What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization; afterwards, a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Friday, November 27, 2009

Computer search, scan the internet


There is this new tool by Achillean (you can follow him on Twitter, http://twitter.com/achillean) that enables you to search for systems across the internet by issuing command searches on his site, http://shodan.surtri.com/. At the time of this blog post the app is still in BETA; it acts like an nmap search of systems online.

You can use keywords like country code, port number, hostname, etc.

Doing a scan of some systems here in Kenya, Apache webservers with port 80 open and registered under co.ke would have a key search of: apache:KE port:80 hostname:co.ke

The first page...

Sunday, November 22, 2009

Banks and governments going for security through obscurity



Security through obscurity is something I have seen a lot of organizations using in Kenya, both private and government. But as this goes on, does it mean private and confidential data can never be compromised by the bad guys? I was doing an infosec assessment with a bank the other day and, amazingly, I found out that they were hiding really vulnerable systems behind their firewalls, but if you scanned their block very carefully without triggering the Cisco PIX you would get loads of info.

An nmap scan of the mail server reported:

PORT STATE SERVICE VERSION
25/tcp open smtp Cisco PIX sanitized smtpd
Service Info: Device: firewall

One thing the administrators didn't know is that if you have such a disclosure just after scanning a mail server, every attacker would know what he is dealing with. So any further attacks from there get blocked by an IPS, which also blocks that IP, and the attacker is aware of such information. Some of these organizations rarely inspect intrusions or perform incident handling, so if an attacker sees such info, then does research on what he has found and comes back after one year, the administrators or even the security team have no track of the attacks that happened 12 months ago from the same range of IPs, and it becomes hard to protect such infrastructure.

This becomes a serious issue, and with good luck the attacker may get into very valuable info.

After I realized that a Cisco PIX was blocking me, I decided to switch to another ISP network, and I ran through KDN; this time I was doing stealth scans going for the whole block and found mail servers, webservers and internet banking servers all gaping open to the internet. Amazingly, some of these servers had MySQL ports open with user root and password r00t. Several routers were also exposed to the internet:

xxx.xxx.81.190):
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
79/tcp open finger Cisco fingerd
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
465/tcp filtered smtps
808/tcp filtered ccproxy-http
1002/tcp filtered windows-icfw
3918/tcp filtered unknown
4004/tcp filtered unknown
34573/tcp filtered unknown
Service Info: OS: IOS; Device: router
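As an added example (not code from this post), here is a small Python parser for the nmap -sV output format quoted above. It turns the PORT/STATE/SERVICE/VERSION table and the trailing "Service Info" line into an inventory of what an outside scanner learns from one pass: open management services, disclosed version strings and the device type. The sample output is constructed for the example, the address is a placeholder, and the list of services treated as management services is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in nmap -sV format, modelled on the post's output.
# The address is a placeholder, not a real host.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for xxx.xxx.81.190
Not shown: 990 closed ports
PORT      STATE    SERVICE       VERSION
23/tcp    open     telnet        Cisco router
79/tcp    open     finger        Cisco fingerd
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3306/tcp  open     mysql         MySQL 5.0.51a
Service Info: OS: IOS; Device: router
"""


@dataclass
class PortLine:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed nothing in the VERSION column


# One row of the PORT/STATE/SERVICE/VERSION table; the VERSION column is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text: str) -> List[PortLine]:
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # headers, "Not shown", "Service Info" and similar lines
        port, proto, state, service, version = m.groups()
        rows.append(PortLine(int(port), proto, state, service, (version or "").strip()))
    return rows


def service_info(text: str) -> Dict[str, str]:
    """Parse the trailing 'Service Info: OS: IOS; Device: router' line into a dict."""
    info = {}
    for line in text.splitlines():
        if line.startswith("Service Info:"):
            for part in line[len("Service Info:"):].split(";"):
                if ":" in part:
                    key, value = part.split(":", 1)
                    info[key.strip()] = value.strip()
    return info


# Services the post found exposed that should not face the internet (assumed policy list).
MGMT_SERVICES = {"telnet", "finger", "mysql"}


def exposure_findings(text: str) -> List[str]:
    """What an outside scanner learns: open management services, version strings, device type."""
    findings = []
    for row in parse_nmap(text):
        if row.state != "open":
            continue  # filtered/closed ports give the scanner nothing to fingerprint
        if row.version:
            findings.append(f"{row.port}/{row.proto} {row.service}: version disclosed ({row.version})")
        if row.service in MGMT_SERVICES:
            findings.append(f"{row.port}/{row.proto} {row.service}: management/database service reachable")
    device = service_info(text).get("Device")
    if device:
        findings.append(f"device type disclosed: {device}")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_NMAP_OUTPUT):
        print(finding)
```

Run against a real scan of your own block, the findings list is the same picture the post describes: the version column and the "Device:" line tell an attacker exactly what he is dealing with, which is why hiding a host behind a PIX does not help once the banner itself names the PIX.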





So as far as security through obscurity is concerned, I think it's not a good option, especially for financial institutions. For government institutions it's also a bad deal, since if you look at network infrastructures like KRA, such systems aren't carefully protected, such that if there is an attack, with incidents like deletion or change of information etc., then there would be a lack of integrity and availability of data to authorized users and to the taxpayers.


./Chuks

Wednesday, November 04, 2009

Str0ke passes away


Str0ke, founder of milw0rm, just passed away after a cardiac arrest this morning, an issue he had since childhood.

This was the reason his site and Twitter feed weren't updated in quite a while.

RIP str0ke, and God be with you and your family.

./Chuks

hey

Hi guys.

I haven't been able to blog lately, busy with work and organizing the hack battle. You can also follow me on Twitter @chuksjonia to know what's happening with me in the world of infosec, and I will follow you right back.

There is also some educational stuff that will be blogged soon, so keep checking this site.

regards

./Chuks

Monday, September 28, 2009

Malicious documents and their attack attempts

Recently I have been doing ongoing research on using malware when pentesting. A lot of banks and networks are still vulnerable to these attacks and they still don't know it. It's very important for any pentester who is already in an engagement with such a client to find such holes before the unethical do it.

So, most of the infected documents downloaded or attached in an email, e.g. PDFs, DOCs, PPTs, etc., will carry shellcode that does the following: it downloads a trojan from a rogue webserver somewhere on the internet, then writes the executable into your system32 folder and executes the file.

This attack will only work if the user is a local administrator or has administrative privileges to write to system32, and this is where you will find that none of the Windows workstations will work without the admin user.

There are several ways to secure this, which I may have to specify in the next blog entry. Keep tuned.


./Chuks

Tuesday, September 22, 2009

MetaSploit Unleashed


Hi.

For those who haven't heard, the Metasploit course has been released, and to get the full course you need to visit the Offensive Security site for more details. The public course material can be found here: http://www.offensive-security.com/metasploit-unleashed

./Chuks

Wednesday, September 09, 2009

SecureICT day two

Second day at SecureICT.



SecureICT day one

Hi guys, this is how day one was at SecureICT:








Saturday, August 22, 2009

WHY WE MIGHT NEED A BETTER SECURITY ASSESSMENT VENDOR



THE SCAMS

During the mailing list discussion last week, a member brought up this issue, where I was also involved in the consultancy for a company situated in Ghana.
http://lists.my.co.ke/pipermail/security/2009-August/000566.html


This is a bit hilarious, given that these guys were doing a security assessment for the company, and I expected a company like KPMG to be aware of the security assessment factors and which services are offered during such an engagement.

THE FACTORS

So which factors does a client need to look into before taking in a security assessment?
a) Penetration testing: external or internal
b) Duration: how many times do you need the service, annually, semi-annually?
c) Last but not least, which security assessment service do you need?

Before we go down to some explanations: during a presentation at KRA I did explain the difference between a Vulnerability Assessment and a Penetration Test. To make that statement short, a penetration test is the actual outcome after a vulnerability assessment. In short, a penetration test is the actual hands-on confirmation of a vulnerability picked up during a Vulnerability Assessment; therefore it is the VA's logical conclusion.

EXTERNAL AND INTERNAL TESTING

During a test, you might choose whether you want the pentest to be performed outside your network from a remote site or you want the engineers to be in the network. When it's performed externally, the engagement takes the form of an outsider blackhat who is supposed to bypass your firewall and any device on your perimeter from the internet. In such a test the testers are not given any IP ranges, no DNS and no users; in short, no information. They have to covertly collect it and perform as much intelligence gathering as they can before picking their prime targets. This test is commonly known as blackbox pentesting.

Internal testing is carried out more like an insider threat: someone who is already behind the perimeter and has much info about the network and the organization. Here the testers will try to use social engineering, privilege escalation, exploitation, etc.

DURATIONS, HOW MANY TIMES DO YOU NEED THE SERVICE, ANNUALLY, SEMI-ANNUALLY?

This may be considered by the security team in an organization that needs this service and also from the consultant's perspective. The factors may include:
a) Threat intelligence
b) Security incidents (scans, bruteforces, hack attempts, DoS)
c) Insiders
d) Business espionage
e) Perimeter devices and applications, e.g. portals, may need external blackbox pentests
f) Application and system changes, including the addition of clients and employees


WHICH SECURITY SERVICE DO YOU NEED?

One thing I have noticed with most of the security vendors in Africa is that they come up with crazy names for their products that leave customers wondering which to take, and the customers end up tricked into a non-service commitment. When a client asks for a security assessment, or an organization needs one, these are the services to look into:

a) Vulnerability Assessment

b) Penetration testing

c) Web Application Assessment

d) Physical Security Assessment

This is just to mention the most important ones. I will be writing a brief blog entry on each of them soon.

./Chuks


Monday, August 17, 2009

Hacking in EA just grew bigger


Recently, after the last few posts in the sec forums, through the hate and the mailing list trolling, I realized a sudden increase of attacks on some of the servers I man security-wise. The attacker was going mostly for the webserver, keeping me awake on Friday through Saturday, and I had to get a little sleep on Sunday.

One crazy initiative is that the guy was trying to look for links which he could use to gain access to one of the sites.

41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:55 +0300] "GET /administrator/backup HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

41.223.57.76 - - [16/Aug/2009:16:04:28 +0300] "GET /admin.php HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

41.223.57.77 - - [16/Aug/2009:16:06:06 +0300] "GET /vpn_administrator HTTP/1.1" 404 282 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"

41.223.57.73 - - [16/Aug/2009:16:10:13 +0300] "GET /www2/administrator HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"


This was not even as bad as the sshd attack, which took 47 to 50 hours of straight bruteforce. He was trying usernames like admin, admin_companyname and companyname, and all these are not on the default sshd port. A snippet here:

Aug 15 01:10:01 xxxxx sshd[3834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.223.57.74
Aug 15 01:10:01 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:17 xxxxx sshd[3834]: pam_unix(sshd:auth): check pass; user unknown
Aug 15 01:10:17 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2

The bruteforce goes on through Saturday to Sunday...
Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:03:09 xxxxx sshd[7758]: pam_unix(sshd:auth): check pass; user unknown
Aug 16 00:03:09 xxxxx sshd[7758]: pam_succeed_if(sshd:auth): error retrieving information about user admin_xxxxx
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72

This is just to warn the hacker up to this mischief: just know I am watching you a lot, and if you have never seen such crazy logs on your perimeter machines, please check again.

All the above IPs are from Zain modems.
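The two log excerpts above show the pattern worth detecting: the web probing rotates through 41.223.57.72 to .78 and the sshd bruteforce runs across two days, so counting failures per single IP understates what is going on. As an added example, not part of the original post, the Python below parses Apache combined log lines and sshd/PAM syslog lines and groups them by source /24, so that an attacker rotating through one modem pool still shows up as one event with a span of days. The log lines are constructed in the same formats as the post's excerpts (not real traffic), the 10.0.0.5 lines are benign filler, and the thresholds and the "admin in path" rule are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in Apache combined log format (user agent shortened).
ACCESS_LOG = """\
41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0"
41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Aug/2009:16:04:30 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed sample lines in sshd/PAM syslog format, across two days.
AUTH_LOG = """\
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223.57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72
Aug 16 09:00:00 xxxxx sshd[8001]: Accepted publickey for chuks from 10.0.0.5 port 50000 ssh2
"""

# client ip, timestamp, method, path, status
ACCESS_RE = re.compile(r'^(\d+(?:\.\d+){3}) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# month, day, username, source ip for both "Failed password" and "Invalid user" messages
SSH_RE = re.compile(
    r'^(\w{3}) +(\d+) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: '
    r'(?:Failed password for (?:invalid user )?|Invalid user )(\S+) from (\d+(?:\.\d+){3})')


def net24(ip: str) -> str:
    """Collapse a source address to its /24 so a rotating modem pool is one key."""
    return str(ip_network(f"{ip}/24", strict=False))


def web_probe_report(log_text: str, min_hits: int = 3) -> dict:
    """404s on admin-looking paths, grouped by source /24 (threshold is an assumption)."""
    acc = defaultdict(lambda: {"hits": 0, "sources": set(), "paths": []})
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status = m.groups()
        if status != "404" or "admin" not in path.lower():
            continue  # only guesses at admin interfaces that did not exist
        rec = acc[net24(ip)]
        rec["hits"] += 1
        rec["sources"].add(ip)
        rec["paths"].append(path)
    return {net: rec for net, rec in acc.items() if rec["hits"] >= min_hits}


def ssh_bruteforce_report(log_text: str, min_failures: int = 3) -> dict:
    """Failed/invalid-user sshd logins grouped by source /24, with users and days seen."""
    acc = defaultdict(lambda: {"failures": 0, "users": set(), "sources": set(), "days": set()})
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue  # successful logins and PAM chatter are not counted
        mon, day, user, ip = m.groups()
        rec = acc[net24(ip)]
        rec["failures"] += 1
        rec["users"].add(user)
        rec["sources"].add(ip)
        rec["days"].add(f"{mon} {day}")
    return {net: rec for net, rec in acc.items() if rec["failures"] >= min_failures}


if __name__ == "__main__":
    for net, rec in web_probe_report(ACCESS_LOG).items():
        print(f"web probing from {net}: {rec['hits']} admin-path 404s via {len(rec['sources'])} hosts")
    for net, rec in ssh_bruteforce_report(AUTH_LOG).items():
        print(f"ssh bruteforce from {net}: {rec['failures']} failures, users {sorted(rec['users'])}, "
              f"days {sorted(rec['days'])}")
```

The /24 key is the point of the exercise: per-IP counting would see five web hosts with one request each and miss the scan, while the grouped view shows one range hammering the server and the sshd report carries the day span, which is the history the post says most teams have no track of a year later.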

./Chuks

Saturday, August 08, 2009

Incoming SecureICT!!!!



Okay guys, you remember http://secureict.co.ke/. We are getting ready for the conference. See you guys there; I am doing a Wireless Penetration Testing presentation.

Good weekend.

./Chuks

Sunday, July 12, 2009

Afr0-w00t convention announced in the Forums



Hi. If you are a member of the Security Forums, Kictanet or Skunkworks, you may have seen the call for papers for the Afr0-w00t hackers convention. This is going to be the first of its kind in Kenya. http://bit.ly/NSzbM

We are expecting papers from most of the information security experts in Africa and Kenya, mostly because it will be held in Nairobi, Kenya.

This year, we will make this convention different from any other information security conference ever done in Kenya, since most of the topics this year will be more on hardcore hacking and penetration as seen in Nairobi.

We will also set up a contest, Hacking the Box. More information will be posted on the security mailing list at my.co.ke.

./Chuks

Wednesday, July 01, 2009

Is Kenya safe from a cyber attack?





Hi guys.
We have currently been discussing at The Security Forum a post we found online on cyber attacks in Kenya and whether Kenya is safe in case of such a launch.

Most of the discussion is here:

http://lists.my.co.ke/pipermail/security/2009-June/000283.html

http://lists.my.co.ke/pipermail/security/2009-June/000285.html

More found, http://lists.my.co.ke/pipermail/security/2009-July/000286.html

And another post from Tyrus: http://lists.my.co.ke/pipermail/security/2009-July/000289.html

What do you guys think? Which major utilities, if shut down, can affect the ways of Kenyans?

./Chuks

Sunday, May 03, 2009

April heated debate [Security Forum]: Lab pentesting versus real-world tests


April's heated debate was on lab pentesting versus real-world testing, where a lot of the pentesters felt that you get to learn a lot from testing real, live servers rather than lab networks where you are aware of everything.

There was also this proposal by Simiyu that he came up with about a competition: "
Blue Team:
All the sys admins, web developers on the skunkworks list.
They get to install and run their apps on some local network.

Red Team:
Pen testers from Kenya, from the list and as well as those who are not on the list.
They get to try and break into the set up network.

At the end of the day both teams sit down and discuss on the vulnerabilities discovered
and how to prevent such attacks in real life scenarios and the losers buy lunch of course ;)"

Reply guys

./Chuks

Sunday, April 19, 2009

MOVED THE SECURITY FORUM TO A NEW HOST


Hi guys, we have moved the First Kenya Information Security Forum to a new host, maintained by Penguin Labs.

For more info, check this out: http://lists.my.co.ke/pipermail/security/2009-April/date.html#start and to join please visit http://lists.my.co.ke/cgi-bin/mailman/listinfo/security

./Chuks

Wednesday, April 08, 2009

security forum is back

Morning lions and lionesses.

For the whole of last week we have had the security forum down due to a server crash, and we lost most of the subscriptions. I have been working on this list for some hours now to make sure any member who had subscribed gets back in, as I work on my official day-to-night work, LOL!

Anyway, I hope to see some replies to this post; thank you for your patience. This has been a good learning resource for us. I am soon going to index the mailing list on my new domain, as soon as I can, because we need archives.

If you had a friend who tried to register last week and failed, tell them to try again from now. Good week and safe holidays.

To register just send a blank email to security-subscribe@openworld.co.ke

{EDITED} We moved to a new host, check http://lists.my.co.ke/cgi-bin/mailman/listinfo/security


./Chuks

Monday, March 30, 2009

research site down

For those trying to reach www.kamongo.co.ke, please just try it through the IP, http://41.206.42.174/, since my domain is down until further notice.

./Chuks

Friday, February 27, 2009

insecure webapps



We had this discussion that a certain server was certainly so secure, and the owners stated that 10 million was used to set up the portal. Out of curiosity, a research pentest was done on this portal. To download the paper: http://www.kamongo.co.ke/chuksjonia/info/home_insecurity/TheHomecoke.pdf




/Chuks

Tuesday, February 03, 2009

Some of The Conference Docs

Hey good people. The presentations from some of the conferences I have done previously are hosted on this site (www.kamongo.co.ke/chuksjonia/info). You can download them for reference at your own time.

/Chuks

Tuesday, January 27, 2009

A perfect pentest example

1. Information Gathering Phase (find the company's website, emails, employees (and their blogs etc.) and anything else related)
2. Network Discovery Phase (find the internal and external network(s) of the company if possible, with help from the information above)
3. Service Discovery Phase (find all services belonging to the company, and thus the versions: ftp, http and so on)
4. Vulnerability Match Phase (see if it is possible to find any holes directly in the applications)
5. HTTP-Vulnerability Phase (check out all http services belonging to the company, checking for everything ranging from SQL injection to XSS)
6. Gaining Access (see if it is possible to gain full or partial access to their systems. Social engineering might work.)
7. Escalation of Privileges (if partial access was gained, escalate privileges in order to gain root)
8. System/Network Browsing (find other nodes on the network if possible; if so, begin again from the service discovery phase or the information gathering phase)
9. Gaining Internal Access (if it was possible to gain internal access, then the job is almost done. If not, we will need to do it here. This could be achieved with XSS, trojans, eavesdropping, phishing or by cracking the wireless network if they have such. Even social engineering can work in this phase.)
10. Backdooring Phase (put a rootkit or w/e I like, as long as it isn't detectable. This isn't necessary for most companies.)
11. Removal of Traces (if needed, then remove all traces possible)


All the best

/Chuks