorying, collecting, and destroying) devices. Similarly, many biometrics devices are out of the question. Fingerprint scanners and webcams are more entrenched than they were, but their resolution is outside your control.

How about typing pattern recognition? There are many products that can be used to implement this “something you are” as your second factor.

Don’t dismiss “something you have” too quickly. Consider DeepNet Security or PhoneFactor or Authentify; the something you have could me a cell phone. PayPal offers a PayPal Security Key for two factor authentication, in two mechanisms: security code generating device and text message to mobile phone.

“Two factor authentication” may not be your most important concern. Many people look at the problem of web application insecurity as a client authentication problem: “Can I trust that this person is who they say they are?” They increase their confidence with two-factor authentication. Actually, security breeches are often better prevented with two way authentication (mutual authentication). This is typically done business to business (“Can I trust you?” “Yes, but can I trust you?”). There is no reason a business shouldn’t recognize that it has an obligation to its customers. “Can I trust that the customer is actually connecting to my web application, not some man in the middle or impostor?” Extended verification of certificates (qualifying for the green bar in the URL box) is a partial measure. However, this relies upon the customer to manually enforce authentication. Extended validation relies upon the weakest link.

Two way authentication (mutual authentication) can be implemented using SSL See Entrust. See Sun Mutual Authentication for Web Services: A Live Example. At a minimum, be prepared to explain why you have chosen to not do mutual authentication.

Again, see DeepNet or products of its ilk. Just as an example, not an endorsement. But focus on the problem of two way authentication; it could easily be the problem you need to solve.

  • Physical One Time Password (OTP) Generators (“Security Tokens”)
    • Allow for anytime-anywhere login.
    • Are vulnerable to Man-in-the-Middle attacks.
    • A sync issue might occur between the token and the Radius server.
  • Soft One Time Password (OTP) Generators
    • Need to be locally installed, or run from a USB requiring specific user rights.
    • Are vulnerable to Man-in-the-Middle attacks.
    • A sync issue might occur between the token and the Radius server.
  • Mobile Phone SMS One Time Password (OTP) Generators
    • Are vulnerable to Man-in-the-Middle attacks.
    • Cellphone traffic encryption is not as secure as it was considered. (Although cracking encryption relies upon long conversation, with pauses.)
    • SMS delivery may be delayed
  • Phoneline One Time Password (OTP) Generators
    • Voice synthesis “reads” password to be typed.
  • Common Access Cards/smartcards
    • X.509 is formal standard.
    • Strong authentication during the RA process, and a PIN to remember.
    • Protects against Man-in-the-Middle attacks.
    • Requires hardware reader.
    • Expensive to deploy, expensive to revoke.
  • User certificates
    • X.509 is a formal standard.
    • Can be hard to deploy and revoke.
  • Hybrid approaches
    • Options range from solutions which create a tamper proof tunnel between user and target server, to SSO portals requiring different combinations of login authentication, to solutions which combine any type of existing authentication with unique user device authentication resulting in time limited secure access tunnels with SSO capabilities enabled.
    • May require a hardware or software client component, therefore costs, deployment and revocation difficulties.
    • May be SaaS-based and remove troubleshooting and support from local control.

SSL Vulnerability Debriefing

August 23, 2009

Note that Ron Rivest reported MD4, MD5 and SHA-1 were “clearly broken,” and recommended migration from MD2 in 1996 [pdf]. See also Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD by Xiaoyun Wang et al. This leaves SHA-256, SHA-384 or SHA-512 and AES.

Fake certificates

See Creating a rogue CA certificate by Alexander Sotirov (December 2008). It is possible to create an MD5 hash collision; with that technique one can create a certificate that appears to have been issued by a trusted certificate authority but which specifies a URL of your choosing. As long as certificate authorities issue certificates signed with an MD5 hash code and client software (typically a web browser) accepts MD5 as a hashing algorithm, “the certificate was confirmed” cannot be sufficient reason to trust the other party.

Null characters

Black Hat USA 2009 presentation [pdf] by Moxie Marlinspike: Certificates can contain null characters that client software does not treat as a terminator. A person can see a expected text and be deceived into accepting an untrustworthy certificate.

Black Hat USA 2009 presentation by Dan Kaminsky, Len Sassaman et al: Also reported null character vulnerability. Reminded attendees that MD2 is not to be trusted (see, for example, Frédéric Muller, The MD2 Hash Function is Not One-Way, ASIACRYPT 2004, pp214–229). We can soon expect MD2 to be “broken;” that is, an attacker with sufficient resources could create a collision. The attacks upon MD2 are not yet practical, but should be soon. Many web sites still use certificates that use MD2. Browsers will soon report such certificates as untrustworthy.

July 29, 2009: Busy day at Black Hat is Tim Callan (Vice President of Product Marketing at VeriSign) response to Moxie Marlinspike’s and Dan Kaminsky’s presentations at Black Hat. Denies that Verisign certificates can contain null characters and agrees that the problem is with the certificate interpreters (the client software) not the (non-Verisign) certificates. Suggests EV SSL or code signing as mitigation measures.

… sites have the power to defend themselves against null character attacks and in fact all attacks using sslstrip.

SSL Strip refers to an earlier Moxie Marlinspike utility that intercepts the browser’s switch from http to https. See HTTPS Web Hijacking Goes From Theory to Practice by George Ou. See Verisign’s whitepaper “Spoofing Server-Server Communication: How You Can Prevent It” by Larry Seltzer [pdf].

