Secure Dose

Wednesday, 3 May 2017

Hands on Eternalblue, Doublepulsar and Patch

I know, I am writing after a quite long time but I had to!
Eternalblue and Doublepulsar are the exploits by NSA which were leaked by Shadow Brokers. These leaks are known to be a big Cyber Chaos after Stuxnet.
I though to dive into it.

Setting up the environment:
Here is a piece of the orignal exploit by two researchers, Pablo Gonzalez and Sheila Berta from ElevenPaths for the msf implementation.
You can clone it from here
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/
I assume that you are aware about the how's and do's of msf.
Download and place the exploit file into it.
/usr/share/metaplsoit-framework/modules/exploit/windows/smb/
Search for eternalblue and use it on msfconsole.
In the options, give the path to the dependencies for both eternalblue, doublepulsar and also fulfill rest of the options.Make sure you are giving correct TARGETARCHITECTURE value and PROCESSINJECT value. 

This may give you an error for wine. Simply run wine foo.exe and it will create a .wine folder to your root directory.
Run again and it should successfully run. 


It is not really necessary to set value for LHOST unless you have networks constrains.
I have got access to the win7 machine.

What it does?
It actually uses the original binary present in the leak using wine.
You can find this on Ln 105 and 114 


Not so deep but just an overview that the orignal binary, exploits the SMB protocol and have Windows Kernel exploit and then:
  • DLL Injection
  • Process Injection
You need to have a persistence access so that on every startup it then just require a multi handler and no exploiting again, and again each time you want to access.

Exploitation Scope: 
  • Windows XP(all service pack)(x86)(x64)
  • Windows Server 2003 SP0/1/2(x86)
  • Windows Vista(x86)(x64)
  • Windows Server 2008(x86)
  • Windows Server 2008 R2(x86)(x64)
  • Windows 7(all service pack)(x86)(x64)

Reliable?
These exploits aren't reliable for win7 as well as win server 2k8 R2 as it doesn't always exploit it but does affect the server in some or the other way. 
Following are the behaviors:
  • Unexpected Shutdown
  • BSOD
  • Reboot
  • Hangs up
  • Errors poping up
So if these are the issues you are facing since 3-4 days, you probably being attacked using these "public" 0days.

What did I see?
Lots of errors and critical issues the system was facing.
Let me share:


There were lots of Criticals, Errors and Warnings.
Ok, on analysing these errors you may get a good idea on how these exploits work! :)

If you are interested to dive into few of them following are the links where you can understand it more deeply
https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/custom-dynamic-link-libraries-are-being-loaded-for/912df301-9adc-4a07-8fff-5edd50e9d64b
https://community.spiceworks.com/windows_event/show/1844-microsoft-windows-wininit-11#windows_event_comment_1857
Patch Available?
MS17-010 for Eternalblue and I think MS16-123 for Doublepulsar.


For Eternalblue if you are not interested to have ms17-010, you can disable the SMBv1,2,3 protocol by the following PowerShell Commands.
For SMBv1 Client:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
For SMBv2,3:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Share if you liked it. :)
 @bhashitpandya

Sunday, 22 May 2016

Penetration Testing and Its Methodology


Following is the video about Penetration testing and the mythologies used to implement it. 




You can view and download the presentation here


Friday, 1 April 2016

InfoSec Positions today!





When we dive into InfoSec, we generally try finding what are the jobs positions, what are their role, etc..
With a small compilation, lets find what all position we have in the filed of Security and what are their roles.
Following is a small list:

Security Engineer:
Security engineers have responsibility for developing effective computing fixes to increase the security of their company's systems and projects. They are in charge of creating innovative ways to solve existing production security issues and must possess an advanced understanding of intrusion detection and prevention protocols.

Security Engineer Tasks:
  • Create test plans which will allow for a proper evaluation of security issues for new hardware and software.
  • Identify security solutions and implement a multi-layered defense to protect the networks.
  • Test new or upgraded hardware and software and implement new technologies.
  • Configure and set up firewalls and intrusion detection systems.
  • Respond to network intrusions and be familiar with performing forensic investigation.
Information Security Engineer:
Large enterprise have employees working in a variety of office locations, job sites, and home environments (through telecommuting). Information security engineers help maintaining integrity of all data communicated and stored through the business enterprise. They maintain  and develop protocols for the safe use, entry, transmission, Transactions, and retrieval of data and software assets at a company.

