We Are Not Just Numbers!

“I’m not a number, I’m a free man” said Number 6 in the series called “The Prisoner” (for the oldest amongst us). The series was broadcast in the Sixties but we have to admit that, still today, we are only numbers! And this will be worse in the coming years.

Personally, I’m not against being a number if controls are properly implemented. Numbers are easy to index, to sort and to search. Numbers are a good way to identify things or people but they can easily be spoofed. As Wikipedia says:

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data (in this case the number) and thereby gaining an illegitimate advantage.


HITB Amsterdam 2013 Day #2 Wrap-Up

HITB Room 1

And we are back for a second day full of fun and pwnage! It was a rainy day in Amsterdam today but water will not prevent hackers from meeting again! I reached the hotel in time for breakfast.


HITB Amsterdam 2013 Day #1 Wrap-Up

HITB 2013

I am back in Amsterdam for the third time this month. Today, it is to attend the Hack In The Box conference. This is already the 4th edition, time flies! Like the previous editions, the event is organised at the Okura hotel, a very nice place. Thanks to the Easter break, roads to Amsterdam were clear and I arrived in time to register and grab some coffee.


Review: Penetration Testing – Setting Up a Test Lab How-To

I’m just back from an Easter break with $WIFE and $KIDS but it does not mean that I was completely disconnected. Between family activities, I read some items pending in my todo list. One of them was the book called “Penetration Testing – Setting Up a Test Lab How-To” from Packt Publishing. This is the second book I have read from their “Instant” collection.

The book, written by Vyacheslav Fadyushin, has only 88 pages but goes straight to the point: helping you to set up your home lab to learn (or improve) your penetration testing skills. Building your own lab is a critical step. Most pentesting actions being against the law (wherever you are living), it is important to have safe (read: private) environments to test new tools, new attacks or exploits. Note that the targeted audience can be extended to security researchers, developers, etc. Everybody needs a lab!

The first part of the book describes the different pieces of software that will be used by the author. Today, it’s impossible to work without virtualization and the author covers briefly the pros and cons of most common virtualization solutions. His recommended list of software includes:

  • Microsoft Windows Server 2003 & 2008
  • Microsoft Windows XP & 7
  • Ubuntu Server 12.04LTS
  • Common web browsers (Mozilla, Chrome, Safari & IE)

Note that some of this software is commercial and requires a valid license to work (temporary or permanent). The pentester is of course responsible for buying it (or for finding it by their own means – no more comments). What about the hardware?

  • One “big” PC with many CPUs and memory
  • One Wireless router
  • One laptop
  • One Android mobile device

The author talks about a PC with “at least 4 GB RAM“. With today’s prices, my suggestion is to start directly with 16 GB RAM! The more you have, the more smoothly your guests will run. Of course, your future lab will depend on your requirements. To help you in this way, in the next chapter the author briefly describes the goals of pentesting and then gives interesting tables with the different skills you would like to practice and the required components. A few examples:

Skills to practice            Required components
Discovery techniques          Several different hosts with various operating systems
Scanning techniques           Firewall
OWASP Top-10 vulnerabilities  Web server, database server and Web Application Firewall
Wireless attacks              Wireless router, RADIUS server, laptop
Tunneling                     Several hosts

The next chapters cover how to deploy your lab in different scenarios, again depending on your needs. Configurations are reviewed step by step with multiple screenshots. Finally, the author describes some online services to practice your skills, based on websites or specific virtual machines ready to be downloaded and exploited. The examples described in the book will address most of the requirements for standard pentesting projects but some configurations or architectures will simply be impossible to reproduce at home.

More information about the book is available here.

HITB Amsterdam 2013 Wishlist

The next edition of Hack In The Box gets closer! It will be held next week in Amsterdam. Thanks to the organizers, I got a press pass and I’ll again be back for two days at the Okura hotel to cover the conference. I’ll tweet live (follow the official #HITB2013AMS hashtag) and write wrap-ups. The conference is organized in the classic format: two days of trainings and two days of high-level talks. They will be split into a three-track schedule. Here is my wishlist:

I had to make difficult choices due to the overlap of very interesting tracks. At the end of the first day, I hope to be able to attend Itzik Kotler’s workshop about his new tool released just a few days ago (hackersh). The content looks amazing, with very good speakers. Stay tuned for more details soon. Ping me if you want to meet!

Are You Using “NAC” like “No Access Control”?

An interesting reflection about a situation I faced while performing a pentest for a customer. The scope was the internal network or “show me what an attacker could access from a rogue device“. A very wide scope indeed… The customer is using a NAC (“Network Access Control“) solution to allow only corporate devices to connect to the network. To briefly explain, a NAC is based on tools and protocols to identify end-point devices and grant (or deny) access to resources based on multiple factors like the operating system, the installed patches, the presence of a firewall, an antivirus, a security component or a specific software configuration. A device granted on the network will usually be switched to a specific VLAN corresponding to its profile. Some firewalls may also be dynamically reconfigured to allow new traffic flows. If you are interested, Google has plenty of results on this topic. Most security $VENDORS have a NAC solution in their portfolio.

The first idea when performing the pentest is to try to understand how the NAC is implemented. How to simulate a “good” device on a “rogue” one… Wait, wait, stop! Let’s take a deep breath… What will happen if a rogue device is detected? In most cases, it will be moved to a quarantine or guest VLAN. This allows the owner to access basic services on the Internet (web surfing, email, VPN) or to perform some remediation and solve the configuration issues (like upgrading the antivirus signatures).

How to take advantage of this? We could imagine the following scenario: let’s connect a rogue laptop to the network. It will logically be connected to the guest VLAN. Now, let’s wait for another device, try to pwn it and set up a permanent reverse backdoor. If you’re lucky, the next time it connects, it will join the right VLAN. In my case, it was even easier: the guest VLAN was not properly configured and it was possible to reach servers as well as other devices in internal VLANs!

Conclusions:

Attackers, don’t try to attack the big wall facing you, always try to circumvent the difficulty by exploiting weaknesses on the side:

Gate Bypass

Defenders, don’t ruin your $$$ security solution by implementing poor controls or no control at all!

Review: Wireshark Starter

Here is a quick review of a book about the well-known network sniffer: Wireshark. This book is part of a new collection called “Instant” edited by Packt Publishing. This is an interesting idea for people who don’t have time/don’t want to read a classic 200-page book or who need to go straight to the minimum to start using a tool. This book has 68 pages and is of course cheaper!


BlackHat Europe 2013 Wrap-Up Day #2

Photo

And we are back with the second wrap-up of BlackHat Europe 2013! After a dinner with friends and some beers at the Rapid7 and IOActive parties, I went back to the hotel to finish the first day wrap-up. I woke up, took a shower, grabbed some coffee and I’m ready for the second day! No workshop planned for today, only talks. Here is a review of the ones I attended.


BlackHat Europe 2013 Wrap-Up Day #1

BlackHat 2013 Badge

Hello Everyone, it’s BlackHat time again! Here is my wrap-up for the first day. Yesterday evening, after a safe drive to Amsterdam with @corelanc0d3r, we went out for dinner and had a good time with other friends and guys from the Rapid7 team who maintain the Cuckoo project. The conference is organized at the same location as the last edition, the Grand Hotel Krasnapolsky, a very nice place in the centre of the city. After a standard (but necessary) dose of caffeine, Jeff Moss performed a brief introduction of the conference. For this edition, 500 people registered to attend the conference. Jeff insisted on the feedback that attendees can provide to build better events in the future and choose the right directions to meet most of our expectations. New events will be organised, such as local (geographically) events and events dedicated to trainings only. What are the current trends? Mobile and embedded devices remain on top of the talks. Another classic: some minutes were also allowed to the main sponsor for some “marketing” messages.


WordPress GET Requests Flood?

Let me share this story with you. I faced a strange incident last Saturday. My web server was flooded with thousands of HTTP GET requests generated by WordPress blogs. Those connections apparently seemed legit. The “attack“, let’s call it like this for now even if I don’t think it was one, occurred Saturday afternoon between 17:00 and 18:00 (GMT+1). A first bunch of requests hit the servers starting from 15:54 and the real flood occurred one hour later, as you can see on the timeline below.

Attack Time Window

The biggest peak of requests was around 325 connections/second. Enough to put my server in trouble but not enough to conduct a real attack. That’s why I’m thinking about a misconfiguration. Another clue that helped me to categorize the incident: it was very (too?) easy to block. The traffic was easy to catch via a simple pattern. How did I detect the problem? I was notified by my tools in place:

  • High CPU usage and low free memory on the web server (health monitoring)
  • Unusual HTTP traffic (log management)
    • Amount of traffic originating from same IPs
    • Number of requests/sec (behavior)

The received requests were very simple and hit only one of the websites hosted on the box (www.leakedin.com):

41.203.18.72:36261 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://www.finserv.co.za"

Nothing suspicious in the payloads, even mod_security did not fire any alert during the flood! I also had time to capture some traffic into pcap files, nothing wrong except the amount of requests. Once the problem was identified, my first priority was to come back to a stable environment (containment). My first idea was to block all “bad” requests based on the User-Agent. The UAs were those used by WordPress: “WordPress/<version>; <blog_url>“. This simple Apache configuration did the job:

SetEnvIfNoCase User-Agent WordPress block
<Directory "/xxxx/xxxx/xxxx">
    Order allow,deny
    Allow from all
    Deny from env=block
</Directory>

It worked for a few minutes but this quick fix only prevented the remote hosts from grabbing data from the server. All requests were still processed and returned a 403 instead of a 200. The second idea was to limit the number of concurrent sessions allowed for www.leakedin.com. This was implemented via mod_bandwidth:

<Directory "/xxxx/xxxx/xxxx">
    BandWidthModule on
    MaxConnection all 10
</Directory>

This time, it was successful and the situation came back to a stable (manageable) server. Time for investigations! I extracted useful data from my log files and did some research. First, some stats:

  • 761395 GET requests
  • Coming from 624 unique IP addresses
  • Coming from 562 different blog addresses (grabbed from UA strings)
  • Coming from 28 different WordPress versions (non obfuscated)
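To show how such stats and a per-IP check can be derived from the access log, here is an added Python example (not part of the original post) that parses the log format shown above; the IP addresses and blog URLs in it are constructed samples, and the per-IP threshold is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined-log line as shown in the post; the User-Agent of a
# WordPress fetcher looks like "WordPress/<version>; <blog_url>".
LOG_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WP_UA_RE = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+)$')

# Constructed sample lines (documentation IP ranges, not the real flood).
SAMPLE_LOG = """\
203.0.113.10:36261 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://blog-a.example"
203.0.113.10:36262 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://blog-b.example"
203.0.113.10:36263 - - [09/Mar/2013:15:54:21 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/2.8.3; http://blog-b.example"
198.51.100.7:41000 - - [09/Mar/2013:15:54:21 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.4.2; http://blog-c.example"
198.51.100.8:41001 - - [09/Mar/2013:15:54:22 +0100] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def parse_wordpress_hits(log_text):
    """Return (ip, timestamp, version, blog) for every WordPress-UA request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash mid-incident
        ua = WP_UA_RE.match(m.group("ua"))
        if not ua:
            continue  # browsers and other crawlers are not part of this flood
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts, ua.group("ver"), ua.group("blog")))
    return hits

def flood_stats(hits, per_ip_threshold=2):
    """Summarise the hits the way the post does and flag noisy source IPs."""
    per_ip = Counter(ip for ip, _, _, _ in hits)
    per_second = Counter(ts for _, ts, _, _ in hits)
    return {
        "requests": len(hits),
        "unique_ips": len(per_ip),
        "unique_blogs": len({blog for _, _, _, blog in hits}),
        "versions": sorted({ver for _, _, ver, _ in hits}),
        "peak_per_second": max(per_second.values(), default=0),
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
    }
```

On a real log the threshold would be set from the requests/sec baseline the monitoring already knows, and the "noisy_ips" list is what a SetEnvIf or firewall rule would be built from.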

The amount of hits per IP address was stable, as seen in the chart below. The first IP addresses hosted more than one blog (shared platform).

Hits per IP Addresses

Where do those websites come from?

WordPress Map


The logged IP addresses were indeed the ones of the blogs mentioned in the UA strings (not fake). What about the different blogs? They were not compromised (I just tested some using urlquery.net) and are alive. The content does not help me to understand the issue: different languages, multiple topics, most of them are not related to IT or close to leakedin.com. I searched for “leakedin.com” on them, no hit returned!

Having multiple versions of WordPress (from very old to the latest one) tends to prove that it’s not an exploit. Some blogs that I visited had not been updated since 2011! What was the origin of this problem? I don’t have a clue. If you have more information or ideas to share, feel free to post comments!

A final remark: The number of outdated WordPress versions is impressive! The oldest one detected was 2.8.3!