what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Sunday, December 15, 2013

Black Box Penetration Testing

Before i start on this post, lemmie make it clear, there is nothing like BlackBox Vulnerability Assessment and there is nothing like Blackbox Internal Pentesting. "Shit people say to clients"
Black Box Pentesting is very different and as the world of Information Security changes to Information Risk this form of testing is changing and the clients will need a full and real service.

Forms of pentesting scenarios you should use when testing infrastructures are several, they should be real world. I will explain some here, that i have used over the years, most of them in Middle East and Europe. Just a few in Africa, but am still working through different contracts to educate clients how to pick Real World Pentesting from Normal Pentesting and away from Fake Pentesting.

Insider Threat

This is used a lot in the bank by criminals, where they will hire a developer, janitor or any other members of staff to provide info and access to the infrastructure.

Government Impostors

Pretending be a government agency, doing an investigation, e,g KRA, and due to that most people don't know the law, they will let you do anything to almost everything in an infrastructure.

Covert Data and Evidence Acquisition

Most Spy agencies and also Police use clandestine evidence gains, by hiring hackers to infiltrate a firm, especially Law Firms to gain access to vital information mostly for either National Security or just Superiority.

Thieves, literally Thieves

I have been in security tests where we have stolen wireless devices, broken into desks, jumped over fences, broke windows, cracked safes everything thieves do, I have had confrontation with guards and dogs, but one thing you gotta remember is that you are ethical hacker, and all that stuff you steal should be returned to the client either covertly or at the end of an operation.

Hackers on Hackers on Hackers, Brutal Brutal Hacking

Sometimes clients hire you to just pentest one server and they want this to be the target but they have it heavily secured against attacks and they thinks its safe. so whenever you try everything, it all gets caught and blocked, so as a pentester do you report it can't be broken into or do you do whatever it takes to take over? Well you should, hackers wont stop, they don't give in, they try to gain access to other servers and infrastructures trusted by the main target and so many other options on the ground.

Social Engineering

Talk good, use beautiful women, lie lie lie... is an operational gain during black box operations. Most employees have no Information Security Awareness training, 90% of people around us don't have careers but jobs, they don't care where they work, 90% of people around us are under paid, 90% bosses and leaders care less about their employees, we use that info to infiltrate an infrastructure.

Fraudsters

Most banks lose lots of money due to fraudsters, not just a hackers. So if you are testing stuff like Internet Banking, Mobile Banking and ATM Security, you need to think like a crazy Nigerian attacker. do some reading about them and let me know what you think.

Espionage

The Service and Research Organizations lose a lot of millions due to data leakage and theft. This mostly happens due to competition between two companies that offer the same service and if this is the highest risk that such an organization has, you should test it, since the client will surely need to know how far the damage will go.


Organized Criminals

I have seen so many banks lose millions due to organized crime, i know about these Banking Cartels that work with the CBK and other government offices to launder money and steal lots of it from different public offices and the normal pure Organized Criminals who just use everything to gain access to safes, and other important and secured commodities. So use of hardware like keyloggers, stakeouts, chase-outs, guards -payday, tailing, Mens-Lusts, family vulnerabilities, social media etc are used on such operations. Give the client the best.

Hacktivistism

A lot of organizations, groups, memberships are always targeted by different adversaries, who just want to deface and damage their names for a cause. These attacks mostly include website defacements, Denial of Service Attacks and many others which are not as sophisticated as the ones above. These tests are essential when you want to know how much damage you would get and how fast your Incident Handling team can handle and forensically investigate it.










Sunday, December 01, 2013

SURVEILLANCE ISSUES

Most of the time when we are doing Black Box Penetration Testing, we do get some issues on the way especially if it on a Target which has revised any form of Security Threats and has contingency plans



We all know BlackBox Penetration testing includes realistic threats to an Infrastructure either an Insider threat, Targeted attack, Fraud, Identity Theft, Govt Covert Operations, Espionage and Theft. So during these tests, we plan and execute as if we are conducting such an operation depending on what the Organization that has hired the professionals for such a service, actually needs.

