What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization; afterwards, a detailed report summarizing the weaknesses and exploited vectors is produced. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, November 27, 2011

One more Pentest LAB before the end of the Year


I had the privilege of setting up another exam. This time there were two servers on the WAN, with one firewalling or filtering traffic to the main box. The main box ran a database and an Apache server, plus other services like sshd and ftpd. As per recon, this server was meant for file services and databases.

Above is a simulation of the network. I will soon be posting on how this infrastructure would have been compromised.

Monday, November 14, 2011

One of the exams I set this October 2011

The other day I was training EN1 and 2, and I had to set an exam that would cover much of what the students had learnt. So here it goes. The trick to passing the exam is what we call Threat Intelligence. A lot of pentesters out there have no idea how to do it, so I found it important for my students to get a glimpse of what they are expected to do when they get back to their organizations.

First of all, the most important part of the assessment is reconnaissance.



Reconnaissance gives you a chance to get more information about the target, and from here we start understanding the OS version and what is running on the system. As you can see, port 80 is open with Apache running on it. So let's load the website in our browser and see what we can view.



So we see there is a website running on this server. We can try to log in, check it out, or scan it with Nikto, which is located in /pentest/web/nikto in BackTrack.

Nikto gives us more information about the website, and we find some URLs which are good for understanding the version of the webapp, such as license.txt, and also some information disclosure via test.php, as seen below.








So by now we know that the OS is Linux, the host name, the path where the website lives, the Apache version and the PHP version. We also know the exact version of the running kernel. We were also able to pick up the type and version of the web application, which is called 1024CMS.

Now we need to do Threat Intelligence against the target running 1024CMS, so we visit the Exploit-DB website.


We search for 1024cms in the Exploit-DB database, and you should find results as below.



So let's go ahead and open the first exploit listed on the Exploit-DB website and see if it will run on the target box.



As you can see, this exploit targets a flaw in the code called Local File Inclusion (LFI), which is common on LAMP systems. With this we can download any file on the system that the web server user has access to. One of the interesting files is /etc/passwd, so we try to download it from the box via the vulnerability, as seen below.



As you can see above, we are able to download /etc/passwd, and now we have a list of users for this box, as seen below:
# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
webmaster:x:501:501::/home/webmaster:/bin/bash
webadmin:x:502:502::/home/webadmin:/bin/bash
michele:x:503:503::/home/michele:/bin/bash
avant:x:504:504::/home/avant:/bin/bash
oscar:x:505:505::/home/oscar:/bin/bash
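As an added example (not from the original post), here is the audit a defender would run over that same exposed listing: parse /etc/passwd and report which accounts can actually log in, handling the empty-shell edge case (the news entry has no shell field, which Linux treats as /bin/sh) and flagging service accounts such as postgres and mysql that carry /bin/bash. The entries below are a constructed subset of the listing above, in the same format.

```python
from dataclasses import dataclass

# Constructed subset of the /etc/passwd listing above (same format, fewer lines),
# chosen to cover the interesting cases: root, a no-shell daemon, the empty-shell
# "news" entry, two database service accounts with /bin/bash, and two regular users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
apache:x:48:48:Apache:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webmaster:x:501:501::/home/webmaster:/bin/bash
michele:x:503:503::/home/michele:/bin/bash
"""

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# First regular-user UID on this box: the human accounts in the listing start at 501.
UID_MIN = 500


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines. An empty 7th field is legal and means /bin/sh,
    so it is normalised here rather than being treated as 'no shell'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell or "/bin/sh"))
    return entries


def interactive_accounts(entries):
    """Names of accounts whose shell allows an interactive (e.g. SSH) login."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def service_accounts_with_shell(entries):
    """System accounts (UID below UID_MIN, root excepted) that still carry a login shell.
    Each should be set to /sbin/nologin unless there is a documented reason not to."""
    return [e.name for e in entries
            if e.uid < UID_MIN and e.name != "root" and e.shell not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("can log in:", interactive_accounts(entries))
    print("service accounts to lock down:", service_accounts_with_shell(entries))
```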

Now, with the users known, we can start brute-forcing their passwords from our password list (the wordlist), using xhydra.



xHydra should find a password in a few minutes.


Now that we have a password, all we need to do is get into the box via port 22 (SSH), which we knew was open from the information gathering stage. We should see the zip file in / of the system; we copy it to michele's home directory, since we do not have permission to write in / (the Linux skeleton directory), and we should then have the password to root.



Saturday, August 20, 2011

LIFE IN INFORMATION SECURITY - PART 1


Information security is one career whose requirements a lot of techies out there have badly mistaken. I have seen some people think that because they can run nmap on an MS box they can do VA assessments for an organization. Others think that because they can develop code they can actually hack. Others come straight from college and join a security company, are handed some company questionnaires and shown how to scare clients when they need to do an audit, only to find they are asking for SAM files from a Unix admin, LULZ. I am not hating, but I think I need to talk about this.

Personally my skill-set is penetration testing, but how I got here was nasty. I started with repairing computers and mobile devices back in 1999/2000, then went into structured cabling; later I was administering domains and huge networks, and I had to script code and ended up indulging in development. As I went on, security became a huge interest, and there were no guys in Nairobi I could get advice from, so I had to do research and heavy studies by myself.

With 11 years in this career, I am still learning new things every day.

So here are some aspects for those who want to do security at a higher level. By higher level I mean working in those institutions where security is taken seriously:

a) IT Background, Research and studies
b) Health and fitness
c) Personal Security
d) Patience
e) Independence
f) Intelligence
g) Confidentiality

As the days go by, I will write on each of the aspects above.

With all regards,

./Chucks

Wednesday, August 10, 2011

Calculating PSR and the Reason to

So what is PSR, and what does it stand for? In short, P means Probability, S is Severity and R is Relevance. This metric looks at the probability that the vulnerabilities found can be exploited, whether with ease or with loads of trial and error. It also looks at the severity of the impact they will cause to the organization if exploited, and then at the relevance of the asset to the organization.

Below is the table we use to score P (Probability).

Probability - the likelihood that the risk will take place:

  5 - Very High   Is almost certain (P > 95%)
  4 - High        Is very likely (65% < P ≤ 95%)
  3 - Medium      Is likely (35% < P ≤ 65%)
  2 - Low         Is not very likely (5% < P ≤ 35%)
  1 - Very Low    Is unlikely (P ≤ 5%)


So, for the auditor to estimate the probability, he has to consider several factors:

a) The knowledge required to have a working exploit for the specified flaw: the less knowledge required, the higher the probability.
b) The resources required to attack and exploit the flaw also weigh heavily on the probability: the fewer the resources, the higher the probability.
c) The duration required to exploit the flaw: if the intruder would take a short time, the probability goes higher.
d) How important the target is, e.g. a banking server, where most attackers would want to fully exploit flaws, makes P vary a lot. The more attractive the system is, the higher the probability.
e) How well the asset is protected, physically and operationally: the lower the protection, the higher the probability.
f) Environmental, political and weather factors also affect the probability.

So probability is a view of the likelihood that a risk might happen, while severity evaluates the level of impact on the asset and organization if it takes place.

Severity - the risk taking place will cause:

  5 - Very High   Major impairment
  4 - High        Very severe impairment
  3 - Medium      Severe impairment
  2 - Low         Less severe impairment
  1 - Very Low    Almost no impairment



So, for the auditor to estimate the severity, he has to consider several factors:

a) The degree of impairment of the reliability of the process results or information, as well as of the systems or related environment supported by the asset.
b) The degree of impairment of the asset's performance.
c) The impairment of the quality of services, systems and information.

Thirdly is the relevance of the asset, where its importance and what it supports in the business/organization are valued.

Relevance - the asset's impairment:

  5 - Very High   May affect the entire organization and losses will be extremely high
  4 - High        May affect one or more of the organization's businesses and losses will be high
  3 - Medium      May affect a part of the organization's business and losses will be considerable
  2 - Low         May affect a small and localized part of the organization and losses will be low
  1 - Very Low    May affect a very small and localized part of the organization's business and losses will be minimal


So now, after we have defined the three values, we can multiply them to calculate the PSR of an asset.

Risk Level   Possible PSR Values

Very Low     1, 2, 3, 4, 5, 6
Low          8, 9, 10, 12, 15, 16
Medium       18, 20, 24, 25, 27, 30
High         32, 36, 40, 45, 48, 50
Very High    60, 64, 75, 80, 100, 125



So the PSR values run up to a maximum of 125.
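Added example, not from the original post: the three scales above carried into code, with the product and the Risk Level lookup from the table, plus a cross-check that enumerating every product of three 1-to-5 scores reproduces exactly the values the table lists. The 80% / 4 / 5 scenario at the bottom is constructed.

```python
# Upper bound of each risk band, taken from the "Possible PSR Values" table above.
RISK_BANDS = [(6, "Very Low"), (16, "Low"), (30, "Medium"), (50, "High"), (125, "Very High")]


def probability_score(percent):
    """Map an estimated likelihood in percent to the P score of the Probability table."""
    if not 0 <= percent <= 100:
        raise ValueError("likelihood must be a percentage between 0 and 100")
    if percent > 95:
        return 5   # Very High: almost certain
    if percent > 65:
        return 4   # High: very likely
    if percent > 35:
        return 3   # Medium: likely
    if percent > 5:
        return 2   # Low: not very likely
    return 1       # Very Low: unlikely (P <= 5%)


def psr_value(p, s, r):
    """PSR is the plain product of the three 1..5 scores (maximum 5 * 5 * 5 = 125)."""
    for name, score in (("P", p), ("S", s), ("R", r)):
        if score not in (1, 2, 3, 4, 5):
            raise ValueError(f"{name} must be an integer from 1 to 5, got {score!r}")
    return p * s * r


def risk_level(value):
    """Translate a PSR product into the Risk Level column of the table."""
    for upper, level in RISK_BANDS:
        if value <= upper:
            return level
    raise ValueError(f"{value} is outside the PSR range 1..125")


def assess(likelihood_percent, severity, relevance):
    """Full pipeline: percent -> P score, then the PSR product and its risk level."""
    p = probability_score(likelihood_percent)
    value = psr_value(p, severity, relevance)
    return p, value, risk_level(value)


def possible_values_by_level():
    """Group every reachable product of three 1..5 scores by band; reproduces the table."""
    table = {level: set() for _, level in RISK_BANDS}
    for p in range(1, 6):
        for s in range(1, 6):
            for r in range(1, 6):
                value = p * s * r
                table[risk_level(value)].add(value)
    return {level: sorted(values) for level, values in table.items()}


if __name__ == "__main__":
    # Constructed scenario: exploitation judged very likely (80%), very severe
    # impairment (4), on an asset whose loss affects the whole organization (5).
    print(assess(80, 4, 5))   # (4, 80, 'Very High')
    for level, values in possible_values_by_level().items():
        print(f"{level:10s} {values}")
```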

./Chucks

Saturday, July 30, 2011

Vulnerability and PT reporting

Lately I have been engaged in a lot of assessments, and reporting has been a major factor for the clients' bosses upstairs. Reporting is one thing that techies always hate doing, which I do too, but for the sake of these non-technical folks we need to make sure reports are done and well interpreted, to the point that they understand them even before a presentation.

Now, the reporting matrix should at least use colour indexing and good diagrams, even if it means using some Visio to draw how an attacker would penetrate from an internal or external attack. Terms like Ease of Exploitation, Potential Impact and Ease of Identification help management understand the overall risk of the vulnerability, its associated criticality and how to fix it.

Sometimes the departments involved in fixing the problem or vulnerability tend to overstate the issue, or deny what it is capable of, so as to drag out the whole assessment or not look bad to management, so the evidence has to be well shown and illustrated.

The methodology used, the type of tools and the timelines are also important aspects. The message has to be clear and to the point.

Wednesday, April 13, 2011

BELATED HACKBATTLE 2010

The dates for the belated Hackbattle 2010 have been set: from the 25th to the 29th of April, with the 30th being the presentation date. We will have Hackbattle 2011 at the end of the year.

The scenario will be two servers NATed through a firewall on public IPs, and two workstations behind the DMZ. The registered guys will have to hack their way into the network and collect files; they will be asked for the right MD5 checksums. The first to collect all the checksums, from both servers and one workstation, will be the winner of the contest.

To register, send an email to hackbattle.ke at gmail.com with your name, the hacker handle you want to use, and your IP range.

The contest is hosted by iHub, so all sponsors will need to contact Bernard Owuor Adongo, and also me at jgichuki at inbox d0t com. For those who had already asked about the sponsorship, I will be sending you the information later in the day.


Rules:

1. Any techie involved with the infrastructure setup will be disqualified from the contest.
2. Every registered techie will need to have a full report of his actions.
3. Any change to a file that messes up its checksum will be considered a disqualification.
4. Any type of DoS will get your IPs blocked.
5. Teamwork is allowed, but remember you will have to share the prizes.
6. Winners will have to show how they hacked on the 30th, at iHub, just before the Ubuntu party.
7. Registration will only be allowed for EAC members.
8. Trying to social engineer moderators will be considered as a cool
9. How to win: hack the infrastructure the fastest.

Remember, ANY ACTIONS OUTSIDE OF THESE RULES WILL RESULT IN DISQUALIFICATION.

Yours,

./Chucks

Sunday, March 06, 2011

KenyaPolice Website Vulnerabilities

So, a new post showed up on the Security list about how to let the relevant personnel know about the vulnerabilities the KP website has: http://lists.my.co.ke/pipermail/security/2011-March/001725.html

If you check for obvious vulnerabilities with your browser, e.g. Cross Site Scripting, SQL Injection or hidden directories, it is much easier given the lack of a WAF (Web Application Firewall) and bad coding practices.

With such obvious flaws, we can actually get a sense of the state of Government infrastructure, and of how vulnerable the applications holding confidential information are, e.g. Civil Servant information, NSSF information, Health Organization data, ongoing corruption investigations etc. With such information sitting on susceptible, vulnerable infrastructure, in case of a cyber attack it would be easy to overwhelm and bypass the Government's integrity and confidentiality.

Back to the KP website: pages like report_a_crime.asp, lost.asp, site_search.asp, crime_reports_processor.asp, contactus.asp and several others are vulnerable to serious security flaws, especially the OWASP Top Ten risks. This is due to non-sanitized pages with page variables like category, details, name, email_address, telephone, txtAnswer etc.

Security assessments for Kenyan Government infrastructure should be enforced, and the use of Information Security Policies should be introduced. MOD or any other law enforcement organization should at least have a task force that does tests once in a while by simulating cyber attacks, and such common vulnerabilities on the KP web server should no longer exist (very embarrassing flaws).

NB: I have not disclosed to anyone how to inject or exploit these vulnerabilities; KP has not been informed yet, so the site is still vulnerable. Please also note that any information I have shown here should NOT be misused; if so, use at your own risk.

Posted by Chucks

Thursday, March 03, 2011

Nairobi War-Drives

It has been a long time since I did some war driving in Nairobi.

So this weekend I am planning to start from Upperhill to Hurlingham, looking for WEP and open wireless access points. If you want to join in, please shoot me a mail at jgichuki at inbox d0t com.

We may also do some wireless pentesting to show the risks to the public and why insecure wireless can be an external threat to your organization.

Keep tuned in,

./Chucks

Thursday, February 17, 2011

Why PT without FW/IPS Evasion is not reliable Part 2

So, part 2 is here; I have received several mails asking me to blog on this.

This attack is simulated with a Cross Site Scripting vulnerability, for example on www.bank.co.ke. What happens is that the attacker discovers a flaw on the website where user inputs are not sanitized. www.bank.co.ke sits in the bank's server farm, inside the DMZ, well protected by the corporate firewall. In the server farm are DB servers, mail servers, domain servers, the web server, etc.

So what happens is that the hacker injects code into the website and convinces a tech support user to check the link out. The link has the full website address, but the injected parts are encoded as a disguise, and the IDPS (Intrusion Detection and Prevention System) sensors do not pick that up when it goes to his email.

The attacker has a remote zombie which has an exe embedded in a JS script, so he will send an encoded form of a URL like the one below (this needs to be encoded to bypass intrusion sensors and filters).

The characters // --> are meant to comment out anything that gets generated up to that point. Then we have the next step of the payload, where a script hosted on the attacking server has the exploit ready for the client. It is downloaded and executed on the user's PC. From there we have an SSL tunnel from inside the corporate LAN to the zombie server via a command prompt. So the attacker can control the PC from his laptop via the zombie through a tunnel which is not detected at the FW and IDPS centre.
There are so many other ways to inject malicious code into websites, which can fully trick users into engaging with the exploits against their will. These attacks will need to be obfuscated to avoid AVs and intrusion sensors.

Questions and comments can be posted below. If you wish to know how much further the exploitation can go, please comment or mail me; I will be happy to write up a full post as part 3.

Wednesday, February 16, 2011

Yes, An old Friend scanned the site...

I was with one of my friends the other day, and he had just set up a financial website; he was telling me that they would be doing serious stuff with several financial institutions all over Africa.

So the discussion about security came up, and he boldly said, "An old friend from India did a Penetration Test on it by scanning it, now it's safe and secure." So he actually did not even do this for his own comfort, but wanted to pass the compliance tests of some banks and the CBK. I don't like pointing fingers, but I think the CBK should also regulate how such assessments and audits are done. The CBK should update their mandate on such matters.

So the box, the LAMP stack that several organizations use, has several vulnerabilities, or rather it is a non-hardened LAMP. Hackers will always look for such default installs, and if found they will probe for more information and use such intel to exploit further, especially if they see a gain, financially or infrastructure-wise. So let's look at a few tips on how to harden a LAMP. These tips are just 10% of what you should do to protect a LAMP. Otherwise, if they have not been done, you have 0% security on your web server.

HIDE YOUR APACHE & PHP INFORMATION.

No one needs to know which version of Apache or PHP you are running when browsing your site, except hackers. So inside httpd.conf, change ServerSignature from On to Off. Below that there is ServerTokens; change it from OS to Prod. Also inside the php.ini file there is expose_php, which is on; turn it off. Also change safe_mode from Off to On. There are also some dangerous functions which need to be turned off in disable_functions=

After that restart Apache.

INSTALL WEB APPLICATION FIREWALL.

You will need to install a WAF to protect against online login brute force, web directory brute force and other forms of attack. PHPIDS is another solution which can be installed. PHPIDS is capable of detecting attack pattern strings, e.g. file inclusions (remote or local), SQLi, XSS, etc.

REMOVE SPECIAL FILES/FOLDERS.

Sometimes developers like to have files like phpinfo. These files expose paths to web folders, server kernels and internal IPs. I was doing a pentest last year where I found one. Prior to that I had no idea that the web servers had connectivity to internal business networks. The internal security personnel had no idea either, so during the test I found one on a server and it had internal connectivity. That's when I realised the admins had deployed internal IPs to the network for easier access to the web servers. So remove these phpinfo files. Other folders like /phpmyadmin, /mysql, /admin etc. need to be blocked from the public.

BLOCK DIRECTORY LISTING.

Directory listing is an immature mistake developers and webmasters make. Most Apache servers will have it turned on. Inside httpd.conf, change Options Indexes FollowSymLinks to Options -Indexes +FollowSymLinks (mixing +/- options with bare ones is not valid Options syntax).
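Added example (not code from the post): a small audit script that reads the httpd.conf and php.ini directives the tips above cover and reports each weak setting beside its recommended value. The configs are constructed samples; the disable_functions baseline is my assumption, not the post's list, and safe_mode is judged only when the directive is present, since PHP removed it in 5.4.

```python
# Constructed sample configs (not from any real server): the weak settings the
# post describes, beside their hardened counterparts.
HTTPD_WEAK = """\
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""
HTTPD_HARDENED = """\
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    # bare and +/- options must not be mixed, so FollowSymLinks gets an explicit +
    Options -Indexes +FollowSymLinks
</Directory>
"""
PHP_WEAK = "expose_php = On\nsafe_mode = Off\ndisable_functions =\n"
PHP_HARDENED = "expose_php = Off\ndisable_functions = exec,passthru,shell_exec,system,proc_open,popen\n"

# Baseline of shell-spawning functions to disable (assumption; the post names none).
SHELL_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_httpd(text):
    """Collect 'Directive value' lines; skips '#' comments and <Section> tags."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            out[name.lower()] = value.strip()
    return out


def parse_ini(text):
    """Collect 'key = value' lines; php.ini comments start with ';'."""
    out = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def indexes_enabled(options):
    """Walk Options tokens in order. No Options line at all means 'All', which includes Indexes."""
    if options is None:
        return True
    enabled = False
    for tok in options.split():
        if tok in ("Indexes", "+Indexes", "All", "+All"):
            enabled = True
        elif tok in ("-Indexes", "-All", "None"):
            enabled = False
    return enabled


def audit_lamp(httpd_text, php_text):
    """Return (file, directive, current, recommended) for every weak setting found."""
    findings = []
    h = parse_httpd(httpd_text)
    if h.get("serversignature", "Off").lower() != "off":
        findings.append(("httpd.conf", "ServerSignature", h["serversignature"], "Off"))
    if h.get("servertokens", "Full").lower() != "prod":
        findings.append(("httpd.conf", "ServerTokens", h.get("servertokens", "Full"), "Prod"))
    if indexes_enabled(h.get("options")):
        findings.append(("httpd.conf", "Options", h.get("options", "All"), "-Indexes +FollowSymLinks"))
    p = parse_ini(php_text)
    if p.get("expose_php", "On").lower() != "off":
        findings.append(("php.ini", "expose_php", p.get("expose_php", "On"), "Off"))
    disabled = {f.strip() for f in p.get("disable_functions", "").split(",") if f.strip()}
    if not SHELL_FUNCS <= disabled:
        findings.append(("php.ini", "disable_functions", p.get("disable_functions", ""),
                         ",".join(sorted(SHELL_FUNCS - disabled))))
    # safe_mode was removed in PHP 5.4, so only judge it when the directive is present
    if "safe_mode" in p and p["safe_mode"].lower() != "on":
        findings.append(("php.ini", "safe_mode", p["safe_mode"], "On"))
    return findings


if __name__ == "__main__":
    for f in audit_lamp(HTTPD_WEAK, PHP_WEAK):
        print("%-10s %-18s current=%-25r recommended=%r" % f)
    print("hardened findings:", audit_lamp(HTTPD_HARDENED, PHP_HARDENED))
```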

The other security fixes are better exercised by the security personnel in your organization. These include code analysis, checklists, OWASP Top risk tests, penetration testing, vulnerability assessments, etc.

Any questions, comments, please post below.

Regards,

./Chucks

Thursday, February 10, 2011

Why PT without FW/IPS Evasion is not reliable Part 1


Many attackers out there, cyber armies, black hats, investigators etc., who want data from your network/infrastructure will stop at nothing to try to evade all the access controls that corporates have. Due to this, it is the responsibility of the security companies hired to demonstrate this vulnerability and recommend many ways of blocking the security flaws that can be used for FW/IDPS evasion.

The picture shows one example. Here, an attacker with a laptop sitting somewhere sends malware to a user inside the network. All he needs to do is wait for the user to open the document that was attached to the mail; he will then run code on the victim and a tunneled control channel is established through the firewalls to his box. This is achieved via SSL tunneling.

I have taken some time to test this attack on several banks in Kenya, and it was well achieved, unlike try-outs in first-world countries, which need more recon of IDPS sensors and firewalls. I will be continuing this with part two in the coming week.

For questions, check below.

Regards,

Chucks

Sunday, January 30, 2011

If They scan and paste, why not just buy the tool!

As an infosec specialist, you might have worked with tools like Nessus, AppScan, Acunetix etc. These tools kind of give a pentester an easy time during an engagement.

Organizations throughout the world that have security departments testing for vulnerabilities on a daily basis use the same tools for easier scans of their subnets, but they also contract security specialists for a view beyond that scope. It is more money on their budgets, so they always expect better added value from what they are procuring.

The other day I was looking at some reports done by a very powerful company that specializes in AV (anti-virus) and also in PT (penetration testing). From such AV corporations I was expecting really good reports, but all I could see were copy-pastes from Nessus plugins. Many questions left unanswered there...

One of the questions i asked myself was, why not just buy a scanner and leave it running for your report?

Another question that truly comes up is, will the bad guys be doing the same?

Anyone who has answers, please post below.



./Chuks

Sunday, January 16, 2011

Before PT, Call-inject

Just before a PT op, clients who understand PT and VA will tend to call, maybe via management or even via their technical security departments, and will ask you as the pentester several questions, maybe about OWASP, methodologies, tools, etc. During this session I tend to listen and also ask questions, because they tend to lead to pre-info gathering just before the project.

This actually worked some months ago last year, when doing a PT on a big organization which was using Windows Domain Controllers that were also reachable via the internet. This was not supposed to be figured out before the operation; it was to be found after negotiations and the start of work.

Companies should be aware of such errors/flaws/human weaknesses, due to the fact that the pentesters who do not win the bids tend to be unhappy, and may have discovered that information via the phone calls.


./Chuks