Archive for the ‘Hacking’ Category

Top 5 server level vulnerabilities you must know!

You might have heard some these vulnerabilities irrespective of domain you are from. These are the well known vulnerabilities which caught attention in social media within the duration of one year (April 2014 and April 2015) Have you ever thought why these vulnerabilities got so much of public/social media exposure?  If not you are at the right place to understand the reason behind it.

Heartbleed was an issue that affected various versions of OpenSSL. This is one such vulnerability which allows attacker to remotely read memory of the systems/servers where vulnerable versions of OpenSSL are implemented. The type of information that could be exposed through depends on number of factors; most cases could include sensitive information like private keys, usernames and passwords of various logged-in users, sessions, database strings and much more.

Since OpenSSL is the most popular open source cryptographic library used to encrypt traffic on the Internet and considering ease of exploitation, large amount of private keys and other confidential information exposed, this vulnerability got much exposure on internet even the CVSS score was 5.0/10.0

Shocking shellshock was discovered by Stephane Chazelas. This is a vulnerability in GNU’s bash shell that allows attackers to run remote commands (remote code execution) on a vulnerable system. GNU Bourne Again shell (Bash) is a shell and command language interpreter used as the default shell on major UNIX based systems like Mac OS, red-hat Linux and much more.

Most of you out there would be thinking that you have bash pre-installed on your systems, now are you guys vulnerable to this attack? Big no! If this bash is accessible on internet then you may vulnerable, let’s say Apache; where in it allow user to set environment variables remotely on that victims system through “mod_cgi”. Shellshock vulnerability not only allows to set few environment variables but also leverages attacker to run malicious code or commands remotely.

  • Poodle :: CVE-2014-3566 (October 2014)

This is the next variant on OpenSSL after Heartbleed. POODLE, it stands for Padding Oracle On Downgraded Legacy Encryption, this bug was discovered by Google Security team. This is such a vulnerability where in attacker can perform man in the middle attack and can easily extract bits of encrypted data using oracle padding. This vulnerability had problem in CBC encryption scheme as implemented in the SSL 3 protocol which was similar to BEAST attack.

This vulnerability was initially affecting the SSLv3 protocol but later it was reported that even TLS 1.0 and 1.1 are also affected. Even though the impact is high, CVSS score given is 4.3 due to easy of exploitation which is pretty much medium/difficult.

  • Ghost :: CVE-2015-0235 (January 2015) 

The GHOST vulnerability is a serious weakness in the Linux glibc library. This is a sort of buffer overflow attack affecting gethostbyname() and gethostbyname2() function calls in the glibc library.

This vulnerability allows a remote attacker to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application or to remotely take complete control of the victim’s machine without having any prior knowledge of any credentials.

  • Freak :: CVE-2015-0204 (March 2015)

Servers that accept RSA_EXPORT cipher suites put their users at risk from the FREAK attack, this allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The FREAK attack is possible when a vulnerable browser connects to a susceptible web server—a server that accepts “export-grade” encryption.

Unpatched OpenSSL, Microsoft Schannel, and Apple SecureTransport all suffer from this vulnerability. Note that these libraries are used internally by many other programs, such as wget and curl. You also need to ensure that your software does not offer export cipher suites, since they can be exploited even if the TLS library is patched.

More BUzz:

  • Mozilla said on its blog that “SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information”.
  • Microsoft also announced that SSL 3.0 will be disabled across Microsoft online services over the coming months.

References:

https://securityblog.redhat.com/

 

Advertisements

Recently, I authored an article at TestingCircus e-magazine and I like to publish the same on my blog so that I can reach out to my readers who are not subscribed to testingcircus or couldn’t read due to whatsoever reason(s). You can find my article in the following link  http://www.testingcircus.com/testing-circus-2014-august-edition/

Most of the applications having user interaction needs to be more secured and hence securing the application for attacks on stealing users credentials is important. Recent survey says that most of the applications are vulnerable at the user level. For example, its observed that Forget Password feature had most attacks in recent days.

Forget password feature needs to be implemented in such a way that it covers all the possibilities of any attack vector. On a recent case study about a leading security firm says that there was an attack on an social media application because of flaw in the forgot password feature. Hence I would like to come up with guidelines for implementing forgot password feature which ensures the application is more secured.

Initial step during forgot password could be gathering the identity of the user by asking various questions which would in turn proves the identity of the account like, what was the last reset password user remember? Last time user accessed his account? or any other similar questions which reveal the identity of the user.

The next step could be Security Question!

