Sunday, 30 June 2013

SSLv2 Depreciated Protocol - Validating the Findings

In this post, we will look at some tools used to analyze whether the web server is using SSL version 2.



SSLv2 Depereciated Protocol as stated by Acunetix
Ref: http://www.acunetix.com/vulnerabilities/ssl-2-0-deprecated-protoc/

Description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.

Detailed Information
The remote service accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been deprecated.

Impact
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommendation
Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

OWASP Testing Guide

Testing for SSL-TLS (OWASP-CM-001)


THE TOOLS 

Using Nmap on BackTrack
#nmap -sV -p 443 --script sslv2 <host>


Using SSLscan on BackTrack
#sslscan --no-failed <host>


Using Openssl on BackTrack
#openssl s_client -sslv2 -host <target> -port 443


Using SSL Audit


Using Qualys
Note: Be aware of using the online Qualys SSL checker as it will stay permanently in the Qualys result database and will be made publicly available. 


Result of the online Qualys SSL Checker


Using Acunetix



THE SOLUTION: DISABLING SSLv2


1) Disable SSLv2 and Weak Ciphers

2) Disable SSLv2 on Windows Server 2008 (IIS 6 and 7)

3) Disable SSLv2 and Force to use SSLv3 and TLS v1 in IIS


4) Disabling Weak SSL Protocol and Ciphers in IIS

5) Disabling SSLv2 in IIS 7

6) Official M$ guide to Disable SSLv2

7) Disabling SSLv2 in IIS 7 and 7.5

Saturday, 29 June 2013

SET on BT5r3 - Stealing Facebook Credentials

In this tutorial, we will show you how to steal Facebook credentials using the Social Engineering Toolkit on BackTrack Linux.


Fire up the Social Engineering Toolkit from BackTrack.  Select 1 for the SET Attack.

 For this tutorial, we will use the Website Attack Vectors as our mechanism

Since we are going to steal the credential, we proceed to select 3

We will choose 2 to clone the site we are going to dupe.
Enter the IP address of where the clone site be hosted.
Enter the link of the website. In this case, we will clone the facebook login page.

 Once the site is cloned, provide the link/IP for the victim to enter. The victim will get the Facebook login page website.

And when the victim type in the username and password, the credentials will be sent to the attacker's console.


Wednesday, 26 June 2013

Skybox - How Skybox (Risk Control) can be used in a Pentest Engagement

So i went for a 3 day Skybox training to learn the fundamental uses of the product and i kinda liked it and although Skybox is meant to be used as an 'in house' product, it can be used for pentesting engagement.

Basically there are Five components in Skybox:
1) Firewall Assurance
     - http://www.skyboxsecurity.com/products/firewall-assurance
2) Network Assurance
     -http://www.skyboxsecurity.com/products/network-assurance
3) Risk Control
     -http://www.skyboxsecurity.com/products/risk-control
4) Threat Manager
     -http://www.skyboxsecurity.com/products/threat-manager
5) Change Manager
     -http://www.skyboxsecurity.com/products/changemanager

In this article, i will focus on the Risk Control component and how it can be used for a penetration testing scope. I will be using a Demo Model used during my training to illustrate to you the cool stuffs of Risk Control.

Note: The demo model was provided to me during the training. As it was a brief introduction of Skybox, there were no time to have a practical lessons on how to create a model and input information such as the vulnerabilities, hosts, etc from scratch and map it out into an architecture.

Once i loaded the model, the first thing i see is the list of vulnerabilities in the whole organization's network.



Finding Information

One of the features that i liked was the finding the information i want for example, if i want to find how many Critical vulnerabilities are there:




If i want to find a list of hosts with the name "app_0_db"



By default it wont show the Vulnerabilities tab, therefore we need to customize the window to view it.




Vulnerabilities Analysis

To view the information of the vulnerability, the General tab provides lots of information about it



It also shows the CVSS score of the vulnerability


Creating an Attacker

Let's create an virtual hacker/attacker from the Internet. This hacker will then be used to simulate the attacks later.



After creating the virtual attacker, we analyze the exposure of what are the possible targets of the attacker.





Simulating the Attack

Now that we have analyzed the exposure, its time to explore the attack.