August 1, 2009: Versions 3.0.13 and 3.5 of Firefox contain fixes for null characters in certificates.

August 27, 2009: Version 2.0.172.43 of Google Chrome will no longer connect to HTTPS (SSL) sites whose certificates are signed using MD2 or MD4 hashing algorithms.

September 29, 2009: Jacob Appelbaum releases a trick certificate with a null character as the leading character.  In effect, this can be used (in an unpatched browser) to match any domain.

September 30, 2009: Research in Motion releases updated software to clearly indicate the mismatch in names when the Blackberry browser encounters a null character in certificates. Misreported as SMS attacks against BlackBerry certificate flaw possible in SearchSecurity.

Implementation

The least expensive SSL certificates, domain-authenticated certificates, don’t authenticate an organization. They authenticate an internet domain. Users cannot discover with whom they are doing business.

Fault-Based Attack of RSA Authentication [pdf]

March 5, 2010: Power faults can be used to discover a server’s RSA private key. A patch for OpenSSL is forthcoming.

Bottom line

The success of eCommerce relies upon SSL which relies upon customer diligence. That is not a reasonable expectation. This expectation is further jeopardized when vendors establish an SSL connection, then use it only when encrypting form data. Form data is all that must be encrypted and encrypting everything would be slow. However, selective encryption removes the possibility that the customer can be diligent and you are relying upon the customer’s diligence.

If you have been attending to SSL, these announcements should not alter your plans. If you have been neglecting your SSL implementation, then these announcements are reminders that SSL needs periodic review.

It is more likely that your web site will be compromised through a poor implementation of SSL, than through an exotic compromise. See “A study of what really breaks SSL” by Ivan Ristić. See Qualys SSL Labs Threat Model.

An EV SSL appears as a green bar in the browser’s URL window. As a consumer, you want to watch for the green bar; as a merchant, you want to offer the green bar. While this guideline is not a guarantee (there can be EV SSL man-in-the-middle attacks), not observing this guideline is a more dangerous practice.

There are certificates that are not trustworthy. You want to be off MD5 and MD2 hashing as soon as possible. A check of my certificates reveals they are signed with SHA-1, not with MD5 or MD2. MD5 and MD2 are deprecated (that is, to be avoided by using alternatives).

Possible reasons you were relying upon SSL:

  1. You provide an eCommerce service. You use SSL to give consumers confidence that you are legitimate.
  2. You consume eCommerce services. You use SSL to gain confidence that the web site you connect to is legitimate.
  3. You connect two applications (such as IIS and SQL Server) and want to assure that no third application spoofs one or the other; that is, as a defense against man-in-the-middle attacks.

SSL should be implemented as part of a Public Key Infrastructure (PKI) service. There are ways to do this poorly. There are ways that may have appeared trustworthy, but did not foresee problems (such as enhancements in cryptography that found weaknesses in MD2). MD2 was optimized for 8-bit machines. Certificates that used MD2 were highly compatible with older technologies. We should feel comfortable sacrificing 8-bit machine support and feel uncomfortable relying upon MD2.

Extended Validation SSL (EV SSL) provides additional assurance that the web site you are communicating with is legitimate. Generating a certificate with extended validation requires the certificate authority (CA) to collude with the requester when creating a malformed certificate. Offer EV SSL and watch for EV SSL when doing disclosing personally identifiable information (including eCommerce).
Read the rest of this entry »


Web Application Testing

August 2, 2009

Application Software Security is Critical Control 18.

Use the OWASP Application Security Verification Standard, don’t just focus on the OWASP Top 10 Vulnerabilities.

Maybe I should just say w3af and let it go at that. Or refer you to “H.O.T. | Security” [pdf] by Luis Rocha for hands-on training.

Application availability, confidentiality, integrity and authenticity (collectively: security) are best addressed by organization procedures; see Framework. Implementation reviews are not the time to introduce the topics of availability, confidentiality, integrity and authenticity; that is, implementation reviews are not the time to ask “how do we secure the application?”

Web applications are a portal into your business, and should be reviewed for availability, confidentiality, integrity and authenticity issues. Web applications are also hosting platforms for malware (see the Web Hacking Incident Database). A business presence which hosts malware risks loss of business.

Web application vulnerabilities can fall into two categories:

  • Logical vulnerabilities or problems with application design
  • Technical vulnerabilities or problems with application implementation

For example, changing an HTML form element to a value that the application expects (frequently called a “valid” value) such as changing “FALSE” to “TRUE” could result in gaining access to data you should not have access to. This would be a problem with the application design (a logical vulnerability, assuming you can trust the supplied values) resulting in information disclosure or information integrity issues due to privilege escalation. Logical vulnerabilities are difficult to test for with automation. Watchfire produced a clear explanation [pdf].

Technical vulnerabilities arise through unexpected HTML form element values (frequently called “invalid” values). A telephone number should not contain Javascript code, for example. Cross-site scripting and SQL injection vulnerabilities would be examples of technical vulnerabilities. Automated application testing has a good chance of detecting technical vulnerabilities.