Security questions should not be the same old traditional way asking about mother’s maiden name/place of birth/ favorite teacher or any such questions which are easily crackable and letting the attacker to easily compromise the account. Instead if the application allows user to set his own set of questions) which could infinite set for an attacker to guess the answer.

One more important thing to remember here is that the input field for accepting the answer for the security question should be of type “password” this would protect from shoulder surfing, most of the applications does not do so, which is of more important. Number of attempts user can try answering the security question should also be limited or CAPTCHA needs to implement to prevent brute force attacks. Once the user provides the correct answer the password can be resetted in 2 ways.

  • Reset password link with a token associated to it
  • Temporary password

One of the wage methods on forgot password feature followed by some developers is directly sending the password which was set by the user during registration. This happens only when the password is saved in clear text. Good practice in storing the password is to be hashed+salted before storing it.

Reset password link with a token associated to it

  1. Once reset password link is used, link should be expired for the next use.
  2. Till the user resets password, the previous password should not be disabled.
  3. Even if the link is unused the reset password link needs to be expired within a defined time say 48 or 72 hours.
  4. Reset password link should be over an SSL
  5. Old/previous password reset link should be expired once new password link is generated.
  6. Token used in reset password link should be mapped to the users email ID and should not be used to reset password of another user.
  7. Token should not be sequential or easily guessable or a short one. It should be minimum of 16 characters so that it is not easily brute forced.
  8. Password policy should be maintained on reset password page.
  9. Display custom error message to avoid username enumeration

Temporary Password

  1. Application should force the user to change the password on the first login.
  2. If not used the previous password should not be disabled.
  3. Temporary password should be one time use and should not be able to use it again
  4. Flush the memory of the browser after password change
  5. 302 redirection after successfully resetting the password.
  6. Validity for the temporary password could be not more than 4-5 hours.
  7. Password should not be the same as old password.

Sending reset password link with a token associated to it is the best and economical way of implementing forgot password feature, it avoids usage of CAPTCHA and increased accessibility.

Footprinting

Information Gathering/Footprinting is crucial in the whole process of penetration testing.More the information gathered about the target(application/user), more is the probability that appropriate results are obtained. Many tools are available for footprinting which I will be sharing in this post.

Information gathering is not just one phase in security testing! Its an art where each one of us should be a master shifu at gathering relevant info for a better experience in the whole process of Penetration testing.

This post would give you a glimpse of footprinting like, what is footprinting? Purpose of footprinting? What does an attacker gain from footprinting? The various information that can be gathered and how could that be useful in attacking/securing an application or a website.

Ok let me give you a generic example, If a theif wants to rob a bank how does he plan his moves? Will he directly go to the bank and rob without a plan or will he plan by collating all the information required to execute the plan successfully?

The theif would plan by collecting the information from different sources like security loopholes and other required information. Once he plans his moves he would be ready to execute his plan and would go ahead with robbing the bank.

Without this information it would be very difficult for a robber to successfully rob a bank.

Cautionary note: This is only an example. Please use the information wisely and for the purpose of learning only.

Reconnaissance is one such way of collecting the information about an organization/application. The basic reason behind Information gathering here in security context is to learn about the architecture, infrastructure, design, security loop holes of an organization or any application..

There are 2 ways of collecting various information about an organization or 2 types of footprinting,

  1. Active Footprinting

  2. Passive Footprinting

I would be explaining about different ways of gathering information in both the ways using different variety of tools and techniques.

 

1.    Whois is a widely used Internet record listing that identifies who owns a domain or who has registered that particular domain and how to contact them. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership. Whois records have proven to be extremely useful and have developed into an essential resource for maintaining the integrity of the domain name registration and website ownership process.

A Whois record contains all of the contact information associated with the person, group, or company that registers a particular domain name. It also provides information about when was a particular domain registered or getting expired, and when was the last update made on that domain and sometimes this records may also provide the administrative and technical contact information.

2.    Metagoofil is an information gathering or footprinting tools used for extracting information or data which is publicly available on internet belonging to company. INformation can be of any formats like pdf,xls,ppt,doc and much more. Basically metagoofil performs google search in obtaining different files it also uses different file type libraries like PDFMiner which have an index of different PDF files and others. It also provides very useful information like usernames which would in turn be helpful for brute force attack and other information like versions of different softwares and servers being used.

 3.    The Harvester is also used for information gathering where it helps you in extracting the email address and subdomains of a particular target, Harvester is an simple python script which searches information from giant search engines like Google, Yahoo, Bing and much more.

