And what’s the time?

While it isn’t the newest article (though it is pretty new), Dan Parker and Ryan Wegner have put an awesome piece together titled, “Integrating More Ingelligence into your IDS.” This 2 part article provides a lot of insight as to what can be done to fine tune an IDS.

The more an intrusion detection system (IDS) knows about the network it is trying to protect, the better it will be able to protect the network. This is the fundamental principle behind target-based intrusion detection, where an IDS knows about the hosts on the network.

And that is exactly what is discussed. Why post this? I feel that it is an excellent resource which can help beginners understand how an IDS does what it does and gives some tips for people that might be pros.

Be sure to check it out in its entirety. Part 1 Part 2.

Well, you can probably find her using Maltego Seriously, this thing rocks.

The first time I heard about it was during a Def Con talk given by HD Moore and Val Smith and I have worked with it a bit in the past but I just realized that there are plenty of people who aren’t familiar with it.

What is Maltego you ask?  Well, since I am short on time for the rest of this semester, you should mosey on over to their site and see for yourself.

It’s a great tool so use it!

Why the title?  Because I can.

So for the sake of making an effort at keeping this blog updated while I try and finish out my semester on a positive note, I present to you, The Dark Visitor.

In the event that those of you in the security community have managed to tune out the ongoing cyberwar (god I hate that term) being waged on CNN by Chinese hackers, you have a lot of catching up to do. The Dark Visitor is a fascinating look at these attacks taken directly from the Chinese hacking community. It’s pretty disturbing to say the least and these attackers are becoming a major problem not only for CNN but also for the rest of the us.

While I am a firm believer in keeping information free and proactive security practices, these attacks are disgusting. If someone wanted to prove that you are not what you feel the media has made you out to be, there is surely a better way to do it rather than launching hostile attacks on their resources. I mean, seriously, it’s the equivelant of saying, “if you say I am mean one more time, I am going to stab you.” Grow up dudes and stop DDoSing like a gang of disgruntled script kiddies.

Anyways, just a quick heads up as I appear to have some regular visitors, I won’t be blogging much for a little bit, maybe a week (who knows). I am getting ready to wrap up my semester so there’s plenty of work to keep me busy and I also need to rework the Inguma project page a little and I have been a bit lazy about keeping it updated and working on the wiki.

Take it easy, share the knowledge and stay out of trouble!

Welcome to what may very well be the most important blog post ever written.

I initially started this blog not as a way to talk about news (though we do a bit) but rather as a way to educate the community through simple tutorials and instructional readings. I believe that some of the biggest secrets in the hacking community are some of the most closely guarded. Today, right here and right now, we are going to blow the lid off of these secrets. For the sake of proactive security and keeping knowledge free, today we will cover the most uber of uber tactics: Hacking THE Gibson, 101.

For those of you that don’t know, the Gibson is a term which gained some major popularity with the release of the 1995 movie, Hackers. Despite the user rating of 5.7/10 on IMDB, this movie is incredible. While its cinematic integrity may be questionable, it provides a vast wealth of information to the beginning hacker. For the sake of saving me time:

A young boy is arrested by the US Secret Service for writing a computer virus and is banned from using a computer until his 18th birthday. Years later, he and his new-found friends discover a plot to unleash a dangerous computer virus, but they must use their computer skills to find the evidence while being pursued by the Secret Service and the evil computer genius behind the virus.

What that summary leaves out is the fact that the “evil computer genius” that is behind the virus, is also the system administrator of one of the infamous Gibson computer systems!!!

Now, per any usual massive uber tutorial, here is the disclaimer. I refuse to accept any responsibility for any damage you cause to 1) your system and 2) any Gibsons harmed in the process. In the event that you get busted by the man for practicing such a 1337 exercise, above all else, when you are being hauled away in handcuffs, be sure to shout “Hack the planet,” at the top of your lungs. For an example, please see below.

Note:  Unfortunately embedding this video was disabled by the user, which is a shame because had I been able to embed it into the post itself, it would have made it just that much sweeter.  Please see this link. (This clip makes me laugh every time I see it. It also makes my girlfriend shake her head at me.)

