15 November 2012

Basic Backtrack Tools

It is always helpful to have a hitlist you can rely on....well, here's mine:

TFTP Server
#tftpd --daemon --port 69 /tmp/
#pkill tftpd

NETSTAT
#netstat -nat
#netstat -nau
#netstat -nat | grep 22

WINDOWS

Mount Share
#share <user> <targetIP> <remote share>
#mkdir /mnt/share
#mount -t cifs //<targetIP>/<remote share> /mnt/share -o user=<user>
#umount /mnt/share

20 February 2012

Is Defence in Depth dead?

 “Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out" - William Boni, VP and CISO T-Mobile USA – Jan 2012.

I am a great believer that good security comes from a multilayer approach. You don't lock your front gate and leave all the doors open, right? So why should IT security differ? This article looks at an interesting list of the "Top 20" critical security controls published recently by the Centre for the Protection of National Infrastructure (CPNI). CPNI was formed from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC), formerly part of MI5, the UK's Security Service, and has responsibility for providing Information Assurance guidance for the UK's national infrastructure.

Here is the list:
  1. Inventory of Authorized and Unauthorized Devices
  2. Secure Configurations (Hardware & Software)
  3. Secure configurations for hardware and software on laptops, workstations, and servers
  4. Continual Vulnerability Assessment
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Training 
  10. Secure configurations for network devices such as firewalls, routers, and switches 
  11. Limit network ports, protocols and services
  12. Controlled use of Admin privileges
  13. Boundary Defense
  14. Maintenance and Monitoring
  15. Need to know permissions
  16. Account monitoring and control
  17. Data Loss Prevention
  18. Incident Response
  19. Secure network engineering
  20. Penetration Tests

Conclusion

Being in security for the past 4 years I have audited and tested the security defenses of 100+ organizations and I can honestly say I have never seen any one organization conducting satisfactory controls in all these areas, if any at all. Therefore, I suggest any organization review this list and either use it as a basis for their IT Security Policy (if they have one) or conduct a simple audit of their systems against this list. If you have gone as far as classifying the information that flows in and out of your organization you may want to use this list per classification.

My particular favorites are Training and Penetration Tests. This may be because I have conducted many Social Engineering and Penetration Tests, but these really stand out for me. Penetration Testing is a key indicator that the other 19 controls are working, and any tests that do not include elements of Social Engineering really are not true tests of the threats faced by organizations today. Just look at RSA.....


References:
http://www.cpni.gov.uk/advice/infosec/Critical-controls/

Cryptography has been "broken"...or has it...

A new year has started, and why change good habits - or maybe this is a New Year's resolution? I'm just back from the second New York Metro ISSA Chapter meeting of 2012. Here is my quick wrap-up.

With a strong line-up, the meeting was geared up to discuss the not-so-interesting topic of cryptography, as well as the challenges of PKI deployment. With many research papers appearing that claim to have "broken" various hashing and encryption ciphers, the first speaker, John Callas from Entrust, put this into perspective.

John, who is currently one of the finalists in NIST's SHA-3 competition, used his 45-minute slot to give a top-level view of threats to cryptography, such as Quantum Computing. John reassured the audience that the current suite of encryption ciphers is pretty solid despite the recent exposures found in the popular AES cipher, where a biclique attack was found to be 2 bits faster than traditional brute-force attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf). "Broken" in cryptography is the result of any attack that is faster than brute force. The biclique technique described allows attackers to recover keys up to five times faster than brute force. AES may not be completely broken, but it's broken nonetheless.

Conclusion

With weaknesses starting to appear, what can we do to protect ourselves? Encryption should be looked upon as another layer of security. We all know Defense in Depth is a staple part of any good secure system design, and we must not lose sight of the fact that anything that has been encrypted can be decrypted, so key management is really where attention to detail is crucial.

For those of you that are unaware The Information Systems Security Association (ISSA)® is a "not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members."

This is my first experience of the ISSA New York Metro Chapter and of the ISSA, having only joined the ISSA in November 2011. I can honestly say this is one of the most informative events I have found in New York and I look forward to the next event.


22 November 2011

Metasploit & Proxy Setups

If you're setting up Metasploit and can't seem to make msfupdate to work because you're behind a proxy, here is a fast tip:

# nano /etc/subversion/servers

Scroll down to the end of the file, uncomment the lines below and set the appropriate values:

# http-proxy-exceptions = *.exception.com, www.internal-site.org
http-proxy-host = proxy.company.com
http-proxy-port = 8080
Save and run msfupdate and you're good to go :)

(Kudos to

28 September 2011

WebInspect - Useful Notes from manual....

I'm not one to RTFM, but I did read the WebInspect manual and pulled out these little nuggets of info. I plan to revisit all of these items during the next few uses to provide more information around their usage, so check back soon.

Optional Depth-First Crawler
  • Depth-first crawling accommodates sites that enforce order-dependent navigation (where you must visit page A before you can visit page B). This method traces the first link on a page to the first link on the referenced page before returning to the original page and tracing the second link. By contrast, breadth-first crawling (which is also available) follows all the links on a page before drilling down to the pages that are being linked.


Java Model View Control (MVC) Support
  • Based on in-depth research by the HP DevInspect for Java team, WebInspect now supports applications built on the Java MVC platform by the use of the depth-first crawler, path-based attacks, and navigational parameters.


Accommodate E-mail Messages
  • If your system generates e-mail messages in response to user-submitted forms, you might consider disabling your mail server. Alternatively, you could redirect all e-mails to a queue and then, following the audit, manually review and delete those e-mails that were generated in response to forms submitted by WebInspect.

Pace the HTTP Traffic
  • WebInspect can be configured to send up to 75 concurrent HTTP requests before waiting for an HTTP response to the first request. The default thread count setting is 5 for a crawl and 10 for an audit (if using separate requestors). In some environments, you may need to specify a lower number to avoid crashing the Web application or your server.

Delete Uploaded Files
  • Finally, WebInspect tests for certain vulnerabilities by attempting to upload files to your server. If your server allows this, WebInspect will record this susceptibility in its scan report and attempt to delete the file. Sometimes, however, the server will not allow a file to be deleted. For this reason, part of your post-scan maintenance should include searching for and deleting files whose name begins with “CreatedByHP.”



Web Service Assessment
  • When performing a Web service assessment, WebInspect crawls the WSDL site and submits an arbitrary enumeration value for each parameter in each operation it discovers. It then audits the site by attacking each parameter in an attempt to detect vulnerabilities such as SQL injection. You can tailor these attacks to your WSDL by creating a file containing specific values that should be submitted, and by selecting the WebInspect option to “Auto-fill SOAP messages during crawl” (select Edit > Default Scan Settings and then select the Method category in the Scan Settings group). For more information, see SOAP Editor on page 185.

Navigation Pane
  • In both Site view and Sequence view, blue text denotes a directory or file that was “guessed” by WebInspect, rather than a resource that was discovered through a link. For example, WebInspect always submits the request “GET /backup/ HTTP/1.1” in an attempt to discover if the target Web site contains a directory named “backup.”
  • A Blue folder: A private folder on your Web server found by WebInspect. These folders are not linked from the site itself.
  • A Yellow folder: A folder whose contents are available over your Web site.
  • A Grey folder: A folder indicating the discovery of an item via path truncation. Once the parent is found, the folder will display in either blue or yellow, depending on its properties.
  • Export Site Tree (Site View only): Saves the site tree in XML format to a location you specify.

Session
A session is a matched set comprising the HTTP request sent by WebInspect to test for vulnerabilities and the HTTP response received from the server.
  • 0 - 9 Normal
  • 10 Information
  • 11 - 25 Low
  • 26 - 50 Medium
  • 51 - 75 High
  • 76 - 100 Critical
Pg79 25/08/2010

Full manual is available from: http://www.echo-zero.co.uk/echo-zero-downloads/webinspectuserguide_8_0_548_0.pdf

25 September 2011

Password Hashes

So for my first post I thought I would keep it simple. Hashes.

There are two broad types of attack when it comes to attacking a system or application that is protected by some sort of authentication mechanism:
  1. Password Guessing - where you *don't* have access to the stored password representation (hash) aka brute force attack.
  2. Password Cracking - where you *do* have access to the stored password representation
So it's key to point out here that all passwords are stored somewhere - whether in volatile (memory) or non-volatile (datastore, registry) storage on the target or on a centralized authentication provider (Radius, Active Directory), and whether in cleartext (#fail) or in an encrypted/hashed representation.

I am going to leave password guessing attacks for now, but they may be covered in another post in the future. There are many simple tools out there (Hydra, Metasploit, Web Brute), so find a decent wordlist (Rockyou75, Openwall) and get brute forcing!

Resources for password lists:

This is going to be brief and I am sure I will add to this in the future. However, without a toolbox of zero-day exploits in your back pocket, capturing, breaking or reusing hashes is essential when assessing the security of your network. Understanding what you have is key here.

A recent talk from IronGeek (Adrian Crenshaw) on pilfering windows targets gives a good overview of the types of common hashes you may encounter:
Source: Irongeek - Nashville 2011 Talk 

(VNC is listed here; however, it is a simple Base64 encoding of the password. Not really a hash, more an obfuscation, as it's easily reversible.)


Once you know what you have, 'cracking' them is the next step.


Tools that are useful here are:

  • Hashcat
  • John
  • Ophcrack
  • Cain
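
Before feeding anything to the tools above it pays to know what you have. The following is an added Python example, not code from the original post, that classifies common stored password representations by their shape, flags a pwdump-style line that still carries a real LM hash, and summarises a dump by strength class. The sample dump and its hash values are constructed; the empty-password LM and NT sentinels are the well-known constants.

```python
import re
# Added example (not from the original post): work out what kind of stored password
# representation you have before choosing a tool. Heuristics: raw 32-hex may be MD5 or NTLM.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# (label, regex, strength): strong = salted and slow, legacy = salted but
# fast, weak = unsalted fast hash that falls quickly to a good wordlist.
HASH_FORMATS = [
    ("bcrypt", r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$", "strong"),
    ("sha512crypt", r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$", "strong"),
    ("md5crypt", r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$", "legacy"),
    ("MD5 or NTLM raw hex (ambiguous)", r"^[0-9a-fA-F]{32}$", "weak"),
]
# pwdump/hashdump line: user:RID:LMhash:NThash:::
PWDUMP_LINE = re.compile(r"^[^:]+:\d+:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def identify_hash(value):
    """Return (label, strength) for one stored password representation."""
    value = value.strip()
    m = PWDUMP_LINE.match(value)
    if m:
        lm, nt = m.group(1).lower(), m.group(2).lower()
        if lm != EMPTY_LM:  # real LM hash stored: unsalted, case-folded, 7+7 split
            return ("Windows LM:NT (LM hash stored)", "weak")
        if nt == EMPTY_NT:
            return ("Windows LM:NT (empty password)", "weak")
        return ("Windows NT only (LM disabled)", "weak")  # NT hash is unsalted MD4
    for label, pattern, strength in HASH_FORMATS:
        if re.match(pattern, value):
            return (label, strength)
    return ("unknown", "unknown")

def audit(lines):
    """Count the entries of a dump per strength class, skipping blanks/comments."""
    counts = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            strength = identify_hash(line)[1]
            counts[strength] = counts.get(strength, 0) + 1
    return counts

# Constructed sample dump (made-up values, not real credentials).
SAMPLE_DUMP = [
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "$6$saltsalt$" + "a" * 86,  # sha512crypt shape
    "$2a$10$" + "b" * 53,        # bcrypt shape
    "$1$abcdefgh$" + "c" * 22,   # md5crypt shape
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty string
]
```

Run audit(SAMPLE_DUMP) to get the per-class counts; any "weak" entry in a real dump (and especially a stored LM hash) is the first thing to raise with the system owner.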