So surveillance is one of the stages you will see such pentesters use against you and your employers. Most of the targeted are CEOs, Head Administrators, Gaurds (and their Companies), Janitors (Cleaners), Cooks, Businesses sharing the same building, Hanging out spots etc.

So when you profile a target, you will need to learn the subjects habits, friends, contacts, frequented places/joints. Also learning the neighborhood the target is located is very vital, since you will know how to watch the subject and from where.

So Surveillance or rather mostly Cut tailing, Stakeouts, Shadowing, Tailing (On foot or Mobile) is very essential before a social engineering attack or Physical /Operational gain-through to a organization.
Last month we watched an organization and we learned the guards love drinking on weekends, so we knew on Sundays they are more tired and hangover-ed and we used that against them on a Sunday afternoon, to get into the compound and gather more intel.

Some of the Issues we get during Surveillance

a) Losing the subject, especially when the operation has grown vital, e.g, like the moment you are almost getting some vital information and then everything goes cold, e.g Wifi Keys from his/her devices

b) Risk of being discovered. If the target discovers what your are doing, he/she (women do that a lot) might confront you or evade surveillance. Some of this may ensure to a chase, or involvement of law enforcement, which is counter productive. If its time to run be ready to run, if you've got good cover story be ready to use and make sure its effective and balances with the way you talk and dress, otherwise you are burned. Its important to act natural, sudden movements during a tail can easily get you noticed especially if the subject has learned counter-surveillance. People also try to show they know they are being watched, by acting so, it important to keep your cool and know its an attempt to harass you by just guessing you are a surveillant, which if you watch for a while, he/she might do the same to another person, who has no idea what is going on.

c) Long hours of stakes-out means no movements out and inside a vehicle. If you are in the vehicle, you gotta stick there until next shift, that may involve peeing in a bottle or paperbag. Most people cant do that,  its important to be strong mentally and be ready to do anything. Remember car stakeouts are not the way you see in movies, its much more different, e.g having two people sitting in a vehicle might raise attention, plan and be effective. Acting like two lovers is known to blend in and sell an operation.

d) Communication is vital between operatives, sometimes you will try to social engineer the target and if you don't have good communication with the people inside the compound, the operation might get blown. Constant communication between people on field and people controlling a zombie network, e.g waiting for a flash-disk to be inserted into computer is vital. Also try to encrypt any form of communication, even the keyloggers.

e) Tailing a vehicle is hard especially in Nairobi. Using GPS is one of the solutions we have used, but sometimes you will not get access to go near the car and attach a GPS equipment, so tailing such a car might need a two team surveillance and that increases the cost, though the operation is effective. Most people have not been trained how to do this and have no idea how to operate, so training a person how to cover a large area during surveillance is harder. Its also important to understand the area and follow the traffic rules, so locale reconnaissance is vital for such an operation. Night tailing is harder, due to Nairobi traffic, you can always send someone on foot to attach a reflective leaflet on a cars rear, that way its easy to spot the car at a distance.

With more projects, as they come through, i will be able to come up with a good list on how to counter some of these attacks.


There is a blog post am supposed to post later on this month, about Real World Penetration testing VS Normal Penetration Testing. This is probably important for banks who do Pentests and a month later, someone commits a fraud or hacks the Internet banking. Even though the pentesters broke into a workstation or a certain server, in a some way it might help the security dept, but how will it help the Bank to protect themselves against real world attacks.

Anyway, Great Sunday,

./Chucks






Sunday, November 17, 2013

BLACK BOX / RED TEAM ASSESSMENT FIELD REQUIREMENTS



This blog is meant for everyone who keeps asking me about Red Teaming and accompanying me, during such operations. The reason i normally refuse its due to that some of them don't have minimal requirements that an operative should have.

Now remember old school BlackBox doesn't require RedTeaming, but with the advanced technology, and security threats, this part of testing has to be applied. Most Pentest Companies will tell you its not part of Blackbox, since they have no idea how to do it and have no personnel and they will have to give you a substandard service.

