Tuesday 19 November 2013

Hunting and Hacking MSSQL Servers - Published Article on PenTestMag.com

My colleague and I wrote an article about how to pentest MSSQL end to end. As pentesters, we are constantly researching how to make our lives easier when performing ethical hacking engagements in a structured way, and how to ensure that all possible methods are used, based on methodologies such as OSSTMM.

We spent about a week browsing the web and compiling what could be done to properly assess an MSSQL server and its services, then sat down and tested it on our own test servers (knowing that most customers do not allow us to exploit their systems).

Once we had written the article, we sent it to PenTestMag.com for review and crossed our fingers, hoping it would be reviewed and accepted. Fair enough, upon review, we had to elaborate, add, edit and explain the methods used so that it would be easy for readers to understand and technically possible to follow step by step.

After all our hard work, it was finally accepted and, a month later, it got published! So ladies and gentlemen, I present you some snapshots of the article! :)



The cover of the magazine


My Colleague and myself on the cover!

The content page


The first page of the article


The end of the article and our brief bio.


The article can be downloaded at:




Thursday 14 November 2013

When it comes to Security - Nothing is Impossible

In 1995, the movie ‘Hackers’ premiered, and the feedback was unanimous: “Exaggerated! How on earth was that even possible?!”

Almost ten years on, and these ‘exaggerated’ ideas have become a reality. The film features a virus called ‘Da Vinci’ — a remote-controlled virus set to sink a fleet of oil tankers from afar. Exaggerated, right? Well, at this year’s Hack in the Box security conference, we learnt that the possibility of a virus hijacking an airline was not that far off.



An earlier film, ‘War Games’, sees Matthew Broderick playing a small-time hacker whose initial objective was simply to play games, but ends up hacking into the US Government’s mainframe. When challenged by his peers about the complexity of a system he has gained access to, he replies, “Hey, I don’t think any system is totally secure.”






This quote from a 1983 movie is still worryingly relevant in today’s society. Millions are spent on devising complex and diverse security architectures, but with every security advance, there are more determined and more specialised hackers attempting to break into the systems.

In today’s society, it takes a lot more than computer competence to become a hacker. Kevin Mitnick, one of the world’s best-known hackers and, at one time, America’s most wanted computer criminal, used simple social skills to overcome and bypass some of the most highly-secured facilities. Mitnick helped coin the term ‘social engineering’; using deception and emotional manipulation to gain access to otherwise impenetrable systems. As Bruce Schneier once said, “Amateurs hack systems. Professionals hack people.”



Electronic communications via email, chat applications, SMS, phone calls, or VoIP can all be broken down into zeros and ones. These days, communication means data, and data can mean information, which then leads to value. Controlling information means controlling the situation. Between 2007 and 2008, Chinese hackers were able to hack and control two US satellites for a total of 11 minutes, intercepting information transmitted between the satellite and NASA. Whoever gained access to the data chose not to do anything with it, but it became a landmark in highlighting issues of cyber security.


The new generation of hackers no longer just hack to disrupt services and infrastructure. They hack to take control of information and data. In the modern age of technology, the value of your data inside your flash drive could be one of the most valuable things in your arsenal.

The things that we have now, the systems we are using, the mobile phones we carry are the result of hacks that were done during the computer revolution back in the 70s. The technologies that you and I have at hand are partially the result of those people who broke the law to modify, create and innovate.

The gift of hindsight has allowed us to see the technological pathways that computer hacking has forged. Where once, hacking possibilities were at the hands of film directors and novelists, they now lie in the hands of anyone with imagination.

As industry leaders in communication, it is our job to have an awareness of the potential risks and pitfalls that hacking can create. By keeping an open mind to hackers and technological creativity, we can ensure that we are able to defend and foresee any threat in the digital world. As Einstein once said, “Imagination is sometimes better than knowledge.”