Opportunities for error, server side:

  • Injection
  • Authentication (see OWASP ASVS 2014 v2.18 and v2.20)
  • Access Control
  • Vulnerable libraries
  • Forge HTTP headers
  • Abuse business logic
  • Security configuration
  • Accept forged requests

Opportunities for error, in transit:

  • Steal Cookie
  • Guess Cookie
  • Reuse Cookie
  • Steal Data

Opportunities for error, client side:

  • Malicious JavaScript (XSS)
  • Generate forged requests
  • Stolen clicks (clickjacking)

Pre-production, test environment web application testing should not be treated the same as production web application testing. Pre-production, your goal is to discover problems with the application before anyone else does. (“Can the application misbehave, be abused, expose information that we had not intended to expose?”) Post-product, your goal is to discover if anyone has discovered problems which you have missed. While “security is transient” and testing approaches improve, you cannot perform the same pre-production tests when using production data. These pre-production tests might corrupt a database or cause the database to become unresponsive. Information integrity and information availability are two goals of information security.

At this point you should be wondering “isn’t trying exploits against production data how you do penetration testing? Don’t you need to do penetration testing? Doesn’t PCI DSS require penetration testing?” All are good questions, all are worth a special rant. All are reasons why penetration testing starts with a contract.


Learn how to make web apps more secure. Do the Gruyere codelab.

Tip: You want a change control policy. You want to review changes before they are made. This goes for web page content as well. This is your opportunity to catch the information disclosure problems. Containment after publication is at least difficult and arguably not possible.

Tip: Check each input value to make sure it is an expected value, and assign input values to local variables for use. Specifically, PHP developers should never use anything like $_GET or $_POST. Filtering all data from external sources is the most important security measure a developer can take when coding an application that requires input from the URL. This can be as easy as running some simple built-in functions on your variables. Further coding tips at Gruyere Lessons On Secure Application Development.

Some Best Practices:

  • Disable PUT and DEL on your web server.
  • Explicitly set [HttpGet] and [HttpPost]
  • [Authorize] at controller level
  • [RequireHttps]
  • Beware [AllowAnonymous]
  • HTTPOnly, Secure on custom cookies
  • CustomErrors mode on
  • httpruntime enableVersionHeader=”false”
  • maxInvalidPasswordAttempts=”5″
  • passwordAttemptsWindow=”10″
  • Encrypt and hash Viewstate (Webforms)
  • Headers (see OWASP’s List of useful HTTP headers):
    • Secure
    • Strict-Transport-Security (enforces HTTPS)
    • X-Frame-Options (anti-clickjacking)
    • X-XSS-Protection (anti-reflected XSS)
    • Content-Security-Policy (Anti-XSS, etc.)
    • X-Content-Type: “nosniff” prevents the browser from guessing a content type

Tip: You want a testing framework. I want a testing framework. The role of a framework is to specify, at a high level, the concerns and questions you need to address. Break the high level questions into successively lower level questions. Develop procedures and tools to address these lower level questions. Review you framework and its questions. So where do you find such a framework? There’s the OSI model. Not too helpful when we’re already focusing on web application testing. Don’t forget that there are six other layers. Surely there’s a more fleshed-out framework to build upon. Perhaps one of the following resources will prove useful.

  • Web Security Testing Cookbook
  • Core Security Technologies Research Projects Upcoming: the automated SQL injection vulnerability assessment process. Currently:
    • A Penetration Testing Research Framework
    • Attack Payloads with applications to Botnets
    • Attack Planning
    • Attack Simulation
    • Automated Tracking of Malicious Data in Web Applications
    • Bugweek and Security Vulnerabilities
    • Core Grasp
    • Core Truss and Secure Triggers
    • Core Wisdom
    • CoreTex
    • Development of an Information Security Research Community
    • Gfuzz
    • MD5 considered harmful today
    • ND2DB Attack
    • NERDS – A Public-Key Encryption Scheme
    • Non-Euclidean Ring Data Scrambler (NERDS) public-key encryption
    • Open Brainstormings
    • Practical and Theorical Research Topics in Information Security
    • Protocol Design Flaws
    • Public-Key Cryptography Based on Polynomial Equations
    • Security Event Visualization and Analysis
    • Security Vulnerability Research
    • Software Protection and Licence Enforcement
    • Source Code Auditing Techniques
    • SQL Agent
    • Teaching Penetration Testing
    • Timing Attacks for Recovering Private Entries from Database Engines
    • Using Neural Networks for Remote OS Detection
    • XSS Agent
    • Zombie 2.0 – A web-application attack model
  • OSSTMM – Open Source Security Testing Methodology Manual
  • BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.
  • The Samurai Web Testing Framework (SamuraiWTF) is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites.
  • SOAP UI Getting Started with Security Testing
  • BURP Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Edit BurpSuite.jar –> burp –> PayloadStrings –> *.pay to extend the set of strings in assessments.