1. Confidentiality

You need to keep what you learn about the operation close up, until at a time when its declassified and irrelevant. Naming of client Organization and the vulnerabilities that they still have should not be known by the public or friends. Also the target should not know when attack is underway, everything should be stealth as possible. Thats why Red Team is part of BlackBox Pentesting especially during Clandestine Intel Gathering, Social Engineering and Physical Exploitation.

2. Strength and Speed

You have to be really fit, fast and strong. This is not a field for the weak and fatty fatty geeks who sit behind the desk all day, this is for the people, who will pull themselves over a roof / fence, who can run for a long distance, can sprint very fast at short distance, can jump from one staircase to another, go through stairs up to the floor target in a tall building and still type, and also be able to handle an on-coming threat in a hostile area. This is where alot of you fail.

3. Integrity

You can never be bought off, by thugs to help them steal money from a bank.
You can never Deny services, to servers and infrastructure because DDOS is your only options you got.
You don't Bruteforce until its the last option.
Any machine, mobile technology, access cards, printed paper work, should be returned back after the engagement.
You can not hack back the network, because the organization is taking forever to pay you.
You should never leak surveillance footage, even if its explicit, it should be deleted.

4. Think on your feet

You should be able to react to a situation, make something up real fast, be a fast thinker and be good with words. Not many Computer geeks are good with this, but you can learn.

5. On Ground Defense/Offense

You should have an idea of how to crack a safe, how to steal a wallet, to plant an accesspoint / flashdisk, notice a weapon/ gun-type, or if somebody is armed, learn how to use a side arm (Not so necessary, unless contracted for Govt Operations), learn how to spot a camera and other physical security devices and be smart on the road and streets.

6. Financial Knowledge

Its vital to understand banking and other financial infrastructure, applications used in banking, understand how these infrastructures work and which types of servers and operating systems are commonly used.

7. Adapt to any environment

During Threat Intelligence, one of the vital issues you will encounter is understanding the administrator who set up that network, the guard who is at the door, who did set the firewall/IDS and what was the state of their mind. What are the inner-working of the IT Team in this organization and how they relate to the users and their bosses. You should be able to adapt to any other situation that has developed during the engagement. (I remember fixing a service i had messed uo, before the administrator figures out the service has crashed)

8. Perfect Liar

Social Engineering and Espionage requires good liars. You gotta make up the perfect lie that will sell during an assessment.


So these are the most essential Requirements during a Black Box Penetration Testing, the others are equally important but not as essential.


Thursday, November 14, 2013

DE-CLASSIFIED VERSION OF INTERNET TO ATM EXPLOITATION

Late last year i was involved in a Penetration testing as a third party attacker. The attack was meant to show risks that can be used to gain access to ATM-Bridge and ATM machines and how someone would gain access to them from the Internet. Now the issue is that this could not be done in the amount of time the Bank wanted, and also the main contractor didnt believe in full penetration testing. So i dropped the job and talked to the IT Manager and told him i can exploit the bank in less than six months, give or take. He was reluctant but agreed on later after the contractor submitted their report.

So here is a declassified simulation, where you can use simple tools from backtrack to gain access to the network.


The fun part on this simulation is HP-Aux ATM-Bridge servers. Most banks use HP Softwares for network managements e.g HP Data Protectors and most of the time they are installed on Server level application and thus makes them easier to be exploited, we all know port 5555? I hope the answer is YesZuur






Also if you get access to A.D servers due to vulnerabilities that domain controller has, eg this one was on Windows 2003 Server, you will be able to control the main HP Protector servers and you can get full access to ATMs.


Now remember most of these applications could have passwords, so accessing them via rdesktop using another session would be hard, but by now as a pentester you should know how to hijack a remote desktop session that an authenticated user is already in, via Active Directory on a Domian Forest.


Anyway, trying to figure out which bank this is will be the hardest part of your reconnaissance, but understanding how such a pentest works will be the best part of upgrading your career in Infosec and defending your organizations.







Thursday, November 07, 2013

Blog Posts

Hi.

So,i usually make sure i release a post every month, even though some do delay, this is usually due to restrictions by clients, i cannot release some info about a pentest to avoid leakage of where and when this infrastructure was tested, so there will always be a waiting period, so that no one can actually figure out who was the target.