Think you can handle that? Good, then let’s move on to the next step.

First thing is first, this is no tutorial for chumps. The previous things we have covered have been pretty straight forward, get some dependencies, sudo apt-get install something, MAYBE compile something from source, you get the idea. This is a different playing field, we are now venturing into the underground. The first and most important thing you will need is a bad-ass desktop. This cannot be a Windows OS. Linux is preferred, but BSD would probably be better since even fewer people use it as a desktop OS. Once your desktop is assembled, it should look similar to what you see here.

Please be advised that while I think that screenshot is from a video game, it should still look roughly the same. It is imperative that “bank code” be displayed in the lower portion of your screen and that your password cracker is always accessible as you will most likely need to crack an approximate shitload of passwords at any given time. Before moving on, you will need a sweet video card. In case you don’t know, the inside of a gibson looks like this. You cannot hack something that rad without the proper hardware so be prepared. No rollerball mouse either!

After your box is configured for maximum h4×0ring, you need to assemble your crew. Your crew should consist of, but not be limited to:

At least one female, nothing is worse than a bunch of dudes on their computers without a single female around. This female should look a bit edgy and have massive attitude but should not be afraid of some code crunching. In the event you cannot find a female to hang out with you for this experiment (though I cannot imagine why), a cardboard cutout of a young Angelina Jolie will suffice. Note the haircut, very uber though not even remotely appealing.

A hopeless dork who in his attempt to gain acceptance into the community, makes some stupid mistakes like getting the entire crew busted but also ends up going “wicked stupid,” on the Gibson at the end. It should be noted that this kind of stupid is a good kind, unlike the previous kind which involved getting the team swept in a massive shitstorm. If this guy doesn’t have underdog potential, I don’t know who would.

You also must have a guy who is so inexplicably weird that there is absolutely no reason he should be in the movie other than comic relief. Thankfully, we have CerealKiller for this purpose. You are in charge of providing your own comedic person who appears to have no skills other than being loud and at times, mildly entertaining.

Lastly, we need the big dog. In the movie, Dade Murphy, A.K.A. ZeroCool (what a terrible alias) was a supreme virus coder who demolished Wall Street in a single day with some kind of hellbent worm or virus or something. Anyways, later in the movie he and his incredible skill set become the only real hope this team has of defeating the vindictive sys admin of the Gibson as well as the only one of these guys who has an actual chance of getting a date with the only tech nerd girl in the whole bunch. Where you will find a guy this rad, I have no idea. Good luck.

Assuming you have done everything correct up until this point, you should have something that looks like this. You should also know that leather jackers, rollerblades and tech vests are NOT optional. If your crew feels that they look stupid, show them the previous picture and they will see that nothing but fun awaits them in their venture to overtake the Gibson.

To be honest, I cannot imagine what else you would need to hack the Gibson. Get your sweet h4×0ring rig, your crew, rollerblades etc. and get started. Anything I didn’t cover is a minor detail which will not have any real effect on your ability to successfully pwn this box. In the event that you want to compare your results with a successful takeover, check the video below for how good of a job you did. If you are in fact not playing an older Jewish man in an exciting game of chess, don’t worry, you can complete that step at any point in the process.

This is not just a guide for attackers. In the event that you are ever on the receiving end of an attack in which case you yourself are the evil administrator, this can be a guide for you as well. Don’t forget, when there is a new virus eating up memory and you don’t know what to do, simply type ‘cookie’ and all will be fixed.

Until next time, share the knowledge and never underestimate the power of a garbage file!

Hello again!

Previously we covered Inguma a little, or rather the Krash part of Inguma, but it has some nice full features and once you are familiar with the command and parameter syntax, you really get a good idea of just what it is capable of.  FYI you can view the Inguma wiki in its entirety here.