  • WATOBO – Web Application Toolbox is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits.
  • Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
  • Web Application Security Consortium features a security scanner evaluation criteria
  • Qualys FreeScan allows small to medium businesses (SMBs) to scan their web sites for of malware, network and web application vulnerabilities, as well as SSL certificate validation, helping web site owners identify risk before hackers do in order to prevent data beaches and protect online visitors from infections.
  • PCRisk free online website malware scanner
  • Venafi Assessor is a downloadable, easy-to-install, free software solution that scans an organization ’s network to locate and analyze deployed digital certificates and the associated encryption keys.
  • Building a Web Application Security Program [pdf] by Securosis, L.L.C.
  • The Web Application Hacker’s Handbook
  • Google’s Browser Security Handbook
  • Let Google notify you if you are hosting malware
  • WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach.
  • NTO SQL Invader gives the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in Web applications. With a few simple clicks, you will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database.
  • Netsparker (from Mavituna Security) promises to provide false positive free web application security scanning.
  • TwoLogs offers Test your web form.
  • DOM XSS Scanner is an online tool that helps you find potential Document Object Model (DOM) based cross-site scripting (XSS) security vulnerabilities. To get started simply enter a URL to review the source code of the corresponding resource with DOM XSS sources and sinks being highlighted on the results page. In addition HTML and XML documents will be searched for included external scripts, most likely JavaScript files, that will be fetched in turn and subsequently displayed on the results page.

Note: This post needs to be re-written, split-up and re-organized. Lots of content, little framework.

  • Prevention
    • Secure Application Coding
    • Secure Application Testing
    • Input Filters
    • Patching, or Web Application Maintenance
    • Vulnerability Assessment (including can PHP code be added remotely)
  • Detection
    • Compute Digests of Static Pages and Monitor for Changes
    • Monitor Blacklists
    • Monitor for Malware
    • Monitor for Unintended or Unauthorized Modification (including has PHP code been added remotely)
  • Containment
    • Automated Quarantining
  • Recovery
    • Identify root cause attack vector
    • Patch vulnerable applications
    • Use wrappers or “virtual patching” or “web application firewalls” to make the application appear patched
    • Install clean copies of infected files
    • Install clean versions of infected databases (or clean infected databases)

Prior to implementation, you are testing for application vulnerabilities. See the National Vulnerability Database, The Open Source Vulnerability Database, CVE, Secunia and SecurityFocus. Be reckless, be ruthless. Try lots of exploits. See the Neohapsis Archives, SecurityFocus, Exploits Database, 1337 Exploit Database and the Intelligent Exploit Aggregation Network for leads to such exploits. Post-implementation, avoid disrupting production applications. Focus on testing test for signs that application vulnerabilities have been exploited. Be ruthless with test environments, but cautious with production environments. “Security” is a transient state, meaning people learn about vulnerabilities that that had not thought to test for. If you find signs that a compromise has occurred it does not necessarily mean your earlier testing was lax. If possible, repeat the pre-implementation tests for application vulnerabilities. This may not be possible when testing uses credentials with elevated privileges. You risk corrupting the database of a production environment.

Live Hacking CD is a free Linux distribution packed with tools and utilities for ethical computer hacking, penetration testing and countermeasure verification. Based on Ubuntu this ‘Live CD” runs directly from the CD and doesn’t require installation on your hard-drive. Once booted you can use the included tools to test, check and ethically hack your own network to make sure that it is secure from outside intruders.

The CD includes hacking tools for DNS, reconnaissance, foot-printing (gathering information about computers on the network), password cracking, network sniffing, spoofing (or masquerading) and wireless networking utilities.

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with the web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Brute forcer, Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injections, Cross site scripting (XSS), Brute force for login forms, identification of firewall-filtered rules, DOS Attacks and WEB Proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.

Slowhttptest (developed by Sergey Shekyan, Developer Web Application Scanning at Qualys) sends partial HTTP requests, trying to get a denial of service from the target HTTP server. Slow HTTP DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. Slowhttptest actively tests if it’s possible to acquire enough resources on an HTTP server by slowing down requests to get denial of service at the application layer.

Slowhttptest is configurable to allow users to test different types of slow http scenarios. Supported features are:

  • Slowing down either the header or the body section of the request
  • Any HTTP verb can be used in the request
  • Configurable Content-Length header
  • Random size of follow-up chunks, limited by optional value
  • Random header names and values
  • Random message body data
  • Configurable interval between follow-up data chunks
  • Support for SSL
  • Support for hosts names resolved to IPv6
  • Verbosity levels in reporting
  • Connection state change tracking
  • Variable connection rate

Detailed statistics are available in CSV format and as a chart generated as HTML file using Google Chart Tools.

Test the application and the environment it is installed upon. nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Nmap 5 cheatsheet [pdf].

ZeroDayScan is a web site to test your web site. Note that I am not endorsing them. You cannot test just any web site; you must be able to place a text file in the root directory of the web site before you can test it. This offers some assurance that you are not using ZeroDayScan for nefarious purposes. The persons behind ZeroDayScan wish to remain anonymous.

Qualys SSL Labs offers an SSL Server Test.

Context Application Tool (CAT) is a free application testing tool that runs on Windows. It runs as a proxy. Features:

  • Complex authorization models
  • Ability to test complex multi-phase forms e.g. single sign-on (SSO) systems
  • Fuzzing forms protected by cross-site request forgery (CRSF) tokens
  • Supporting different encodings used by web services, Ajax and to leverage complex vulnerabilities
  • Ability to perform sensitive timing attacks
  • Heavy Ajax applications

Note: In my configuration, this fails with an installation error:

Error Creating master certificate: The system cannot find the file specified.

DEFENSICS™ Universal Fuzzer is a file fuzzer that can generate security tests for any file structures based on a set of templates. These files can be samples of pictures, videos, documents, or even data packets from traffic captures.

Browser Exploitation Framework (BeEF) will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.

