Tag Archives: Software

Improving File Integrity Monitoring with OSSEC

FIM or “File Integrity Monitoring” can be defined as the process of validating the integrity of operating system and application files with a verification method using a hashing algorithm like MD5 or SHA1, then comparing the current file state with a baseline. A hash allows the detection of changes to file content, but other attributes can be checked too: owner, permissions, modification time. Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also applications (monitoring your index.php or index.html can reveal a defaced website).

During its implementation, a file integrity monitoring project may face two common issues:

  • The baseline used for comparison with the current file status must of course be trusted. To achieve this, it must be stored in a safe place where an attacker cannot find it and cannot alter it!
  • The process must be fine-tuned to react only on important changes; otherwise there are two risks: the real suspicious changes will be hidden in the massive flow of false positives, and the people in charge of the control could miss interesting changes.
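As an added example (not OSSEC's code and not from the post), the following Python builds a baseline of hash, owner, mode and mtime for a directory tree, seals it with an HMAC so a stored baseline cannot be silently altered (the key is kept off the monitored host), and compares a later scan against it while ignoring noise-only changes; the ignored suffixes and the "mtime-only is noise" rule are assumptions to tune for your own environment.

```python
import hashlib
import hmac
import json
import os
import stat


def file_state(path):
    """Attributes compared per file: content hash plus owner, permission bits and mtime."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "uid": st.st_uid,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root, ignore_suffixes=(".log", ".pid", ".swp")):
    """Record the state of every regular file under root, skipping known-noisy files
    (the suffix list is an assumption; tune it to what really churns on your hosts)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ignore_suffixes) or os.path.islink(path):
                continue
            baseline[os.path.relpath(path, root)] = file_state(path)
    return baseline


def seal(baseline, key):
    """Serialise the baseline and attach an HMAC tag; keep the key off the monitored host
    so an attacker who can edit the stored baseline cannot recompute a valid tag."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_seal(body, tag, key):
    """True only if the stored baseline still matches its tag."""
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)


def compare(baseline, current, ignore_mtime_only=True):
    """Return {relpath: [what changed]}; a bare mtime bump with identical content,
    owner and mode is treated as noise when ignore_mtime_only is set."""
    findings = {}
    for rel in set(baseline) | set(current):
        if rel not in current:
            findings[rel] = ["removed"]
        elif rel not in baseline:
            findings[rel] = ["added"]
        else:
            diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diff and not (ignore_mtime_only and diff == ["mtime"]):
                findings[rel] = diff
    return findings
```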

There are plenty of tools which implement FIM, commercial as well as free. My choice went to OSSEC a while ago. My regular followers know that I already posted a lot of articles about it. I also contributed to the project with a patch to add geolocation to alerts. This time, I wrote another patch to improve the file integrity monitoring feature of OSSEC.


The Race For Resources

Today, disk space is not an issue for most of us. I remember when my father came back home with my first hard drive (80MB!) for my Amiga in the Nineties. My reaction was “Wow, we will never fill it!“. Today, if I add up all my storage at home, I’m above 10TB! And I’m sure that I will have to add more capacity in the coming months. No, this blog post is not related to “big data” but is more a reflection about how developers write applications today. Again, when I was learning programming languages, professors always reminded the students to keep an eye on their resources: memory, CPU cycles, I/O and storage. One of the golden rules was: “If you allocated memory, don’t forget to free it! malloc() means free()“. Yeah, at this time, there was no garbage collector. I’m a little bit nostalgic tonight! ;-) . Today, computer resources are not a problem anymore. Their prices continue to decrease and the reflex of most developers is just to add resources (“Your application is slow? Add 2 cores and 2 gig of memory“).

I’ll show you a good example of the explosion of resource requirements. Today I was performing some cleanup on my corporate laptop. Being a consultant, it runs plenty of tools such as management consoles provided by $VENDORS. Working for multiple customers running different versions of this product (a well-known firewall brand), I have different versions of the tools installed. Of course, I need to keep multiple versions because you need to use the right one to access the firewall running the corresponding version. Just have a look at this screenshot:

Console Tools Size


I wonder how much disk space the next version of the console will ask for…

Fixing SET 5.0.3 & Metasploit 4.6.0

A quick post to share with you my feedback about an issue I faced after a SET (“Social Engineering Toolkit“) upgrade to the latest version (5.0.3). SET is a wonderful tool that you must master. I’m using SET on an EC2 instance because it does not interfere with my other IP addresses and I can enable all ports without any issue (nothing else is running on this instance). (Note that Amazon has a specific policy about pentesting from their infrastructure; have a look here.)


Review: Penetration Testing – Setting Up a Test Lab How-To

I’m just back from an Easter break with $WIFE and $KIDS but it does not mean that I was completely disconnected. Between family activities, I read some items pending in my todo list. One of them was the book called “Penetration Testing – Setting Up a Test Lab How-To” from Packt Publishing. This is the second book I read from their “Instant” collection.

The book, written by Vyacheslav Fadyushin, has only 88 pages but goes straight to the point: helping you to set up your home lab to learn (or improve) your penetration testing skills. Building your own lab is a critical step. Most pentesting actions being against the law (wherever you are living), it is important to have safe (read: private) environments to test new tools, new attacks or exploits. Note that the targeted audience can be extended to security researchers, developers, etc. Everybody needs a lab!

The first part of the book describes the different pieces of software that will be used by the author. Today, it’s impossible to work without virtualization and the author covers briefly the pros and cons of most common virtualization solutions. His recommended list of software includes:

  • Microsoft Windows Server 2003 & 2008
  • Microsoft Windows XP & 7
  • Ubuntu Server 12.04LTS
  • Common web browsers (Mozilla, Chrome, Safari & IE)

Note that some of that software is commercial and requires a valid license to work (temporary or permanent). The pentester is of course responsible for buying it (or for finding it by his own means – no more comments). What about the hardware?

  • One “big” PC with many CPUs and memory
  • One Wireless router
  • One laptop
  • One Android mobile device

The author talks about a PC with “at least 4 GB RAM“. With today’s prices, my suggestion is to start directly with 16 GB RAM! The more you have, the more smoothly your guests will run. Of course, your future lab will depend on your requirements. To help you in this way, the author briefly describes the goals of pentesting in the next chapter and then gives interesting tables with the different skills you would like to practice and the required components. A few examples:

Skills to practice             Required components
----------------------------   --------------------------------------------------------
Discovery techniques           Several different hosts with various operating systems
Scanning techniques            Firewall
OWASP Top-10 vulnerabilities   Web server, database server and Web Application Firewall
Wireless attacks               Wireless router, RADIUS server, laptop
Tunneling                      Several hosts

The next chapters cover how to deploy your lab in different scenarios, again depending on your needs. Configurations are reviewed step by step with multiple screenshots. Finally, the author describes some online services to practice your skills, based on websites or specific virtual machines ready to be downloaded and exploited. The examples described in the book will address most of the requirements for standard pentesting projects, but some configurations or architectures will simply be impossible to reproduce at home.

More information about the book is available here.

Review: Wireshark Starter

Here is a quick review of a book about the well-known network sniffer: Wireshark. This book is part of a new collection called “Instant” edited by Packt Publishing. This is an interesting idea for people who don’t have time/don’t want to read a classic 200-page book or who need to go straight to the minimum to start using a tool. This book has 68 pages and is of course cheaper!


Signing Documents Using an Unsigned Application!

Belgium is a strange country… at various levels! For years, Belgium has been known as a country which quickly developed and distributed electronic identity cards (eID) to its citizens. Your eID can be used in multiple applications to perform citizen authentication and to sign documents. The number of applications and web sites keeps growing constantly. Private organizations can also integrate the eID in their applications! Looks great…

Today, I had to use my eID on my Macbook for the first time. Step one, download the software and install it. Piece of cake: I visited this page, downloaded the .dmg and installed it. I’m running the latest version of OS X, Mountain Lion. This one introduced a significant new feature called Gatekeeper, a new security system to help keep users from installing malicious applications on their machines.

Guess what? When I started the eID software, I got this nice warning:

eID Warning

I found this unfortunate from Fedict, the Federal Public Service for Information and Communication Technology, which is in charge of the eID infrastructure. I had to use my eID, so I temporarily decreased the security level of Gatekeeper to perform a smooth installation, then I re-enabled the default settings. I don’t say the software is unsafe, but that’s a Belgian joke… Using unsigned software (at Apple level) to sign my documents!

Managing Apple iCloud Notes with Python

This is my first post in 2013! Every beginning of a new year, people tend to make a list of good resolutions. I also did, and one of them is to switch from Perl to Python to develop! Being a Perl addict for years, I don’t expect to completely abandon my beloved language but… I must be able to write better Python scripts! It’s a fact: Python is more and more chosen as the preferred language in many open source projects. I just started to read the book “Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers“. Based on my experience with Python, it looks very good and I hope to write a quick review soon. So, here is my first Python script!


Cuckoo 0.5 on OS X Mountain Lion

Claudio Guarnieri and his developers gave us a great gift to finish the year. A few days before Christmas, they released version 0.5 of Cuckoo, the open source malware analysis system. What’s new in this release? Plenty of nice stuff! I won’t review them here, have a look at the blog post published to announce this new release. While enjoying some holidays, I took the time to upgrade my Cuckoo environment. Basically, I’m running two different Cuckoo instances: one linked to my CuckooMX script to automate the analysis of attachments extracted from my SMTP flows, and one running on my Macbook for on-demand analysis and while I’m on the road. In the Cuckoo documentation, Ubuntu is referenced as the reference platform, but it does not mean that other operating systems can’t run Cuckoo! Here is some information I would like to share if you plan to install Cuckoo on Mac OS X.

I’m running Mountain Lion (10.8.1) on my Macbook. The good news: Python 2.7 is the default version enabled on Mac OS and is recommended to run Cuckoo. The installation is pretty straightforward: deploy the tarball in your preferred directory and review the *.conf files in the conf/ directory. But the very first (and critical!) step is to have a valid Python and libraries environment. First, check that your active version of Python is 2.7:

snowwhite:~ xavier$ python -V
Python 2.7.2

Then install the required Python dependencies. To manage my Python libraries, I’m using the easy_install script. In my environment, I had to install the following ones:

snow-white:~ xavier$ easy_install sqlalchemy
snow-white:~ xavier$ easy_install Jinja2
snow-white:~ xavier$ easy_install Bottle

The last library is required by web.py (the Cuckoo web front-end). Since version 0.4, Cuckoo has completely changed the way it analyses network traffic. Today, it uses tcpdump to capture packets and generate a .cap file. Then, the content is analysed with the dpkt library. I was not able to install it via easy_install. Just download the latest version, extract it and install it manually:

snow-white:~ xavier$ wget \
'http://dpkt.googlecode.com/files/dpkt-1.7.tar.gz'
snow-white:~ xavier$ tar xzf dpkt-1.7.tar.gz
snow-white:~ xavier$ cd dpkt-1.7
snow-white:dpkt-1.7 xavier$ python setup.py install

Once Cuckoo is installed, you must prepare your virtual machine(s) to analyse malware. The documentation is very clear, but the network configuration is a little bit tricky. There are two main requirements:

  • Cuckoo must talk to the virtual machine. A Python script is running on the guest to handle XMLRPC requests.
  • Cuckoo must be able to see (and capture) all the traffic generated by the guest.

If you travel a lot like me, you must have an easy setup which will work in all environments. The best way to set up the network connectivity for your guest is the “host-only” networking feature (I’m using VirtualBox; please refer to your own virtualisation environment to find the corresponding connectivity). By definition, a “host only” network permits only traffic between multiple guests and the host using a private subnet. How to allow a guest to access the Internet? If it’s easy in a Linux environment (using iptables), how to achieve the same with OS X? No stress, it’s also easy!

First, make your OS act as a router:

snow-white:~ xavier$ sudo sysctl -w net.inet.ip.forwarding=1

Then, enable NAT. No need to play with firewall rules on OS X, there is a nice daemon which takes care of this job. Note: ‘en0‘ is the interface used to get your Internet connectivity; change it to yours if different.

snow-white:~ xavier$ sudo natd -interface en0

Finally, add a firewall rule to divert traffic through natd:

snow-white:~ xavier$ sudo ipfw add divert natd ip from \
any to any via en0

Boot your guest and try to access the Internet: it works! My ‘host-only’ network interface is vboxnet0. Inspect the traffic with tcpdump; you should see all the traffic between the guest and the Internet. Two important remarks:

  • For security reasons, I do not execute the commands above at boot time. I prefer to start a small script before launching Cuckoo. Having your OS X acting permanently as a router is not recommended.
  • When you analyze malware, some malicious traffic could potentially be sent outside your OS X via the same network interface used for your regular traffic. This could get your OS X detected as “malicious” and generate alerts or unexpected behaviors like being completely banned from the network! Don’t do this on a corporate LAN.

Please post your comments or tips to use Cuckoo in an OS X environment! Happy New Year and happy malware analysis!

Database Tables and Rows: Security by Obscurity Is Sometimes Helpful!

“Security by obscurity is bad!“… Most infosec professionals will tell you this. The principle is to implement security by hiding stuff in the installation of tools or solutions. Often, people using security by obscurity believe that their stuff will be properly protected (not found by the attackers). But this technique will protect you only during the reconnaissance phase of the attack. It will just make the attacker’s task of gathering interesting information more difficult.

After Alexander Kornbrust’s talk during the last edition of HashDays about self-defending databases, a question popped up in my mind: it could be interesting to know what are the most commonly used table and row names in databases. This could help to track suspicious queries sent to SQL engines. So, what are the preferred words used by developers?

A few days ago, I found an interesting piece of code via my tool pastemon.pl on pastebin. The code was very suspicious and was quickly deleted by the Pastebin team! But I have a local copy! Basically, it’s an IRC bot written in Perl which connects back to an IRC channel and performs queries on multiple search engines to grab SQL URLs returning errors. Its purpose is to search for websites vulnerable to SQL injection. But the most interesting part was the data searched by the bot. The source code contains interesting information, exactly what I was looking for: table and row names!

my @tabele = ('admin','tblUsers','tblAdmin','user','users',
              'username','usernames','usuario','name','names',
              'nombre','nombres','usuarios','member','members',
              'admin_table','miembro','miembros','membername',
              'admins','administrator','administrators',
              'passwd','password','passwords','pass','Pass',
              'tAdmin','tadmin','user_password','user_passwords',
              'user_name','user_names','member_password','mods',
              'mod','moderators','moderator','user_email',
              'user_emails','user_mail','user_mails','mail',
              'emails','email','address','e-mail','emailaddress',
              'correo','correos','phpbb_users','log','logins',
              'login','registers','register','usr','usrs','ps',
              'pw','un','u_name','u_pass','tpassword','tPassword',
              'u_password','nick','nicks','manager','managers',
              'administrador','tUser','tUsers','administradores',
              'clave','login_id','pwd','pas','sistema_id',
              'sistema_usuario','sistema_password','contrasena',
              'auth','key','senha','tb_admin','tb_administrator',
              'tb_login','tb_logon','tb_members_tb_member',
              'tb_users','tb_user','tb_sys','sys','fazerlogon',
              'logon','fazer','authorization','membros',
              'utilizadores','staff','nuke_authors','accounts',
              'account','accnts','associated','accnt','customers',
              'customer','membres','administrateur','utilisateur',
              'tuser','tusers','utilisateurs','password',
              'amministratore','god','God','authors','asociado',
              'asociados','autores','membername','autor',
              'autores','Users','Admin','Members','Miembros',
              'Usuario','Usuarios','ADMIN','USERS','USER',
              'MEMBER','MEMBERS','USUARIO','USUARIOS','MIEMBROS',
              'MIEMBRO');

my @kolumny  = ('admin_name','cla_adm','usu_adm','fazer','logon',
                'fazerlogon','authorization','membros',
                'utilizadores','sysadmin','email','user_name',
                'username','name','user','user_name',
                'user_username','uname','user_uname','usern',
                'user_usern','un','user_un','mail','usrnm',
                'user_usrnm','usr','usernm','user_usernm','nm',
                'user_nm','login','u_name','nombre','login_id',
                'usr','sistema_id','author','sistema_usuario',
                'auth','key','membername','nme','unme','psw',
                'password','user_password','autores','pass_hash',
                'hash','pass','correo','userpass','user_pass',
                'upw','pword','user_pword','passwd','user_passwd',
                'passw','user_passw','pwrd','user_pwrd','pwd',
                'authors','user_pwd','u_pass','clave','usuario',
                'contrasena','pas','sistema_password','autor',
                'upassword','web_password','web_username');

The origin of the bot is clear: Poland (“kolumny” means columns in Polish). But the authors also targeted Spanish databases according to the table names (“usuario“, “miembros“). Based on the data above, even if security by obscurity is bad, choosing unique names for your database schemas can slightly reduce the risk of being compromised. But let’s be clear, this will never be a substitute for writing secure code! ;-)
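As an added example (not the bot's code and not from the post), here is a small Python detector in the spirit of the idea above: it reads SQL statements from a query log and flags any that reference tables outside the application's own schema, or that mention one of the generic names the bot probes for. The application schema, the log lines and the shortened (lower-cased) probe list are constructed for the example.

```python
import re

# Short, lower-cased sample of the table and column names the bot probes for
# (taken from the two lists quoted in the post).
PROBED_NAMES = {
    "admin", "tbladmin", "tblusers", "users", "user", "username", "passwd",
    "password", "pass", "tb_admin", "usuarios", "user_password", "pass_hash",
    "web_password", "web_username", "sysadmin", "login_id",
}

# Constructed: the only tables and columns the application really has. Generic
# names are avoided on purpose, which is the point the post makes.
APP_SCHEMA = {
    "acct_principal": {"principal_id", "handle", "pw_argon2"},
    "acct_session": {"session_id", "principal_id", "issued_at"},
}

TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+`?(\w+)`?", re.IGNORECASE)
WORD = re.compile(r"\b(\w+)\b")


def analyse(statement):
    """Return sorted (kind, name) findings for one SQL statement:
    'unknown-table' for a table reference that is not in APP_SCHEMA,
    'probed-name' for any token from the bot's dictionary that the application
    does not use (this also catches literals, e.g. information_schema lookups)."""
    known = set(APP_SCHEMA).union(*APP_SCHEMA.values())
    tables = {t.lower() for t in TABLE_REF.findall(statement)}
    findings = {("unknown-table", t) for t in tables - set(APP_SCHEMA)}
    for word in {w.lower() for w in WORD.findall(statement)}:
        if word in PROBED_NAMES and word not in known:
            findings.add(("probed-name", word))
    return sorted(findings)


def scan(lines):
    """Map line index -> findings for every logged statement that raised one."""
    report = {}
    for i, line in enumerate(lines):
        hits = analyse(line)
        if hits:
            report[i] = hits
    return report


# Constructed query-log sample: two normal application queries and two probes.
SAMPLE_LOG = [
    "SELECT handle FROM acct_principal WHERE principal_id = 42",
    "SELECT username, password FROM users WHERE id = 1",
    "SELECT 1 FROM information_schema.tables WHERE table_name = 'tblAdmin'",
    "SELECT s.session_id FROM acct_session s JOIN acct_principal p ON p.principal_id = s.principal_id",
]
```

Feeding the detector from a real query log (MySQL's general log, PostgreSQL's log_statement output) is the obvious next step; the schema set should then be generated from the database catalogue rather than typed by hand.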

Manage an Efficient List of Open Proxies

Open proxies… Everybody likes them! Please don’t immediately think about malicious activities… Of course, open (and chained) proxies can be useful to make you anonymous on the Internet, but they can also be very interesting for “good” purposes. As a pentester, they can help you to distribute your reconnaissance phase across multiple IP addresses and to reduce the risk of being identified. Most log management solutions come with out-of-the-box light correlation rules to detect brute-force attacks (“if event X is seen Y times in a time window of Z seconds, pop up an alert“). Finally, you can use them to avoid stupid blacklist systems which try to prevent you from abusing an online service. Note that in this (my) context “abuse” means “accessing the same resources several times for research purposes“. Nothing malicious!