This article was also posted at http://tinyurl.com/m38xj2e

Wednesday 13 November 2013

Winners of Symantec Cyber Readiness Challenge (Cloud Asia Expo, Singapore)

Finally we emerged as Champion!!!!
There were about 25 participants. Some grouped in twos, others went solo. But I have to say that this was a very, very, very tough CTF, unlike the first Cyber Readiness Challenge, where we finished as first runner-up.

This time, the organizers came prepared. There was no wireless network at the location and participants were encouraged to bring their own 3G/4G dongles. I, on the other hand, totally forgot about it, and luckily the organizers had brought some spares in case there were people who forgot (me).

It started with a video showing the story of the situation. Once the clock starts, the challenge begins! Heck, it was one tough ride. It started with a flag for which you need to be forensically knowledgeable and, of course, one must know LINUX!!! We took almost half an hour to figure out the first flag. After that, it only got tougher. Glad I used nmap to scan the whole network for live machines and started finding vulnerabilities and poking at their ports. It was not as straightforward as I thought it would be.

Nevertheless, we managed to bring back glory by becoming the champions of the tournament, and again it was a very, very tiring 4-hour event. We didn't even manage to have our breakfast. Just a cup of mineral water and a cup of coffee and off we went, non-stop action...

Kudos to Symantec Singapore for organizing such a wonderful event. I really hope Symantec will continue to organize such events in future and allow potential hackers to participate and challenge themselves in the given environment to hack, steal and win, legally of course!

Event: Cloud Asia Expo
Competition: Symantec Cyber Readiness Challenge
Location: Suntec City Convention Center
Country: Singapore

Check out the photos:




The partnership of the Hulk and Juggernaut

Working towards winning

The 2nd Placed Winners

The First Place Winners!


Previous Symantec CRC Participation:
First Runner Up in the first ever APAC Symantec Cyber Readiness Challenge: 




Sunday 10 November 2013

Never Give Up

In life, not many are/were born with a silver spoon. Some have to work very, very hard and some simply ask and they have it. People who come from difficult backgrounds or humble beginnings are often admired when they carve their way to success. This is an article that was published on the 8th of November 2013 about how he overcame rejections and still made his way up to achieve his dream career.


Front Page
Translation:

Ethical Hacker in Global Firm

ITE graduate works hard to become a Consultant in BT

Now, he may have reached his dream of becoming a consultant, but not many know how many disappointments and rejections he faced. More than 10 years ago, with a Higher Nitec in Mechanical Electrical Engineering Design certificate, he tried to appeal to take a course in Infocomm Technology at Temasek Polytechnic but was not accepted due to unsatisfactory results. Nevertheless, in 2005, having completed his NS, Fadli went on a hunt for a private diploma in Infocomm Security from Raffles Education Corporation. With that diploma, he hoped he would be accepted for a specialist course at a polytechnic but, sadly, he was not accepted. His appeals to study at both TP and NYP were rejected. According to Fadli, he was told he was not accepted because he did not have a local polytechnic diploma, which was part of the requirement.

Disappointed but not giving up, he tried again in 2007, this time with another diploma, in Information Technology from SMF. Once again, he was rejected for the same reason. "I was disappointed and worried at that time," said Mr Fadli, now 30, recalling it all. "Disappointed as though I was ignored, and worried about my loans," said Mr Fadli, who borrowed $16000 from a bank for his degree. He hopes he will be able to pay off all of his loan of about $8000 by the end of next year.

According to him, he was stubborn, searching for a career in the field of IT Security, and has a huge interest in hacking. "I'm not sure why, but ever since I watched 'Operation Takedown' and 'Hackers' I fell in love with hacking," said Mr Fadli. Ever since then, he has never given up chasing his dream career.

In 2008, he started his degree with Murdoch University, and he has now armed himself with a degree double majoring in Cyber Forensics, Information Security Management and Business Information Systems. He is also now building up his career as an IT security consultant with BT, as part of the Ethical Hacking Center of Excellence. The company offers IT solutions and services globally.

