Tag Archives: Pentest

The Evil CVE: CVE-666-666 – “Report Not Read”

I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he sometimes does not hesitate to add to his report a specific finding about the lack of attention given to the previous reports. Some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, but what if they don’t even seem to read the report and take it into account to improve their security level? What if the same security issues are discovered during the next tests? This does not motivate the pentester and costs a lot of money for nothing.

The idea of the “evil” CVE popped up during our chat. What about a specific CVE number to report the issue of not reading previous reports? As defined by Wikipedia, the “Common Vulnerabilities and Exposures” (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. And a vulnerability can be defined as a weakness in a product or infrastructure that could allow an attacker to compromise the integrity, availability or confidentiality of that product or infrastructure.

Based on this definition, not reading the previous pentest report and not taking the corrective actions it lists is a new vulnerability! A good pentest report should contain vulnerabilities and mitigations to remove (or reduce) the associated risks. It is stupid not to read the report and apply the mitigations, even more so when some of them can be quickly (and sometimes cheaply) implemented. Think about the evil CVE-666-666 while writing your future reports! Note that the goal is not to blame the customer (who also pays you!) but to educate them.


My Little Pwnie Box

As a pentester, I’m always trying to find new gadgets/tools to improve my toolbox. A few weeks ago, I received my copy of Dr Philip Polstra’s book: “Hacking and Penetration Testing with Low Power Devices” (ISBN: 978-0-12-800751-8). I had a very interesting chat with Phil during the last BruCON edition and I was impressed by his “lunch box”. That’s why I decided to buy his book.


Book Review: Penetration Testing – A Hands-On Introduction to Hacking

A few weeks ago I bought Georgia Weidman’s book about penetration testing: “A Hands-On Introduction to Hacking”. Being overloaded by many projects, I only finally finished reading it, and it’s now time to write a quick review. Georgia is an awesome person. There are not many recognized women in the information security landscape and Georgia is definitely one of them; I have already met her a few times during security conferences! She started her own company, she’s a great speaker and the author of the SPF (“Smartphone Pentesting Framework”). That’s why I did not hesitate to buy her book.

The book title contains the word “Introduction” and, as Georgia explains in her introduction, this is the kind of book that you dream of when jumping into the penetration testing business. It indeed covers many topics, but don’t be fooled by the title: it contains many tips and examples that could also be useful to experienced pentesters. Why? Sometimes people ask me how to “work in security” and I always compare information security to medicine. You have many specializations. This is even truer for a pentester: web applications, reverse engineering, wireless, mobile devices, etc. It’s practically impossible to have strong knowledge of all those ever-changing topics! That’s why Georgia’s book is a good reference. This is a technical book which focuses on practical examples.


Infosec vs. Airplane Security

In a previous post, I spoke about the importance of the “context” during a pentest. In a recent project, I faced a situation similar to airplane crashes. Let me explain this… Despite the fact that the crash of an airplane sometimes results in a huge number of deaths at once, airplanes can be considered safe. Statistically, flying is less dangerous than driving to the airport in your car! Modern airplanes are very reliable: they all have multiple engines, and they are designed to be able to fly with one of them out of service. The cabin crew is also trained to fly in such conditions. Airplanes are also regularly under maintenance and inspected from A to Z.


Pwned or not Pwned?

Just before the announcement of the Full-Disclosure shutdown a few days ago, a thread generated a lot of traffic and finally turned into a small flame war. At the beginning of the month, a security researcher reported a vulnerability found on YouTube. According to him, the Google service was suffering from a file upload vulnerability. Reading this kind of post is juicy! Accepting files sent by visitors is always a touchy feature on a website. For example, if you allow your users to upload images to create an avatar, you must implement proper controls to be sure that the uploaded file is in the correct format and does not contain any malicious code. I won’t describe how to protect against this vulnerability, and even less discuss the Full-Disclosure thread, but it reveals an important fact: the severity of an issue is linked to its “context”…


Fixing SET 5.0.3 & Metasploit 4.6.0

A quick post to share with you my feedback about an issue I faced after a SET (“Social Engineering Toolkit”) upgrade to the latest version (5.0.3). SET is a wonderful tool that you must master. I’m using SET on an EC2 instance because it does not interfere with my other IP addresses and I can enable all ports without any issue (nothing else is running on this instance). (Note that Amazon has a specific policy on pentesting from their infrastructure; have a look here.)


Book Review: BT5 Wireless Penetration Testing

Finally, I found some time to write my review of another book: “BackTrack 5 Wireless Penetration Testing”. The book was written by Vivek Ramachandran. Good coincidence? Vivek was present during the last edition of BruCON and gave a workshop called “Wi-Fi malware for fun and profit”. Being quite busy during the conference, I didn’t have a lot of free time to attend workshops. This book was a good opportunity to learn new stuff…

Wireless networks have something “exciting” from a security perspective: everybody uses them daily, even if we agree that a lot of them are completely insecure. Everything has been said, tested and … exploited!

Let’s review the book! The first chapter starts with the classic steps to build your own lab (reminder: never test your attacks against a network you don’t own). Then a chapter is dedicated to reviewing the basics of wireless networks: the different types of frames, and how to sniff and inject packets.

Chapters three and four explain how to bypass wireless authentication mechanisms: first, simple protections like hidden SSIDs, MAC filtering and shared-key authentication; then, the classic encryption protocols (WEP, WPA, WPA2). Each protocol is reviewed (how it works), then an attack scenario is described step by step. Maybe the most important conclusion of this chapter is:

WPA/WPA2 is cryptographically un-crackable currently, however, under special circumstances, such as when a weak passphrase is chosen in WPA/WPA2-PSK, it is possible to retrieve the passphrase using dictionary attacks.

The fifth chapter focuses on the wireless infrastructure: how to attack the access points (DoS, MAC spoofing and rogue access points). After the infrastructure, the next chapters (seven and eight) address the client: honeypot attacks, the Caffe Latte attack (created by Vivek himself), MitM attacks and session hijacking. Chapter nine covers WPA-Enterprise (with RADIUS authentication). Finally, the last chapter is a big summary: how to conduct a pentest using all the techniques described previously.

What did I learn by reading this book? I’m just a dumb occasional aircrack-ng user. I have already cracked some WEP and WPA keys during audits or in labs, no more, no less. In fact, there are plenty of interesting options and techniques to stress-test wireless networks (always without breaking any law, of course!). Regarding the way the book is organized, I liked the numerous screenshots! All commands are described with screen captures. It’s written like a recipe: just follow all the steps! If your job requires knowledge of wireless network security, this book is a must!

More information about the book here.

Review: BT4: Assuring Security by Penetration Testing

If you are working in the “information security” field, you must know the BackTrack distribution (otherwise you must be an alien coming from a faraway planet!). If you search for the word “backtrack” on Amazon, you will find a lot of references, but only one book is fully dedicated to the Linux distribution: “BackTrack 4: Assuring Security by Penetration Testing”. I received a copy directly from the publisher and here is my review.

Just for those who are not familiar with BackTrack: it’s a Linux distribution made by security professionals for security professionals. It contains hundreds of tools to perform security assessments and penetration tests. Some of them are well known, like Metasploit, WebScarab or sqlmap, and others are real gems (example: ua-tester, which was added recently) that increase the quality of the toolbox version after version.

Even if BackTrack 5 was released a few weeks ago, that does not reduce the book’s quality. There are so many tools that a single volume is not enough to cover all of them. I was also surprised to read the name of my friend Peter “corelanc0d3r” Van Eeckhoutte as a reviewer of the book.

The first chapter can be quickly skipped, unless you are a beginner with BackTrack. It gives the required information to install the distribution on a computer. Nothing fancy; readers must have Linux/UNIX knowledge!

The second chapter is more interesting and discusses the different penetration testing methodologies. I’ll skip the difference between white-box and black-box testing. The review of the different frameworks is useful and gives a good idea of how to start a project. If you are new to pentesting, you have to know that it’s maybe the most boring task ever: following a strict methodology and writing your report! Just one remark: the book remains focused on classic methodologies. You have to know that things are moving: there are new projects (like the PTES or “Penetration Testing Execution Standard”) which will become more and more important in the future (IMHO).

The following chapters cover the classic penetration testing schema:

  • Target scoping
  • Information gathering
  • Target discovery
  • Enumerating target
  • Vulnerability mapping
  • Social engineering
  • Target exploitation
  • Privilege escalation
  • Maintaining access
  • Documentation and reporting

Each chapter reviews the most interesting tools (according to the authors) to achieve the chapter topic. Tools are briefly explained with examples. Straight to the point!

So, who needs this book? The authors’ goal is certainly not to give recipes on “how to hack a website”. The book must be seen as a reference for those who already know the BackTrack distribution or who want to learn it. Don’t forget: this is just a toolbox, it does not exempt you from using your brain!

More information about the book here.

Why Is Physical (Network) Security Important?

When talking about security, companies often focus on the “security perimeter”. Inside this perimeter, you have the “good” guys and all the rest is considered the “wild” world, the Internet. Once you have passed the access controls, you are free to walk around and do what you want. Can you accept this from a security point of view? And this is true for physical security as well as network security. So often, I have found myself alone in corporate buildings where I could perform so many malicious actions! (I insist here on the “could” verb ;-))

A new wave of gadgets, called the “PlugBot” or the “Pwnie Express”, are available for sale on the Internet. The word “gadget” is not the most appropriate in this case; I would say “killer tools” instead. Those small boxes have the same size as a PLC adapter. This makes them extremely portable and discreet. They integrate a powerful toolbox:

  • 1.2 GHz CPU.
  • Local storage (expandable via memory cards).
  • Linux based.
  • Several communication ports (Ethernet, WiFi, 3G, Bluetooth) depending on the model.
  • A full set of useful tools (Metasploit, SET, nmap & co).

A full package for only a few bucks (starting from $220 for a Pwnie Express). This is a ridiculous investment compared to the profit that could be made by stealing data from companies. With the help of social engineering, it’s very easy to enter a company building and find an unprotected network patch! Some example scenarios:

  • Coffee & soda suppliers have full access to the building to restock their machines
  • Fax/printer maintenance is performed by external companies
  • Cleaning people / gardeners
  • Plumbers
  • Contractors
  • Visitors
  • Inside intruders (don’t underestimate them!)

Pentesters will like this! Once connected to your network, game over, you are 0wn3d! The device will be remotely accessible via WiFi or 3G. The attacker will have plenty of time to plan his attacks without fear of being discovered. It completely changes the pentester’s perspective. Really nice. But from the other point of view, how do you protect yourself against this type of intrusion? There are two approaches that must be combined: enforce a physical security policy and enforce network controls.

The first one, physical security, is easy to understand but not always easy to implement. The golden rule is: nobody can be allowed to access your premises without a prior identity check, a valid reason for access and a contact person:

  • Visitors must be clearly identified and their access logged (time-in, time-out). They must wear a visible “visitor” badge.
  • Visitors cannot be left alone and must always be accompanied by a team member.
  • Visitors must stay in their allowed area (ex: a meeting room).
  • Visitors must leave their luggage at the reception and carry only the required items.

Regarding network security, some best practices can reduce the risk. First, implement network segmentation! Networks must be classified based on the data passing over them, and access to them must be restricted based on their classification. Why allow access to the server VLAN from a meeting room? Tools and configurations can be used to increase your network security. They can be grouped in two categories: prevention and detection.

Prevention covers the techniques and solutions that will (or at least try to) stop attacks from happening. Conversely, detection is the implementation of controls to detect and notify about ongoing attacks. Both are part of a defense-in-depth model. If prevention fails (and keep in mind that it will!), detection will raise an alert.

Here are some recommendations:

Solution | Prevention | Detection
Shut down unused ports on switches. “shut” is your best friend command on Cisco switches. Don’t leave ports “open”, or at least put them in a default (safe) VLAN. | x |
Activate MAC address learning on switches. Major switches implement a control on the MAC addresses. If a new MAC address is detected, the port can be automatically disabled. | x |
Implement a NAC (“Network Access Control”) solution. Based on free (like PacketFence) or commercial tools/protocols (802.1X, VMPS), a NAC can allow/deny access to your network and report problems. | x | x
Implement network segmentation (read: don’t put all your eggs in the same basket). Unknown devices must be connected to an untrusted VLAN. A “guest” VLAN can be created for temporary Internet access (on demand!). | x |
Implement MAC address detection. Using tools like arpwatch, unknown MAC addresses can be detected on a network. | | x
Monitor port status on switches. Except on access switches, once a device is connected, it remains in the same state. Monitor the port status changes on your switches; they could hide suspicious activity. | | x
Lock public network ports / wall plugs. Don’t leave unattended ports in public areas (reception, meeting rooms, etc). Use locks. | x |
Look for suspicious traffic! It’s always interesting to analyze your network flows for suspicious traffic. | | x
Enable host-based firewalls / ACLs. All hosts must implement an ACL/firewall to restrict access to authorized people/hosts only. | x |
Use WiFi scanners to detect rogue wireless access points. | x | x
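As an added example (not code from the original post, and independent of any vendor’s tooling), here is a small Python script that implements the two detection rows of the table above in a portable way: it compares a switch’s MAC address table against an inventory of known devices (the idea behind arpwatch) and diffs two polls of port states to flag a port that was “shut” coming back up. The device names, MAC addresses, port names, VLAN numbers and the simplified MAC-table layout are all constructed for the example.

```python
"""Detect unknown stations and unexpected port state changes on a switch.

Added example, not part of the original post: a minimal, vendor-neutral
version of the "MAC address detection" and "monitor port status" controls.
"""
import re
from dataclasses import dataclass

# Inventory of devices allowed on the network, keyed by MAC address.
# Constructed sample data: names, MACs, ports and VLANs are made up.
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": {"name": "fileserver-01", "port": "Gi1/0/1", "vlan": 10},
    "00:11:22:aa:bb:02": {"name": "printer-lobby", "port": "Gi1/0/12", "vlan": 20},
    "00:11:22:aa:bb:03": {"name": "laptop-alice", "port": "Gi1/0/20", "vlan": 30},
}

# Constructed snapshot of a MAC address table, one "<mac> <vlan> <port>" entry
# per line. This is a simplified layout, not a real vendor's "show" output.
MAC_TABLE_SNAPSHOT = """\
00:11:22:aa:bb:01 10 Gi1/0/1
00:11:22:aa:bb:02 20 Gi1/0/12
00:11:22:aa:bb:03 30 Gi1/0/21
de:ad:be:ef:00:01 10 Gi1/0/7
"""

MAC_LINE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Alert:
    severity: str
    mac: str
    port: str
    reason: str


def parse_mac_table(text):
    """Turn the snapshot text into (mac, vlan, port) tuples; reject junk lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable MAC table line: {line!r}")
        entries.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
    return entries


def detect_unknown_stations(text, known=KNOWN_DEVICES):
    """Flag MACs missing from the inventory, or known MACs on the wrong port/VLAN."""
    alerts = []
    for mac, vlan, port in parse_mac_table(text):
        dev = known.get(mac)
        if dev is None:
            alerts.append(Alert("high", mac, port, f"unknown MAC in VLAN {vlan}"))
        elif dev["port"] != port:
            alerts.append(Alert("medium", mac, port, f"{dev['name']} expected on {dev['port']}"))
        elif dev["vlan"] != vlan:
            alerts.append(Alert("medium", mac, port, f"{dev['name']} expected in VLAN {dev['vlan']}"))
    return alerts


def port_state_changes(previous, current):
    """Diff two polls of port states; any change is worth a look on access switches."""
    changes = []
    for port in sorted(set(previous) | set(current)):
        before = previous.get(port, "absent")
        after = current.get(port, "absent")
        if before != after:
            changes.append((port, before, after))
    return changes


# Constructed port-state polls: Gi1/0/7 was administratively shut and is now up.
PORTS_BEFORE = {"Gi1/0/1": "up", "Gi1/0/7": "admin-down", "Gi1/0/12": "up",
                "Gi1/0/20": "up", "Gi1/0/21": "down"}
PORTS_AFTER = {"Gi1/0/1": "up", "Gi1/0/7": "up", "Gi1/0/12": "up",
               "Gi1/0/20": "down", "Gi1/0/21": "up"}

if __name__ == "__main__":
    for a in detect_unknown_stations(MAC_TABLE_SNAPSHOT):
        print(f"[{a.severity}] {a.mac} on {a.port}: {a.reason}")
    for port, before, after in port_state_changes(PORTS_BEFORE, PORTS_AFTER):
        print(f"port {port}: {before} -> {after}")
```

Run as-is, the script reports the laptop showing up on a port other than the one it is inventoried on, the unknown MAC on Gi1/0/7, and the three port state changes, including the previously shut Gi1/0/7 coming up. In a real deployment the snapshot and port polls would come from SNMP or the switch CLI, and the alerts would be sent to whatever notification channel the team watches.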

This proves, once again, that the good old security perimeter is definitely dead! Don’t trust any device or traffic seen on the “internal” side of your network. If we can still call it “internal”…

Easy Decryption of Facebook Passwords

All good pentesters have their own “survival kit” with a lot of tools and scripts grabbed here and there. Here is a new one, released a few days ago: FacebookPasswordDecryptor.

“FacebookPasswordDecryptor – small, simple, free, and yet truly reliable application that helps you recover stored Facebook account passwords, quickly and easily. Truly great little tool that works like a charm. Highly-recommended.”

Again, the well-known social website is a nice target for pentesters. But this time, no brute-force attack nor invasive cracking. The real targets are just the tools used to store the credentials and their poorly implemented security. More details about how the applications store the Facebook passwords are available here.

Once installed, it will scan stored data of the following applications:

  • Internet Explorer (all versions from 4 to the newest)
  • Firefox
  • Google Chrome
  • Opera Browser
  • Paltalk Messenger
  • Miranda Messenger

If interesting stuff is found, just click on “Show password” to reveal it:

[Screenshot: FacebookPasswordDecryptor]

You can install the tool in your regular Windows environment but, even more interesting, there is a portable version which can be used right from a USB stick…

As a conclusion (or reminder), do NOT store your passwords in your browsers/instant messaging applications! Use a strong password manager.

The application can be downloaded here.