Information Security Engineer Tasks:

  • Create test plans which will allow for a proper evaluation of security issues for new hardware and software.
  • Identify security solutions and implement a multi-layered defense to protect the networks.
  • Test new or upgraded hardware and software and implement new technologies.
  • Configure and set up firewalls and intrusion detection systems.
  • Respond to network intrusions and be familiar with performing forensic investigation.
Security Consultant/Adviser:
Security Advisers evaluate the existing security to conclude the potential risk of a breach. The consultant develops security policies and procedures that reduces the risk to objects, employees and computer systems. Consultants may also provide evaluations and assessments in collaboration with sales staff for the security business.

Security Consultant Tasks:
  • Develop security design
  • Design security processes and documentation(Policies).
  • Conduct a security test and prepare a report for all the weakness along with their solution and fix.
  • Demonstrate the designed security system. 
Security Analyst:
A security analyst is responsible for maintaining the security and data integrity within the company or an organization. Security analyst have the knowledge about the security information of his company. The security analyst has to even work with the business administration as well as its IT department for communicating flaws and security investments.

Security Analyst Tasks:
  • Responsible for protecting sensitive data
  • Responsible to ensure that nobody can have an unauthorized access to the system or network.
  • Security analyst must plan and document all security information which includes physical and internet security.

*Note:There are lots of position but I haven't covered them all just for the sake of simplicity.

Tuesday, 8 March 2016

Facebook URL Redirect Vulnerability


Facebook URL Redirect:
I reported but wasn't accepted..
The page redirect the user to a facebook phishing login page! They said It'll be redirected for only few users but what if create the link which include the those effected users?
Enjoy!


Sunday, 8 November 2015

Bug Bounty!!

The Bug Bounty Trends
These days in India there's lot of people into earning money via Bug Bounty..
What actually bug bounty is? An ATM Machine where people get dollars??
Actually no. Lets see what it is actually and why there is more craze about bug bounty especially here in India.




What is Bug Bounty?
Well, bug bounty is a program offered by many companies which are into developing a Web-based or Standalone products to find bugs in it and on submission they verify the bug and based on the seviourity, these companies provide rewards. It is similar to any kind of deal.  It is open to public and anybody can take this program by finding bugs(Generally, Security bugs!) and properly reporting.
You might be thinking that If anybody can take this deal then penetration testers are losing their job then? Actually No they are not.


How it works?
There are procedure, protocols and standards has to be followed by the person taking part in the program for the sake of the companies risk. Not following these protocols can be illegal and may land you into jail and official issues. We will be discussing about it soon.
First lest see what actually companies do to start such a program.

Their bug bounty program is initiated only and only after they test their own application first.
This includes all types of tests like Security testing, Unit testing, Functionality testing, Compliance testing, etc and only after they are fine with it they initiate these programs. The reason is, if they do not do so, their company procedure will increase, also their reputation and trust among their clients reduces. 
Reputation? how? 
If they do not have their own testing team, they are likely to have more critical bugs, easy to find and exploit. This directly strikes the reputation of the company and hence, penetration testers are not losing their job at all.

How they take bug bounty these days?
Most of the bug hunters today are taking their level of skill based on the bug they find in much reputed companies  web-applications. The more reputed the company, the much "pro" they are.
Another thing is, a source of money to again a big population.
There are many out there who actually take this as a learning process.

What is the advantage of bug bounty program?
I would like to highlight the things we learn. 

1)The professionals who have actually participated bug bounty usually have their own blog where they post how did they found bugs. Reading bout such bugs you learn more about how to discovers vulnerabilities. So when we actually participate into this we increase our skill set into Vulnerability Assessment. 
  1. Vulnerability assessment 

2)When we submit bug to them we actually learn how to write a report. A quick search and you can find many ways to write a bug report with a good POC(Proof of Concept) with video and screenshot.
Here you can find why writing good report is important.
  1. Vulnerability assessment
  2. Bug Reporting

3)Interacting in a formal way is another skill you can add to your list. Many of them have skills and are good into VA but their interacting power is not so good hence they lose the bounty program. I have come across few people who find good bugs into reputed companies but they eventually do not get their bug approved just because of the interaction issue.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills

4)Companies get to know about your skills and may also hire you. Similar thing happened with me when I was finding something to do in my vacations. I found a bug in a startup's web-application, reported them and I was doing internship withing few weeks. Cool right? 
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure 
5)You can include this into your CV that you participated in such bug bounty programs where you reported vulnerabilities in so and so companies. This makes your CV more attractive and gives a reason to hire you.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure
  5.  Attractive Portfolio

There are many websites which provide a platform for Hunters and Companies both.
To find some reputed companies program search about them. 
There are many more things which come up to you and you can learn. 
Hope this article helps to know more about bug bounties.  
pic source: bugbounty.att.com

Wednesday, 15 July 2015

The Famous Top 10!


Introduction:
The title says it all.
This is a list which has world top 10 vulnerabilities being found on web application.
Every person from the InfoSec community knows about it but as a beginner you should know about it.
In this post we'll check out what are this top 10 list and what is owasp.


OWASP:
OWASP(Open Web Application Security Project) is an open community where security researchers, professionals and security enthusiast from around the globe work together and build an Open Source security tools and project.
Anybody can contribute to it and anybody can create their own projects.
They even have an owasp slack team, where you can ask, join, chat and share files. Join the team @owasp.slack.com
and you can check out it's wiki to owasp.org

 List:
 These are the list of vulnerabilities defined and regularly updated. This is the list you must always have in priority while you test a web application. You can even consider this as a check list to have a eye or decide your vulnerability testing priorities. 


I was speaker at a local security meetup last to last month, where I represented and explained these lists and demonstrated XSS and Injection category. You can find the PDF from the resource section with the title "Breaking Web Application" and here is official list with description - [OWASP TOP 10].  

1. Injection:
Injection is the 1st category of Top OWASP List. Injection are the malicious codes written in between the original code.
Now the question arise, But we don't have access to the code then how it is possible to write such codes?
Answer to this is very simple. You don't need to have any kind of access to the original code. A simple typical way to write code in between the original code is to write where the user inputs are provided but it's not always necessary that only user inputs are the ways to inject malicious codes. There are several other ways like writing the code in the URL itself, into http request headers, into a crafted file which executes as soon it is uploaded, etc. 
There are so many method to inject as mentioned above. We will understand this briefly in later posts.

2. Session Management & Broken Authentication:  
The session management includes the maintenance of the state of entity communicating with it and Authentication is an act to confirm that something communicating with the system is the one who they claim they are.

3. Cross-Site-Scripting
Cross-site-scripting is also known as XSS. This is a generally used as a client side attack which affects the clients visiting the infected websites. This vulnerability can do lot of harm to users like and eventually harm to the site visitors. This actually loads javascript the victims browser which can cause stealing of credentials and identity and much more.

4. Insecure Direct Object reference:
It occurs when a  reference is being unknowingly left open which gives direct access to the internal implementation object. This includes directory access, config files access, etc where an attacker can take advantage of this and can further exploit the system and gain deep access.

5. Security Misconfiguration:
A good security is defined when configuring the firewall, web application, framework, database and servers in a secured manner. For example default configuration and default users and passwords and
Directory listing, extra information exposed, etc. also falls in this category.

6 Sensitive Data Exposure: 
This is a flaw where many of the web applications are vulnerable to. Sensitive data like configuration files, Exposure of internal files sharing in a company or at an enterprise level, and similar scenario. Taking advantage of these sensitive data can cause tragedy to the system.

7. Missing Functional Level Access:
What if you get access to a privilege without being asked? It is like being a student you can still perform actions of your HOD or Principle. Similar there is a website and you know the admin page, now as you visit the page you directly get access to it. This is A7.

8. Cross Site Request Forgery:
Cross Site Request Forgery can be "csrf" too. This is a kind of an attack which uses a web page. When an authenticated user of a vulnerable web application visit the malicious site, an action is automatically performed which is being executed on the user's browser and which act on the vulnerable website. This can change the password of that user. It'll work as if the user itself changed it own settings.