Thursday, October 31, 2013

HEAD ON WITH KSN 2013

I have had any assessments where i have gone head to head with Symantec, McAfee and other security products, KAS once in a while but this year i had a chance to face KES or rather Kaspersky Endpoint Security and KSN Kaspersky Security Network.

Now, alot of Pentesters get scared of some of these AVs and HIDS that these End Points products do host. But as a security official, you should know that nothing is impenetrable, and you should not give in, since the bad guys who come after such an organization wont.


I have seen Pentest reports from majority of our Security Companies, and most of them would report that they do see a vulnerability (That is from a scanner), but they can't penetrate to the system, and thus, the Assessment changes to a Vulnerability Assessment. I know most of you can't agree to that statement, but its a true fact and you know it. I did get myself to such a situation last month against a WAF when doing a Pentest and i couldn't report it as VA, blog of another week.

So lets go back to Kaspersky and understand it.

We know Kaspersky as KAV, or rather Kaspersky Antivirus, which as a matter of fact is one of the best. Even though how expensive the product is, you will find it in most secure networks especially the financial infrastructures world wide, and i think thats where KSN came from. So Kaspersky will find worm, trojans, malware, viruses, botnet-callbacks and neutralize them. So with KSN, all the users of this product from around the world are connected together in some way, via the Kaspersky Labs, to help with the identification of malware, new and oldies, and reduce the duration to neutralize them.

Understanding of the product and the target using it, are vital important aspects during an attack. A lot of us do Target Profiling during Threat Intelligence Phase, but we forget the need of understanding of the AV and its background. Just the same way we find the LimeSurvey CMS on a target, we download it from its main source website and run it in our Virtual Network to understand it, it should be the same way we deal with AVs.

Kasperky when installed on a domain network will have the main Server that will install agents to each machine on the network  that are joined to the domain, but the admin panel has no password login, so if you access the server that hosts the administration, you can easily admin agents to the workstations and other servers.

KES still doesn't catch Polymorphic intrusions, if you have good experience in executing such malware you will have a good way in, it all about experience and making the infrastructure believe your executables are to be trusted. Such an operation should be tested virtually before execution in an network that you are testing.

If you gain access to the box and do your add, 'net user' to the domain, this will be the screen you will get, KES will gladly welcome you.


Don't change a Pentest to Vulnerability Assessment and tell the client that it was a Penetration Testing, just because an AV stopped you. Bad guys will not.

Tuesday, August 20, 2013

HARMONY

A while back i encountered a security App/Device  called Harmony which was installed in a Windows Machine, 2008 MS Server. Now, the reason i was able to find it was coz i was already in the infrastructure WiFi, via a simple WPA PassPhrase and this Software/hardware product from Israel wasnt secure as it should be, but it was meant to secure a banks' doors.

I wont mention which one.

Anyway, i completely understand the ignorance SysAdmins have, maybe its coz of the pressure from the bosses, but security should be considered first hard, especially when physical and operational security are interconnected.

Yes most of the auditors and security testers will ignore this aspect, but not all do, and that means all the bad guys will never ignore such a gateway, FIX IT!!!

Harmony is used to control Physical security for doors and has both Proximity and Biometric capability, and the server which is holding this together, should at least be moved from all the other Vlans and should have a name, that no one would figure out what it is after a scan.

So this box kinda had its LAN, connected to the controllers at each door, and these boxes connected to a port on the server that allowed data to be stored and reflected for the SysAdmins. Due to how Symantic treats traffic, the first option was to kill all its PIDs, and i didn't expect that, all  the doors would jam, which happened. And immediately all the floors at the Banks were opened, late at night, without even an alarm.

Then nextsteps were just simple, since all the other sensors were controlled by the server, moving between floors, was easy especially in the morning when every one is busy, to further Post-Exploitation

VITAL LESSON, early defense is the best defense.

Monday, August 12, 2013

MOST OF THE KENYAN BANKING PASSWORD SECURITY

Lately i have been involved with Banking Security alot and i have noticed that admins are really trying so hard on Password Security. Personally i never bruteforce, i always let the guys starting up to run the Xhydras, but if i do its normally a manual check, not running a tool on the network, with a string of passwords.