Enhancements in the latest version include:

  • Integration with Metasploit via XMLRPC
  • Mozilla extension exploitation support
  • New browser functionality detection modules
  • Tiered logging for module actions and results

BeEF is a professional tool to demonstrate the real-time impact of XSS browser vulnerabilities. Development has focused on creating a modular structure making new module development a trivial process with the intelligence residing within BeEF.

Browser Rider is another web browser exploitation framework.

What about a Web Application Firewall (WAF)? A WAF may be a preventative measure, if the action is “block based upon input.” The WAF may be a virtual patching appliance, if it modifies and forwards input, or monitors output, or matches output with input to mask application errors. Akamai offers a WAF [pdf] where “Rules detect and prevent generic threats and exploitation techniques such as SQL Injection and Cross Site Scripting (XSS) attacks, among other Layer 7 attacks.” The Web Application Security Consortium hosts a Web Application Firewall Evaluation Criteria. The criteria is a list of good questions. Use the criteria as a “cheat sheet” to supplement your original question.

Use of “software wrappers” to compensate for application deficiencies began with presenting an approachable interface to one or more legacy applications. You may wish to review the Generic Software Wrappers Toolkit prototype if this a task you ere expecting a WAF to perform.

The small, mom-and-pop web sites cannot assume they will be ignored because larger targets are more attractive. Many web server attacks are random and opportunistic. Search for “Hacked By GHoST61” to see dramatic examples of web sites defaced for no financial advantage. (This is a person who wishes to make known how vulnerable web sites are.) Malicious persons run programs which search for vulnerable web sites. Web sites are found and attacked regardless of size. While the web site itself may not be the direct source of the malicious person’s income, it becomes one of the hundreds of thousands of trustworthy websites which happen to be hosting malware.

Currently in beta: The Infosec IslandTM SMB Security Toolkit.

This suite of tools will allow you to assess and maintain the security of certain portions of your organization’s security that are often overlooked and easy to address. It will also allow you to compare your organization’s security posture with other similarly-sized organizations in your industry.

The Production release of the toolkit will contain the following tools:

For further threat awareness, aee Imperva’s SQL Injection whitepaper [WP-SQL_INJECTION_2.0-1208rev1]. Tools such as Priamos, Power Injector and SQL Ninja automate SQL Injection attacks. SQL Map uses Google to find SQL databases and automatically attack them.

  1. Find an application with an exploitable vulnerability. For this, the Open Source Vulnerability Database can be a useful resource to exploitable vulnerabilities in technologies you are familiar with, as well as sample exploit code.
  2. Find web sites using the identified application or which are misconfigured. SHODAN shows you how little effort this requires. A search for “http://318x.com” will reveal how widespread a single attack has been.

SHODAN is collected server and router information from web presences. This information can be sifted and searched looking for credentials, vulnerable versions of applications.

To find Use Returned
Unsecured HP JetDirect adapters Password is not set port:23 7 in the United States
1 in Germany
1 in the Netherlands
Open FTP servers “331 Anonymous login ok” port:21 488 in the United States
75 in the United Kingdom
74 in Japan
48 in China
Open FTP servers granted port:21 316 in the United States
25 in Norway
23 in Germany
20 in Japan
IIS 6.0 running on Windows 2000 in the United States Microsoft IIS os:”windows 2000″ country:US 82,859 n the United States
Cisco IOS devices with web authentication disabled “cisco-ios” “last-modified”
WatchGuard Firewalls web management console “WatchGuard” “Firewall”
Power management web interface WWW-Authenticate: Basic realm=”APC Management Card”

Note that you can learn about these network presences without actually visiting them. In summary, don’t rely upon the size or nature of your web presence to prevent unwanted information disclosure. This information will be gathered and distributed without regard to the entity hosting the service. Review your systems and the information you disclose.

Larger environments need to be concerned about these random attacks, but they must also recognize that they can expect to be singled-out.  There are other attack approaches which are more targeted. A determined malicious persons will attempt more involved mechanisms to identify information they can put to their advantage.

PAPAS is an automated system that scans web-sites for HTTP Parameter Pollution vulnerabilities.

Google’s Webmaster Console and Microsoft’s Webmaster Tools are free support. Use Google’s Webmaster Console to be alerted when their web crawling detects issues (such as malware) on your website.

Google also has the DOM Snitch extension for Chrome to identify unsafe practises in client-side code.

Michal Zalewski has released SkipFish (read more, download, review by Felix ‘FX’ Lindner):

  1. High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  2. Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  3. Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

Use SkipFish to collect information about the web application’s “surface” about test those surfaces with other tools.

If you suspect that your web site is hosting malware, you may be able to confirm your suspicions with one of the following. (Hosting malware is only one payload of a successful compromise.)

Arachni is a feature-full and modular Ruby framework that allows penetration testers and administrators to evaluate the security of web applications. Arachni is smart, it trains itself with every HTTP response it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through each path of a web application’s cyclomatic complexity. This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Static reports

See Metawebsites for additional web sites that may have information about your web site.