Recently, hacking events have been the talk of the town in the media, after the hacker known as 'The Messiah', who claimed to be from the group 'Anonymous', vowed to threaten the IT infrastructure of the Singapore Government. PM Lee Hsien Loong said that this act is dangerous and true. Unsurprisingly, the services offered by security consultants like Mr Fadli, who declares himself a 'Hacker for Hire', are in demand.

He said that he never would have thought of becoming a security consultant one day, since owning his first computer at the age of 18. "Without hard work, all this would never have come to fruition," said Mr Fadli.

Page 17
Translation:

Hard Work is the key to Success

Work and overcoming the trials of life are not alien concepts to Mr Fadli, 30 years old. After his father died in an accident in 1988, when Mr Fadli was only 5 years old, he and his 2 other siblings had to move from house to house while his mother went to work. His studies were more or less affected, said Mr Fadli, who had to change from school to school to accommodate the moves.

In a pressed state, his mother had to send her children to Jamiyah, Darul Mawa, an orphanage, when he was 11 years old. "The challenges of living in the home were many... if you think the influence in school is great, imagine the influence you get living all day and night in the home," said Mr Fadli. In the end, Mr Fadli stayed in the home until he completed his O Levels at Serangoon Garden Technical School.

To increase the family income, he had to work part time in a shop called Miz29 and sell satay while waiting for his O Level results.

Upon completing his ITE education and National Service, he worked at HP as a media operator and then at NCS. 3 years later, Mr Fadli went back to HP as a systems engineer. According to him, while gaining different experience in the field of IT, he often changed jobs in the hope of getting a raise to pay off his education loans. In silence, he was still hoping to get a career in the field of IT Security.

The opportunity came when he was offered a position in BT Global Services in 2010. "Even though I had to stare at the computer for hours, I truly enjoyed my job. Not many have the interest in doing this kind of job but I loved it because of its challenging landscape and the need to have a strong sense of creativity and continuous learning," said Mr Fadli, who always has to keep up with the never-ending change of new threats in the cyber world.

"Most of the systems encountered are very vulnerable and able to be exploited, and these vulnerabilities change over time," said Mr Fadli. As of now, Mr Fadli has published at least 3 security articles in an international security magazine called PentestMag. Additionally, Mr Fadli was also a member of the BT team that won the hacking competition GWAPT, Catch the Flag in Bangkok, Thailand. He and his colleague also became the first runner-up in the Cyber Readiness Challenge organized by Symantec last month. Next week, Mr Fadli and his colleague will be participating in another Catch the Flag hacking competition at the Cloud Expo Asia in Suntec.

Mr Fadli, who is now married to Mrs Siti Mariam, realizes how things have changed. Mr Fadli hopes to continue his studies once he has paid off his loans. He also advised teenagers with similar beginnings and backgrounds to never give up. "Our future will not change without hard work," he said.

Saturday 9 November 2013

Be Humble and Shut Up

"Let sleeping dogs lie. Don't issue warnings or threats to the attackers via the media; this will only keep the issue alive, raise tempers and greatly enhance the possibility of another assault. Most DDoS attackers seek publicity, so don't hand it to them on a silver platter." - Prolexic (The company giving advice to future targets of Anonymous)


In 2008, Anonymous attacked the Church of Scientology, bringing its website to its knees through DDoS attacks.

The church then stepped up its security and hired Prolexic to help guard it against DDoS attacks, which worked.

But they made a huge mistake when they arrogantly announced to the media the steps they had taken.

This attracted more Anons to attack the site, and they then took to the streets to protest against the church.


Moral of the story: Don't feed the trolls!

-----------------------------------------------------------------------------------------------------

In another event in the same year (2008), an Indian software company called Aiplex worked with the MPAA (Motion Picture Association of America). Its job was to bring websites that host pirated videos, such as Piratebay, to their knees via DDoS.



The film industry hired Aiplex, which boasted about DDoS-ing websites hosting pirated stuff.


