
Monday, 9 December 2013

Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020) - Validating the Findings

Results from Qualys Scan

ISSUE:
Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)

THREAT:
The Remote Desktop feature in Windows enables access to all of the programs, resources and accessories on a user's computer from a second Windows-based computer.

A remote code execution vulnerability exists in the way the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted (CVE-2012-0002).

A denial of service vulnerability exists in the way the Remote Desktop Protocol service processes packets. An attacker who successfully exploited this vulnerability could cause the target service to stop responding (CVE-2012-0152).

IMPACT:
Successfully exploiting these vulnerabilities might allow a remote attacker to execute arbitrary code or cause a denial of service.

SOLUTION:


Validating the Findings:

Using NMAP to verify the Vulnerability

#nmap -sV -p 3389 --script rdp-vuln-ms12-020 <IP>


Sunday, 3 November 2013

SANS 560 GPEN Training and CTF Event

Went for a GPEN course that was held in Singapore at the Grand Copthorne Waterfront Hotel last week and had a great time learning some of the network hacking stuff that I was not aware of. Unlike the previous course I attended, which was the GWAPT (Web Application Pen Test), the books for GPEN were much thicker. The trainer was an official GIAC trainer from Belgium and spoke good, clear and understandable English. He was fun and approachable and explained things confidently when we were unsure.

On the last day of the course, as with GWAPT in Bangkok, there was a Capture the Flag event, a mini hacking competition for all the participants, and whoever wins it gets a special medal. This limited edition medal is only given to those who successfully manage to capture all the flags and present to the participants how they won it.

The GPEN CTF was much harder than GWAPT. Only after the event was over did the trainer confess that there were no vulnerable machines for us to exploit and we had to find other weaknesses in the system instead. So it was a disappointment when we found NOTHING after running tools like Nessus and the NMAP vuln NSE scripts. There were both Linux and Windows machines and we had to think out of the box to get the flags! It wasn't as straightforward as I would have thought. Even the CTF organized by Symantec previously wasn't as tough as this. We needed to know how to use password cracking/guessing tools, and had to know how to sniff and analyze traffic using Wireshark/tcpdump. We had to know how to crack the hashes and compile an exploit to try and exploit a Linux machine! And who would have guessed that one of the flags was stored in VoIP traffic!!!??? It was quite a tough 3-4 hr event.

And eventually, despite all the toughness, our team won and was the only team to capture all the flags after the hour was over.

Here are some pictures: 

The Course

The Training Room

One of the Chapters

The Trainer

The Books

Posing beside the SANS banner

The Medals

Our team with the medals

Me with the GPEN Medal

The Medal Close Up


For more information about the GIAC GPEN course: 



Thursday, 24 October 2013

RDP Auditing Tool

Tired of testing or brute forcing with individual credentials? Fear not, xTSCrack is here to make it automatic!


You can download the tool from : http://www.4shared.com/get/HTJog7YJ/xtscrack-09.html

This tool has the following cool features:
---> Test for weak password automatically;
---> Test for weak/user passwords;
---> Wordlist option;
---> Userlist option;
---> Configurable port;
---> Range IP Address audit and more.


The main window

Inputting the Userlist and Wordlist

Password Found!!!



Tuesday, 6 August 2013

Windows Remote Desktop Protocol Weak Encryption Method Allowed - Validating the Findings

Results from Qualys Scan

ISSUE:
-Windows Remote Desktop Protocol Weak Encryption Method Allowed

THREAT:
Remote Desktop Protocol is a protocol by which Terminal Services provides desktop-level access to a remote user. It can be used to remotely log in and interact with a Windows machine.
Since RDP transfers sensitive information about the user and the system, it can be configured to use encryption to provide privacy and integrity for its sessions. It is possible to configure RDP to use encryption algorithms that are considered insecure, such as RC4 40-bit and RC4 56-bit.

IMPACT:
If an attacker has access to the network traffic of RDP sessions using weak encryption methods, then it will be possible for them to brute-force the encryption parameters and compromise the privacy of the RDP session.

SOLUTION:
RDP needs to be configured to use strong encryption methods or to use SSL as the privacy and integrity provider. To configure RDP encryption methods, the 'Terminal Services Configuration' snap-in can be launched in mmc.exe. In the 'Terminal Services Configuration' properties dialog box, on the General tab, 'High' should be selected for the Encryption Level.

LINKS:
http://technet.microsoft.com/en-us/library/cc770833.aspx
https://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation


Validating the Findings
In order to validate the findings, we use additional tools to see if we can get the same output as the Qualys scan. In this case, Qualys detected that the encryption algorithms allowed are RC4 40-bit and RC4 56-bit, hence our objective is to use other tools to get that same information.

Using NMAP

nmap -p 3389 --script rdp-enum-encryption <ip>


Using Perl Script

Download the package using wget
#wget http://labs.portcullis.co.uk/download/rdp-sec-check-0.8.tar.gz

Extract the package
#tar -xvzf rdp-sec-check-0.8.tar.gz

Run the script from the extracted directory (the script is named rdp-sec-check.pl)
#./rdp-sec-check.pl <IP address>
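Both tools above work by reading the server's answers during the RDP connection handshake. The following Python script is an added example (it is not from the original post, and it is not code from Nmap or Portcullis) that performs the first step of that handshake on its own: it sends an X.224 Connection Request carrying an RDP Negotiation Request and classifies the Connection Confirm the server returns, which tells you whether the server will put the session on TLS/CredSSP (Enhanced RDP Security) or on the RC4-based Standard RDP Security layer that the Qualys finding is about. The function names, the probe helper and the three sample replies are assumptions constructed for this walkthrough, not captures from a real host.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags from MS-RDPBCGR 2.2.1.1.1
PROTOCOL_RDP = 0x00000000        # Standard RDP Security (RC4 40/56/128 negotiated later)
PROTOCOL_SSL = 0x00000001        # TLS as the security layer (Enhanced RDP Security)
PROTOCOL_HYBRID = 0x00000002     # CredSSP / Network Level Authentication over TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)  # type, flags, length, protocols
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req  # CR code, DST-REF, SRC-REF, class 0
    x224 = bytes([len(body)]) + body                      # length indicator counts everything after it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Classify the X.224 Connection Confirm the server sends back.

    result is 'negotiated' (RDP_NEG_RSP present), 'failure' (RDP_NEG_FAILURE) or
    'legacy' (no negotiation structure at all, i.e. a server that only speaks
    Standard RDP Security). standard_rdp_security is True when the session would
    end up on the RC4-based Standard RDP Security layer."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed reply")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the data received")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:                      # fixed part only: pre-negotiation server
        return {"result": "legacy", "selected_protocol": PROTOCOL_RDP,
                "standard_rdp_security": True}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("unexpected RDP negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"result": "negotiated", "selected_protocol": value,
                "standard_rdp_security": value == PROTOCOL_RDP}
    if ntype == TYPE_RDP_NEG_FAILURE:
        # code 2 means the server cannot do TLS at all, so only Standard RDP
        # Security (and its RC4 methods) is on offer
        return {"result": "failure", "failure_code": FAILURE_CODES.get(value, value),
                "standard_rdp_security": value == 2}
    raise ValueError("unknown negotiation structure type %#x" % ntype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during X.224 handshake")
        buf += chunk
    return buf


def probe_security_layer(host, port=3389, timeout=5):
    """Run the exchange against a live host (hypothetical helper, not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        head = _recv_exact(sock, 4)
        total = struct.unpack(">H", head[2:4])[0]
        return parse_connection_confirm(head + _recv_exact(sock, total - 4))


# Constructed sample replies (assumptions for the walkthrough, not captures):
SAMPLE_TLS_SELECTED = bytes.fromhex("03000013 0ed0000012340002000800 01000000")
SAMPLE_TLS_NOT_ALLOWED = bytes.fromhex("03000013 0ed0000012340003000800 02000000")
SAMPLE_LEGACY_SERVER = bytes.fromhex("0300000b 06d000001234 00")

if __name__ == "__main__":
    for name, reply in [("TLS selected", SAMPLE_TLS_SELECTED),
                        ("TLS not allowed", SAMPLE_TLS_NOT_ALLOWED),
                        ("legacy server", SAMPLE_LEGACY_SERVER)]:
        print(name, parse_connection_confirm(reply))
```

This probe only reports which security layer the server picked. The RC4 40-bit and 56-bit methods that Qualys flags are negotiated later, inside the MCS Connect Initial/Response that rdp-enum-encryption and rdp-sec-check parse, so it complements rather than replaces them: a server that answers PROTOCOL_SSL or PROTOCOL_HYBRID never uses those methods at all (the "use SSL" option in the Qualys solution), while a legacy reply or a PROTOCOL_RDP selection means the Encryption Level setting of 'High' is what keeps 40/56-bit keys out.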



References:


Sunday, 30 June 2013

SSLv2 Deprecated Protocol - Validating the Findings

In this post, we will look at some tools used to check whether a web server still accepts SSL version 2 connections.



SSLv2 Deprecated Protocol as stated by Acunetix
Ref: http://www.acunetix.com/vulnerabilities/ssl-2-0-deprecated-protoc/

Description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.

Detailed Information
The remote service accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been deprecated.

Impact
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Recommendation
Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

OWASP Testing Guide

Testing for SSL-TLS (OWASP-CM-001)


THE TOOLS 

Using Nmap on BackTrack
#nmap -sV -p 443 --script sslv2 <host>


Using SSLscan on BackTrack
#sslscan --no-failed <host>


Using Openssl on BackTrack
#openssl s_client -sslv2 -host <target> -port 443
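All three commands above do the same thing under the hood: they send an SSLv2 CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO. The Python script below is an added example (not from the original post, and not code from Nmap, sslscan or OpenSSL) that does exactly that exchange by hand, so you can see what a "SSLv2 supported" result actually consists of and re-check a server after disabling the protocol. The function names, the probe helper and the two sample replies are assumptions constructed for this walkthrough, not captures from a real server.

```python
import os
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSL 2.0 specification
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, in a 2-byte record header."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(ciphers), 0, len(challenge))   # session-id length 0: nothing to resume
    body += ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body   # high bit set: 2-byte header, no padding


def parse_server_reply(data):
    """Decide whether data is an SSLv2 SERVER-HELLO and, if so, list the cipher kinds offered."""
    if len(data) < 2 or not (data[0] & 0x80):
        # empty reply, TLS alert (0x15 ...) or a TLS handshake record: no SSLv2
        return {"sslv2": False, "reason": "no SSLv2 record header"}
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return {"sslv2": False, "reason": "record is not a SERVER-HELLO"}
    (_, _session_hit, _cert_type, version,
     cert_len, ciph_len, conn_len) = struct.unpack(">BBBHHHH", body[:11])
    if version != SSLV2_VERSION:
        return {"sslv2": False, "reason": "SERVER-HELLO version %#06x" % version}
    off = 11 + cert_len                       # cipher specs follow the certificate bytes
    cipher_bytes = body[off:off + ciph_len]
    ciphers = [SSLV2_CIPHERS.get(cipher_bytes[i:i + 3], cipher_bytes[i:i + 3].hex())
               for i in range(0, len(cipher_bytes) - len(cipher_bytes) % 3, 3)]
    return {"sslv2": True, "ciphers": ciphers,
            "certificate_bytes": cert_len, "connection_id_bytes": conn_len}


def probe_sslv2(host, port=443, timeout=5):
    """Run the exchange against a live host (hypothetical helper, not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""          # a server that ignores SSLv2 often just stays silent
    return parse_server_reply(reply)


# Constructed sample replies (assumptions for the walkthrough, not captures):
SAMPLE_SSLV2_SERVER_HELLO = bytes.fromhex(
    "8024"             # record header: 36-byte body, no padding
    "04 00 01 0002"    # SERVER-HELLO, session-id-hit 0, cert-type X.509, version 2
    "0003 0006 0010"   # certificate, cipher-specs and connection-id lengths
    "435254"           # 3-byte stand-in for the DER certificate
    "010080 0700c0"    # RC4_128_WITH_MD5 and DES_192_EDE3_CBC_WITH_MD5
    + "00" * 16)       # connection id
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")   # TLS alert record: protocol_version

if __name__ == "__main__":
    print("SSLv2 server:", parse_server_reply(SAMPLE_SSLV2_SERVER_HELLO))
    print("TLS-only server:", parse_server_reply(SAMPLE_TLS_ALERT))
```

The answer you want after remediation is `{"sslv2": False, ...}`: a hardened server either closes the connection, stays silent, or sends a TLS alert record, none of which carry the SSLv2 record header. Note that the cipher list in a SERVER-HELLO is what the server is willing to use, so seeing the 40-bit export kinds there is a separate weakness on top of SSLv2 itself.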


Using SSL Audit


Using Qualys
Note: Be careful when using the online Qualys SSL checker, as the result will be stored permanently in the Qualys results database and made publicly available.


Result of the online Qualys SSL Checker


Using Acunetix



THE SOLUTION: DISABLING SSLv2


1) Disable SSLv2 and Weak Ciphers

2) Disable SSLv2 on Windows Server 2008 (IIS 6 and 7)

3) Disable SSLv2 and Force to use SSLv3 and TLS v1 in IIS
4) Disabling Weak SSL Protocol and Ciphers in IIS

5) Disabling SSLv2 in IIS 7

6) Official M$ guide to Disable SSLv2

7) Disabling SSLv2 in IIS 7 and 7.5