Active test utilities

  • vURL Desktop Edition and vURL Online
  • cURL is a command line URL utility (HTTP, HTTPS, FTP). Use cURL to send “malformed” URLs as well.
  • Wget is a command line HTTP, HTTPS and FTP utility.
  • thug is another command line URL utility. If you are attempting to access malware, the target site may refuse to deliver it through cURL or Wget, so use thug. Similarly, the target site may refuse to deliver malware to the same IP address twice.
  • Qualys SSL Labs SSL Server Test
  • Comodo SSL Analyzer for a summary of web server security levels

Cheatsheets

Know your software, know your platform, know your application’s entry points (the intended and the unintended entry points) … know your attack surfaces. Consider the padlock: an obvious attack surface is where you would insert the key (or select a combination), you could pick the lock (or feel the dials). More fruitful is the use of a shim to extract the shackle from the body. Cutting the shackle or body is a third attack surface, but this may have the least probability of success. Know your attack surfaces.

You need a methodology. You need to be able to perform a methodical review of of the web application. You need to be able to look at the web application from many aspects. You need to be able to identify the aspects so you don’t leave the review with an “I forgot to check such-and-such” event. Being caught by surprise by a vulnerability that surprises everyone is one thing (and also the reason you have multiple layers of security) but being caught by surprise by something you forgot to check is another.

Be aware of what threats look like; see Web Security Threat Videos from Imperva. Be aware that threats have been successful; see Industry Data Breach Security Statistics.

Veracode released results (their “State of Software Security Report” subtitled “The Intractable Problem of Insecure Software”) of application code analysis.

Cryptographic Issues Most Common In Applications

Cross-site Scripting Most Prevalent

Microsoft’s Security Development Lifecycle may help you develop your methodology. Note that it is geared toward building in security from product initiation to delivery, which would be the preferred approach. You, on the other hand, may be faced with testing as a final phase. Knowing how development could have been done is still of some help. Additional, there are useful testing tools available.

Test your exposure; there are many web application testing tools that will display your exposure to you, end users and attackers. Call it “penetration testing” (or “pen testing”) is you like. Test changes before implementation; test again after implementation. Test with many utilities. Know your exposure.

Blaming end-users for infecting your servers is not the appropriate attitude. Your end-users want your service, they don’t want to interrupt your service. Expect that your end users run a Trojan horse (a true virus is very rare) and deny that Trojan an attack surface. Expect malicious persons to attack you. Deny them an attack surface, detect them, inform law enforcement.

Be aware of newly announced exposures in your platform by subscribing to vendor and public announcement services. Mitigate those exposures quickly.

“Don’t run Windows” is a short-sighted approach to knowing your attack surface. Denying access to the file system and OS is your continuous monitoring of the attack surface. Virtualization changes your attack surface. The common theme is to identify and mitigate any vulnerabilities in that attack surface.

While you’re busy examining the web-facing threats, don’t neglect to look in other directions. If you’re on a shared hosting service, less vigilant sites on your host could be compromised, and you need to consider any shared processes or shared files systems as additional attack surfaces.

Do not do intrusive web application testing across the Internet. Even with the express written consent of the application owner, hacking a web site across the Internet is illegal (in many countries). The Computer Misuse Act 1990 (UK) and Computer Fraud and Abuse Act 1984 1986 (US) (amended many times, including PATRIOT Act 2001) and US Code Title 18 Chapter 47 Fraud and False Statements places restrictions on unauthorized access or modification of digital material. Reading electronic mail messages exchanged over public e-mail systems by anyone other than the sender and receiver is a felony under the Electronic Communications Privacy Act (ECPA, 18 U.S.C.A ss 2510 et. seq. (1988)). If the application owner wants intrusive web application testing, it should be performed on their side of the firewall. With consent, it is application testing or penetration testing. Without consent, it is illegal (in many countries).

OWASP’s Zed Attack Proxy (ZAP), HttpWatch and Microsoft Fiddler are protocol analyzers (HTTP “sniffers”) which can capture the interactivity with a specific web site and allow you to analyze it (see how it loads and performs). Normally you would not put a protocol analyzer on the Internet. With a network adapter in promiscuous mode, a protocol analyzer or “sniffer” would enable you to see network traffic not intended for you. If email traffic should happen by, you have committed a felony. The Fiddler post-install (congratulations) web page has some information you may wish to know before installing.

x5s is an XSS security testing plugin for Fiddler. Exercise all legs of your application with Fiddler and x5s to find likely XSS vulnerabilities. “All legs of your application” can require human interaction, not a mechanical crawl; see Leveraging User Interactions for In-Depth Testing of Web Applications.

The Open Web Application Security Project (OWASP) consolidates information about how applications are being attacked and how applications can be tested. The OWASP WebGoat Project is a deliberately insecure J2EE web application designed to teach web application security lessons. Join your local chapter of OWASP. The Web Application Security Consortium provides news.

Test skills against (a better list is at IronGeek):

EricLaw’s IEInternals A look at Internet Explorer from the inside out

Unlike other Live CDs, the De-ICE project has no known vulnerabilities; instead, it presents a more real world situation in which system administrators neglected recommended practices.

Among the things you are looking for are error messages. Informative error messages are helpful during testing. In production, informative error messages reveal the technology behind the application (“footprinting”). Organized criminals (previously called “hackers”) collect lists about which targets use which technologies. In this way they are prepared for the next vulnerability. The SHODAN site provides a catalog of technologies and where they are used. For example, a Google search for “Apache/2 Server at” will reveal a large number of web sites using Apache 2.x. This information, along with the availability of a working exploit of a vulnerability in Apache 2.x, effectively means that you advertise that your system is available to whoever would like it. Organized criminals can map the vulnerability to a technology; map the technology to a target; then go after the target before they can mitigate the vulnerability in a planned and tested fashion. You may call this “security through obscurity” is you like, but “security through obscurity” is part of your layered defense. Eschew “security through obscurity” when it is your only layer, but embrace it as part of a multi-layer design.