Thus began the attack on pirate websites, which was led by Aiplex.
Source: http://www.techradar.com/news/internet/movie-industry-launching-cyber-attacks-on-pirate-websites-715149

And because of this arrogant stance, a series of attacks on Aiplex began, which was called #Operation Payback.


When the damage is done, there's no turning back. You can't simply erase your history...


Moral of the story: Payback is a bitch.








Wednesday 6 November 2013

Symantec Cyber Readiness Challenge is Back in Singapore

"Symantec Security hosts the Cyber Readiness Challenge - an interactive 'capture the flag' style competition modelled after real-life security issues – at Cloud Expo Asia 2013.

The challenge positions participants as cyber security experts who will compete for system penetration within a simulated environment set with diverse and realistic vulnerabilities.

Within a fictitious scenario, participants will face challenges of increasing complexity and difficulty as they move through the various stages of a security breach."

Conference cum CTF




For more information about Symantec's CRC
Link: http://www.symantec.com/page.jsp?id=cyber-readiness-challenge

Watch the introductory video about Symantec's CRC


Sunday 3 November 2013

SANS 560 GPEN Training and CTF Event

I went for a GPEN course that was held in Singapore at the Grand Copthorne Waterfront Hotel last week and had a great time learning some of the network hacking stuff that I was not aware of. Unlike the previous course I attended, which was the GWAPT (Web Application Pen Test), the books for GPEN were much thicker. The trainer was an official GIAC trainer from Belgium and spoke good, clear and understandable English. He was fun and approachable and explained things confidently when we were unsure.

On the last day of the course, like GWAPT in Bangkok, there was a Capture the Flag event, a mini hacking competition for all the participants, and whoever wins it gets a special medal. This limited edition medal is only given to those who successfully manage to capture all the flags and present to the participants how they won it.

The GPEN CTF was much harder than GWAPT. Only after the event was over did the trainer confess that there were no vulnerable machines for us to exploit and we had to find another weakness in the system instead. So it was a disappointment when we found NOTHING after running tools like Nessus and the Nmap vuln NSE scripts. There were both Linux and Windows machines and we had to think out of the box to get the flags! It wasn't as straightforward as I would have thought. Even the CTF organized by Symantec previously wasn't as tough as this. We needed to know how to use password cracking/guessing tools, and had to know how to sniff and analyze traffic using Wireshark/tcpdump. We had to know how to crack the hashes and compile an exploit to try and exploit a Linux machine! And who would have guessed that one of the flags was stored in VoIP traffic!!!??? It was quite a tough 3-4 hour event.

And eventually, despite all the toughness, our team won and was the only team to capture all the flags after the hour was over.

Here are some pictures: 

The Course

The Training Room

One of the Chapters

The Trainer

The Books

Posing beside the SANS banner

The Medals

Our team with the medals

Me with the GPEN Medal

The Medal Close Up


For more information about the GIAC GPEN course: 







Friday 1 November 2013

'Anonymous Collective' Warns Singapore Government

There was a Youtube video apparently showing an Anon giving a speech using digital voice-changing software, threatening the Singapore Government and telling the people to peacefully protest on the 5th of November by wearing black/red and changing their Facebook profile picture to a black image.

The message to the SG Govt was straightforward: Enforce Internet Regulations and We Will Attack you. We have seen such attacks on governments in Korea, the Philippines, Finland, the United Kingdom and the US. We have seen databases being hacked and leaked, and government websites and online services being disrupted and denied. There's nothing more frustrating than not being able to access your sites.

The full transcript of the message below:

"Greetings Government of Singapore,


We are Anonymous and we believe that we have your undivided attention. We also believe that you have had the pleasure of meeting our comrade The Messiah, who demonstrated what a single Anon could do to your so-called technologically advanced island. Now allow us to explain the objective of our recent invasions.
The secondary objective was to welcome you to the new rule where ignoring the issues of your citizens will not go ignored by Anonymous. We advise you to stop feigning ignorance and serve the people.