Some people might call this plagiarism but hey, I wrote the wiki so I can do this! Anyways, below is a beginner friendly tutorial for Inguma. For those of you that do not know what Inguma is, it is a platform-independent penetration toolkit written in Python. It is also the project I work on in conjunction with another developer. So for the sake of using my blog as an advertising platform and introducing some people to a program they might not otherwise have found, let’s start.

After obtaining the required dependencies as noted on this page, you are set to run Inguma. Please be advised that Inguma must be run as root or with superuser privileges (*nix based systems) in order to utilize it’s full capabilities. For the curious, this is necessary as certain functions require raw sockets and other goodies which are often restricted by user and/or group rights. As the PyQT GUI is currently less than stable, this usage overview will be handled through the CLI. Be aware that all instructions are relative to your OS outside of the inguma environment, when working from the inguma> prompt you should be able to follow these examples verbatim without error. This tutorial also assumes you are smart enough to make it this far so if finding out whether or not a port is NAT’ed means nothing to you then prepare for a serious learning curve with the program’s more robust functions.

Starting Inguma
Unless you have created a symlink for Inguma, we will assume that it will be executed as a python script from the working directory.

user@host:~/inguma$ sudo ./inguma.py
Inguma Version 0.0.6
Copyright (c) 2006, 2007 Joxean Koret

inguma>

As with any application, referring to the program’s help manual always eases learning. When working with Inguma, the help option can be accessed from almost any prompt. As we move through the tutorial you will see that our prompts may change depending on which module we are using.

Using Inguma
Inguma’s module layout can be thought of as sequential with regard to execution. It is for this reason that we will first work with the discover modules. Before continuing it must be stressed that various modules should only be exercised on systems you have permission to target. Auditing systems that you are not authorized to work on most likely breaks quite a few laws and could land you in an unfortunate predicament. With that out of the way, let’s continue our tutorial.

While the importance of the discover modules is not to be diminished, it is safe to assume that you most likely have a target as well as some prerequisite information about that target. With that in mind, we will move to the gather modules. The gather modules serve to collect information about your target so that you can better evaluate its security. One of the most basic and useful gather modules is portscan. Let’s run a portscan on the machine we wish to check.

inguma> target = “uberserver.com”
inguma> show options
inguma> scanType = “S”
Options

Target: uberserver.com
Port: 0
Covert level: 0
Timeout: 1
Wait time: 0.1
Wizard mode: False

Note the use of the show options command. This is helpful in case you somehow manage to forget
what the hell it was you were doing or to verify your target parameters. We also set scanType = “S”.
This sets our portscan as a SYN scan as opposed to ACK, XMAS, TCP, etc. This option is
planned to be fully available in the 0.0.7 release.

inguma> portscan
Portscan results

Port 80/www is opened at uberserver.com
Port 7777 is opened at uberserver.com
Port 8080/webcache is opened at uberserver.com
Port 21/ftp is opened at uberserver.com
Port 9090 is opened at uberserver.com

Now that we know what ports are open on our target, we may want to refer to a discover module, isnated.
Isnated does what the name implies, finds out whether or not the specified port is NATed.

inguma> port = 80
inguma> isnated
Port 80 is NOT NATed
inguma>

We have now established that port 80 is not nated, the next thing we want to do is to gather information
about the service running on port 80. For this we will utilize the gather module, identify.

inguma> port = 80
inguma> identify
Port 80 : Apache/2.2.4 (Ubuntu) DAV/2 SVN/1.4.4 mod_perl/2.0.2 Perl/v5.8.8

This is currently where the tutorial ends. It does not delve into the program’s exploitative capabilities and payloads. This is done under the assumption that if you have made it this far, you know what to do next. In the event that you find yourself stuck, you can always refer to the source code or the help command. As noted above, whenever your Inguma prompt changes, i.e. inguma> to SNIFFER>, there will be a help command displaying any/all available options.

That’s all I have for now, but far from all this program has to offer. Check it out, take it for a spin, find some bugs and give feedback if you are so inclined! We love to hear back from users, both good and bad comments as it helps us to build a better application.

Stay classy.

