Improve your Firewall Auditing
Auditing switches, routers and other infrastructure devices

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail. You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company’s styling. Each report can then be saved in a variety of formats for management of the issues.

Device Auditing: Scanners vs. Nipper Studio
• Password Encryption Settings
• Physical Port Audit
• Network Address Translation
• Network Protocols
• Time Synchronization
• Warning Messages (Banners)
• Network Administration Services
• Network Service Analysis
• Password Strength Assessment
• Software Vulnerability Analysis
• Network Filtering (ACL) Audit
• Wireless Networking
* Limitations and constraints will prevent a detailed audit

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com
enquiries@titania.com T: +44 (0)845 652 0621
Editor’s note
07/2012 (15)

Dear Readers!

We decided to “go physical” this time. Why? One of our experts (to you Steven) wrote to me that physical pentesting is not very popular and it is not very often requested. It seems that we have got used to the fact that in the IT business software is the treasure that should be protected with the utmost diligence, and we forgot that even so prosaic a thing as a bad lock on the server room door may have fatal repercussions. According to ADL (Anti-Defamation League), you should remember one thing as far as physical penetration testing is concerned: people without a good reason to be on your premises should be excluded. Sounds easy. I would say it is easier said than done. There are a number of ways an unwelcome guest can intrude and cause great loss to one’s company. As pen testers you probably know that, but do your clients know that as well? How do you convince them that important documents cannot be simply thrown on the scrap-heap? Or that making friends with a very nice but still too inquisitive person may lead to a leak of confidential data over a glass of wine? To redress the balance we decided to present articles dealing with the importance and technicalities of physical pentesting. Four articles will remind you about what you should not forget when asked to check the physical security of your client’s company, how to do such testing, what is still popular among attackers, and you will also have a chance to read about NISPOM (National Industrial Security Program Operating Manual) – this article you can treat as a good introduction to the upcoming articles of Marc Gartenberg. But as it is always with PenTest Regular, there are more fish in this sea! Shohn Trojacek comes back with his unfading ironic look on IT Security issues. This time his article is innocently entitled “Penetration Testing in the Cloud”. But please, do not let yourself be deceived.

Apart from great technical points on input validation, flawed use of encryption, firewall usage and poor passwords, you will meet Shohn as a master of wisecrack, talking not only with people but also with the friendly iPhone based speech text assistant named Siri. The absolute must are the two articles in the section Attack. One focuses on DOS and the second on a wireless attack. Furthermore, we would like to introduce a column on exploitation frameworks. Dan Felts, the author, will take you to the world of exploits and this time he starts with Metasploit. Check it and be sure that the upcoming articles may become only better. There is a new one as well. In the section PenTester we feature a very short but thought-provoking article on young autistic pen testers. I hope we will be able to get back to you with more on this subject and we are curious about your opinions. Will this wave change the market? We will see. We couldn’t forget about the regular sections. Conference, PainPill and Read are of course in their places. PainPill this time deals with insurance and the neck of the author is at stake to convince you that ethical hacking is going to positively influence insurance. I hope that you will find this issue worthwhile. If you have any suggestions for us concerning topics, problems you want to read about or people you would like to know better thanks to PenTest, please feel free to contact us at en@pentestmag.com. Thank you all for your great support and invaluable help. Especially, we would like to thank our new testers who do a great job. But we don’t forget about those who have been with us for quite some time now – Jeff Weaver and Johan Snyman – I wouldn’t do without your great assistance.

Enjoy reading!
Malgorzata Skora & PenTest Team

TEAM
Managing Editor: Malgorzata Skora malgorzata.skora@software.com.pl
Associate Editor: Shane MacDougall shane@tacticalintelligence.org
2nd Associate Editor: Aby Rao abyrao@gmail.com
Betatesters / Proofreaders: Johan Snyman, Jeff Weaver, Dan Felts, William Whitney, Marcelo Zúniga Torres, Harish Chaudhary, Tom Butler, Steven Wierckx, Richard Harold, John Borkowski, Stefanus N, Gareth Watters, Wilson Maronta, Wilson Tineo Moronta, Emiliano Piscitelli, Alina Klis, David Kosorok
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used ... program.
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Page 4
http://pentestmag.com
CONTENTS

Link
06 Penetration Testing in the Cloud
by Shohn Trojacek
Warning: As is usual for him, this article will be filled with egregious use of sarcasm. Please, be careful navigating your way through this article as it can get a bit hazy at times.

Physical Pentesting
12 Taking the Physical Penetration Test: How to Recon a Physical Target for an Assessment?
by Ayan Kumar Pan
You purchased a brand-new laptop, where you installed anti-virus software, a firewall and encrypted your most important files for safeguarding your private data. Now you may be thinking that your data is safe and secure. But what if your laptop itself is stolen?
16 Physical Security Holistics
by Emerson Lima
There are things about physical security that may still surprise the most experienced professional as well as the most self-assured business owner. In this article the author will not only remind you about the most important questions a pentester and his client should ask themselves, but you will also learn about PKI and biometrics, still “fashionable” phreaking and something that you may know as the “roaming threat”.
22 Physical Penetration Testing: Out of the Dark and Into the Light
by Panu Lumme
“When I get access to the console, the game is over,” I have said this more often than not to the client and the response has almost always been glassy eyes or an innocent smile.
28 The Physical Aspects of Cybersecurity and Their Importance
by Marc Gartenberg
Defense in depth is a common methodology upon which most security paradigms are based. Ensuring that the more important assets have greater controls associated with them not only makes sense, but is the key to implementing an effective defense-in-depth strategy.

Attack
30 Anatomy and Mitigation of Different DOS Attacks
by Steven Wierckx
A way to hide the identity of the attacker can be to work with spoofed IP addresses (this is actually a lot harder than most people think, I will come back to this point), spoofed email addresses or to use a botnet. It is also possible to have many people participate in a DDOS attack.
34 Wireless Eurynomus: A Wireless (802.11) Probe Request Based Attack
by Hitesh Choudhary and Pankaj Moolrajani
In recent years, the proliferation of laptop computers and smart phones has caused an increase in the range of places people perform computing. At the same time, network connectivity is becoming an increasingly integral part of computing environments.

Exploitation Frameworks
38 Working with Exploitation Frameworks: Metasploit
by Dan Felts
I can hear you saying: “This is cool but what good is it really for?” Well let me tell you. Imagine you are like me and my team, where we think a framework should be utilized to its fullest and at times making changes to certain modules and plugins that allow you to do your job better.

PenTester
42 Autistic Savant Penetration Tester: The Tsunami Is Coming... Will You Be Riding the Wave
by Juli Miller
How old were you when you first tried to hack a computer? How would you react if I told you that a two-year-old boy can do pentesting faster and more effectively than you? If you think this is a joke, you probably have not heard about Calvin.

Conference
44 2012 AT&T Cyber Security Conference
by Aby Rao
Each year this conference focuses on security areas of importance to AT&T customers as well as other attendees. In the past couple of years, the areas of focus have been mobility and cloud. At AT&T we have a large expertise in both of these areas, as well as in other significant areas in security.

PainPill
46 Insurance
by Dean Bushmiller
Most people know how insurance works, but do they know how hacking affects insurance? More importantly, how is ethical hacking going to affect insurance in a positive way? This is going to take a few paragraphs, so you need to give me a lot of rope to hang myself.

Read
50 Save the Database, Save the World – Chapter 5
by John B. Ottman

Page 5
http://pentestmag.com
Link

Penetration Testing in the Cloud

Warning: As is usual for him, this article will be filled with egregious use of sarcasm and various literary devices that the author probably has no business using at his young age. Please, be careful navigating your way through this article on “Penetration Testing in the Cloud” as it can get a bit hazy at times.

“Mom, I need to write an article about penetration testing in the cloud and am not really sure where to begin. Can you help?” This article’s author’s mother’s sister retorted with a rather sly grin: “What is the Cloud?” He thought to himself: “Exactly, but I was speaking to my mother, not you.” Performing a simple Google search for the meaning of the cloud revealed at least one definition, often attributed to Gartner: “A style of computing where scalable and elastic IT capabilities are provided as a service to multiple customers using Internet technologies”. With the advent of various “private cloud” offerings, ultimately, it seems to be nearly anything that is not hosted locally and also scales. Performing a similar Google search for how to break into the cloud also revealed a number of articles to serve as background for this one.

Functions

For starters, maybe a definition is not as important as the function. Cloud related functions can range from storage of music and files, and web based email, to hosting entire virtual server farms. To help provide some framework for discussion, the industry has narrowed down the various service offerings into several broad categorizations as follows:
• Virtualization
• ParaVirtualization
• Platform as a Service
• Software as a Service

Virtualization seems to rely upon some combination of VMWare ESX, Xen, and other variants of virtualization

Figure 1. Virtualization in the Cloud
Virscent Technologies Pvt. Ltd., a brainchild of a team of IIT Kharagpur graduates, has been incubated in E-Cell IIT Kharagpur. It is an IT Solutions & Training Company, offering Web, Security and Network Solutions, IT Consulting and Support Services to numerous clients across the globe. We provide the following services:
a. Penetration Testing
b. Multimedia Services
c. Web Development
d. Training:
   a. Corporate Training
   b. Classroom Training
   c. Training programs for Educational Institutions.
Our Partners:
1. E-Cell IIT Kharagpur
2. Education Project Council of India
Website: www.virscent.com
Blog: www.virscent.com/blog
Physical Pentesting

Taking the Physical Penetration Test
How to Recon a Physical Target for an Assessment?

You purchased a brand-new laptop, on which you installed anti-virus software and a firewall, and encrypted your most important files to safeguard your private data. Now you may be thinking that your data is safe and secure. But what if your laptop itself is stolen? This shows that you neglected the physical security aspect of your dear data.

The million dollar question now is: what is the use of all the implemented logical security methods when your physical security can be easily breached? The billion dollar solution for this is to perform physical penetration testing. This composition sheds light on the need for physical penetration testing, its benefits, and the methods to perform this task. First the penetration tester needs to find out the potential physical targets, and then evaluate those targets for their strengths and weaknesses regarding physical security. After that, the results of the analysis are documented and reported to higher management, so that suitable rectifying measures can be taken.

Physical Penetration Testing

Physical Penetration Testing is the process of examining the physical systems/equipment and physical controls to find out the security vulnerabilities that can be exploited by an attacker. The goal is to identify the security vulnerabilities before the actual attack. For this, a physical target is identified, then that target is analyzed for any risks or vulnerabilities, and finally the observations are reported to the concerned personnel. After that, if any security vulnerabilities are identified, they need to be rectified by the concerned authorities.

Benefits of Physical Penetration Testing
• It identifies the security weaknesses and strengths of an organization’s physical security, thereby providing information on the exploitable physical targets.
• It identifies the level of criticality of the identified vulnerabilities, thereby allowing the organization to rectify them accordingly.
• It shows the impact factor of a physical security breach on an organization, to demonstrate how much a particular security breach can affect the organization and who is going to be affected by that breach.
• If the risks can be identified and rectified beforehand, then the organization can avoid the costs resulting from business downtime.
• It can fulfill the auditing of physical security aspects of an organization by examining whether the security components are functioning according to the regulations and policies, or not.
• A physical security breach, such as theft of equipment or an important document, can result in direct losses for the organization that can lead to additional and unnecessary costs for the organization. Moreover, a physical security breach can result in indirect losses such as tarnishing of the reputation of the organization, resulting in a decrease in client trust, which in turn can affect the sales. Physical Penetration Testing can help avoid these situations.
Physical Pentesting

Physical Security Holistics

There are things about physical security that may still surprise the most experienced professional as well as the most self-assured business owner. In this article the author will not only remind you about the most important questions a pentester and his client should ask themselves, but you will also learn about PKI and biometrics, still “fashionable” phreaking and something that you may know as the “roaming threat”.

Security is only as strong as the weakest link – a very old saying that is still pertinent to today’s many IT security aspects, including physical security. Many factors influence what “ideal” approach organizations should take when planning to implement an IT security policy that will really be effective for the enterprise, so that it can achieve its goals and regulatory compliance. Among these factors you may think of: theft, espionage, sabotage, terrorism, vandalism, natural disasters, etc. An organization always has to ask itself some basic questions: what goal am I trying to achieve? What am I trying to protect myself from? Am I complying with regulatory requirements? What is the scope? Such questions are very important because they will lead the security team, along with all the corporate managers and the board of directors, to a better understanding of the enterprise’s needs, and this will be the foundation of the physical security assessment. You have to keep in mind the most important goals of physical security: human safety, confidentiality, integrity, availability and continuity. Yes, continuity, because physical security, like any other type of security, is a process and not a finished product. It should be treated as a high priority inside organizations. Unfortunately, most of them take physical security for granted and end up suffering the consequences of being negligent on this aspect (profit loss, brand embarrassment, bad reputation, data leakage, to name just a few), hence there is a need for an always ongoing physical security process (Figure 1).

Plan, assess, quantify, test, deploy and maintain

It all begins with scoping and sizing the physical security assessment. There are many approaches to that, but there are some general guidelines that everyone should think of when beginning this phase. These are some basic questions a security team should ask to define the scope of an assessment:
• Who and what are we trying to protect in our facility(ies)? Also, from what and from whom are we protecting ourselves?
• List all the critical and non-critical assets and filter which should be protected and up to what level.
• Defining levels is very important and practical (functional as well). From them you can rank your assets and establish priorities such as: low, medium and high.
• By defining levels you have more control over what you are trying to protect. Based on the risk levels you have defined, apply countermeasures to lower the risks.
• What are the threats and vulnerabilities to the physical security of your organization?
Physical Pentesting

Physical Penetration Testing: Out of the Dark and Into the Light

“When I get access to the console, the game is over,” I have said this more often than not to the client and the response has almost always been glassy eyes or an innocent smile. It is almost as if they are daring me to drop my fingers on the keyboard or pull a hard drive imager out from my bag.

Well, congratulations. You might be one of the whizz-kids that finds zero-day exploits in a snap of the fingers. But if you are like me, you could be doing it the other way. I have often said: the game’s over when I get access to the console. The client has blinked, but more often I get back a pair of glassy eyes and an innocent smile. It is almost as if they are daring me to drop my fingers on the keyboard, or take out a hard drive imager from my bag. The thing is, more often than not the client fails to grasp what ‘physical penetration testing’ really means, and if they know, the chances are they do not want to know how it’s done. Who would? And more importantly, why should they? Quite often they have hired you to do a vulnerability assessment – instead of conducting a real penetration test. So you shut your mouth, and do what they asked. After all, that’s where next month’s rent is coming from. However, once in a while, a client is actually interested in end-to-end security. And that should get your mind tingling not only from excitement, but also from fear.

Enemy never sleeps

If you have just mastered penetration tools such as Dig, Nmap, Nikto, Burp, Metasploit and CeWL, you might not have even started on the physical side of the business. And the reason is that your mind is just too full of software exploits. But here’s a thing: you can almost be sure that the enemy is up on the game. Script kiddies profit from button clicks, but you may be sure that there are a number of unknowns out there that are gearing up for the game. And not all of them want to expose their stacks. Zero-days are a valuable commodity, and not every hack needs them. After all, a zero-day can be a zero-day only once. Then it’s day one, and so on. So it’s not advisable to do that, even if you are playing for the good guys. Therefore, if you start to think like them, you’ll start seeing benefits in tools like lockpicking sets, wireless access points, mini laptops, a janitor’s uniform, etc. And it’s not because you can’t, but because it might be easier to penetrate the target’s premises physically. Seriously. Just look back in the history of physical attacks, and you’ll see that the infamous Kevin Mitnick did this sort of thing for a very, very long time. Of all the tools that are available, he made art out of deception, by taking his social engineering skills to another level. The media is screaming loudly over groups like Anonymous and LulzSec, while at the same time forgetting that these groups have stepped off the pedestal in the underworld rankings. And it’s not always them that the client should be worried about, right? If you don’t get what I mean, think for a moment about Assange’s WikiLeaks. They have often published highly classified material, but if you’re like me, you might think about where that stuff came from.
MOBILE SECURITY ONLINE SUMMIT
LIVE 11th JULY Join this free summit to hear industry experts and experienced practitioners share how your business can profit from the mobile phenomenon without being exposed to threats such as data leakage, malware attacks and unauthorised data access.
FIND 8 thought leadership webinars
LEARN about the latest industry trends
SHARE the knowledge
To register for free and view the full lineup go to http://www.brighttalk.com/r/rmC
Physical Pentesting

The Physical Aspects of Cybersecurity and Their Importance

Defense in depth is a common methodology upon which most security paradigms are based. Ensuring that the more important assets have greater controls associated with them not only makes sense, but is the key to implementing an effective defense-in-depth strategy.

Like all good security, defense-in-depth emphasizes the hard and crunchy outside with the soft chewy center approach. This is the simplistic framework for effective security from a high level. Just as this model holds true for assets of cyber value, personal information, strategic corporate data, and other relative information that affords strategic advantage, it also holds true when considering and developing an in-depth strategic protection strategy based on physical security. Fortunately, the domain of physical security has been in place for probably the longest period of time, even well prior to 9-11. Simple fences around a home, a lock on the front door, a guard dog in the yard, booby-traps to protect the diary from parents or snooping brothers. For as long as there has existed anything of value, there have existed contrived ways to protect “assets of value” from unwanted intrusion – essentially guns, guards, and gates. Keeping the bad guys away from the stuff that mattered – in its simplest context. As the world became more sophisticated as far as “high value” assets are concerned, the ways and means for protecting these assets developed too. Let’s take a look at some of the practical materials that are available for anyone interested in establishing a defense-in-depth strategy for the physical security and protection associated with ensuring that the right people have access to the right places or areas, where the “crown jewels” reside. In the United States, significant time and energy was spent developing a specific control set for physical protection of classified materials at sites and the criteria for those sites. This document, the NISPOM (National Industrial Security Program Operating Manual), delves into the mandatory criteria that an enterprise needs to have in place before it can process classified materials. Classified materials can range from documents to samples of mechanical prototypes to anything else which may fall under the category of “classified in accordance with Presidential Executive Order 12958”. The NISPOM is essentially a document developed by the military and national intelligence agencies, so there’s a high level of certainty that it’s comprehensive and constantly being updated and revised. A simple Google search can lead you to the document, since, interestingly, as with any good security document there’s no need to classify it, since a) that would limit its availability to only those individuals having clearances, and b) processes should be simple, straightforward, and easily accessible, with no magic or need to hide from the public. Besides, the documents that need protection are well taken care of already by secrecy and other covert means.
Attack

Anatomy and Mitigation of Different DOS Attacks

A way to hide the identity of the attacker can be to work with spoofed IP addresses (this is actually a lot harder than most people think, I will come back to this point), spoofed email addresses or to use a botnet. It is also possible to have many people participate in a DDOS attack. In most cases this is a form of hacktivism. The LOIC tool by Anonymous falls under this category: people voluntarily join a botnet for a certain duration and supposedly they are removed from the botnet when they stop the LOIC tool.

In this article I will explain the anatomy of a DOS attack. DOS is the acronym for Denial Of Service. In many cases it is technically more correct to call it a DDOS, which means a Distributed Denial Of Service; this just means the attack is coming from many sources at the same time. As the name itself indicates, the purpose of this attack is to deny a certain service to the intended audience. Recently this name is mostly used for attacks happening on the Internet, but there are examples of DOS attacks against physical installations. The best known example is the bomb threat: in case there is a bomb threat at an airport, for example, all air traffic might be halted, thus causing a DOS attack against an airfield.

How does it work?

The theory of a DOS attack is simple: if you can overload any part of the system under attack so that it responds very slowly or not at all to regular users, then the attack is successful. For a DOS attack to work, the attacker needs to overload one component. In practice, this means the attacker will try to get the service to accept incoming data that will overload one of the components. There are many components of a service that can be attacked. Most of the time we see attacks against the network connectivity, but any component could be overloaded. The CPU and database are also prime targets for certain services.

Multiplication effect

In many cases an attacker will be looking for a way to generate a large load with a very small request. Most attackers will only have a small bandwidth to start an attack (i.e. the upload bandwidth limit of their internet connection). There are two ways to do this:
• Distribute the attack over many attackers (DDOS)
• Find a way to multiply the load of the request sent
An example will clarify this. Suppose there is a website that an attacker wants to make unavailable. This website might belong to a large organization or government agency. The network bandwidth of these organizations is many times larger than that of the attacker, and thus he cannot bring the website down just by requesting a certain webpage. The attacker will look for a way to have the website generate a huge amount of data with a minimal request from his side. These are some of the methods that can be used:
• Search pages: a small request can return many results; this might overload the database server or it might fill up the outgoing network for the website
• Large files: these will also fill up the outgoing network for the website
• Errors in caching mechanisms: this is often done for PHP websites. Each request to a PHP page will
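The multiplication effect described above has a defender-side signature: a client whose requests are tiny but whose responses are huge. The following Python script is an added example, not code from the article or its author. It parses constructed Apache Common Log Format lines, estimates each client's upstream cost using an assumed 400-byte per-request overhead, and flags clients whose response-to-request byte ratio and absolute egress both exceed thresholds, naming the endpoint they hit most (so a hammered search page or a repeatedly fetched large file stands out). The log lines, IP addresses, thresholds and the overhead figure are all assumptions.

```python
"""Spot the 'multiplication effect' in a web access log: clients whose small
requests pull back disproportionately large responses.

Added example (not from the article). The log lines are constructed in
Apache Common Log Format; the request-size overhead below is an assumption.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumption: a header-only GET costs roughly this many bytes on the wire in
# addition to the path. Used only to estimate the attacker's upstream cost.
REQUEST_OVERHEAD_BYTES = 400

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log (not real traffic): one client hammers a search
# page, one fetches a huge file twice, one browses normally, and one line is
# malformed to show that the parser skips rather than aborts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 950000
203.0.113.5 - - [10/Jul/2012:13:55:37 +0000] "GET /search?q=b HTTP/1.1" 200 980000
203.0.113.5 - - [10/Jul/2012:13:55:38 +0000] "GET /search?q=c HTTP/1.1" 200 990000
203.0.113.5 - - [10/Jul/2012:13:55:39 +0000] "GET /search?q=d HTTP/1.1" 200 975000
198.51.100.7 - - [10/Jul/2012:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 12000
198.51.100.7 - - [10/Jul/2012:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 8000
198.51.100.7 - - [10/Jul/2012:13:56:03 +0000] "GET /logo.png HTTP/1.1" 304 -
192.0.2.9 - - [10/Jul/2012:13:57:10 +0000] "GET /files/big.iso HTTP/1.1" 200 700000000
192.0.2.9 - - [10/Jul/2012:13:58:40 +0000] "GET /files/big.iso HTTP/1.1" 200 700000000
this line is not a valid log entry
"""


@dataclass
class ClientStats:
    requests: int = 0
    bytes_in: int = 0      # estimated upstream cost paid by the client
    bytes_out: int = 0     # bytes the server had to push back
    endpoints: Counter = field(default_factory=Counter)

    @property
    def ratio(self) -> float:
        """Amplification: server bytes out per estimated request byte."""
        return self.bytes_out / self.bytes_in if self.bytes_in else 0.0


def parse_line(line: str):
    """Return (ip, path, response_bytes) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("ip"), m.group("path"), size


def summarize(log_text: str) -> dict:
    """Aggregate per-client request count, estimated bytes in and bytes out."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, path, size = parsed
        s = stats[ip]
        s.requests += 1
        s.bytes_in += REQUEST_OVERHEAD_BYTES + len(path)
        s.bytes_out += size
        s.endpoints[path.split("?", 1)[0]] += 1  # group /search?q=x under /search
    return dict(stats)


def flag_amplifiers(stats: dict, min_ratio: float = 100.0,
                    min_bytes_out: int = 1_000_000) -> list:
    """Clients whose amplification ratio AND absolute egress exceed thresholds.

    The byte floor keeps tiny high-ratio traffic (one cached image) out of the
    report; the ratio is what separates search-page and large-file abuse from
    ordinary browsing. Returns (ip, ratio, most_hit_endpoint), worst first.
    """
    hits = []
    for ip, s in stats.items():
        if s.ratio >= min_ratio and s.bytes_out >= min_bytes_out:
            endpoint, _ = s.endpoints.most_common(1)[0]
            hits.append((ip, s.ratio, endpoint))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for ip, ratio, endpoint in flag_amplifiers(summarize(SAMPLE_LOG)):
        print(f"{ip}: amplification x{ratio:,.0f} via {endpoint}")
```

Run against a real access log, the two thresholds are the tuning knobs: raise the byte floor on a site that legitimately serves large downloads, and lower the ratio floor on a site whose pages are small so that a search endpoint returning a few hundred kilobytes per query still shows up.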
Develop for the Next Big Platform! Attend the Windows Phone Developer Conference and get the best developer training!
October 22-24, 2012
Hyatt Regency Burlingame, CA
www.WPDevCon.net
Learn from the top experts at the Windows Phone Developer Conference, including 12 Microsoft MVPs!
50+ Classes and Workshops focus on a variety of important topics:
• Design implementation
• User experience
• Location intelligence services
• Application design
• Rich data visualization and implementation
• Cloud-based mobile solutions
• Development leveraging HTML5
• HTTP protocol
• Building reusable components
• Microsoft push notification service
• Creating custom animation
• and many more!
Speakers include: Darrin Bishop, Michael Cummings, Nick Landry, Jose Luis Latorre, Chris Love, Colin Melia, Walt Ritscher, Lino Tadros, Kelly White, Shawn Wildermuth, Chris Williams, Chris Woodruff
Learn, network, and seize the opportunities that Windows Phone represents.
Register early for the biggest discounts at www.WPDevCon.net
Visit WPDevCon.net for a full list of speakers, bios, classes, workshops, and special events!
Produced by BZ Media @WPDevCon
WPDevCon™ is a trademark of BZ Media LLC. Windows® is a registered trademark of Microsoft.
Wireless
Eurynomus: A Wireless (802.11) Probe Request Based Attack
In the recent years, the proliferation of laptop computers and smart phones has caused an increase in the range of places people perform computing. At the same time, network connectivity is becoming an increasingly integral part of computing environments.
As a result, wireless networks of various kinds have gained much popularity. But with the added convenience of wireless access come new problems, not the least of which are heightened security concerns. When transmissions are broadcast over radio waves, interception and masquerading become trivial for anyone with a radio, so additional mechanisms are needed to protect the communications. In this article we want to focus on some hidden flaws that were never taken seriously. Auto-connect is a simple feature offered by practically every wireless client, and one of the most treacherous: it can be used to compromise the client, and the attack counts as one of the deadliest silent attacks.
Target Audience
This attack can affect any user of an 802.11 interface, technical or not. Following the technical details, however, requires the use of Wireshark, a little understanding of packet details over wireless, and some knowledge of probe and beacon frames.
Figure 1. Non-data transfer
Figure 2. Data transfer to the Internet
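To make the probe-request side of this concrete, here is an added example that is not from the article: it builds 802.11 probe request frames for a client with auto-connect enabled and parses the SSIDs back out, which is what Wireshark's wlan.ssid column shows you in a capture. A client that auto-connects broadcasts the names of the networks it remembers, and that list is what an attacker answers with a fake access point. The client MAC addresses and network names are constructed test data, and the frames carry no radiotap header; adjust the offset if you feed it frames read from a pcap.

```ruby
# Added example (not from the article): extract the SSIDs that clients name in
# 802.11 probe request frames. Constructed frames, no radiotap header.

require 'stringio'

TAG_SSID = 0

def mac(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

# Build a probe request management frame for a client probing for +ssid+
# (an empty ssid is a wildcard probe). Test data, not a capture.
def build_probe_request(src_mac, ssid, seq: 0)
  raise ArgumentError, 'SSID longer than 32 bytes' if ssid.bytesize > 32
  frame_control = [0x40, 0x00].pack('C2')          # type 0 (mgmt), subtype 4 (probe req)
  duration      = [0].pack('v')
  addr1 = ['ffffffffffff'].pack('H*')                # DA: broadcast
  addr2 = [src_mac.delete(':')].pack('H*')           # SA: the probing client
  addr3 = ['ffffffffffff'].pack('H*')                # BSSID: wildcard
  seq_ctrl = [seq << 4].pack('v')
  ssid_ie  = [TAG_SSID, ssid.bytesize].pack('C2') + ssid.b
  rates_ie = [1, 4, 0x82, 0x84, 0x8b, 0x96].pack('C6')  # supported rates IE (tag 1)
  frame_control + duration + addr1 + addr2 + addr3 + seq_ctrl + ssid_ie + rates_ie
end

# Parse one management frame. Returns nil unless it is a probe request, else
# {sa:, ssid:} where ssid is "" for a wildcard probe and nil if no SSID IE.
def parse_probe_request(frame)
  frame = frame.b
  return nil if frame.bytesize < 24
  fc = frame.getbyte(0)
  type    = (fc >> 2) & 0x3
  subtype = (fc >> 4) & 0xf
  return nil unless type == 0 && subtype == 4
  sa = mac(frame[10, 6])
  ies = StringIO.new(frame[24..])
  ssid = nil
  until ies.eof?
    hdr = ies.read(2)
    break if hdr.nil? || hdr.bytesize < 2
    tag, len = hdr.unpack('C2')
    body = ies.read(len).to_s
    break if body.bytesize < len          # truncated IE: stop rather than misparse
    ssid = body.dup.force_encoding('UTF-8') if tag == TAG_SSID
  end
  { sa: sa, ssid: ssid }
end

# Collate the networks each client is probing for: the preferred-network-list
# leak that makes the auto-connect attack possible. Wildcard probes are ignored.
def probed_networks(frames)
  frames.each_with_object(Hash.new { |h, k| h[k] = [] }) do |f, acc|
    pr = parse_probe_request(f) or next
    next if pr[:ssid].nil? || pr[:ssid].empty?
    acc[pr[:sa]] << pr[:ssid] unless acc[pr[:sa]].include?(pr[:ssid])
  end
end

if __FILE__ == $0
  frames = [
    build_probe_request('00:11:22:33:44:55', 'HomeWiFi', seq: 1),
    build_probe_request('00:11:22:33:44:55', 'CoffeeShop', seq: 2),
    build_probe_request('00:11:22:33:44:55', '', seq: 3),
    build_probe_request('66:77:88:99:aa:bb', 'Airport_Free', seq: 1)
  ]
  probed_networks(frames).each { |client, ssids| puts "#{client} is looking for: #{ssids.join(', ')}" }
end
```

The parser deliberately stops at a truncated information element instead of reading past the frame, which is the kind of malformed input a fuzzing client or a bad capture will hand you. The Wireshark filter equivalent of probed_networks is wlan.fc.type_subtype == 0x04 && wlan.ssid != "".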
Exploitation Frameworks
Working with Exploitation Frameworks: Metasploit
After reading PenTest Magazine for a while, I have always felt that more articles should be written on exploitation frameworks. The existing frameworks help the tester organize the information needed to conduct a penetration test in a manner that can mimic almost any testing methodology. There are many articles on the Internet that explain testing methodologies and how to utilize the tools to carry them out. What still seems to be missing is how to extend those frameworks and work within them proficiently to make your testing easier. That is what this column is about. It is my personal opinion that the most widely used exploitation framework in the world is Metasploit. Although this column will be full of Metasploit tricks and tips, it will not focus only on Metasploit: in the future I will also add helpful advice on using Core Impact and (if I can get funding) Immunity Canvas and other frameworks that are out there.
Installing Metasploit
As this article is about Metasploit, it needs to be installed. My preferred way of installing it is to check it out from Subversion. These instructions are for a Linux (Ubuntu) environment; your mileage will vary on other systems. They are as published in July 2012: the Subversion repository and the postgresql-8.4 package are historical, and Metasploit development has since moved to Git at github.com/rapid7/metasploit-framework. First the required libraries:
Prompt:$ sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libpq-dev libpq5 libreadline-ruby irb ri rubygems subversion build-essential ruby-dev libpcap-dev postgresql-8.4 nmap
Next we need the Ruby gem for PostgreSQL:
Prompt:$ sudo gem install pg
Now let's create the source directory for Metasploit and check it out from Metasploit's Subversion server:
Prompt:$ sudo mkdir /opt/framework4/
Prompt:$ cd /opt/framework4/
/opt/framework4:$ sudo svn co https://www.metasploit.com/svn/framework3/trunk/ msf
The next thing to do is build the raw socket extensions. There are a few extensions in Metasploit, but for now let's just build the pcap extension:
Prompt:$ cd /opt/framework4/msf/external/pcaprub
/opt/framework4/msf/external/pcaprub:$ sudo ruby extconf.rb
/opt/framework4/msf/external/pcaprub:$ sudo make && sudo make install
Now that Metasploit and the extension are installed, we need to create the database that Metasploit will use. First create the database user:
Prompt:$ sudo -s
Prompt:$ su postgres
postgres:$ createuser msf -P
Answer the password prompts, and answer "no" to the remaining questions (superuser, allowed to create databases, allowed to create roles): the msf role needs none of those privileges. Next, create the database:
postgres:$ createdb --owner msf msf
Now the database is set up and Metasploit should be installed. Exit out of the postgres user. Before testing the installation, add the Metasploit msf* commands to your path:
Prompt:$ sudo ln -sf /opt/framework4/msf/msf* /usr/local/bin
And now let's test it all: Figure 1 and Figure 2. Special note: the first time you connect to the database, Metasploit creates the database schema automatically. Now that we have Metasploit installed, let's take a look at some inner workings.
There is a .msf4
As you might have guessed, this first article is about utilizing Metasploit. There is no way I can tell you everything there is to know in one article, because as you can imagine that much information can fill volumes. As you might also have guessed, I am going to be talking about the ".msf4" directory. I know a lot of the people reading this are saying: "Are you a newbie?". No, really: a lot of people who actually use Metasploit do not even know that a .msf4 directory gets created in their home directory. Let's take a look at it.
One of the first things you will notice in Figures 3 and 4 is that it looks like the folder structure of your Metasploit source directory. Although there are differences, two things are the same: the "modules" and "plugins" directories. I will tell you about those two shortly. You will also see the history file, which holds the history of commands typed into the console, and the "loot" directory, which, as you can imagine, is where the loot gathered during an engagement is stored.
Now let's get to the meat. As mentioned, the two directories that are the same as in your framework install are "modules" and "plugins". So you know how many auxiliary modules you started with, start up msfconsole; you should see something similar to Figure 5, where 482 auxiliary modules are loaded. Let's see what happens if we add our own modules and plugins. Say you wanted to make changes to the port scanner module "tcp.rb", which lives in <FrameworkPath>/modules/auxiliary/scanner/portscan. Create the same directory structure, "auxiliary/scanner/portscan", under your .msf4/modules directory and copy tcp.rb into it under a different name; on my test system I named the file tcp_new.rb.
Once you have done that, do a reload_all at the Metasploit prompt and you will see the count of auxiliary modules loaded go up by one, to 483 (Figures 6 and 7). The new module is found and used in the same way as any other: Figure 8.
Figure 1. First time running metasploit
Figure 2. Connecting to the database
Figure 4. Framework directory structure
Figure 5. First start of msfconsole
Figure 3. .msf4 directory structure
Figure 6. reload_all
I can hear you saying now: "This is cool and all, so what good is it really for?" Well, let me tell you. Imagine you are like me and my team: we think a framework should be utilized to its fullest, which at times means making changes to certain modules and plugins so that they let you do your job better. You do not want to make those changes in your framework source, because when you update it they might get overwritten and you lose all your changes. By keeping them under .msf4 you can add, develop and update your own sources without the fear of losing all your hard work.
Another reason the .msf4 directory is important is the msfconsole.rc file. If you look for this file you will not find it in your .msf4 directory, because you have to create it. It matters because when msfconsole starts it looks in your .msf4 directory for this file and runs it as a resource script. I know I have not explained what a resource script is and what it does; for now let's just say it is a way to control msfconsole and to do mundane tasks within Metasploit in an automated fashion. I could write a book on the use of resource files alone, and in my next column I will go into more detail on the subject, but for now we should focus on msfconsole.rc.
Figure 7. Metasploit with the added auxiliary module
Figure 8. Showing that our module is in the path
Figure 9. Text in a simple msfconsole resource file
Figure 11. Metasploit running our msfconsole.rc file
msfconsole.rc
Like I said, when you run msfconsole it looks in the .msf4 directory for the msfconsole.rc file. A good use for this file is to set up your testing environment within Metasploit. I use it to load all my plugins and kick off the tasks of my testing: I always connect to my database, load the nessus, nexpose and msgrpc plugins, create my workspace and start my simple host identification tasks. For a very simple example, launch your favorite text editor and type the commands you would normally use in msfconsole, one per line. Once the resource file is created, just run $ sudo msfconsole and let it work: Figure 10. msfconsole reads the resource file and runs the commands one by one, line by line, until they are finished (Figure 11). As you can imagine, this is a lot of power. Believe it or not, the Metasploit team also made it possible to embed Ruby in your resource file for even more control, but that is for the next article.
Well, not too bad for a simple resource file. Resource files give you a lot of power, take care of a lot of mundane tasks and help automate them so you or your team can concentrate on the important aspects of your testing. We also covered some of the reasons why the .msf4 directory is important and why you should use it. In my next column I will go further in depth on the use of resource files and the power they give you, and we will come up with a resource file that automates some of your scanning tasks for information gathering, as well as some other tricks. Until next time, happy testing.
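An msfconsole.rc of the kind described above, as an added example rather than the author's own file. The commands are standard msfconsole commands (db_connect, workspace, load, setg, use, set, run); the database password, workspace name, target range and port list are assumptions you replace with your own.

```text
# ~/.msf4/msfconsole.rc  (added example; the values below are assumptions)
# Connect to the msf database created earlier: user msf, the password you gave createuser -P
db_connect msf:CHANGEME@127.0.0.1:5432/msf
# One workspace per engagement keeps hosts, services and loot separate
workspace -a engagement_2012_07
# Plugins used on every test
load nessus
load nexpose
load msgrpc
# Global options, so each module picks them up without repeating them
setg RHOSTS 192.0.2.0/24
setg THREADS 10
# Simple host identification to start the engagement
use auxiliary/scanner/portscan/tcp
set PORTS 21,22,25,80,443,445,3389
run
```

Because the file carries the database password (and load msgrpc opens a local RPC listener), keep it readable only by you (chmod 600) and do not commit it to a shared repository.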
Dan Felts
Figure 10. Starting msfconsole
Dan Felts is the senior manager of Xerox's penetration testing team, with over 20 years of experience in information security and computer science disciplines. When he isn't working or coding on some tool, he is either on his Harley or his boat.
Conference
2012 AT&T Cyber Security Conference Conversation with Gus de los Reyes, Executive Director of Security Technology
Aby Rao: The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. What is the role of the AT&T Chief Security Office within the organization?
Gus de los Reyes: The Chief Security Office is responsible for real-time security protection of the AT&T network infrastructure, computing environment and telecommunications services. Our sophisticated network monitors, probes, and algorithms identify known or suspected viruses, worms, and other Internet attacks. AT&T delivers a broad portfolio of security services to help assess vulnerabilities, protect the infrastructure, detect attacks, and respond to suspicious activities and events. AT&T's "in the cloud" approach to managed security delivers some of today's most powerful weapons to combat cyber security attacks. Our network security solutions rely on three key ingredients: our scalable, reliable global IP network; our security experts who have in-depth, hands-on experience; and the innovation and research of AT&T Labs.
AR: How does this conference compare to other security conferences?
Gus de los Reyes: Each year this conference focuses on security areas of importance to AT&T customers as well as other attendees. In the past couple of years, the areas of focus have been mobility and cloud. At AT&T we have a large expertise in both of these areas, as well as in other significant areas in security. We assemble speakers from AT&T as well as outside experts, including industry analysts.
AR: How many attendees registered this year and what background did they come from, can you share any statistics with us?
Gus de los Reyes: This year we had 1,500 total attendees split almost evenly between in-person and online. AT&T customer attendees are often upper-management including CIO/CSO.
AR: Are there any benefits of attending this conference if you are an AT&T customer?
Gus de los Reyes: For the last few years, a large focus of the conference has been on AT&T customers. They benefit by seeing the types of security work that AT&T is doing that may impact their business. In many cases, they can also see in which areas they should be focusing their security attention.
AR: What can small businesses and start-ups gain by attending the conference?
Gus de los Reyes: With more limited budgets, small businesses and start-ups can get a better idea of where they may want to focus. Also, the conference provides an excellent opportunity for them to network with other companies and security providers.
PainPill
Insurance
Business people think my service is a cost: not cost-neutral, and certainly not a money maker. Security is thought of as a cost of doing business. Every day I work to convert the attitude from "security is a detractor" to "security can increase profits". The intermediate goal is that security should be cost neutral, meaning every project I am part of should add value to the organization. How can testing truly be a saving tool or a cost-reduction tool? This is going to take a few paragraphs, so you need to give me a lot of rope to hang myself. Hopefully, at the end of this article I will be standing on firm ground with my neck still intact, and you will have a tool to convince your customers that you can save them money, or even increase profits, via penetration testing.
A few months ago I completed a security assessment of an organization. While I was going over the finer points of the assessment, the director of marketing sat down to discuss its implications for the customer. He thought the tools we were implementing were going to slow business down, and asked how he could "spin" this as a positive. By the end of a 15-minute conversation he said there was no spinning needed: this was going to drive more business to their company, and his goal was to incorporate the tools into the next revision of the marketing message.
Those are the days I love. Birds are singing, the sky is blue, and marketing is helping me get my next assessment approved.
What does this have to do with insurance?
Most people know how insurance works, but do they know how hacking affects insurance? More importantly, how is ethical hacking going to affect insurance in a positive way?
Disclaimer
I am not an insurance professional. I do not play one on television. This is data that I have collected by discussing with Steven Haase and other insurance professionals who do these types of insurance. My interpretations have worked well with a few of my clients to save them money.
Insurance is a contract to pay
We need to talk about the basics of insurance first because everyone thinks they know how this works and that is where they get into a great deal of trouble. When you try to relate hacking insurance to car or health insurance, you lose. They do not work the same way. The idea of insurance is fundamentally risk management by a collective. If we spread risk over a large enough population, the impact is insignificant. As an insurance company the goal is to make money by collecting a large enough population that pays into
Read
Save The Database, Save The World! Chapter 5: USER RIGHTS
"If you had unprecedented access 14 hours a day 7 days a week for 8+ months, what would you do?" –Private First Class Bradley Manning
For large institutions, rapid organizational change and growth lead to greater and greater employee anonymity as individuals fade into the masses. Such anonymity can conceal the actions of malicious hackers and challenge modern security controls. Professor M. Eric Johnson at the Tuck School of Business at Dartmouth studied how organizational complexity creates security challenges. From field research conducted while embedded in the security teams of several large banking institutions, he found that these financial services companies offer a "vivid example" of access control complexity, as these firms merge and consolidate to create massive collections of people organized globally into hundreds of functional domains. As financial services firms operating large-scale, complex systems struggle to configure the right levels of data access and to restrict access to sensitive and privileged information, Johnson describes "a toxic combination" where weak system access controls may allow users "to break the law, violate rules of ethics, damage customers' trust, or even just create the appearance of impropriety." Johnson cites the following sobering example:
There are many ways for toxic combinations to occur. Sometimes it is a mistake of not terminating access following a promotion or transfer; other times it is a fault of entitlement design. An example of toxic combinations occurring from a promotion could be as seemingly innocuous as an accounts payable clerk retaining the access to write checks once they have been promoted so they can fill in at busy times, while
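The "toxic combination" Johnson describes is something you can check mechanically from an entitlement export rather than by eye. The Ruby below is an added example, not from the book: it encodes a few separation-of-duties pairs, the entitlements each role is supposed to carry, and a constructed user list in which the promoted accounts-payable clerk kept the right to write checks. The audit reports both the toxic pairs a user holds and any residual access beyond what their current role grants, which is the "not terminating access following a promotion" case. Role names, entitlement names and users are invented for the example.

```ruby
# Added example (not from the book): flag toxic combinations of entitlements
# and access left behind by a promotion or transfer. All names are invented.

require 'set'

# Pairs of entitlements one person must never hold together (separation of duties).
TOXIC_PAIRS = [
  %w[ap.write_check ap.approve_check],
  %w[vendor.create ap.write_check],
  %w[gl.post_journal gl.approve_journal]
].map(&:to_set).freeze

# What each role is supposed to grant; anything beyond this is residual access.
ROLE_ENTITLEMENTS = {
  'ap_clerk'      => %w[ap.write_check ap.view_invoice].to_set,
  'ap_supervisor' => %w[ap.approve_check ap.view_invoice].to_set,
  'vendor_admin'  => %w[vendor.create vendor.edit].to_set
}.freeze

# Constructed sample: jsmith was promoted from clerk to supervisor but kept
# ap.write_check "to fill in at busy times"; rkhan can create vendors and pay them.
USERS = [
  { id: 'jsmith', role: 'ap_supervisor', entitlements: %w[ap.approve_check ap.view_invoice ap.write_check] },
  { id: 'mlee',   role: 'ap_clerk',      entitlements: %w[ap.write_check ap.view_invoice] },
  { id: 'rkhan',  role: 'vendor_admin',  entitlements: %w[vendor.create vendor.edit ap.write_check] }
].freeze

# Toxic pairs fully contained in what the user holds, as sorted arrays.
def toxic_combinations(user)
  held = user[:entitlements].to_set
  TOXIC_PAIRS.select { |pair| pair.subset?(held) }.map { |pair| pair.to_a.sort }
end

# Entitlements the user holds that their current role does not explain.
# An unknown role grants nothing, so everything it holds is residual.
def residual_access(user)
  allowed = ROLE_ENTITLEMENTS.fetch(user[:role], Set.new)
  (user[:entitlements].to_set - allowed).to_a.sort
end

# Report keyed by user id; users with no findings are left out.
def audit(users)
  users.each_with_object({}) do |u, report|
    findings = {}
    toxic = toxic_combinations(u)
    resid = residual_access(u)
    findings[:toxic] = toxic unless toxic.empty?
    findings[:residual] = resid unless resid.empty?
    report[u[:id]] = findings unless findings.empty?
  end
end

if __FILE__ == $0
  audit(USERS).each do |id, f|
    puts "#{id}: toxic=#{f.fetch(:toxic, []).inspect} residual=#{f.fetch(:residual, []).inspect}"
  end
end
```

Note that the two findings are independent: rkhan's access is "by design" only if vendor_admin was meant to pay vendors, and jsmith's residual write_check is dangerous even before it pairs with approve_check. Run the residual check on every role change, not only when someone leaves.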
In the upcoming issue of PenTest Magazine: Malware
Available to download on August 6th
If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next edition.