Any form of arrogant and ignorant statement from a person of position towards the people will not go ignored by Anonymous. Have you forgotten who you work for? Traditionally the workers respect the boss. Let us stick to tradition. But the primary objective of our invasion was to protest the implementation of the internet licensing framework by giving you a sneak peek of the state of your cyberspace if the ridiculous, communistic, oppressive and offensive framework gets implemented. Did I mention the previous hacks were executed by a single Anonymous member? Now close your eyes and imagine a legion of Anonymous unleashed upon your tiny little island and infrastructures. It will be like dipping yourselves into a pool of piranhas. We have faced much larger and more secured corporations such as the F.B.I & the NSA.

Do you think the I.D.A will be a problem for us? After all, security is just an illusion against time and temporary ignorance. So mark our words when we say that we Anonymous stand firm on our belief that no Government has the right to deprive their citizens the freedom of information. No one has the right to tell an individual what he can or cannot read or write. This is a basic fundamental of democracy and we will use everything in our resources to protect it at all cost. We demand you reconsider the regulations of your framework or we will be forced to go to war with you. For every single time you deprive a citizen his right to information, we will cost you financial loss by aggressive cyber intrusion. An intrusion your $130 million cyber security will not be able to stop. After all how do you stop an idea? You may be ambitious enough to try and stop us but remember, the people you are after are the people you depend on: we cook your meals, we haul your trash, we teach your children, we pay your high salaries, we feed your families, we guard you while you sleep! It is not wise to piss us off.

And finally we call upon our fellow Singaporean brothers and sisters to join our protest by dressing fully in black & red on the 5th of November to paint your streets with the colors that represent the current Singaporeans emotion. We urge you to black out your FB profile picture for a day along with the status message: I am a Singaporean and I had enough of being oppressed! I want my freedom back!! Anonymous will be making a virtual protest by your side. Let us demonstrate our frustrations in organized unseen unity that may live a thousand years. This action might not make a political change but it is the first step towards the mental conditioning needed to achieve our goals.

Remember, remember. The fifth of November.
We are anonymous, we are legion.
We do not forgive, we do not forget.
Expect Us!"

source: http://singapore.coconuts.co/2013/10/31/video-anonymous-warns-govt
video: https://www.facebook.com/photo.php?v=656364671075370&comment_id=6755136&notif_t=like%3E


But the question is, who is this 'Messiah'? Is he really an Anon member? Or a rebel with a great cause? When the video went viral, both the video on Youtube and its Twitter account were removed/disabled. Why?

When the Straits Times reported the issue and deceived the readers by changing 'Anonymous threatens to Attack the Singapore Government' to 'Attack Singapore', the Messiah hit back at the media by hacking into the journalist's account and posting this message:

"Dear ST: You just got hacked for misleading the people!

Greetings Irene Tham & Straitstimes.com,

I am The Messiah from the Anonymous Collective. We are a decentralized non-violent resistance movement, which seeks to restore the rule of law and fight back against the organized criminal class. We oppose any form of internet censorship among other things.

Allow me to explain our intrusion.

Earlier today upon discovering the existence of a Youtube video of ours (click here), a straitstimes correspondent by the name of Irene Tham chose to publicize an article distorting our words and intentions (click here). She chose to conveniently modify the sentence "war against the Singapore Government" into "war against Singapore". 

That in our opinion can be very misleading and unfortunately we suspect that must have been her intentions. Look what she made us do! :( Irene Tham, since you had the ignorant nerve of invading our world (the internet) to speak blasphemous lies, then we took it upon ourselves to invade your tiny little space to voice our issues over a few matters. We sincerely hope you won't mind.