Getting started: You want to use one of the automated testing tools. Before you do, get an understanding of what the tests are doing. Start with Firefox and a set of plugins: Web Developer, Switch Proxy (use a proxy, such as SPIKE ProxyRatProxy (Google’s testing proxy), burp, webscarab, Paros proxy, or ZAP (Zed Attack Proxy, a fork of Paros proxy) to intercept and monitor your local application traffic), LiveHTTPHeaders and User Agent Switcher (tell the application you are using a different browser or “user agent”), Add N Edit Cookies (modify application state information). Achilles [mavensecurity.com, digizen-security.com] is a free Windows proxy that allows user to examine and modify web content on the fly. A general-purpose web application security assessment tool. Achilles acts as a HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly. Use these tools to manually evaluate your web application and learn the value of automated testing. Use these tools to demonstrate the findings of the automated tools.

See also: How to Setup RatProxy on Windows

An interesting user agent is “Googlebot/2.1+”. How, you might ask, does the Google web crawler find content when you have to log in to view the content? Is Google logging in?

Test your tools and abilities using the NTO Hackme test site / hackme.mightyseek.com. Test using HackThisSite.org. Test using Heorot.net. Practice your testing using a machine on your local network, running XAMPP and Damn Vulnerable Web App. Learn to use the Metasploit Framework with free training from Offensive Security. (Alternate ideas: CoreImpact or Canvas.) Knowing what problems look like builds confidence that you can recognize problems.

Review your applications for well-known vulnerabilities at Secunia.

If additional testing is required, then with written consent or in a laboratory environment, through the book at it: a web application testing tool like WebInspect or Cenzic or Qualys or burp or Core Impact Pro or Netsparker would be your minimal tool. IBM participates in this market through IBM Rational AppScan. You want to test all known methods of exploiting a web application, such as use of certificates, cross-site scripting (XSS) vulnerabilities, information leakage, and buffer overflows. While you could do the same tests with other tools (such as netcat and Nessus), you will be performing these tests repeatedly. You need to address testing the application when the user is logged in. You want consistent testing and reporting. Your testing tool should also make recommendations about next steps or additional reading.

Note that the PCI 6.6 requirement, is not particularly demanding.

  • scan to detect vulnerabilities in web-facing application code,
  • prioritize, manage, and remediate vulnerabilities,
  • scan to validate and document that vulnerabilities have been corrected

Since security is transient (meaning people regularly discover new ways to abuse trust), this procedure should be repeated periodically. Since scanning tools assist you with your evaluation, they should supplement human evaluation, not replace it.

Develop your test suite while you develop your application. It is best to plan to test. Note conditions to remember to test for during development.

Get a baseline, then pound away at it: Fuzzing tools or fuzzers should be used to try variations that you and the testing tool wouldn’t have thought to try. You’re looking for whatever breaks (crashes, slows down) your application. Fuzzing tools for various development environments are available at ThreatMind.

Developers notes: Use a structured exception handler like try {} or catch {} instead of function-based error handling. Do not display default error messages. Remove all debug error handlers before the code goes into production.

The Open Web Application Security Project has instructions and tools for improving the security of application software.

Websecurify is a web and web 2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies. Caveat:

The tool was designed to provide baseline security assessments only. More advanced and in depth tests require human intervention.

For example, a missing human intervention is the login.

Note specifically security tools at WebScale: Site Timer allows you to analyze some of the most critical aspects of webpage performance. Engine Viewer to view your webpage in the same way a search engine does.

Web Hacking 2.0 – This is BIG Web application testing

Rendezous (optimized for Internet Explorer) is a toolkit for authorized web application testing, from Hidetake Jo. See owasp documentation [ppt].

What are we looking for?

  • Operational Errors
    • Failure to look for known vulnerability issues
    • Information disclosure
  • Configuration Errors
    • Insecure setup of otherwise safe products
  • Implementation Errors
    • Lack of knowledge
    • Lack of correctness
    • Lack of due care, or negligence
  • Design Errors
    • “The Big Fail”

“The Big Fail,” the design error, is often the focus of most security programs, ignoring the other problems.

  • Sufficient authentication controls
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Phishing
  • Information leakage
  • Injection flaws
  • Information integrity
  • Sufficient anti-automation
  • PCI 6.6 compliance

js
swf
pdf

  • Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. Choose to analyze the PDF in its expected context; that is, web-based PDFs would open in a browser.
  • When analyzing a file (rather than a URL), Jsand [wepawet component] does not examine external resources, such as iframes and scripts. In addition, properties such as document.location, document.referer, and document.cookie, which are sometimes used by malicious scripts, are not set.

Remote and Local File Inclusion Vulnerabilities 101 [pdf]

Microsoft provides lots of secure development assistance; try their Security Development Lifecycle blog, for example.

Lots of good web application security information at CGISecurity.com.

Use .htaccess.