First off, this is a long post so go get coffee.

For those of you that aren’t familiar with it, or programs like it, Burp is a local proxy similar to Paros which acts as a middleman intercepting HTTP/S requests and allows the user to inspect and manipulate the traffic traveling from the client to the server and from the server to the client.

Today we will be going over exactly what the title implies, testing web applications. The tools today will be: Apache 2, Tomcat 6, Burp Suite v1.1 and Firefox. Since we are going to be looking at raw HTTP traffic, this post has officially been renamed “raw-ass web app skillz.” Don’t worry, the material still remains the same.

Fulfilling the prerequisites can be a bit tricky, so for those of you on Ubuntu/Debian systems, let’s get you caught up.

You will need a working Apache 2 install so:
sudo apt-get install apache2

For a quick and easy Tomcat install, click here.

Burp which can of course be downloaded here

And firefox which you should already have.

We will be using our Tomcat install to run an insecure web application developed as part of the Insecure Web App Project developed by OWASP. And last but not least, the web application we are going to be using can be located here.

So, let’s go over our checklist real quick:
Firefox
Burp
Apache2
Tomcat6
OWASP Web Application

Since it looks like you have everything we should probably keep moving.

**I would like to take a minute to say that since you have Apache and Tomcat running, for this exercise it is NOT necessary to forward your webserver or otherwise expose your Apache/Tomcat service(s). These tests will be done on the loopback IP and since we are working with an already insecure web application, you do NOT want it exposed to the internet**

Now we are actually going to start the overview (I’m serious).

The first thing we need to do is tell Firefox that we are using a proxy, the proxy on localhost to be more specific. This will allow us to funnel our traffic through Burp. To do this we need to start Burp from its working directory and set our proxy settings in Burp as well as Firefox.

user@host:~/burpsuite_v1.1$ java -jar burpsuite_v1.1.jar

When the Burp window appears, you should be on the intercept tab, you will notice that intercept is on. This means that Burp will be grabbing our requests and holding them until we forward them. You may also drop them or hold them until you are finished inspecting them. Burp will also keep a history of all traffic for later analysis. In the options tab, check the box that says “proxy running on port,” and change the port to 7070. By default your Tomcat install uses port 8080 so if you do not change this, you will receive an error telling you that it could not use port 8080.

Once you have your proxy settings done on Burp, we need to fix them in Firefox. To do this, open up Firefox and then navigate to, edit > preferences > advanced > settings. Set it up so that your proxy settings look the same as those pictured below. Be advised that you need to remove the line in the field, “No Proxy for,” as it will not push traffic trough Burp on localhost. Once your settings match those in the picture below, click “OK” to save your changes.

With our proxy configured on both the browser and Burp, it’s time to navigate to our web application. If you haven’t checked it, read the documentation contained within the OWASP web application we downloaded for this exercise. In case you are lazy (there are a lot of you out there, admit it) I took the liberty of quoting the document.

1. Copy insecure.war file to tomcat’s webapp directory
2. Start Tomcat then use sqltest.jsp to test Tomcat’s database connection.
sqltest.jsp
You should see a list of users and passwords that you can use to login into the application.
Note the application’s database tables are reset to the initial values each time the application is started.
3. Login to the application
Login

Be advised that if you click those links in the Firefox that is configured for our local proxy, they will not load unless you forward the traffic with Burp. We will get to that later but for right now, just copy insecure.war to Tomcat’s webapp directory. If you followed the tutorial that directory is going to be ‘/usr/local/tomcat/webapps.’ Again, for the lazy please run (where insecure is the directory you untar’ed the web app):

sudo cp ~/insecure/insecure.war /usr/local/tomcat/webapps

Let’s start examining our web application in Burp. The first thing you should do is go to your Burp window and turn off intercept. This way we can load the page right away. If you don’t want to turn it off, make sure you click “Forward” until the page loads. Once you are at the application page, go back to Burp and turn intercept mode on. In the proxied Firefox browser navigate to http://127.0.0.1:8080/insecure. If things are working per the tutorial, your browser should look similar to the picture below.