I find running some of these automations so chaotic

One issue i have come to realize its better just to try bypass the AV and just dump the passwords on the memory and since all the Kenyan banks carry same security loop holes, from one institution to another, that they never fix, its has become like the same game for me each day. So, i will list some of the passwords you might find if you are doing Pentests for Kenyan banks in Nairobi.

Domain Administration Passwords

P@ssw0rd
$ecurity2013
$ecurity2012
p@ss2013 e.g DTBp@ss2013 "This is just an example, its doesnt mean its the one"
p@ss2012
N3ptuneApps
datast0re!

kkitabu

Application passwords

admin: netptune
admin: Oracle10
admin: netfilter
admin: nitajaribu


The above, experienced in five banks.

Will Continue adding more as time goes on.

Wednesday, July 10, 2013

CREATIVITY DURING PT & VA

Most of the Pentesters testing Networks, Organizations and infrastructures fail due to lack of imagination and lack of adapting to the environment.

Take for example, there are organizations that use the Domain Controller Machines as Proxies Servers, so when doing an Internal Pentest with these companies, you will be working with Proxies to get to the Internet, so obviously they will give you a user-name and a password for the proxy, so that you can communicate and share information during the White Box Internal Pentest. so if you have those credentials, don't you try see if you can join the Domain, yeah, why not use a virtual box to do so. You might just find your self owning the whole Domain Network, or maybe a bunch of Domain Forests. Though Penetrating in Domain Controller environment requires past experience in maintain and developing one or two, when you were System Admin back in the day; adapting to the environment is vital, maybe Primal, as many would say fundamental.

So when i talked about tracking cars, we all know that some of these equipments are really expensive, but you can always adapt, get a normal car GPS, like the one below, these equipments show every route or direction a car is going, this is like 20k now in the market. When i bought my first, they were a little expensive.


   This is a very good way to know which route your target uses mostly, i know couples who have used these devices to burst their cheating spouse. So its just creativity, use what you have and you will make a good pentester out there. No need of buying CoreImpact if you can't afford it, you can always rewrite Metasploit according to your own needs.

Use what you have, manipulate what is there, adapt to what you see and surrounds you, every infrastructure can be broken into. Help them to defend it. Thats why you are there. You are not there to just run Burp, Beef, Nessus, MSF Auxiliary, Nmap, and other tools, that will make the client fancy you. Your job is to help them defend it.



Tuesday, July 02, 2013

DOGS -THE INTRUSION DETECTION SYSTEM

There is nothing which is as bad as being caught by an IDS during a Penetration Testing. Well, i have been caught several times and i will not deny it, i felt terrible.

I remember a few days ago i was in the middle of this assessment and i found a hole on a XAMPP server, and also found out the phpmyadmin CMS was not protected.  It was on the first days of the assessment and i thought there was no need to exploit the flaw even when it was all there for me. So i decided to run Acunetix, due to laziness, because i had loads of other machines on the network to look into. Immediately an IPDS installed on that box shut down all corners of the xampp box, and i couldn't even access the phpMyAdmin. Now that was demoralizing.

So a few nights ago we were doing a recon against a target, collecting information, picking up activity log, registering movements, occupants, picking email addresses and developing a distributed metastasis plan, until when i decided to enter the compound to try get more information especially from their dust bins, since running coverage wasn't as fruitful as we needed. Me and my team we never thought that, the dogs were let out in the compound at a certain point. These big mean beasts were always in the house, feeding and sleeping. Jumping over the fence was easy, the compound is located at cool quiet Estate in the uptown Nairobi. During these tests where Physical, Social and Operational is used, arming yourself with "Get Out Jail Free Card" is advisable due to cops and guards.

Remember dogs are so used to seeing people and you can easily walk through the front door and it will think its just a normal guest.The problem is if you try to break in or jump through the windows and they spot you, you are dead. Learning the dog breeds is one other important aspect that we didn't consider, professional burglars do it. During pentesting we also try to figure out the remote AV versions, IDS version, but unfortunately here we didnt  even get to understand which breed was guarding the house.

