Sunday, May 31, 2009

Drive/partition secure deletion

Cheat sheet for wiping on Ubuntu. Use the following command to list the partitions on all available disks.

sudo fdisk -l

The utility, "shred", is native to Ubuntu so you don't need to download and install another tool. The "-n" switch is used to specify how many times to overwrite and the default is 25. I define "/dev/urandom" as the source of data to overwrite my portable drive. A word of caution... wiping using random data instead of 0s is time consuming.

shred -n 1 --random-source=/dev/urandom /dev/sdb1 -v

Alternatively, the "dd" command can be used to wipe too. The disadvantage of "dd" is that it doesn't provide verbose information and thus you can't track the status of the wipe.

sudo dd if=/dev/urandom of=/dev/sdb1

I found an enhanced version of "dd" that is called "dcfldd". It is better than "dd" because it displays its progress while executing.

sudo dcfldd if=/dev/urandom of=/dev/sdb1

Substitute "urandom" with "zero" if you opt to overwrite with 0s. Zeroing out drives is the faster option with less overhead.
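After a zero wipe it is worth confirming that nothing was skipped. The following is an added example, not part of the original post: a Python check that scans a device or image and reports the offset of the first non-zero byte. It applies only to the "zero" variant (a random wipe cannot be verified this way); the function names are made up for illustration and the sample "partition" is a constructed temporary file.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large devices do not exhaust memory


def first_nonzero_offset(path, chunk=CHUNK):
    """Return the byte offset of the first non-zero byte, or None if all zero.

    `path` would be the wiped partition (for example /dev/sdb1, read as root).
    """
    offset = 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(chunk)
            if not block:            # end of device: every byte was zero
                return None
            stripped = block.lstrip(b"\x00")
            if stripped:             # leftover data inside this block
                return offset + len(block) - len(stripped)
            offset += len(block)


def make_sample_image(size, dirty_at=None):
    """Constructed stand-in for a wiped partition: a zero-filled temp file,
    optionally with one leftover byte at `dirty_at`."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
        if dirty_at is not None:
            f.seek(dirty_at)
            f.write(b"\xff")
    return path


if __name__ == "__main__":
    image = make_sample_image(3 * CHUNK + 17, dirty_at=2 * CHUNK + 5)
    print("first non-zero byte at:", first_nonzero_offset(image))
    os.remove(image)
```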

Friday, May 22, 2009

Web application hacking

Perimeter defenses (e.g. firewalls) do little to protect vulnerable applications from compromise. IPSs may block attacks against your apps but they don't address the root problem... the flaws that reside in your apps. Web application firewalls are complex to configure and are currently not commonly deployed.
SQL injection is the use of SQL statements and logic to expose or steal sensitive information stored within the corporate DB. In the demo, I utilise SQL logic to log into the portal without needing to know the admin's password thus gaining full access as the administrator.
' or 1=1--
I was also able to dump usernames and their respective passwords stored in the DB using the following statement.
1/1/2010 union select userid, 'username: ' + username , 'password: ' + password,null from users--
The high res version of this demo can be downloaded here.

Cross Site Scripting (XSS) is the injection of malicious code into applications to compromise visitors to the website. I enter JavaScript pop up code into the vulnerable search box. I am able to successfully inject the JavaScript code though it is not persistent. However, hackers overcome this limitation using social engineering. They can trick their victims into clicking on links containing malicious XSS code sent via email or Instant Messaging.
The high res version of this demo can be downloaded here.

Filtering special characters at the server end will mitigate the threat posed by SQL injection and XSS. Do not implement client side filtering as this can easily be overcome with the use of web proxies!!!
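An added example, not from the original post, that goes beyond character filtering to the server-side controls that replace it in practice: bound query parameters for the login, allow-list validation for the date field, and output encoding for the search term. It uses Python with an in-memory SQLite table; the table layout, function names and sample credentials are constructed for illustration.

```python
import html
import sqlite3
from datetime import datetime


def make_db():
    """Constructed sample data standing in for the portal's users table
    (plaintext password only to keep the demonstration short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return db


def login_concat(db, username, password):
    """'Before': user input is pasted into the SQL text, so ' or 1=1-- works."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_param(db, username, password):
    """'After': input is bound as data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def parse_date_field(value):
    """Allow-list validation: accept a d/m/Y date and nothing else."""
    try:
        return datetime.strptime(value, "%d/%m/%Y").date()
    except ValueError:
        return None  # trailing text such as "union select ..." is rejected


def render_search(term):
    """Encode the reflected search term so the browser shows it as text."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, "' or 1=1--", "x"))
    print("parameterised:", login_param(db, "' or 1=1--", "x"))
    print(render_search("<script>alert(1)</script>"))
```

All three checks run on the server, so a web proxy that bypasses client-side filtering does not bypass them.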

Wednesday, May 20, 2009

Anti keylogging

Came across a Firefox add-on called Keyscrambler Personal. It is free software that secures keystrokes entered into IE, Firefox and Flock browsers. Like my SANS forensic trainer said, this "warrants further investigation". Never take the vendor's/author's word until you verify it for yourself.
I installed a keylogger on my virtual machine. I capture my keystrokes entered into Firefox with Keyscrambler turned off. The Gmail URL I typed as well as my credentials are captured in the keylogger log. I enable Keyscrambler and enter my credentials at the Gmail login page again. This time, Keyscrambler prevents the keylogger from recording my keystrokes.
The high res version of this demo can be downloaded here.

Saturday, May 16, 2009

RAT brute forcing dead?

Is Remote Administration Tool (RAT) brute forcing dead? I tried brute forcing RDP and VNC recently to no avail. Rdesktop and Medusa were rendered useless against security mechanisms built into Remote Desktop and VNC.
The high res version of this demo can be downloaded here.

Brute forcing (in 2006) used to be so easy. Tsgrinder was the tool of choice against systems with RDP enabled.
The high res version of this demo can be downloaded here.

Have M$ and VNC added mechanisms to make RAT logins more secure? Or is brute forcing no longer in vogue enough with hackers and pentesters for them to release updated versions of their tools?

Friday, May 15, 2009

Security lab

A lab is a must for any security professional to test out tools, configurations and hacks. My lab setup is made up of:
  • Linksys router
  • Linksys hub
  • Desktop (Windows+Vmware)
  • HP Compaq laptop (Windows+Vmware)
  • Thinkpad (Ubuntu)
  • Macbook (Mac OS X+Windows)

A simple setup comprising old personal equipment, donations and 2nd hand purchases. I hope to expand this lab when budget permits and if more donations come in.

Monday, May 11, 2009

Nmap on Ubuntu

Quick and easy way of installing Nmap on Ubuntu 9.04.

commandrine@bridge:~$ sudo apt-get install nmap
[sudo] password for commandrine:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
nmap
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1187kB of archives.
After this operation, 4502kB of additional disk space will be used.
Get:1 http://sg.archive.ubuntu.com jaunty/main nmap 4.76-0ubuntu4 [1187kB]
Fetched 1187kB in 2s (571kB/s)
Selecting previously deselected package nmap.
(Reading database ... 102801 files and directories currently installed.)
Unpacking nmap (from .../nmap_4.76-0ubuntu4_i386.deb) ...
Processing triggers for man-db ...
Setting up nmap (4.76-0ubuntu4) ...

commandrine@bridge:~$


Run the following command to perform software upgrades.

commandrine@bridge:~$ sudo apt-get upgrade

Thursday, May 7, 2009

Firewall hack

Ever encountered a system where the group policy prevents you from enabling the firewall? Sounds lame and ironic but it happened to me. I feel naked and insecure without a host-based firewall so I had to figure out how to crack the policy and turn on the firewall.
Hack to enable Windows Firewall. Here are the instructions.
  1. Click "Start" then "Run". Type in "regedit".
  2. Back up your registry by clicking "File" then "Export".
  3. Drill down to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\" and delete the key "EnableFirewall".
  4. Drill down to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\" and delete the key "EnableFirewall".
  5. Reboot Windows, login and turn on Windows Firewall.
Voilà!!!

Monday, May 4, 2009

Nouseragent

Paros Proxy is a pretty nifty proxy tool for application security testing. I use it frequently to intercept interactions (i.e. requests and responses) between my browser and sites I want to scrutinise. What I didn't realise was that Paros would attach its name to the User-Agent header when submitting my browser's requests. This is not desirable if you want to avoid hackers being alerted to your interactions with their compromised site.
To counter this, the User-Agent header has to be modified before sending out the request traffic. The permanent solution is to instruct Paros to stop adding its name into the header by adding the switch "-nouseragent" after the Paros command.
Thanks to w01f for this tip.