So, right now you should have that pictured page loaded and Burp in interept mode. In case you got lost finding it, it is under the Proxy > Intercept, tabs.

Now, let’s try and log into our web application with anything we choose. This request will need to be forwarded manually through Burp proxy. After you enter a username and password of your choice (make sure it is invalid), click login.

Per usual, this request will need to be forwarded through burp and even though it is not in our immediate window, we can view the contents of it in our history tab. In the screen shot below we can see the raw information on our request under the raw request tab. How appropriate especially since this entry was officially named “raw-ass web app skillz.”

As seen in the shot above, we can examine some detailed information about the request/reply using out history tab. This is pretty normal to be honest and could most likely be viewed via TCP reassembly in Wireshark even though it is not as straight forward.

Now, let’s examine real authenticated requests. If you followed the instructions and clicked sqltest.jsp, you most likely saw a table listing valid login information. For the lazy, see below.

USERID LOGIN PASS NAME EMAIL ADMIN
1 admin secret Administrator admin@mail.com 1
2 asmith andy Andy Smith andy@mail.com 0
3 bmoody beth Beth Moody beth@mail.com 0
4 cjones chris Chris Jones chris@mail.com 0

Let’s use the 2nd login info, because that is my name. Log into your application with the userid ‘asmith’ and the password ‘andy.’ When you are logged in, you will see something interesting. Well, not necessarily all that interesting, but a different page at least. This is the page for our Asmith. Why is this important? We are going to examine that request, which unlike our first, was a valid authentication. From there we will see what we can make happen with parameter tampering, actually, you will be doing that without me.

Now, I will spare you the details but the GET requests are relatively the same. The only major differences are those based upon submitted login credentials. The first point of interest is the response. Why is this interesting? Well, that is actually where this tutorial ends.

I believe that best way to educate someone is determined by their desire to learn. If you paid attention to this post you should have learned a lot such as setting up and installing Tomcat, adding a web application and working with local proxies. On that note, figure out why you should care about the response and request information. Dissect the application further and be sure to check the supplied information on the OWASP web application for additional practice tests like parameter tampering and SQL flaws.

In the mean time, don’t learn to hack, hack to learn!

P.S. If you are interested in more program features which are WAY beyond the scope of this post, be sure to stop over at the Burp page and read up on this awesome program’s features and capabilities.

P.P.S If you have read this far I am assuming you are probably at least relatively interested in the subject matter covered. If you want to learn more about auditing web applications with Burp leave a comment and if the response is solid, I’ll do a part 2 using the same setup and application(s).

P.P.P.S Good lord. This is the last edit I am going to make to this post but in the event that anyone is really fascinated by this, make sure to check out the OWASP Testing Guide.

I’ve been busy lately!

I plan on working up something cool soon.  Maybe dissecting the web with Paros Proxy, some cool TCP reassembly with Wireshark, Inguma module usage or tactical target reconnaissance.  In the mean time, play with this.

Share the knowledge and use it responsibly!

A lot of security professionals know there is no solution to insecurity.  There are remedies and precautions one can take, but as long as networks and servers and databases and all that other fun stuff that help to serve up YouTube videos to make the work week go by faster are around, there will always be infiltration.

Now, I don’t care to distinguish between the ‘hats’ hackers wear, because in the end, exploitation and infiltration are just that.  Kind of an, ‘it is what it is,’ situation.

One of the biggest concerns I have is the amount of blind faith people put into  security safeguards, particularly SSL and HTTPS. For those of you that don’t know, a quick Google will tell you that SSL stands for  Secure Socket Layer.  HTTPS is  HTTP over SSL and the basic concept is that SSL encrypts data between the client and server, thus making it impossible for anyone to ninja your communications in transit.  At least that’s the theory.  Imagine 2 people standing at opposite ends of the room  shouting a conversation  across the  place and no one other than those 2 people know what the conversation is about.  Pretty awesome eh?  As with most technological solutions, this is easier said than done.