9. Using components with known vulnerabilities: 
The developers when not knowing what libraries, components or packages or plugin they are using, when they get outdated and vulnerable, the developers do not know as they are not "Security freak" as you. ;) They are unaware and bang!!! Somebody takes the advantage who knows the plugin is vulnerable and the developer is pwned. This is where some web apps are compromised.

10. Unvalidated redirects and forwards:
An unintended and unexpected(Developer's perspective) redirect the user to any or similar looking website(probably malicious{phishing page,drive by downloads, etc}). In a nutshell, it uses a parameter to redirect the website to something else. As provided in the sweety curl braces above are the attacks can be exploited. 

Conclusion:
The famous top 10 are one of the most important parameters to have a closer look as they can be considered as a check list while conducting Vulnerability Assessment and Penetration testing.

Monday, 8 June 2015

Secure Web Application PART - II

In case you haven't read PART - I read it here
Lets continue..

Common attack vectors:

@Attack Vectors are the "scope" of an attacker/malicious user to attack on the application and exploit the vulnerabilities discovered by him.

The Following are some common attack vectors where an attacker can attack and gain a particular level of access to your web application or can make it unavailable to other users so that they cannot access the resources and features provided by this web app.

1.  User Input Fields

2.  URL & Parameter Manipulation
3.  Information Disclosure (http header/server side error/etc..)
4.  @Authorization
5.  @Authentication
6.  Insecure Data Storage
7.  Insecure File Upload
8.  Pivilage Elevation
9.  Dos/DDos
10. Business Logics
11. Insecure Hosted Applications
12. Social Engineering
The following image includes them:



Check your existing web security:

Following are some of the question/check list to answer and have a look into to check whether your existing web application is having basic security implemented?
It can also be used as a checklist to develop a secured web application.

Infrastructure Considerations:
  • Does the network provide secure communication?
  • Does your deployment topology include an internal ‍ all?
  • Does your deployment topology include a remote application server?
  • What restrictions does infrastructure security impose?
Input Validation:
  • How are you ‍validating user inputs?
  • What do you do with the input?
Authorization:
  • How do you authorize end users?
  • How do you authorize the application in the database?
  • How do you restrict access to system-level resources?
Authentication:
  • Do you separate public and restricted access?
  • How do you authenticate the Application?
  • How do you authenticate with the database?
  • Do you enforce strong account management practices?
Sensitive Data:
  • Do you store secrets?
  • How do you store sensitive data?
  • Do you pass sensitive data over the network?
  • Do you log sensitive data?
Cryptography:
  • Why do you use particular algorithms?
  • How do you secure encryption keys?
  • Are you revealing your logic's unknowingly?
Parameter Manipulation:
  • Do you validate all input parameters?
  • Do you pass sensitive data in parameters?
  • Do you use HTTP header data for security?
Exception Management:
  • Are you revealing too much of information to the user?
  • Sure you have made a check to all the corners?
  • Are you exceptions default?
Monitoring Fails:
  • Do you log fail attempts?
  • Where are your logs stored?
  • Are they open to public?
  • Are your log files secure?
Using these check list and looking after it will fill up the basic gaps to secure your web application. Also do mind, that in maximum cases the insider is responsible behind the attack on an organization. 

So #OperationalSecurity is also to be taken care of. 


Web Application testing methodologies:

  • Where to start?
  • How to test a web application?
  • What are the per-requisites? 
  • How to finding vulnerabilities?
  • How to report?
  • Any standards?
  • Any drafts or documentation? 
  • How to mitigate risk?
To answer these questions, there are open communities where experts from around the world contribute.

Lets checkout few of them:
1.   Owasp (www.owasp.org)
2.   OSSTMM (www.isecom.org/research/osstmm.html)
3.   NIST (csrc.nist.gov)
4.   PTES (www.pentest-standard.org)
5.   ISACA (www.isaca.org)
6.   AppSec Labs Methodologies (www.appsec-labs.com) etc...

Why testing methodologies?
Testing with a particular method is known to be efficient because:
  • It helps if you have missed out something.
  • Defines the way to approach risk based testing
  • Systematic way to conduct test.
  • Proper report generation.
Conclusion
Having a checklist help developing a secured web application though, we never consider that an application is 100% secure but having this checklist we can say that we took security measures. 
Following the standards helps a lot with security as it shows the direction. From where to start till where to end. Well, security is a never ending task! :D

 
biz.