2 minutes near the veranda, and these three dogs just jumped out, i almost pooped, i knew i had been caught. Luckily i am really fit, i just turned, dropped my torch and moved real fast towards the fences with dogs on my heels.

Well we eventually found a way to gain access to the target infrastructure and did our reporting, and the mention of the Dogs issue wasn't mention there. Am sure even right now they still think, there were burglars in the compound, or maybe not.





MAXING THE WALLS

Hi good people.

A few Months ago i was tasked to a Penetration Testing, for a Secure Organization and they wanted to know which vulnerabilities they had and how someone with some bad intentions would take it.

Now this organization, i will call Tazama LTD, for security reasons and NDA agreements. This will be used for Knowledge transfer only and should not be used against an infrastructure which could be having similarities.

Now, i was called in for a target, everything was Blackbox Penetration Testing and i was allowed to use Red Team Assessment wherever possible. Now hard to hack infrastructures are my best, since i love challenges, and anything i fear doing, seems to make me grow further.

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

So first was to get the recon done, find where the offices are based, the HQ and also the Management names from the website. Remember, every battle is won before its fought. The organizations chart, Job vacancies, Emails addresses, Phone numbers, Facts and Figures, were the first to go for.

Recon went on to the operation aspects, Domain names, Network blocks, DNS Servers, etc. As i did this, i realized the IPs they were using as gateway, was not registered under their name, and several offices across the country had Internet Connection from different providers. And to get all the IPs, i had to send mails to all different offices, and X-Originating IPs came with internal network IPs flowing back in to my Thunderbird like little springs on hills.

All the IP were all heavily secured, no ports allowed, except the MailServer in Nairobi, and The Website, hosted in States, now this was a challenge. Alot of pentesters get dead tired, when they see this:

Starting Nmap 5.21 ( http://nmap.org ) at 2012-xx-xx 18:25 EAT
Nmap scan report for xxx.xxx.xxx.xxx

Host is up (0.0037s latency).
All 1000 scanned ports on xxx.xxx.xxx.xxx are closed


I used to be there too, experience is the better teacher. Nothing is impossible.

Next step is to check out the HQ office in town, and they were up the top floors, up to 20ths, and the building surrounded with others. Driving around town and getting a parking was getting hectic. I needed i better solution. So hired a van for three days, a driver, and packed in my gadgets for this adventure. We drove around the buildings as we looked for an easier way in, without having to drive in, at the same time i had my antenna just a few inches out of the windows, picking up one ESSID that had their Org name on it. Lets call it Tazama1, was a bit faint to receive packets though. So eventually, i knew there must be Tazama2 and maybe 3. With a building that is almost 20 floors, and the offices all way far up, i had a task. Had no tablet on me, and i really needed some good OS for this attack, so i had to find a way to the building, with a good laptop and maybe extra batteries, just incase. (Shud invest in a 12 hrs Laptop Battery :D)

The building has a college and an entertainment office, as long as you knew their names, you would walk right throw the main door. So, i left the van, walked through the main door, social engineered the guards and went to the 2 floor where the Entertainment Agency was located. I realized that the stairs weren't guarded, so up i ran, to the 19th floor, and there i could get clear WiFi signals. That was the first vulnerability picked up. These guards seemed professional, but forgot to secure the stairs, but had their men all over the corridors.








All the doors to the offices were locked with Biometrics hardware, to get in through, you needed a fingerprint and a code. During this kinda of assessment its okay to try break into them, but if you don't have good hardware, you might end up being caught. Its an optional target, but remember these days, a Pentester is like a plumber, a dentist or a mechanic. Everybody is always looking for a good one.


Breaking down the equipment is bad for business as the test is a Covert Operation and thats why we call it BlackBox Penetration Testing.

There were no cameras on the hall way and the toilets aren't closed. Guards Room was closed though, it wasn't like a former Pentest, where we wore guards uniform and walked all over the company, story of another blog post

The WiFi Access Points, were all hardened WPA and all that i would collect were handshakes, nothing further, but to bruteforce later.

airodump-ng -c 9 --bssid xx:xx:xx:xx:xx:xx -w psk ath0

Tried not use --ivs, since i wanted all packets, then de-authenicate the users, and they all connected back and grabbed all data.