4.    Nmap can be extensively used for information gathering with the help of Nmap Scripting Engine. It can he helpful in basic information about the target like IP address and the ports open and services running, it can be used in determining the information like whois over an nmap console which we discussed earlier, it is also used in harvesting email addresses which discussed earlier(The Harvester), it also helps in discovering additional host names or sub domains that exist on the same server. You can learn more on Namp and other tools on my previous post(Security testing for beginners)

5.    A search engine named Bing(http://bing.com) by Microsoft has a unique feature where in which it could help hacker in enumerating all hostnames which bing had indexed on that server or specific IP address. We can easily use it parameter IP: followed by IP address of the server where in which it provides all the websites hosted on that server. An alternative to the same would be Reverse IP lookup

6.    Blackwidow and HTTrack Website copier is used in better understanding of the website flow as it can be used in cloning the entire domain and could help in offline debugging and to perform tests on local. It can be used in the cases where the server responds only on a particular network.

7.    One of the easiest and craziest way would be Social Engineering. It is an art of wangling people to reveal confidential information which is not supposed to be told out. It involves gaining the trust of an individual in order to obtain confidential information. Social Engineering is a non technical attack but involves tactics for making a victim get trapped. This is an art of gaining important information about an organization, its employees Department, Extension, Email, Role, Phone number etc.

For more information you can have a look at my previous post What is Social Engineering which can give interesting insight on how anyone can be victimised.

I could conclude as, Information Gathering or Footprinting or Reconnaissance is the initial step for penetration testing, more the information you gather more you would be successful in performing the penetration tests. If you are interested in learning further, I would suggest you to start using Kali-Linux or BackTrack!

 References:

https://www.sans.org/reading-room/whitepapers/auditing/footprinting-it-it-why-62
http://hackingmyths.blogspot.in/2012/02/footprinting.html
http://www.domaintools.com/learn/key-terms–definitions-428/#whois

 

Hmmm. I decided to write this blog keeping aside my inhibitions, and I’m happy I am doing it, particularly, this one!

Okay, I assume you would have heard of something called “Social Engineering”.  If yes, are you aware that there is no patch for human stupidity with respect to Social engineering?  According to me, this is true, as we see many companies/users getting victimized even after many past experiences.

Human beings are weakest links!

Social Engineering is an art of wangling people to reveal confidential information which is not supposed to be told out. It involves gaining the trust of an individual in order to obtain confidential information. Social Engineering is a non technical attack but involves tactics for making a victim get trapped. This is an art of gaining important information about an organization, its employees, systems etc.

What is Social Engineering

Here, the victim can be anybody; where which includes a high possibility of a hacker himself getting victimized at times! This would be possible when the hacker could be a part of a group of friends, and the entire  group can be victimized at once, as it is completely based on trust where tricking them emotionally would not be very difficult.

Sometimes, it so happens that  in a continuous conversation, we do not even realize that we are revealing personal & confidential information, or end up revealing some hints, which will in turn make the job of a hacker easier, to hack into their extremely personal & confidential information.

Some basic information which can be gathered very easily would include a person’s favorite color, actor, food, car, teacher, best friend etc. It might even include some of the information about childhood, school days or about his/her family. Such information would suffice to an extent in order to hack into any account, as the secret questions to recover the password for any application would mostly involve these.

Let assume, you have become the victim. Now, do you mind answering any questions like your favorite teacher or your pet name or any such questions mentioned above? If you have a very close friend who would try for a social engineering attack does not have to ask you for any such questions, he would be aware of you and your likes and dislikes up to some extent.

A sample Email which can misslead the admin of an organization (An example for social engineering

A sample Email which can mislead the admin of an organization

Generally if you ask for a piece of sensitive information, people naturally become suspicious immediately. If you pretend you already have the information and give out wrong information, they will frequently correct you unconsciously – thereby rewarding you with the correct piece of information you are looking for.

Social engineering toolkit! No, we do not need a SET to victimize anyone! Real-time hackers do not completely depend on social engineering tool kit.

Social Engineering

Preventing Social Engineering:

In my opinion, I don’t think there is any well defined way or application which helps user to prevent social engineering. Different methods are being evolved hence having an eye on different attacks is recommended.

Educating employees of an organization and performing random tests on them might be helpful to identify the mouse traps within the organization, it is recommended not to share their passwords even with their higher authorities or team leaders, let them have an administrator password if access required.

Organizations have to take care of social engineering too, along with other security attacks as it holds more than 50% of share on different attacks.

Frequency of social engineering when compared to other security Attacks.