PAY ATTENTION:

1) So dear SPH, in regards to Irene Tham, we will give her 48 hours to make an apology to the citizens of Singapore for trying to mislead them with her hate. In the event she refuses to apologize then we expect her resignation. If those demands are met we will be on our way. But in the event our demands are not met in the next 48 hours, we will place you in our "to do" list and next time you won't be let off this easy.

2) Next we would like the attention of the PAP community foundation that was involved with the baby scalding incident. We demand that you make known to the public your investigation details and discoveries. We advise you to do that before attempting to reappear on the internet. This is to save yourselves the trouble of taking it down again.

3) To those disappointed in us for not intervening in the Dhinesh Chandran case, allow us to explain. Anonymous have been watching this case for a while now. We feared that our aggressive protesting methods could affect the verdict of the appeal. This can be very disastrous if miscalculated. So now, Anonymous would like to appeal on behalf of the mother of Dhinesh Chandaran to the High Courts and AGC to give her the closure she requires. Your verdict will demonstrate the level of humanity our justice system has on the low & middle class citizens. We will be watching, that we promise.

4) In regards to the murder of Tammy the puppy by Dr Esmee Koh from The Animal Clinic. All we can say to Dr Esmee Koh is that you are fucked. This we take personally and we have decided to attack you in ways you least expect. Making it a touch more personal. Stay excited!

5) In regards to CHC and Pastor Satan Kong Hee, we have time. :)

6) Finally to the Singaporeans who are behind us, we salute you! :) For the rest who are more distracted on unnecessary details such as deciphering the software we use, graphic we use or criticizing our skill sets. We genuinely sympathize with your inability to see the bigger picture and also your deep seeding insecurities. Nonetheless, we will fight on the behalf of your freedom.

The media has also misled our intentions by stating that we had plans to attack the infrastructure of Singapore on the 5th of November. That is ONLY our intention if the internet framework gets implemented. Not otherwise.

Instead on the 5th of November, we shall paint the streets red and black with our attires and when you see your fellow comrades in black and red, smile and shake their hand. Let us use that day to demonstrate our new undivided unity even in the amidst of all our differences. This is a very important stage in regaining your freedom.

Join us!" 

Encrypted Message : 22 66 5e 7b a8 68 c9 0d f3 f0 47 c9 d2 e5 4a 33 02 be 20 f4 15 29 5e 7b 76 12 8d 5f 1f dd 59 44"


source: http://therealsingapore.com/content/straits-times-hacked-messiah-misleading-people

From this message we can tell that the Messiah is not an actual member of the hacking group Anonymous but declares itself as an 'Anonymous Collective'. Also, if we follow the trail of Anonymous, they have never removed or disabled any of their communication channels or mediums such as Youtube or Twitter. So the question is: who is this Messiah, and who else is behind the Messiah? And who/what else will the Messiah attack next?

While I don't think that he is an actual Anon hacker, he definitely has shown the skills to perform it. A Rebel with a Cause and a believer in freedom of speech and expression on the internet. What is scary is that if true Anon hackers support The Messiah on this cause, then it will be something for the SG Govt to be really worried about.

Can The Messiah be caught? Probably, but remember, how many web defacers out there actually got caught? Remember the Brazil Hacking Team that defaced a couple of SG Govt websites and no one got caught? So if The Messiah is doing this from overseas, then it's going to be really, really tough to nab this person. What the govt can do is quickly ensure that the security of their systems is in proper order. Hire white hat hackers and perform black box pentests on their internet-facing servers. Always remember that prevention is most of the time better than cure...

News and links about the situation:

1) http://www.techinasia.com/singapore-newspaper-straits-times-hacked-messiah-anonymous-collective/
2) http://sg.news.yahoo.com/anonymous-threatens-singapore-government-in-youtube-video-091443515.html
3) http://www.straitstimes.com/breaking-news/singapore/story/government-agencies-alert-after-hackers-threaten-attacks-20131101
4) http://nakedsecurity.sophos.com/2013/10/31/anonymous-threatens-singapore-with-hacking-attacks-calls-for-november-5-protest-perhaps/