After analyzing, we will see the kind of targets and the description of the attack as well as the Risk level.

To view a simulated attack, choose on a Target and click 'Attack Explorer'


From the above simulated attack, we can see how the attack was done, the vulnerabilities used, the steps of the attack, the ports used and the hosts that was attacked.

How can this integrate to a Penetration Testing Engagement

The Risk Control component of Skybox can be used to illustrate attacks and simulate hacking situations based on Live environment or What If scenarios without using the actual production environment itself. With this, it will be easier for pentesters to then perform a POC of the attack to confirm the possibility of the penetration. This would be useful for client organizations who wants to have an engagement but are very very afraid that such engagement could lead to a DOS or service failures.

The Disadvantage

1) While finding information and simulating attacks are fun and cool, one needs to do ALOT of work to get the initial config files, scanned hosts files, modelling it in Skybox and organizing it to output into something like this:


Only personnel who have extensive experience on designing the layout would be an advantage of using the Skybox.



2) While this component is very good and useful, the down side to it is that how many of the clients would actually provide all the switches, IPS/IDS and firewalls configurations to another Penetration Testing company? As Skybox is only useful to perform a proper security/network architecture analysis when fed with all the necessary config files. Without them, we cant make full use of Skybox capabilities....

Sunday, 23 June 2013

MSSQL Enumeration - Using Open Source/Freeware Tools

In this article, we will demonstrate on how to find available M$ SQL servers within a network range and enumerate or get information about them.


Using Metasploit

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS <IP Address/range>
msf auxiliary(mssql_ping) > set THREADS 10
msf auxiliary(mssql_ping) > run



Using Nessus Cmd
#nessuscmd -i 10674 <IP range> --max-hosts 25




Using Nmap
#nmap -p 1434 --script ms-sql-info --script-args mssql.instance-port=1434 <IP range>


Using SQLRecon



Result of the Scan


Using SQL Ping v3
SQL Ping v3 and SQL Recon has the same interface. The difference is that SQL Ping v3 has additional option for Brute Forcing Passwords with the ability to input the User and Password list.


Result of the Scan


I will find more tools that can be used to gather information for SQL servers and will list them down here in future. If there's anything out there you readers are aware of, do share!

Saturday, 22 June 2013

NESSUS - The Basics

Nessus is one of the most common and reliable vulnerability scanners used by security professionals to check and scan for known weaknesses in the system. Here, we are going to focus on how to configure a scan, understanding the result and knowing its ability to export the result for further use and analysis.


First, after installation and setup of Nessus, load it using the browser to https://localhost:8834 and log in using your username and password.

In the Scan Queue tab, click New Scan

Enter the following
-Name:
-Type:
-Policy:
-Scan Targets:
And then click Run Scan

A completed scan will show the status as 'Completed' on the 'Results' tab

In the Hosts Summary, it will show a summary of the scan results

By clicking on the Vulnerabilities tab, it will show the summary of all the vulnerabilities found

Clicking on one of the vulnerability will produce a list of information associated to the vulnerability and even provide links of references to further read or research about it,

The Scan results can also be exported for further review.

The following export formats are available to be exported.

You can always load the exported file back to Nessus to view the results. Additionally, you can import the results (NBE Report) into the MSFconsole database!






Monday, 17 June 2013

Awesome and Inspiring People Met in the IT Security World

I am privileged to meet those people i read about in books during training and conferences. These are some of the amazing and inspiring security Gurus i met along the way during my pilgrimage in the IT Security world.


Me with John 'Capt Crunch' Draper @ Hack In The Box Malaysia in 2012.



Me with Bruce 'Rocker of Security' Schneier at a ISC2 conference and got two books autographed.



Me with Bryce Galbraith, one of the contributing authors of Hacking Exposed Fifth Edition.


Me with Michael Vein, the CHO (Chief Hacking Officer) of SecureNinja.com 




Sunday, 16 June 2013

Social Engineering - Pentesting the Human Element


Alas, wrote an article to Pentestmag and got accepted and published! 
The cover page of the PentTest magazine

The list of authors of the individual articles


The first page preview of the article.

Download and read the full article here