Frequency of different Security Attacks

Frequency of different Security Attacks

Courtesy: http://securitywize.com/the-risk-of-an-uncertain-security-strategy/1430

If you have any methods of preventing social engineering or any other social engineering cases you are aware of (attention-grabbing) please comment. Let others know your experience.

Infographic: State of Security Testing by Nagasahas Dasa and Santhosh Tuppad

Infographic: State of Security Testing by Nagasahas Dasa and Santhosh Tuppad

Recently, I authored an article at TestingCircus e-magazine and I like to publish the same on my blog so that I can reach out to my readers who are not subscribed to testingcircus or couldn’t read due to whatsoever reason(s).

Thanks to Mr. Santhosh Tuppad for encouraging me to write this article and Mr. Ajoy Singha for providing me an opportunity to write for TestingCircus and I am looking forward to continue my contribution to TestingCircus e-magazine by writing, you can find my article in the following link  http://www.testingcircus.com/testing-circus-2013-september-edition/

Without much ado, here I present you with my article.


There is no wrong way to start hacking, everything is right way and I have my own way. Whatever your style of hacking is, make sure it’s consistent. If you are starting out today you can be benefited based on your skill sets. Don’t learn to hack, hack to learn.

Well, coming to the point how did I start hacking or how did I land up here, It was in the year 2008. I was in my 2nd year diploma where one of my friends was trying to download videos by searching on Google. In 2008, getting a video to your local machine was one of the biggest achievements for people of my age. My friend showed me how to get the videos from Google, by extracting only videos from the vast search results. He asked me to enter some string along with the search query.

Filetype: avi <Search Query>

He didn’t know what it was, and he told that he came to know about it through his senior. Ok!! As I am very much interested in computer technologies, I tried to find out what they are. I referred to many articles and found that they are called as GOOGLE DORKS. I even came across some of the terminologies like White, Black and Grey hat hackers. During this phase, I got a common response from whoever I asked about hacking, which was “Hacking is very difficult and I don’t know anything on it except that it is illegal”.

But, it is not illegal as I told you before. There are 3 categories of hackers:

  • Black Hat Hackers
  • White Hat Hackers
  • Grey Hat Hackers

Black Hat hackers are those who perform undercover hacking for malicious reasons and also with intent to harm others, such people can also be referred to as ‘crackers’.

White Hat hackers are those who perform hacking for legitimate reasons and use their skills and knowledge for good, e.g. IT Security technicians testing their systems and researchers testing the limitations of any software.

Grey hat hacker is a combination of a black hat and a white hat hacker. A grey hat hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect.

According to a survey the most common technique of hacking a website is SQL Injection. SQL Injection is a technique in which hacker insert SQL codes into web form to get Sensitive Information like (User Name, Passwords) to access the site and deface it. The traditional SQL injection method is quite difficult, but nowadays there are many tools available online through which any script kiddie can use SQL Injection to deface a website. Because of these tools, websites have become more vulnerable to these types of attacks. Some of the tools used for SQL Injection are mentioned in this article. However, as I know nothing is bug free and there will be exploits every minute/hour.

Some of the tools which help in finding the vulnerabilities are discussed below:

1.      Wireshark is also known as Etherea. It is one of the most powerful tools in a network security, as a network packet analyzer on any network. It is used to capture each packet sent to or from your system to the router. If you’re capturing on a wireless interface and have promiscuous mode (Admin/super user) enabled in your capture options, you’ll also see other packets on the network sent from different nodes. This also includes filters ex: DNS, TCP, UDP, ip.addr etc), color-coding, capturing packets and other features that let you dig deep into network traffic. Wireshark is an extremely powerful tool; this is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals. To get this position, it takes a fair amount of practice. It takes practice to know how and where to capture right data, filters to use, and how to interpret the data.

People willing to learn can use this link to get sample captures on Wireshark to get experience hands on this http://wiki.wireshark.org/SampleCaptures

2.      Fiddler is an open source web debugging tool which captures all the traffic between your computer and the internet, it also acts as proxy between the browser or any application on the local machine and the internet say, all the traffic flows through the fiddler and the requests can be altered and the altered request is been sent to the server. In simple words fiddler sits between HTTP client that is the browser and the HTTP server.

Normally it would be configured with all the browsers being used on a particular machine or you may have to manually configure the browser to capture all the traffic in/out of our machine.

