Security Basics mailing list archives

[Lso] Learn Security Online October Newsletter


From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 17 Oct 2006 00:07:54 -0400

Hello again everyone, I hope that you are all doing well. As usual we
here at LSO have an awful lot going on, but I’ll always take the time to
give you some security tips that should help you out in pen-testing,
incident response/forensics, and in IDS/IPS deployments. I’ll also be
giving out some info about upcoming LSO events and courses as well.
Let’s get rolling…


Hacking Competitions: RootWars/SpeedRoot
========================================
Every weekend last month we hosted a RootWar. It was great! Each weekend
we used different operating systems. We even started back-dooring the
OSs that the teams were using, forcing them to work on their incident
response skills as well. There have been a lot of new players each week,
and the feedback has been really good. As with all of the
RootWars/SpeedRoot games – don’t worry about them being too difficult,
they are designed for people with beginner to intermediate levels of
computer/network security experience. You can register by contacting me
directly via email at: joe () learnsecurityonline com


Mentor-Led Training:
====================
For the month of November we will be running a special package deal that
includes both the Certified Ethical Hacker (CEH), and Certified Hacking
Forensic Investigator (CHFI) courses for $449 if you purchase before
November 1st. You can pay for the course package by clicking on this
link: 
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40learnsecurityonline%2ecom&item_name=Custom%20Mentor%2dLed%20Training%20I&item_number=CMLT1&amount=449%2e00&no_shipping=0&no_note=1&currency_code=USD&bn=PP%2dBuyNowBF&charset=UTF%2d8  |--- (End of web link)


Irongeek Interview:
===================
There is a prominent security professional in the community that calls
himself Irongeek. I love to use his videos in classes that I teach
sometimes. He explains things really well, and his videos focus on how
to use free and open source security tools. I highly recommend that you
take a look at his site www.irongeek.com, especially Hacking Illustrated
section: http://irongeek.com/i.php?page=security/hackingillustrated. I
died laughing when I read his Skiddie Baiting article recently:
http://irongeek.com/i.php?page=security/skiddy-baiting. I decided that
I’d like to interview him for next month’s newsletter, and he agreed to
the interview. Check out his site, his articles, and of course his
videos and then send me a list of questions that you’d like him to
answer. I’m preparing some questions for him as well.



Security Tool Tips:
===================
I got great feedback on the security tool tips from last month’s
newsletter. It looks like you guys really liked blindcrawl.pl and
SP-DNS-mine.pl. This month I’ve decided to dip into my tool chest again
and give you a few more tools that I really like.

====================
Security Tool Tip 1:
====================
A lot of today’s security assessments either are or include web
application security tests. SQL Injection, Cross Site Scripting, cookie
tampering, and related attacks are high on the list of things that
people should be on the lookout for. Of course you can always start out
with something like Nessus, or Nikto. I like to start out with
enumerating directories, and files with a tool called wmap written by
Efrain 'ET' Torres. Since this takes the longest (several days in some
cases) I start with this first. You can get wmap at:
http://pwp.007mundo.com/etorres1/wmap.htm

How wmap works:
If target.com moves or renames the common cgi-bin directory where all
of the vulnerable CGIs are contained, tools like Nikto won't find them.
WMAP searches recursively through the site itself, grabbing all the
info contained in HTML tags like <HREF>, <FORM> and <FRAME>, capturing
the new directories and including them in the tests as well, since the
webmaster can call the cgi-bin/ dir anything he wants.

To increase the chance of finding useful stuff, wmap also has a file
containing interesting directories (dirs.db) and another file
containing common CGI dirs (dircgis.db) to search for as well. If a
directory is found it is added to the test. This includes all the
directories that are found in the HTML tags as well. For each directory
found, it not only scans for vulnerable CGIs (cgis.db), it can also
scan for interesting files (e.g. service.pwd) listed in file.db and
does an HTTP PUT scan. It also checks to see if the directory is
browsable. You can't beat that.

Obviously wmap isn't fast because it has to do so many tests.
Another useful option is the possibility of grabbing all the CGIs,
hosts and users referenced in the pages.
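To make the directory-collection step concrete, here is a small Python
reproduction of the logic described above. This is an added example, not
wmap's own code: it parses one constructed HTML page, keeps the
directories of every same-host link it finds in <a href>, <form action>
and <frame src>, merges them with a three-entry stand-in for dirs.db,
and expands the result with a three-entry stand-in for cgis.db. The host
name, the sample page and the word-list entries are all made up for the
example; looks_browsable() is likewise my own reduced version of the
"is the directory browsable" check. Nothing here touches the network,
so you can run it offline against your own saved pages.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page standing in for one crawled page of the target;
# the host name and paths are made up for this example.
SAMPLE_HTML = """
<html><body>
<a href="/whitepapers/showarticle.php?id=3">article</a>
<a href="http://www.example.com/scripts/app/index.html">app</a>
<a href="http://other.example.org/external.html">external</a>
<form action="/bin-cgi/search.cgi" method="get"></form>
<frame src="/admin/frames/menu.html">
</body></html>
"""

# Constructed stand-ins for wmap's dirs.db and cgis.db word lists
# (three entries each, taken from the -t listing in this newsletter).
DIRS_DB = ["/cgi-bin/", "/scripts/", "/admin/"]
CGIS_DB = ["a1disp3.cgi", "addbanner.cgi", "admin.cgi"]


class LinkCollector(HTMLParser):
    """Collects the attributes wmap reads: <a href>, <form action>, <frame src>."""

    WANTED = {"a": "href", "form": "action", "frame": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WANTED.get(tag.lower())
        if wanted is None:
            return
        for name, value in attrs:
            if name.lower() == wanted and value:
                self.links.append(value)


def same_host_dirs(base_url, page_html):
    """Return every directory on the target host that the page references.

    /scripts/app/index.html contributes /scripts/app/ and /scripts/ (and /),
    which is how a renamed cgi-bin/ ends up on the test list.
    """
    parser = LinkCollector()
    parser.feed(page_html)
    host = urlparse(base_url).netloc.lower()
    dirs = set()
    for link in parser.links:
        parsed = urlparse(urljoin(base_url, link))
        if parsed.netloc.lower() != host:
            continue  # off-site link: not part of the target
        directory = posixpath.dirname(parsed.path or "/")
        while True:
            dirs.add(directory.rstrip("/") + "/")
            if directory in ("", "/"):
                break
            directory = posixpath.dirname(directory)
    return dirs


def candidate_cgi_urls(base_url, page_html, dirs_db=DIRS_DB, cgis_db=CGIS_DB):
    """Merge crawled directories with the dirs.db list and expand with cgis.db."""
    dirs = same_host_dirs(base_url, page_html) | set(dirs_db)
    return sorted(urljoin(base_url, d + cgi) for d in dirs for cgi in cgis_db)


def looks_browsable(body):
    """wmap's 'directory browsable' check, reduced to the usual listing markers."""
    lowered = body.lower()
    return "<title>index of /" in lowered or "directory listing for" in lowered


if __name__ == "__main__":
    for url in candidate_cgi_urls("http://www.example.com/", SAMPLE_HTML):
        print(url)
```

With the sample page the crawl yields seven directories (including the
renamed /bin-cgi/ that no word list would contain), the merge adds
/cgi-bin/, and three CGI names per directory give 24 URLs to check. That
multiplication is exactly why the author warns the tool takes days on a
big site.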

[j0e@Linux wmap1.3]$ ./wmap somesite.com
[LoWNOISE] WMAP v1.3    X-Mas adjustment version
                         by ET et () cyberspace org
------------------------------------------------
--[ CGI Found!!!: /cgi-bin/a1disp3.cgi ]


To give you an idea (key word here is idea) of what is going on you can
add the -t switch to see all of the checks it's performing.

[root@Linux wmap1.3]# ./wmap www.learnsecurityonline.com -t
[LoWNOISE] WMAP v1.3    X-Mas adjustment version
                         by ET et () cyberspace org
------------------------------------------------
-[CGI: /a1disp3.cgi ]
-[CGI: /cgi-bin/a1disp3.cgi ]
-[CGI: /scripts/a1disp3.cgi ]
-[CGI: /a1stats/a1disp3.cgi ]
-[CGI: /cgi-bin/a1stats/a1disp3.cgi ]
-[CGI: /scripts/a1stats/a1disp3.cgi ]
-[CGI: /a1stats/a1disp4.cgi ]
-[CGI: /cgi-bin/a1stats/a1disp4.cgi ]
-[CGI: /scripts/a1stats/a1disp4.cgi ]
-[CGI: /addbanner.cgi ]
-[CGI: /cgi-bin/addbanner.cgi ]
-[CGI: /scripts/addbanner.cgi ]
-[CGI: /add_ftp.cgi ]
-[CGI: /cgi-bin/add_ftp.cgi ]
-[CGI: /scripts/add_ftp.cgi ]
-[CGI: /admcgi/contents.htm  ]
-[CGI: /cgi-bin/admcgi/contents.htm  ]
-[CGI: /scripts/admcgi/contents.htm  ]
-[CGI: /admin.cgi ]
-[CGI: /cgi-bin/admin.cgi ]
-[CGI: /scripts/admin.cgi ]
-[CGI: /admin/contextAdmin/contextAdmin.html ]
-[CGI: /cgi-bin/admin/contextAdmin/contextAdmin.html ]
-[CGI: /scripts/admin/contextAdmin/contextAdmin.html ]
-[CGI: /Admin_files/order.log ]
-[CGI: /cgi-bin/Admin_files/order.log ]
-[CGI: /scripts/Admin_files/order.log ]
-[CGI: /adminlogin ]
-[CGI: /cgi-bin/adminlogin ]
-[CGI: /scripts/adminlogin ]
-[CGI: /admin-serv/config/admpw ]
-[CGI: /cgi-bin/admin-serv/config/admpw ]
-[CGI: /scripts/admin-serv/config/admpw ]
-[CGI: /admisapi/fpadmin.htm ]
-[CGI: /cgi-bin/admisapi/fpadmin.htm ]


Just let it run - if it's searching a big website it'll take a while. Go
ahead and move on to the next tool while this guy is running.

====================
Security Tool Tip 2:
====================
Ok, now while wmap is running let’s start with a tool that tests for
server version and .ASP information. I like a new tool called asp-audit
written by David Kierznowski. You can get it at:
http://michaeldaw.org/projects/asp-auditor-v2/


[root@Linux asp-audit]# ./asp-audit.pl siterunningasp.com
Target: siterunningasp.com 
Server Software: Microsoft-IIS/6.0
ASP Framework: YES 
ASP Simple Version: 1.1.4322 
ASP Specific Version: Unknown 
ASP verbose messages: No 
ASP Validate: No 
Default Error Messages: YES
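The fields asp-audit prints come from two things: the response headers
of a normal page and the body of an error page. The Python below is an
added example, not asp-audit's code, that derives the same fields from
two constructed responses: a stock IIS 6.0 reply with the ASP.NET
headers left on and its default error page (the "Server Error in '/'
Application." page with its "Version Information" footer), next to a
hardened pair where the Server and X-AspNet-Version headers are gone and
a custom error page is in place. All responses and versions are made
up; running it against captures from your own site shows what the tool
would report before and after hardening.

```python
import re

# Constructed responses; host, versions and bodies are made up and mirror
# the fields asp-audit reports in the newsletter.
STOCK_IIS_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>welcome</body></html>"
)
# Constructed reply to a request for a page that does not exist, showing
# the stock ASP.NET error page (its title and version footer give it away).
STOCK_IIS_ERROR = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>The resource cannot be found.</title></head><body>"
    "<h1>Server Error in '/' Application.</h1>"
    "<b>Version Information:</b> Microsoft .NET Framework Version:1.1.4322.2300; "
    "ASP.NET Version:1.1.4322.2300</body></html>"
)
# Same server after removing the identifying headers and installing a
# custom error page: what you want the tool to see on your own site.
HARDENED_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>welcome</body></html>"
)
HARDENED_ERROR = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Page not found.</body></html>"
)

# Markers of the default ASP.NET error page.
DEFAULT_ERROR_MARKERS = ("server error in '/' application", "version information:")


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def asp_profile(ok_response, error_response):
    """Derive asp-audit style fields from a normal page and an error page."""
    _, headers, _ = parse_response(ok_response)
    status, _, err_body = parse_response(error_response)
    powered = headers.get("x-powered-by", "").lower()
    simple = headers.get("x-aspnet-version")
    # The full build number only appears in the error page footer.
    specific = re.search(r"ASP\.NET Version:\s*([\d.]+)", err_body)
    lowered = err_body.lower()
    default_page = any(m in lowered for m in DEFAULT_ERROR_MARKERS)
    return {
        "server_software": headers.get("server", "Unknown"),
        "asp_framework": "YES" if ("asp.net" in powered or simple or default_page) else "No",
        "asp_simple_version": simple or "Unknown",
        "asp_specific_version": specific.group(1) if specific else "Unknown",
        "default_error_messages": "YES" if default_page else "No",
        "error_status": status,
    }


if __name__ == "__main__":
    for label, pair in (("stock", (STOCK_IIS_OK, STOCK_IIS_ERROR)),
                        ("hardened", (HARDENED_OK, HARDENED_ERROR))):
        print(label, asp_profile(*pair))
```

Note that the "ASP Specific Version" in the author's run is Unknown
because the target's error page did not leak the footer, while the
simple version still came straight from the X-AspNet-Version header;
both need to be removed for the profile to go quiet.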

====================
Security Tool Tip 3:
====================
Ok, now let’s try one for cross-site scripting. I like to run a quick
scan with an older tool called ScreamingCSS which is a modification of
another tool called ScreamingCobra. You can get this tool at:
http://www.devitry.com/screamingCSS.html


[j0e@Linux screamingCSS1.02]$ ./screamingCSS.pl http://www.somevulnsite.com
Beginning to scan www.somevulnsite.com ::  for CGI bugs...
Kick back and relax, this will take a while...

BUG FOUND - http://www.somvulnsite.com:80/go/stocks/quote?symbol=%22%3exxx%3cP%3eyyy&Go=

15 - pages accessed /   414 - attempted CGIs to break /     1 - CGI bugs found
[j0e@Linux screamingCSS1.02]$

This is by no means fast, and the site scanned has hundreds of XSS
vulnerabilities so I stopped it before it completed the scan. The 15 -
pages accessed / 414 - attempted CGIs to break / 1 - CGI bugs found is
what you see when the tool finishes scanning whether you terminate it
early or not. I find it to be pretty helpful.
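The BUG FOUND line above is the whole method in miniature: the tool
sends the marker ">xxx<P>yyy (URL-encoded as %22%3exxx%3cP%3eyyy) in
each parameter and reports a bug if the marker comes back with its
markup intact. The Python below is an added example, not ScreamingCSS
code: it builds that probe URL, runs the check against a constructed
stand-in for the quote page that echoes the symbol parameter raw, and
then against the same page with html.escape() applied. The page
template, parameter names and handler functions are my own
assumptions; the only thing taken from the newsletter is the probe.

```python
import html
from urllib.parse import parse_qs, urlencode

# The marker from the BUG FOUND line, decoded: %22%3e xxx %3cP%3e yyy.
PROBE = '">xxx<P>yyy'

TEMPLATE = ('<html><form><input name="symbol" value="%s"><input name="Go">'
            '</form><p>No quote for %s</p></html>')


def build_probe_url(page_url, param, probe=PROBE):
    """Construct the request the scanner sends for one parameter of one page."""
    return page_url + "?" + urlencode([(param, probe), ("Go", "")])


def vulnerable_quote_page(query_string):
    """Constructed stand-in for the quote CGI: echoes symbol into the page raw."""
    symbol = parse_qs(query_string).get("symbol", [""])[0]
    return TEMPLATE % (symbol, symbol)


def hardened_quote_page(query_string):
    """Same page with the value HTML-escaped; quote=True also covers the attribute."""
    symbol = html.escape(parse_qs(query_string).get("symbol", [""])[0], quote=True)
    return TEMPLATE % (symbol, symbol)


def reflects_unescaped(handler, param="symbol", probe=PROBE):
    """The scanner's check: does the probe come back with its markup intact?

    Both halves must survive: '">' shows an attribute value can be closed,
    '<P>' shows a new tag is accepted in the body.
    """
    body = handler(urlencode([(param, probe), ("Go", "")]))
    return '">xxx' in body and "<P>yyy" in body


def scan(handler, params=("symbol",)):
    """Return the parameters for which the probe is reflected unescaped."""
    return [p for p in params if reflects_unescaped(handler, p)]


if __name__ == "__main__":
    print(build_probe_url("http://www.somevulnsite.com:80/go/stocks/quote", "symbol"))
    print("vulnerable:", scan(vulnerable_quote_page, ("symbol", "Go")))
    print("hardened:  ", scan(hardened_quote_page, ("symbol", "Go")))
```

Because the check requires the literal characters to survive, an
escaped page (&quot;&gt;xxx&lt;P&gt;yyy) is never counted as a bug,
which is also why escaping at output time, rather than filtering input,
is the fix that makes this class of scanner go quiet.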

===================
Security Tool Tip 4
===================
After all of this I break out my creme de la creme. I love this tool
called Wapiti. Quote from wapiti.sourceforge.net: "It performs
"black-box" scans, i.e. it does not study the source code of the
application but will scan the webpages of the deployed webapp, looking
for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to
see if a script is vulnerable.

Wapiti can detect the following vulnerabilities :

      * File Handling Errors (Local and remote include/require, fopen,
        readfile...)
      * Database Injection (PHP/JSP/ASP SQL Injections and XPath
        Injections)
      * XSS (Cross Site Scripting) Injection
      * LDAP Injection
      * Command Execution detection (eval(), system(), passthru()...)
      * CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate punctual and permanent XSS
vulnerabilities. Wapiti prints a warning every time it finds a script
allowing HTTP uploads. A warning is also issued when an HTTP 500 code is
returned (useful for ASP/IIS). Wapiti does not rely on a vulnerability
database like Nikto does. Wapiti aims to discover unknown vulnerabilities
in web applications. It does not provide a GUI for the moment and you
must use it from a terminal."
 
[root@Linux wapiti-1.1.3]# python wapiti.py http://www.vulsite.org
...................................
Attacking urls (GET)...
-----------------------
MySQL Injection (id) in
http://www.vulnsite.org/whitepapers/showarticle.php
        Evil url:
http://www.vulnsite.org/whitepapers/showarticle.php?id=%BF%27%22%28

Attacking forms (POST)...
-------------------------

Looking for permanent XSS
-------------------------
[root@Linux wapiti-1.1.3]#
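What Wapiti did to find the "MySQL Injection (id)" above is the fuzzer
loop from its own description: send a quote/paren probe in the id
parameter and look at whether the reply changes from an article to a
database error. The Python below is an added example, not Wapiti's or
the vulnerable site's code. It builds an in-memory SQLite table with two
constructed articles, a showarticle() handler that pastes id into the
SQL text and echoes the database's error message (the shape of page
such a finding implies), the same handler with a bound parameter and a
generic failure message, and a small error-based detector over both.
The probes mirror the %27%22%28 tail of the Evil url; table name,
error strings and handler names are my assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the site's article table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO articles VALUES (?, ?)",
                 [(1, "Constructed article one"), (2, "Constructed article two")])

PAGE = "<html><body>%s</body></html>"


def vulnerable_showarticle(article_id):
    """showarticle.php as the fuzzer sees it: the id is pasted into the SQL
    text, and the database's own error message is echoed into the page."""
    sql = "SELECT title FROM articles WHERE id = '%s'" % article_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return PAGE % ("Database error: %s" % exc)
    return PAGE % (row[0] if row else "No such article")


def hardened_showarticle(article_id):
    """Same page with a bound parameter and a generic message on failure."""
    try:
        row = conn.execute("SELECT title FROM articles WHERE id = ?",
                           (article_id,)).fetchone()
    except sqlite3.Error:
        return PAGE % "Sorry, something went wrong."
    return PAGE % (row[0] if row else "No such article")


# Strings a fuzzer looks for in the reply to decide a probe broke the query.
ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token",
                    "you have an error in your sql syntax")
# Quote/paren probes mirroring the %27%22%28 tail of the Evil url.
PROBES = ("'", '"', "'\"(")


def error_based_injection(handler, known_good="1", probes=PROBES):
    """Return the first probe whose reply shows a new DB error, else None."""
    baseline = handler(known_good).lower()
    if any(sig in baseline for sig in ERROR_SIGNATURES):
        return None  # the page errors anyway; a probe proves nothing
    for probe in probes:
        body = handler(known_good + probe).lower()
        if any(sig in body for sig in ERROR_SIGNATURES):
            return probe
    return None


if __name__ == "__main__":
    print("vulnerable:", error_based_injection(vulnerable_showarticle))
    print("hardened:  ", error_based_injection(hardened_showarticle))
```

Two things make the hardened version go quiet: the bound parameter
means a quote is data rather than syntax, so no error occurs, and the
generic failure message means that even an unexpected error gives the
fuzzer no signature to match. Note the 500-code warning Wapiti issues
for ASP/IIS is the same idea applied to the status line instead of the
body.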


At this point I would fire up my blind sql injection tools now that
successful SQL Injection has been found. After verifying the blind
sql-injection is possible I'd bruteforce the table names and see if I
could enumerate more information from the site. Let me know if you guys
are interested in this type of stuff and we can of course cover more of
it in a private lesson or future newsletter.

Non-Member Introductory Private Lesson Offer
============================================
Are you not an active LSO member but would like to try a private lesson
in the hacklab with me? For just 35.00 I'll spend an hour with you in
the lab working with you on the topic of your choice (Footprinting,
Scanning, Enumeration, Exploitation, Post-Exploitation, Web Application
Security, etc - it's completely up to you). I can evaluate your
skill-set/security goals and give training recommendations as well. The
lab includes Linux, Solaris, FreeBSD, and of course all modern versions
of Windows (2000, XP, 2003) with MS SQL Server all running as target
operating systems. We will schedule the training to meet your time
constraints, meet online (instant messenger, IRC, Phone, Skype, etc) and
yes I'll make sure we cover the stuff that you won't learn in the
Hacking Exposed books. Click on the link below to purchase the training:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40learnsecurityonline%2ecom&item_name=Introductory%20Private%20Lesson&item_number=IPL&amount=35%2e00&no_shipping=2&no_note=1&currency_code=USD&bn=PP%2dBuyNowBF&charset=UTF%2d8  |-- End of link



LSO WebSite Update:
===================
The website should be back online on the 23rd of this month (might be a
day or so late, but should be back online then). We've moved to a new
CMS so that's taking us some time to learn it, and even worse - secure
it. All in all I'm pretty happy with how things are coming along. I
think the classes are doing good, the private lessons are going well,
the hacking competitions each weekend are going well and I only have a
few gray hairs. What more can you ask for in life?


Most of you know that Chris Gates (chris () learnsecurityonline com) is
starting to take over LSO operations now. He's been with LSO for nearly
4 years now. He started as a customer back when we were RootWars.org,
and he is now writing our courses, mentoring customers, running the
hacking competitions on the weekends, and making videos for
ethicalhacker.net and milw0rm.com. Chris is now starting to do more of
the private lessons to help me out as I'm averaging 3-4 a day now. He's
more than competent and I strongly encourage you all to learn as much as
you can from him. U DA MAN Chris!!!!!

Last but not least I would like to thank all of you for supporting us
here at LSO. Take care.


-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access


_______________________________________________
Lso mailing list
Lso () www learnsecurityonline com
http://www.learnsecurityonline.com/mailman/listinfo/lso
