what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Saturday, June 30, 2007

DEFACING SITES [Methods]


Method 1 - Content replacement.

Using the existing server host, web server etc, replace the pages with defaced ones.
- Prerequisite: own the server
- To undo: delete the defaced pages and replace original ones.

Method 2 - Web server software reconfiguration.
Using the existing server host and web server, reconfigure the web server to serve
documents out of a different (possibly hidden) directory. For an added bonus, change
permissions etc, to make it marginally harder to change back.

Method 3 - Web server software replacement.
Destroy or disable the original web server, and replace it with another one, hidden
possibly as a trojan in existing system programs - ensure that this starts up before
any legit web server, thus rendering the original web server useless.

Method 4- Better web server software replacement.
Destroy or disable the original web server, and trojan system programs, and/or make
subtle configuration changes, or low-level network stuff, which causes
defaced web pages to be served one way or another, by the machine. Take any other steps
to ensure that it cannot be easily undone.

For bonus points, put network firewalling / NAT in, such that the creators / owners of the
web site still see the real site, but everyone else sees the defaced site.

Method 5 - Rerouting.
Ignore the original web server and compromise a nearby router. Add a NAT rule such that
web traffic gets rerouted to another machine where the defaced pages are served.

Method 6 - DNS hijacking.
compromise the DNS. The higher level the better. Ideally compromise a top-level DNS and insert
a fake A record in, at the root servers. Ideally point this to a network of zombie machines
(using round-robin DNS), which are all in different countries.

Method 7 - Backbone routers.
Compromise backbone routers and inject phoney IP routes to route traffic to the web site
to a (network of) owned server(s).

Method 8 - Browser compromise.
Compromise the distribution system of several major web browsers, and install backdoors
which cause the web site to appear to be defaced

Method 9 - ISP compromise.
Compromise several major ISPs, either trojanning their install CDs, subvert their routers,or do several of the above.

Method 10 - Some subtle combination of any of the above.
Especially effective would be 1,2,4,5 and 6 for instance.

A determined attacker would carry out all the compromises necessary for 1,2,4,5 and 6 ahead of time,set up zombies to serve various pages, and set all the triggers on the same time bomb.

All five of the methods would then need to be independently repaired (ok, 1,2 and 4 could be done at the same time) to fix it.

Methods 7,8 and 9 are hopefully so difficult that they're not a real threat.

Be Protected Methods.

Tips : Be Stealthy
Create IP rules or firewall rules which causes the defacement to be invisible to the site's creators, owners, or maintainers.

Tips : Be Stealthy
Create time based rules to cause the defacement to be visible only during times of day when the site's creators, owners etc, are likely to be asleep

Tips : Be Stealthy
Create IP rules which ONLY make the defaced pages available to robots, so that the defaced pages end up in Google's cache, Internet Archiver etc.

Tips : Be Stealthy
Create user-agent specific rules which make the defacement only visible to users of certain browsers / operating systems. For instance, make the defaced pages only visible to users of Windows 98 or ME, as businesses rarely use these (and sysadmins
and web designers never use them)


/Chuks

Credits to my fellow friend, MuRd3rp0L!c3