Security Basics mailing list archives
[Lso] Learn Security Online October Newsletter
From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 17 Oct 2006 00:07:54 -0400
Hello again everyone, I hope that you are all doing well. As usual we here at LSO have an awful lot going on, but I'll always take the time to give you some security tips that should help you out in pen-testing, incident response/forensics, and in IDS/IPS deployments. I'll also be giving out some info about upcoming LSO events and courses as well. Let's get rolling...

Hacking Competitions: RootWars/SpeedRoot
========================================
Every weekend last month we hosted a RootWar. It was great! Each weekend we used different operating systems. We even started back-dooring the OSs that the teams were using, forcing them to work on their incident response skills as well. There have been a lot of new players each week, and the feedback has been really good. As with all of the RootWars/SpeedRoot games – don't worry about them being too difficult, they are designed for people with beginner to intermediate levels of computer/network security experience. You can register by contacting me directly via email at: joe () learnsecurityonline com

Mentor-Led Training:
====================
For the month of November we will be running a special package deal that includes both the Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI) courses for $449 if you purchase before November 1st. You can pay for the course package by clicking on this link:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40learnsecurityonline%2ecom&item_name=Custom%20Mentor%2dLed%20Training%20I&item_number=CMLT1&amount=449%2e00&no_shipping=0&no_note=1&currency_code=USD&bn=PP%2dBuyNowBF&charset=UTF%2d8

Irongeek Interview:
===================
There is a prominent security professional in the community who calls himself Irongeek. I love to use his videos in the classes that I teach sometimes. He explains things really well, and his videos focus on how to use free and open source security tools.
I highly recommend that you take a look at his site www.irongeek.com, especially the Hacking Illustrated section: http://irongeek.com/i.php?page=security/hackingillustrated. I died laughing when I read his Skiddie Baiting article recently: http://irongeek.com/i.php?page=security/skiddy-baiting. I decided that I'd like to interview him for next month's newsletter, and he agreed to the interview. Check out his site, his articles, and of course his videos, and then send me a list of questions that you'd like him to answer. I'm preparing some questions for him as well.

Security Tool Tips:
===================
I got great feedback on the security tool tips from last month's newsletter. It looks like you guys really liked blindcrawl.pl and SP-DNS-mine.pl. This month I've decided to dip into my tool chest again and give you a few more tools that I really like.

====================
Security Tool Tip 1:
====================
A lot of today's security assessments either are or include web application security tests. SQL Injection, Cross Site Scripting, cookie tampering, and related attacks are high on the list of things that people should be on the lookout for. Of course you can always start out with something like Nessus or Nikto. I like to start out with enumerating directories and files with a tool called wmap written by Efrain 'ET' Torres. Since this takes the longest (several days in some cases) I start with this first.

You can get wmap at: http://pwp.007mundo.com/etorres1/wmap.htm

How wmap works:
If target.com moves or renames the common cgi-bin directory where all of the vulnerable CGIs are contained, tools like Nikto won't find them. WMAP searches recursively through the site itself, grabbing all the info contained in HTML tags like <HREF>, <FORM> and <FRAME>, capturing the new directories and including them in the tests as well, since the webmaster can call the cgi-bin/ dir anything he wants.

To increase the chance of finding useful stuff, wmap also has a file containing interesting directories (dirs.db) and another file containing common CGI dirs (dircgis.db) to search for as well. If a directory is found it is added to the test. This includes all the directories that are found in the HTML tags as well. For each directory found, it not only scans for vulnerable CGIs (cgis.db), it can also scan for interesting files (ex. service.pwd) listed in file.db, and does an HTTP PUT scan. It also checks to see if the directory is browsable. You can't beat that. Obviously wmap isn't fast because it has to do so many tests. Another useful option is the possibility of grabbing all the CGIs, hosts and users referenced in the pages.

[j0e@Linux wmap1.3]$ ./wmap somesite.com
[LoWNOISE] WMAP v1.3 X-Mas adjustment version by ET et () cyberspace org
------------------------------------------------
--[ CGI Found!!!: /cgi-bin/a1disp3.cgi ]

To give you an idea (key word here is idea) of what is going on you can add the -t switch to see all of the checks it's performing.
[root@Linux wmap1.3]# ./wmap www.learnsecurityonline.com -t
[LoWNOISE] WMAP v1.3 X-Mas adjustment version by ET et () cyberspace org
------------------------------------------------
-[CGI: /a1disp3.cgi ]
-[CGI: /cgi-bin/a1disp3.cgi ]
-[CGI: /scripts/a1disp3.cgi ]
-[CGI: /a1stats/a1disp3.cgi ]
-[CGI: /cgi-bin/a1stats/a1disp3.cgi ]
-[CGI: /scripts/a1stats/a1disp3.cgi ]
-[CGI: /a1stats/a1disp4.cgi ]
-[CGI: /cgi-bin/a1stats/a1disp4.cgi ]
-[CGI: /scripts/a1stats/a1disp4.cgi ]
-[CGI: /addbanner.cgi ]
-[CGI: /cgi-bin/addbanner.cgi ]
-[CGI: /scripts/addbanner.cgi ]
-[CGI: /add_ftp.cgi ]
-[CGI: /cgi-bin/add_ftp.cgi ]
-[CGI: /scripts/add_ftp.cgi ]
-[CGI: /admcgi/contents.htm ]
-[CGI: /cgi-bin/admcgi/contents.htm ]
-[CGI: /scripts/admcgi/contents.htm ]
-[CGI: /admin.cgi ]
-[CGI: /cgi-bin/admin.cgi ]
-[CGI: /scripts/admin.cgi ]
-[CGI: /admin/contextAdmin/contextAdmin.html ]
-[CGI: /cgi-bin/admin/contextAdmin/contextAdmin.html ]
-[CGI: /scripts/admin/contextAdmin/contextAdmin.html ]
-[CGI: /Admin_files/order.log ]
-[CGI: /cgi-bin/Admin_files/order.log ]
-[CGI: /scripts/Admin_files/order.log ]
-[CGI: /adminlogin ]
-[CGI: /cgi-bin/adminlogin ]
-[CGI: /scripts/adminlogin ]
-[CGI: /admin-serv/config/admpw ]
-[CGI: /cgi-bin/admin-serv/config/admpw ]
-[CGI: /scripts/admin-serv/config/admpw ]
-[CGI: /admisapi/fpadmin.htm ]
-[CGI: /cgi-bin/admisapi/fpadmin.htm ]

Just let it run - if it's searching a big website it'll take a while. Go ahead and move on to the next tool while this guy is running.

====================
Security Tool Tip 2:
====================
Ok, now while wmap is running let's start with a tool that tests for server version and .ASP information. I like a new tool called asp-audit written by David Kierznowski.
You can get it at: http://michaeldaw.org/projects/asp-auditor-v2/

[root@Linux asp-audit]# ./asp-audit.pl siterunningasp.com
Target: siterunningasp.com
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: 1.1.4322
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: YES

====================
Security Tool Tip 3:
====================
Ok, now let's try one for cross-site scripting. I like to run a quick scan with an older tool called ScreamingCSS, which is a modification of another tool called ScreamingCobra. You can get this tool at: http://www.devitry.com/screamingCSS.html

[j0e@Linux screamingCSS1.02]$ ./screamingCSS.pl http://www.somevulnsite.com
Beginning to scan www.somevulnsite.com :: for CGI bugs...
Kick back and relax, this will take a while...
BUG FOUND - http://www.somvulnsite.com:80/go/stocks/quote?symbol=%22%3exxx%3cP%3eyyy&Go=
15 - pages accessed / 414 - attempted CGIs to break / 1 - CGI bugs found
[j0e@Linux screamingCSS1.02]$

This is by no means fast, and the site scanned has hundreds of XSS vulnerabilities so I stopped it before it completed the scan. The "15 - pages accessed / 414 - attempted CGIs to break / 1 - CGI bugs found" line is what you see when the tool finishes scanning, whether you terminate it early or not. I find it to be pretty helpful.

===================
Security Tool Tip 4
===================
After all of this I break out my creme de la creme. I love this tool called Wapiti. Quote from wapiti.sourceforge.net:

"It performs "black-box" scans, i.e. it does not study the source code of the application but will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Wapiti can detect the following vulnerabilities:
* File Handling Errors (Local and remote include/require, fopen, readfile...)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passthru()...)
* CRLF Injection (HTTP Response Splitting, session fixation...)
Wapiti is able to differentiate punctual and permanent XSS vulnerabilities. Wapiti prints a warning every time it finds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP/IIS). Wapiti does not rely on a vulnerability database like Nikto does. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal."

[root@Linux wapiti-1.1.3]# python wapiti.py http://www.vulsite.org
...................................
Attacking urls (GET)...
-----------------------
MySQL Injection (id) in http://www.vulnsite.org/whitepapers/showarticle.php
  Evil url: http://www.vulnsite.org/whitepapers/showarticle.php?id=%BF%27%22%28
Attacking forms (POST)...
-------------------------
Looking for permanent XSS
-------------------------
[root@Linux wapiti-1.1.3]#

At this point I would fire up my blind SQL injection tools, now that successful SQL Injection has been found. After verifying that blind SQL injection is possible I'd bruteforce the table names and see if I could enumerate more information from the site. Let me know if you guys are interested in this type of stuff and we can of course cover more of it in a private lesson or future newsletter.

Non-Member Introductory Private Lesson Offer
============================================
Are you not an active LSO member but would like to try a private lesson in the hacklab with me? For just 35.00 I'll spend an hour with you in the lab working with you on the topic of your choice (Footprinting, Scanning, Enumeration, Exploitation, Post-Exploitation, Web Application Security, etc - it's completely up to you).
I can evaluate your skill-set/security goals and give training recommendations as well. The lab includes Linux, Solaris, FreeBSD, and of course all modern versions of Windows (2000, XP, 2003) with MS SQL Server, all running as target operating systems. We will schedule the training to meet your time constraints, meet online (instant messenger, IRC, phone, Skype, etc), and yes, I'll make sure we cover the stuff that you won't learn in the Hacking Exposed books. Click on the link below to purchase the training:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40learnsecurityonline%2ecom&item_name=Introductory%20Private%20Lesson&item_number=IPL&amount=35%2e00&no_shipping=2&no_note=1&currency_code=USD&bn=PP%2dBuyNowBF&charset=UTF%2d8

LSO WebSite Update:
===================
The website should be back online on the 23rd of this month (might be a day or so late, but it should be back online then). We've moved to a new CMS, so that's taking us some time to learn it, and even worse - secure it. All in all I'm pretty happy with how things are coming along. I think the classes are doing well, the private lessons are going well, the hacking competitions each weekend are going well, and I only have a few gray hairs. What more can you ask for in life?

Most of you know that Chris Gates (chris () learnsecurityonline com) is starting to take over LSO operations now. He's been with LSO for nearly 4 years now. He started as a customer back when we were RootWars.org, and he is now writing our courses, mentoring customers, running the hacking competitions on the weekends, and making videos for ethicalhacker.net and milw0rm.com. Chris is now starting to do more of the private lessons to help me out as I'm averaging 3-4 a day now. He's more than competent and I strongly encourage you all to learn as much as you can from him. U DA MAN Chris!!!!!

Last but not least I would like to thank all of you for supporting us here at LSO. Take care.
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games
* Simulators
* Challenge Servers
* Courses
* Hacking Competitions
* Hacklab Access
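Added example, not part of Joe's newsletter or of any tool it mentions: the defender's side of Tool Tip 1. A wmap -t sweep shows up in the web server's access log as a burst of 404s for many distinct CGI paths from one client, plus PUT requests from its PUT scan, and this Python script flags both patterns. The combined log format, the thresholds and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None                          # skip lines that do not parse
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_scanners(lines, window_s=60, min_404_paths=4):
    """Map flagged client IP -> reason: >= min_404_paths distinct 404'd paths inside
    any window_s-second window (a cgis.db/dirs.db sweep), or any PUT request (wmap's PUT scan)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[0]].append(rec[1:])   # (ts, method, path, status)
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        if any(method == "PUT" for _, method, _, _ in evs):
            hits[ip] = "HTTP PUT probe"
            continue
        misses = [(ts, path) for ts, _, path, status in evs if status == 404]
        lo = 0                               # sliding window over this client's 404s
        for hi in range(len(misses)):
            while (misses[hi][0] - misses[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = {path for _, path in misses[lo:hi + 1]}
            if len(distinct) >= min_404_paths:
                hits[ip] = f"{len(distinct)} distinct 404 paths within {window_s}s"
                break
    return hits

# Constructed sample: a normal visitor, a client walking wmap's CGI list, a PUT probe.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2006:00:07:54 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [17/Oct/2006:00:08:01 -0400] "GET /a1disp3.cgi HTTP/1.0" 404 209
198.51.100.9 - - [17/Oct/2006:00:08:01 -0400] "GET /cgi-bin/a1disp3.cgi HTTP/1.0" 404 209
198.51.100.9 - - [17/Oct/2006:00:08:02 -0400] "GET /scripts/a1disp3.cgi HTTP/1.0" 404 209
198.51.100.9 - - [17/Oct/2006:00:08:03 -0400] "GET /cgi-bin/addbanner.cgi HTTP/1.0" 404 209
192.0.2.44 - - [17/Oct/2006:00:09:10 -0400] "PUT /test.txt HTTP/1.1" 405 0
""".splitlines()
```

Run `find_scanners(SAMPLE_LOG)` to see the two probing clients flagged and the normal visitor left alone; tune window_s and min_404_paths against your own site's baseline 404 rate before alerting on real logs.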