Now, when people tell you “Never submit your credit card information unless you see HTTPS in the URL,”  it’s like saying “don’t take candy from strangers.”  I’m not saying this isn’t good advice to follow, but  you should never put it past your friends, or people that act like friends, to poison you, at least I don’t.  As of yet, hackers have yet to find a way to physically poison someone over the internet (give them time) but HTTPS does not mean that the connection is to be trusted.

So, if encryption is the ‘magic bullet’ of security and it will stop any attacker in his or her tracks, why am I even writing this post?  (Don’t you love my clever use of rhetoric to guide the reader into following the post the way it was written?)  Well, if you haven’t caught on yet, SSL is not all it is cracked up to be.  Beyond merely encrypting information, SSL certificates give you the ability to validate the website or rather approve the site you are visiting.  We may or may not talk about that more, we’ll see how this goes. =P

There are certain attacks known as man in the middle attacks which are pretty obvious from the name alone.  A MITM attack is when a third party is able to adulterate an active or stateful connection and either hijack that connection or read the data being transmitted. Now, MITM attacks range from incredibly simple (ARP poisoning) to pretty complicated (SSH session hijacking and other forms of credential theft).

These attacks aren’t really why SSL/HTTPS has some flaws nor are they what this post is about. The biggest problem with SSL and HTTPS is that even though they encrypt your data in transit and allow you to validate the site you are visiting, they guarantee nothing as far as what the individual on the receiving end will do with your data. This is usually pretty obvious to most hackers but it isn’t necessarily something that occurs to the average PC user.  It may seem that if you can trust the connection, why can’t you trust the destination?  Let’s look at this a bit more in depth.

Now, when you connect to a website that uses HTTPS, you most likely are prompted to accept a security certificate like the one seen below

Now, first of all let’s look at the most glaring detail of this certificate, the .MIL extension.  That’s military and probably best left alone so don’t be an idiot and screw with it at a later date in time.  You will also notice that it says, “the signer(s) are not registered.”  This may seem like common sense as this blog caters to people with an  existing base of security knowledge but all too often things like this go unnoticed by the normal user.  In reality people cannot bear to have to actually see security measures, so rather than making sure their information is going to be transmitted to a trusted individual and/or site, they click whatever they need to click so that they can order some really cute pencils as fast as humanly possible.

With that security certificate we can assume that a government issued security certificate can be trusted (relatively speaking).  The real problem arises with the fact that pretty much anyone can add SSL capability to their website and issue their OWN certificates pretty inexpensively.  The initial idea behind SSL certificates was that they would be issued by a trusted third party.  To clarify, someone other than the server and client would issue the certificate as kind of an…impartial but trusted party.  The problem with third party certification is that it costs money and since we know most people click away whatever gets in the way of them and their eBay auctions, it doesn’t need to be legit!

Let’s do a quick and somewhat inaccurate example of how this technology can exploit the ignorance of the general public.

**Disclaimer** DO NOT actually set something like this up.  If you do, I am in no way responsible.

I can create a web page that advertises microwaves for $5.00.  Who wouldn’t want a $5.00 microwave?  Anyways, I can also enable SSL on my server and create my own certificates.  This is also a rude assumption to make as it preys on their…stupidity for lack fo a better word (that is the nature of the beast), but I am going to assume that anyone who thinks a $5.00 microwave is a good investment won’t be reading the security certificate (I can’t help myself).  To this user it appears as though I am providing a legitimate service and doing so in a way that will encrypt their data so that they get their microwave, I will get my $5.00 and life will be excellent.  The reality of the matter is that I don’t care if 90% of my site’s visitors don’t buy because of my willy-nilly certificate.  Eventually someone will be dumb enough to buy a microwave and since the best tactics are to hit and run, once I have just one credit card number, I can take off and set up a new site, selling something totally different, financed and built with the person’s credit card who was silly enough to give me their information.

In closing, think like a criminal, don’t be one.  Share the information and for the love of all things sacred, check your SSL certificates.