Fiddler can also be used to find the statistics, inspect the request or the response and can even act as an auto responder and is capable of sending request from the fiddler wit out any browser. Fiddler is designed in such a way that it capability to run API’s through composer functionality and can even right some scripts which can be helpful for check automation and has the capability to decrypt HTTPS traffic.

3.      Nessus, the first public release was in 1998. Nessus was an open source vulnerability scanner, recently nessus turned into a paid tool. This tool is used for scanning both web application and network, Network can be either internal or external IP/Network. Nessus is designed to automate the testing and discovery of known security problems. Allowing system administrators to correct problems before they are exploited.

Nessus uses a client server design that allows the user to set up one server that has multiple nessus clients that can attach and initiate vulnerability scans, where servers can be placed at various strategic points on a network allowing tests to be conducted from various points of view.

Nessus security checks vulnerabilities and database is updated on a daily basis which could be retrieved to cross check the database with the command “nessus-update-plug-ins”.

4.      IBM Rational AppScan is an automated web vulnerability scanner which helps in finding the vulnerabilities quickly and effectively, even a svan (semi technical person) can also use the tool and find vulnerabilities.  Using IBM app scan, we can decrease the risks in web application attacks and data breaches. It helps in testing the web application either on production site or on any staging sites which can ensure that it checks for web attacks.

Basically in IBM AppScan once you add a web app to test for its security the initial step is to crawl all the pages/links on that application which are allowed to be crawled based on robots.txt

Basic functionalities of IBM AppScan are

  1. Gives the larger coverage of test report
  2. It mainly concentrates on top 10 OWASP (Open Web Application Security Project) web application vulnerabilities.
  3. Accurate and advanced scanning algorithms used hence less false positives
  4. Recommendations, Which I personally like here, It gives us description of each vulnerability found and the risk involved in not fixing it.

As we all know automated scanning is not perfect all the time and is not advisable to completely depend on automated scanner, hence they have provided a manual scanning for any vulnerability found to give the perfect solution without false positives.

IBM app scan is a paid tool and it has a trial version as well if you are interested in exploring the application.

5.      Nmap, also known as “network mapper”, it is an open source application which helps in quickly scanning different ranges of devices such as desktops/laptops or any mobile devices and provide valuable information about the devices which are connected to a particular network. Nmap is available for all the platforms where it can be operated in 2 ways, command mode and GUI mode but most people prefer command mode for its advanced features but requires technical knowledge.

Nmap uses raw IP packets to determine what hosts are available on the network (Host Detection), the services that are enabled, the operating system and version, using TCP SYN or a TCP Connect ping to gather active hosts. Nmap is used by security researchers and hackers who want to find the weakness and exploit them.

Nmap can provide different types of scans, where some are more aggressive and some are simple, designed to be stealthy and scan undetected. Depending on the type of scan performed, different information can be discovered; some of the scans are Ping, SYN Stealth, UDP Scan, IP Protocol Scan, ACK Scan, RPC Scan, List Scan etc.

6.      Havij is an automated SQL Injection tool that helps hackers or security researchers to find and exploit SQL Injection vulnerabilities on a web page on a vulnerable web application, using Havij user can access database, retrieve DBMS users and  password, dump tables and columns, fetching data from the database, running SQL  statements and  executing commands on the  operating system.

Hackers use Havij along with vulnerability scanners such as IBM AppScan or Web Inspect, vulnerability scanners find vulnerabilities but not help you in actual exploitation and that’s where Havij showcases its functionality.  In other words, vulnerability scanners will help you in finding list of vulnerable webpage’s whereas; Havij helps you with the access to the database for entire exploitation.

Once URL is feed to the Havij, it comes up with a list of databases being used, version, and db-name’s. Later selecting a particular database we can drill down to tables, and then to columns and even to the actual data. Passwords would hashed usually, there are set of de-crypter’s  associated with the tool which help user to decrypt the hashed password, it is also associated with an algorithm which helps users to find the admin page of a particular web application. In simple words it’s more useful for hackers than security researchers.

7.      SQLMap is one of the most popular and powerful open source SQL injection automation tool, which is built on python and can run on any platform if python is installed in it.

Giving a vulnerable URL, SQLMap can exploit the database and provides with sensitive information like extracting database names, tables, columns, all the data in the tables etc. It can even read and write files on the remote file system under certain conditions.

We can run this application only on command mode and doesn’t have an interface, and has simple commands to extract information from the database.

Dear readers, you have been following me on this blog which is on *.wordpress.com. I am freaking happy to announce that I have transferred all the blog posts to new domain and new hosting of my own. Please visit http://solidmonster.com/ from now on. Thanks all!