Articles « Security related discussions, articles, and tutorials

Defcon 19

Over the past couple of months I have been very busy with a new job and school. Originally, I did not think I would be able to make it to Defcon 19. The closer it came to Defcon, the more I felt the need to attend, even after I canceled my original flight and hotel reservations. The week of Defcon I gave in and got a flight to Las Vegas and a hotel room at Bally’s, since the rooms at the Rio by then were highly overpriced, coming in at $364 a night (wow); Bally’s was a lot more reasonable at $130 a night. So I got the flight and the room all squared away, woke up on Friday morning at 6am to go to work until 5pm, headed to Logan airport and caught my 7:55pm flight to Vegas. I was TIRED…. It was an awesome weekend full of great talks, people, and of course drinking =) Overall, I really enjoyed all the talks I attended; however, one stood out for me. It was @iiamit’s talk about botnets over VoIP; it was incredible. Other than that I took a few pictures while at Defcon; to warn you, I am not a photographer and don’t take pictures every step I take, so I just have a few. On Sunday evening I was at the LV airport waiting for my red-eye back to Boston, and I got word my flight was delayed an hour and a half. I was pissed since I had to go straight back to work once my flight landed; I was hungover, tired, and probably smelled bad by the time I got to work on Monday. I put in my eight hours, drove home and went right to sleep for the whole night. Next con on deck is DerbyCon for me and I am very excited about this new conference; it looks awesome already =)

Thanks for reading, more posts will be coming soon..

peace..

-bl


Backtrack 5, Metasploit, and PostgreSQL

Backtrack 5 ships with some very nice features; however, I will be discussing Metasploit and PostgreSQL within this post. Backtrack 5 ships with Metasploit and PostgreSQL out of the box, which means that postgres is already running within BT5. One thing to note here is that you may need to install the postgres gem and specify the db_driver within msf. I installed the gem using Ruby version 1.8.7; I get errors installing the postgres gem using Ruby version 1.9.2_dev. There are some very nice how-tos for this over at the BT5 forums. Update 6/1/2011 – MSF does not contain any postgres drivers if launched from '/pentest/exploits/framework3'; however, if launched from your PATH then drivers are available and PostgreSQL is initialized and connected. However, it is not running on the default TCP port 5432; instead postgres is running on localhost:7175. A quick 'netstat -antp | grep 7175' command will display if any service is running on a port.

But if we try to stop the postgres service using '/etc/init.d/postgresql-8.4 stop', we get no luck: no service called postgresql-8.4 is running. Hmm, let's display all services with the 'service --status-all' command. We see the following, which indicates that the installation of PostgreSQL is associated with msf by default within BT5. As we can see, this service is called 'framework-postgres'. NICE =)

What does this mean? It means we know the service name, so we can start and stop the service, stop auto-run at boot time, and we know that the installation of postgres is associated primarily with Metasploit. But hey, the postgres config files are not in their default location. Well ok, let's find where they are. Let's start with where Metasploit is installed. The 'framework3' directory within the '/pentest/exploits/' directory is a symbolic link to '/opt/framework3/msf3'. Therefore, we look inside these directories and see a postgresql directory within the '/opt/framework3' directory. However, if we start Metasploit and try to connect to the database with a user and password of 'root:toor', we get an authentication error. So what is the user and password combo used?

After going through some of the directories within the '/opt/framework3' directory, I find an interesting directory called config which has a file named 'database.yml' within it. Let's cat the contents of the file and see what it tells us. As we can see from the screenshot below, it tells us the username and password. Nice info; however, instead of specifying the username and password every time we connect to msf and want to use the PostgreSQL database, we can use the 'db_connect' command with the database.yml file.

As we can see, we have a username of msf and a randomly generated password. I am running a few different BT5 virtual machines and each one has a different password. Nice. Now, to connect msf to the database, we just use the db_connect command with the right syntax to use the yml file, with the absolute path to the file specified.

Now we are in business.  I figured I would do a little write-up on this since I have not seen a lot of documentation for this anywhere, hope you enjoy.  To be honest I am finding more and more very nice features the BT5 developers introduced.  Nice work.
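As an added example (not code from the original post), here is a small shell helper that pulls the username and port out of a database.yml laid out like the one BT5 generates, checks whether anything listens on that port the way the netstat command above does, and prints the db_connect line that points msfconsole at the file. The YAML layout, the sample values and the /opt/framework3/config/database.yml path are assumptions; the password is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: read the username and port
# out of the msf3 database.yml that BT5 generates, check the port, and print
# the db_connect line that points msfconsole at that file. The YAML layout and
# the sample values below are constructed; the real file on BT5 lives at
# /opt/framework3/config/database.yml and its password is random per install.

# Print the value of one key (username, password, port, ...) from the first
# YAML block of the file; keys are matched on content, not on line position.
yml_value() {
    # $1 = key, $2 = database.yml path
    awk -v key="$1" '$1 == (key ":") { print $2; exit }' "$2"
}

# The msfconsole command that reads credentials from the yml instead of
# typing user:pass@host:port each time (-y is the msf3 db_connect option).
db_connect_line() {
    printf 'db_connect -y %s\n' "$1"
}

# 0 if something listens on the port named in the yml, 1 otherwise; uses
# netstat as the post does and gives up cleanly when netstat is not installed.
db_port_listening() {
    port=$(yml_value port "$1")
    command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 1; }
    netstat -ant 2>/dev/null | grep -q "[.:]$port[[:space:]]"
}

# --- constructed sample mirroring the BT5 file layout (values are fake) ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
development: &pgsql
  adapter: postgresql
  database: msf3dev
  username: msf
  password: EXAMPLE_RANDOM_PASSWORD
  host: localhost
  port: 7175
  pool: 5
  timeout: 5
EOF

echo "db user: $(yml_value username "$SAMPLE")"
echo "db port: $(yml_value port "$SAMPLE")"
db_port_listening "$SAMPLE" && echo "postgres is listening" || echo "postgres is not listening"
db_connect_line /opt/framework3/config/database.yml
```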


Backtrack 5 Wireless Injection with Alfa AWUS051NH Card

To sum this all up, I really wanted to try out my Alfa AWUS051NH USB card with the new BT5 distro. Injection worked flawlessly and I was able to crack my seclab WEP-enabled WAP within a few minutes of injection. However, this was a 64-bit WEP key; stronger encryption will take a bit longer and more IVs to crack. Let's get this going.

The Setup:

BT5 KDE x32 – Virtual Machine
Alfa AWUS051NH USB card
Wireless Access Point running WEP

The Results:

Alfa AWUS051NH in monitor mode.

Start airodump-ng to see where my AP is.

Airodump-ng refined command specifying the BSSID and channel of my target AP.  (sorry guys) =)

Now to start the arp injection using aireplay-ng while airodump-ng is capturing only IV packets.

And now for what everyone has been waiting for =)  Cracking the WEP key, using aircrack-ng.

Easy as 1,2,3 =)  Glad my card works out of the box with BT5.  Hope you all enjoyed this brief post. Till the next time.

-bostonlink


Backtrack 5 released =)

Today, May 10th 2011, was the release date of Backtrack 5. As far as I can tell, it is the best Backtrack release to date. It is highly polished and an easy install. In my personal and professional opinion this release is a game changer for the industry. I know I am going to be busy for days exploring all the new tools and features of BT5. I have also installed BT5 on my XOOM wifi with the BT5-GNOME-ARM edition release as well. My initial thoughts are that the ARM edition is not as polished as the x32 or x64 editions; however, we all knew that. To be honest I don’t know how practical having BT5 installed on my XOOM is or will become, however the coolness factor is there =) I just couldn’t resist.

That being said, I would like to thank all of the Backtrack developers for their hard and continuous work on Backtrack. I can truly say I am in love with this new release and will be testing it out within my lab environment at home and at client engagements while at work. Thanks again, and to the devs: your hard work pays off; I hope you all feel appreciated. Nice work guys.

Moto Xoom BT5 pictures:


The Power of Information

Information within today’s society is a very interesting topic for discussion. Add on security and we will have an all-out debate. Overall, information rules our society; everything runs off of some form of information in one way or another. This is why information is power. For example, let’s say company xyz.com was breached and proprietary information was obtained by the attackers. Well, not so good for xyz.com, but let’s analyze the motivations of such attacks. The majority of the time, the motivation behind such attacks is to gain information which will lead to financial gain for the attackers. There are many breaches every year; however, the exact numbers are out of scope and not what this article is intended to be about. Information is a priceless commodity which in the wrong hands can bring down an entire company, cost the company lots of money, ruin reputations, and feed the attackers to breach more companies. Knowing this sheds light on how much power information has within our society.

What is information? Information is just about everywhere; to name a few forms: data, databases, webpages, intellectual property, credit card numbers, identities, social security numbers, driver’s license numbers, addresses, etc. I believe there is a need to protect sensitive and confidential information. This boils down to how to classify information, with categories such as Top Secret, Classified, and Public to name a few classifications. If information is not classified by its nature, then how would we know what to secure and what information to make public? Therefore, information classification should be one layer within a multi-layered information security program.

As a pentester I get a thrill out of trying to circumvent security layers and gain unauthorized access to a box; who doesn’t? However, the main reason behind a pentest is to identify vulnerabilities, use them to successfully breach an organization’s system, and report to the organization the risk of the specific vulnerabilities and exploits discovered. Well, to truly report the risk of a vulnerability to an organization, the tester needs to analyze what can be done once he has successfully exploited a system. This is called post-exploitation. Is it enough that I got a shell on a box during a pentest? No, a full-scale penetration test should include post-exploitation tasks too, to see what information can be gained from the attack. Yes, it is helpful to let the organization know if a server is vulnerable to a remote code execution vulnerability or a SQL injection attack. However, it would be more valuable to the organization if the tester were able to identify and gain access to sensitive information within the institution. There are numerous security researchers who actively research post-exploitation and methods to obtain different types of information from a system or network. Metasploit started to port post-exploitation scripts into actual modules. Carlos Perez, as well, has done some awesome research and crafted some excellent scripts for post-exploitation work.

To sum this all up, information is key to any profession within the security industry. My opinion is not new; I just felt compelled to write a brief blog post stating it. Overall, my motivation behind this article was seeing many clients whose pentest reports from other companies were automatically generated scan reports and nothing else. This is not good, for the simple fact that it does not indicate a proper penetration test was conducted for the client. For a great description of what penetration testing should include for an organization, I highly recommend heading over to PTES (Penetration Testing Execution Standard).


Shodan Python API module install in Backtrack 4 R2

So, if you read my post below on my script that searches the exploit-db.com database for exploits for anything, there was a problem installing the shodan module in BT4 R2. With a late night and a few beers in hand I went at this problem and got the shodan Python module working. I believe that it is due to the versions of Python in BT4 R2: they are 2.4 and 2.5, where 2.5 is the default interpreter that is executed when running a script or just the IDE; Python 2.6 does not have this issue, at least on my MacBook Pro. Below are the steps I took to get the shodan module successfully working on BT4 R2.

First we install the 'python-simplejson' package that the shodan api.py depends on, and download the shodan module's source:
[code]
apt-get install python-simplejson
wget http://pypi.python.org/packages/source/s/shodan/shodan-0.2.tar.gz
gzip -d shodan-0.2.tar.gz
tar xvf shodan-0.2.tar
cd shodan-0.2/shodan
nano api.py
[/code]

Now if we try to run 'setup.py install', the module will error out and not install, so we have to edit the api.py file and change a couple of lines for it to install. The first line we need to edit is the first line of the file, where it states 'from json import dumps,loads'; change it to 'import simplejson as json'. Then we go down to line 59 of the file, where it says 'data = loads(data)', and change this to 'data = json.loads(data)'. Now save and exit the api.py file, and run the following commands:

[code]
cd ..
python setup.py install
[/code]
Now it successfully installs with no errors, and we have the shodan python api working.
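As an added example (not from the original post), here is a shell helper that applies the same two api.py edits with sed, matching the lines by content so the fix does not depend on 'loads' still sitting on line 59 in a later shodan release; the api.py fragment it runs against is constructed here to mirror the two affected lines, not the real file.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the two api.py edits
# the post describes, matching on content instead of on line 59. The api.py
# fragment below is constructed to mirror the affected lines, not the real file.

# Rewrite $1 in place: the json import becomes a simplejson import under the
# same name, and bare loads()/dumps() calls become json.loads()/json.dumps().
# The post only changes loads; dumps is handled too so nothing is left
# referring to a name that no longer exists once the import line changes.
patch_shodan_api() {
    sed -e 's/^from json import dumps, *loads[[:space:]]*$/import simplejson as json/' \
        -e 's/\([^.a-zA-Z_]\)loads(/\1json.loads(/g' \
        -e 's/\([^.a-zA-Z_]\)dumps(/\1json.dumps(/g' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of lines still calling loads()/dumps() without the json. prefix;
# 0 means the patch is complete (grep exits 1 on zero matches, hence || true).
unqualified_calls() {
    grep -c -E '[^.a-zA-Z_](loads|dumps)\(' "$1" || true
}

# --- constructed stand-in for the two lines the post edits ---
API=$(mktemp)
cat > "$API" <<'EOF'
from json import dumps,loads
import urllib

class WebAPI:
    def _request(self, func, params):
        data = urllib.urlopen(self.base_url + func).read()
        data = loads(data)
        return data
EOF

echo "before: $(unqualified_calls "$API") unqualified call(s)"
patch_shodan_api "$API"
echo "after:  $(unqualified_calls "$API") unqualified call(s)"
grep -n 'json' "$API"
```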

-bostonlink


Google Labs – Web Application Exploits and Defenses Project

I was bored and started to browse some of Google Labs’ new features and services. Before I could get far a title caught my eye; it was the first listing on the Google Labs page. The title was “Web Application Exploits and Defenses”; what is this? This interesting Google Code University project reminds me of OWASP’s WebGoat project. The difference is the web application is hosted remotely, not locally. After further investigation I found out some very interesting features. The application called “Jarlsberg /yärlz’·bərg/” is the vulnerable web application, and once a user sets up their application, it runs in a separate sandboxed instance specifically for that user. This means there is no contending with others; you can work at your own pace and overall you have your very own remote instance of a vulnerable web application. How fun =)

Additionally, the project has labs for a user to go through and learn various web application penetration testing techniques. It also includes labs for blackbox testing, as well as whitebox testing, which according to the project’s documentation reviews a lot of the source code of the vulnerable web application to look for vulnerabilities. Within the labs, the project takes a user through the exploit as well as documenting how to fix the issue in the vulnerable web application.

Overall, I believe this is a very nice project from what I have read so far.  I can’t wait to get my hands dirty and dig in to have some fun with this vulnerable application.  Let’s have some fun, learn some new stuff, and break some things while we are at it =)

Links to the Web Application Exploits and Defenses project are listed below:

Google Lab Description

http://jarlsberg.appspot.com/


Skipfish 1.33b/1.34b installation in BT4

This is a tutorial on how to install Skipfish 1.33b in BT4 final.

Update Note: Skipfish 1.34b has been released; I just verified that this tutorial works with the new 1.34b version as well.

Note: all commands that should be issued are in code boxes; all other text is commentary.

The first thing we need to do is install a dependency that does not come with BT4 by default. The dependency is libidn11-dev; BT4 comes with libidn11 by default, just not the development lib.

Install libidn11-dev

Code:
apt-get install libidn11-dev

Installation
Download skipfish from the url below:
skipfish – Project Hosting on Google Code

Once downloaded, extract it and move it to any directory you would like. I moved it to /pentest/web/skipfish so I stay organized.

Code:
mv skipfish-1.33b.tgz /tmp
cd /tmp
tar xvf skipfish-1.33b.tgz
mv skipfish /pentest/web/
cd /pentest/web/skipfish

Before we issue our make command we need to modify the Makefile: look for LDFLAGS, where we need to put in the correct library directory. Before modification it looks like this:
Before:

Code:
LDFLAGS   += -L/usr/local/lib/ -L/opt/local/lib

After:

Code:
LDFLAGS   += -L/usr/lib/ -L/opt/local/lib

After you make the appropriate changes save the Makefile, you can now run make and compile skipfish.

Note: if you do not modify the Makefile as described above, skipfish will compile, but when you run the application it will error out and not scan, since the Makefile was pointing to the wrong directory.
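An added example (not part of the original tutorial): rather than hand-editing LDFLAGS, this shell snippet finds which candidate directory actually contains libidn.so, rewrites the -L/usr/local/lib/ entry in the Makefile to that directory, and lists the -L directories that result. The candidate paths, the fake library file and the two-line Makefile are constructed for the demonstration; on BT4 the library is under /usr/lib as the tutorial says.

```shell
#!/bin/sh
# Added example, not from the original tutorial: before running make, locate
# the directory that really holds libidn and point the Makefile's LDFLAGS at
# it instead of hand-editing. Paths and the sample Makefile are constructed.

# Print the first candidate directory that contains libidn.so; fail otherwise.
find_libidn_dir() {
    for d in "$@"; do
        [ -e "$d/libidn.so" ] && { echo "$d"; return 0; }
    done
    return 1
}

# Rewrite the -L/usr/local/lib/ entry in LDFLAGS to the directory found.
fix_ldflags() {
    # $1 = Makefile, $2 = library dir
    sed "s|^\(LDFLAGS[[:space:]]*+=[[:space:]]*\)-L/usr/local/lib/|\1-L$2/|" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the -L directories currently in LDFLAGS, one per line.
ldflags_dirs() {
    sed -n 's/^LDFLAGS[[:space:]]*+=//p' "$1" | tr ' ' '\n' | sed -n 's/^-L//p'
}

# --- constructed sample: a fake lib dir and the LDFLAGS line from the post ---
TMP=$(mktemp -d)
mkdir -p "$TMP/usr/lib"
: > "$TMP/usr/lib/libidn.so"        # stand-in for the real shared object
cat > "$TMP/Makefile" <<'EOF'
CFLAGS_GEN  = -Wall -funsigned-char -g -ggdb
LDFLAGS   += -L/usr/local/lib/ -L/opt/local/lib
EOF

LIBDIR=$(find_libidn_dir "$TMP/usr/local/lib" "$TMP/usr/lib") || exit 1
fix_ldflags "$TMP/Makefile" "$LIBDIR"
grep '^LDFLAGS' "$TMP/Makefile"
```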

Make the executable:

Code:
make

And we are done; all you need to do now is choose the appropriate dictionary you want to use. For more information, see dictionaries/README-FIRST to pick a dictionary for the tool.

I chose the minimal.wl dictionary; now we copy it into place:

Code:
cp minimal.wl skipfish.wl
cp skipfish.wl ..
cd ..

You can optionally make an output directory as well; I like to, for the sake of organization:

Code:
mkdir output/
mkdir output/first

RUN IT:

Code:
./skipfish -o output/first/ http://192.168.6.9

When the scan completes, the output report will be output/first/index.html.

Hope you enjoy it.

bostonlink – OSCP