IBM offers a Web application security e-Kit.
HTTP REQUEST
============


GET /prototype03/vulnerable.php?vid=zJrt&act=viewed&page=0.01 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
Host: www.victim.com
Authorization: Basic dTI0Y29tcGg6PCEzIzw3PjlBQnVu
Cookie:
PHPSESSID=b4499547c0c4f399ba649181d5e67f5c;vid11=6512bd43d9caa6e02c990b0
a82652dca;vid2=c81e728d9d4c2f636f067f89cc14862c;vid4=a87ff679a2f3e71d918
1a67b7542122c;vid8=c9f0f895fb98ab9159f51fd0297e236d;vid9=45c48cce2e2d7fb
dea1afc51c7c6ad26;vid7=8f14e45fceea167a5a36dedd4bea2543
Connection: Close
Pragma: no-cache

HTTP RESPONSE
=============

HTTP/1.1 200 OK
Date: Fri, 29 Aug 2008 10:00:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

Suggestions: Disable Apache product tokens. Disable PHP reveal self directives. Headers appear to give away lots of potentially sensitive information.

“Authorization: Basic” is a Base64-encoded representation of a username:password pair, and is reversible (u24comph:

—–

Simple “has PHP code injection attack occurred?” test.

  1. Create baseline list of URLs (where example.com is your site) by doing a Google search for:site:example.com inurl:php
  2. Periodically create new list of URLs and investigate changes.

Cons: This is post exploitation and perhaps long after exploitation. This can be tedious.

Pros: Cheap. Does not require server access.

Not mechanically tested: Credentials. Do not neglect the security of credentials. Malware searches drives for credentials and sends them to a central site. If someone has stored the account credentials (with a browser’s “remember” feature, for example) malware can collect the credentials. Check Prevx to see if your ftp server account credentials appear on one of the malware sites they are aware of. Not finding your account does not mean the credentials are unknown. If no one seems to have used them so far, that does not mean the credentials are unknown. ScanSafe reports manipulated Google Search Engine Result Pages (SERPs) used to install malware that collects ftp credentials; the Gumblar malware spread quickly when it was suddenly added to many web servers using stolen ftp credentials, according to Websense. Change your passwords, use strong passwords.

Not mechanically tested: “Googledorks,” those “what were they thinking?” pages that appear when an organization allows a search engine to crawl pages with information that should not be public. Don’t search for the proprietary information itself, that query is passed in clear text. Search for somewhat unique text that would also be on the page.

Not mechanically tested: Some application might escape your testing because it has not been identified. With so many devices adding web interfaces for ease of maintenance, it is easy to focus upon your web servers and their applications while ignoring embedded devices and their applications.

How would your testing detect a “RansomWeb” attack? Continuous file integrity monitoring would detect this attack. Quarterly penetration testing would miss it.

See also:

IBM Web Application Security e-Kit

Third-Party Web Widget Security FAQ

CORE Security TechnologiesAcunetix Web Vulnerability Scanner. Manual, FAQ

The demo version allows you to scan any web site, operated by you, for Cross Site Scripting Vulnerabilities. Acunetix WVS will report the vulnerabilities’ location and will suggest techniques to fix them. Note that this edition does not allow saving of the reports.

The demo version you can also test all aspects of the product (including scanning for SQL Injection, Google hacking, and directory traversal attacks) against these Acunetix test sites:
http://testphp.acunetix.com
http://testasp.acunetix.com
http://testaspnet.acunetix.com

XSSploit

Cross Site Scripting cheatsheet from ha.ckers.org

XSS (Cross Site Scripting) Prevention Cheatsheet by OWASP

Azim Poonawala (QUAKERDOOMER) (winAUTOPWN author’s) website: http://solidmecca.co.nr winAUTOPWN and bsdAUTOPWN are available at http://winautopwn.co.nr

winAUTOPWN is an auto (hacking) shell gaining tool. It can also be used to test IDS, IPS and other monitoring
sensors/softwares.Autohack your targets – even if you have consumed and holding a bottle of ‘ABSOLUT’ in one
hand and absolute ease (winAUTOPWN) in the other.

The improved GUI extension – WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 – WAST ] is a
Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 – WAST gives users the freedom to select individual exploits and use them.

A complete list of all Exploits in winAUTOPWN is available inside MISC\CHANGELOG.TXT
A complete list of User Interface changes is available in MISC\UI_CHANGES.TXT

BSDAUTOPWN has been compiled, like always for various flavours. BSDAUTOPWN is now at version 2.2
The file bsd_install.sh can set chmod on all applicable BSD compiled binaries.

WINAUTOPWN requires PERL,PHP,PYTHON,RUBY and its dependencies alongwith a few others too for smooth
working of exploits included in it.

A complete Document explaining : How to use winAUTOPWN/bsdAUTOPWN, How to add your own exploits using
WELF (winAUTOPWN Exploit Loading Framework), other advanced command-line options and everything else
related to WINDOWS AUTOPWN is available at the Downloads Section.
It is also available online at:
http://resources.infosecinstitute.com/vulnerability-testing-winautopwn/

WINDOWS AUTOPWN – [ C4 – WAST ]
Crafted by : Azim Poonawala (QUAKERDOOMER)

winAUTOPWN and bsdAUTOPWN are available at http://winautopwn.co.nr
Alternative location: http://www.c-4.in/winautopwn

Author’s website : http://solidmecca.co.nr
Blog : http://my.opera.com/quakerdoomer

Web 2.0 Threats Illustrated

PaulDotCom episode 227 discusses WebLabyrinth and counter-webcrawler measures.

Read the rest of this entry »