The first password list failed, no need to try futher, maybe later on, if there is no more holes to get through. DDOSing the WiFi wasnt an option, although bad guys would do the same to course havoc, i had to choose between that and Penetrating into the systems.

Weekend was approaching, and all i had were WPA Handshakes and Building Structure, Physical Security and Organization chart. So i decided to explore further and the building had basement floors where employees park their cars.

Now one thing you will find in most cities is that Parking Lots are labeled with the company name and who is supposed to park there. Now this is good for governance but at the same time can be used against the organization.  By the end of that day, i had the names and a few car number plates of the users. Target was the IT Tech team, yes it has always been.

Developing plans for the next attack, coming week, was harder, due to that it needed a second player, someone equipped with art of deception. I needed someone  to sell a good lie. This is where putting in a little show, making someone angry or work hard to get a piece of information, without compromising the real intention of the whole scenario seemed real chaotic at this moment. A great way to get people talking about their security is to put them on the defensive, accusing a Information Security guy of having bad IDS systems, Weak Firewalls and before you know it he's telling you where his motion detectors are, what WAF he uses, and even the IPS configurations. With not much experience on this, a back plan was underway.

Now, the backup plan was to follow IT Manager to his house, and hope he has wifi and carries his laptop home with him. This seemed better, and this time i went with one of my fellow workmates.

Monday is pretty havoc in the city, traffic is all over the streets from morning to evening, trailing someone might seem real hard especially with City Cops, not allowing motorists to use street lights. So we decided to plug out my car GPS, stick it with glue under his car, and secure it in a way that it wouldn't fall due to bad roads in Nairobi. The GPS if well charged, can be up, to 6-7 hrs. From here, there was no need of trailing our mark, but to wait for him to park his car the next day in the basement, pick up the GPS, charge it and check out his route.

This whole plan worked okay throughout but with only one issue, he was living in Umoja Estate. This estate is a little crowded, going over recon via such a diverse area was getting almost unreasonable for this type of work especially at night due to the risk of getting mugged or robbed, depending on how many hours we might use breaking into his home WiFi.

Luck was on our end, it was on WEP and a cheaper, older router. No wonder he had no access to WPA Security. With SMB shares on the laptop, we were in via smbclient, and able to know the version of Anti Virus and get to understand which type of exe to upload. Mostly, the best way is to set it up on C: drive which is frequently opened. Setting up an Outrun file, the executable will quickly launch in the background.

With smbclient, you cant read SAM, or even copy it. And even if you copied it, it would still have problems decrypting, a meterpreter call back would give us the hashes, all cleaned up. But nowadays, in real life Pentests MSF seems not to do much, so if you can, get to use your own prepared tools. On this one, Symantec EndPoint Protection, was hell and back. Metasploit was not an option here.

The exe didn't called back until after five days, we used that time to go through any sort of data we pulled from his drive. Machines running Window XP don't have much security even when hooked up on a secure domain, and i still wonder why Security Departments let workstations still share files or hard drives to the network.

A workstation is not a server!

We pulled SQL files, downloaded PST, which had some information about the Employee entry cards and Boimetric data. All the vulnerability reports done by Information Security Dept was also there, so we knew all specific types of servers and their internal IP Address, decryted alot of passwords, and this time we had a connection from our zombie, and it was from Tazama internal network. This is a classic Advanced Persistent Threat.














Now with this form of encrypted network attack, scanning throughout the network is much more easier, and more vulnerabilities were picked, plus new targets.

Reporting and cleaning up is always the last options for a penetration tester.

Show the customer the risks, and group them by:

a) Ease of Identification
b) Ease of Exploitation
c) The impact to the Business
d) Over all Risks
e) Recommendations

More blogs to come,

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

signing off,

./Chucks.

Monday, June 24, 2013

Real Penetration Testers VS The Fakes

Lately I have been seeing reports done by several banks as I worked for a Government entity to see how secure Kenyan Banks are to Compromise / Security Breaches as we all moved to a further digital network as campaigned by the new officials.

Now, what I came to see, were Reports by several Security companies on Penetration Testing, which were really bad, am still wondering whether to call it disgusting, or un-purified work.

So I got to ask myself, how would a client know if the guys he hired are really doing something? As I read these reports, most of the snapshots were from Nmap, Cain and Abel, Nessus etc. Funny, I rarely saw no snapshot from xterm, terminal, konsole etc. At least, I was wishing, "please, just a MS CMD screen shot, please"

Other pentests as I read, were done for 7 days, or 10 days, and as you know, this is equally impossible for a PT, unless you are doing a Health Check. Health Checks are supposed to be free, why pay millions for one. Does it make any sense?

So anyway, how do you know you are getting robbed?

a) The Pentest team are just using MS Windows

Any hacker out there who is trying to rob you, hack your network, he will be busy using tougher tools, and mostly these will be found on Unix/Linux systems, which are more robust, and can handle robust networks adequately. So unless the team is using Core Impact, then you are not getting your moneys worth.

b) The Pentest is taking less than 2 weeks

Any hack, Penetration test, goes further than a Vulnerability Test, or even a Health Check. Real Black hats, even in Terrorism and Organized Crime, take time, scanning, checking vulnerabilities, learning the network, coding new scripts to find ways to bypass the some changes you did on your Webserver/Filters, Social Engineering and many more. Yes, in Hollywood, they take 5 minutes. So if you are getting a pentest and these guys are just busy firing nmaps, nessus, burp, w3af, etc, and nothing else is happening, and they actually told you ten days Pentest, or less, please just fire them, they are just after your money.

c) Logs, on your Systems

One thing i know as a Pentesters is that logs will always be there, no matter how covert you are during a test. As a Pentester, an online Bruteforce, will always come as the last option. So as a System Admin, if you see some bruteforce on telnetd, or maybe sshd on the first five days, just know these pentesters are hopeless. Another tool used commonly is nmap. Most of the Organizations out there have Firewalls and IDSs already implemented on the network, you can always see nmap scans no matter how covert they move, but why would a Pentester still run nmap on your network on last days or even on the second week? But if he is running a nmap scan, from a machine that you own, that he has already infiltrated, then bravo, he has talent and is giving you, your moneys worthy.

d) Pentesters Clocking time, in and out

This is mostly for Internal Assessments, where the Pentester sits in your internal network with his machine. So he/she is there in the morning for the first few days and leave by 5 pm every day. The same schedule, even after the second week, what is really happening here? Ask yourself that twice. To make it clear, every pentester has a habit of getting a shell, and trying to maintain it until he has found a way to lay down a backdoor on that system. He/She cant lose that contact, that first shell is everything to move to next target, and use it for more malicious attempts on the other machines. So, if on the third week, the penetesters are not even prolonging testing, eg even going 18 hrs on that desk, then just know, they are not getting any shells, and they are busy facebooking and tweeting, as nmap scripts run on repeat, just to impress you.

e) BlackBox Testing, turned into a WhiteBox

I have seen organizations asking for a blackbox penetration testing, and then i have seen penesters, ask for logins, passwords and connections. Seriously, a blackbox test is a blackbox Assessment, it would rather turn into Red Team Assessment. Come on Security guys, get over yourselves, lets give these people what they asked for, there is a reason they did.

Well, i cant remember other ways for you to identify the fake Penetration Testers, but one thing you gotta remember, these days, in IT Field, certifications don't matter much anymore, they are just there to show you he/she can learn, that way you find Bedroom Coders are the best programmers than guys fresh from University.


More blog entries later,

./Chucks


Friday, June 14, 2013

BACK

Hey people, been a while since i blogged. Been working hard to restore a few things back, coding and research. Will soon be posting a few things that i did early this year, especially on RedTeam Assessments, Black Box Penetration Testings, and new Labs that i have been creating.

We are supposed to have a Pre-Hackbattle before we go for a bigger one at the end of year. which will be before August and the real one on November.

Stay tuned, hashtag #infosec