Thursday, August 21, 2008

A New Year.... A new Title....

So, yes, it has been quite some time since I last updated this thread. I have had a few major changes of late, one being my current professional role, which has left little time for anything else. I do have plans to continue this rhetoric, however, albeit with some potentially skewed thoughts now from the "start-up" point of view.... Could be interesting... stay tuned!

Friday, February 8, 2008

Tools Part 1 - The Intercept Proxy

I was doing an inventory of all of the tools I currently have on my systems that are outside of a standard build (this is a business unit requirement for me) and man do I have a lot of stuff! So I decided (in addition to the suggestion from other readers) to include a list of all of the tools I currently use, where you can get them and what I think of them. This list will be specifically web application vulnerability related as that is really my forte and what I am most interested in currently. There may be a few network tools but they will in some way be related to web app security. And this will be a list not of commercially known tools but tools I have amassed from readings, industry events and searches. I will categorize them and dedicate whole postings to a single tool group as the list is long and the postings would be too large to search through. This may take a bit of time and if broken down a bit will be easier to manage for all of us. So here goes; we will start with Intercepting Proxies:

Intercept Proxies - An intercept proxy is a tool which combines a proxy server (the server in this case is the application not a physical server) with a gateway. It sits between your browser and your internet connection. Connections made by client browsers are redirected through the proxy with/without client-side configuration allowing the transmission of the request/response to be altered, usually in a way NOT intended by the developer/protocol. This is by far the most valuable tool you will use in your web application vulnerability assessments/attacks. If you have never used this tool imagine you have total control of time; the time between the submission from your browser to the receiving server and from the receiving server back to your browser. This completely opens up the apps for intense inspection and manipulation. Here is my list of Intercept Proxies:

1. Fiddler 2 - http://www.fiddler2.com/fiddler2/ - I found this one by accident in searching for an add-on to Internet Explorer as that is the only browser allowed in my professional environment. I use this one all the time as it requires no connection configuration, it is really easy to use and has a bunch of great add-ons. This is really a developer tool for web code debugging, as really they all are, but it works great as a tool of mischief, though only for Internet Explorer... It has some really good tutorials online as well.

2. Burp Suite 1.01 - http://www.portswigger.net/ - This is really the BEST of the best in its category. It was written by Dafydd Stuttard, the author of "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" (ISBN 978-0-470-17077-9, Wiley), which is the de facto standard in web app security exploits, so it makes sense that it would be a great tool. It is full featured but does require configuration (as do the rest of the tools listed) to be used properly.

3. Webscarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project - Taken from the OWASP site: "...WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab..." Enough said... it also has a good spider... this is a good one too!

4. Paros - www.parosproxy.org/ - I really like Paros because it has a great spider tool as well as the proxy. This spider is great for finding all directories/files on a web server, which in turn is great to use in combination with very specific Google search strings to find all kinds of data leakage. But always remember that spiders make noise, usually a lot of noise, so be careful who you unload it on as they will hear/see you, which is why Google is such a valuable tool, but that is for another posting altogether.

Summary:

These are the intercept proxies I use; there may be more out there but these are the tools I know and use daily for fun and for security engagements.

SANS 504 - Follow Up

This is a follow-up post referring to the SANS 504 GCIH class I recently attended.

SANS 504 - If you are new to IS, specifically network security, then this class might be very good for you. Maybe I am biased because I am so immersed in this field currently that I hear the same "buzz" words over and over again (this class was simply more of that), but I will list what I did not like about the class:

1. The test LAN (network) was not set up until Friday evening so there was no way to really try the techniques that were presented aside from using your own machine and its Linux virtual machine. A step by step tutorial should have been used to explain the process of host/network discovery, probing for a vulnerable system/device and the corresponding techniques to fully compromise the box, going as far as executing a payload to DoS a system, enumerate a database or something along those lines. It was far too general and attempted to cover too broad a range of topics without really getting specific on any of them. Even when I questioned the instructor about this by saying ".... now what....?" there was no further action taken aside from him saying "...well you can do anything now..." and of course my reply was "... like what...?" The example here was using a Metasploit 3 technique and I got inside and attached to a process using a known flaw in the Metasploit tool kit, but they never took it to the final level by illustrating how you compromise the system by being able to hop around in processes. It doesn't make any sense to go all that way to stop before the entire reason for using the tool kit is realized. Fragmented at best. Anyway I asked this question because I knew his answer would be total crap like it was. If you have ever hacked anything before you must know that nothing is a success until you have gone all the way, as each step presents new challenges and there just is not a "cookie-cutter" sure way to exploit a system; things change. I wanted him to show me exactly how to compromise MY system (which is what I was working on), not simply say, "... oh ya it is totally compromised now..."

2. The version of Linux (Red Hat) provided was terrible. I have distros that are far more advanced and more comprehensive in their design. This was a regular Red Hat with some additional network apps installed, the wi-fi didn't work and they even left the games on the OS, just lazy. It was no BT, that is for sure!

3. I was familiar with much of the course and therefore it presented a very limited amount of new information; in addition, many of the tools and topics were outdated by many years and many of the best tools (even listed in the texts) were not on the CD? It should have dealt in far more detail with more updated exploits. If your organization has vulnerabilities from years ago on your networks (that have available patches) you have a much bigger problem than just the exploits; you need to go and review your patch management standards and procedures. I would also like to mention that the texts themselves were no more than bound PowerPoint presentations of highlights... no comprehensive study material, so basically they are useless for any type of self study.

4. This one is questionable, however: many of the people in my group were taking this class simply for the credits toward their CISSP requirements and it was clear that they had no idea what these topics were about and didn't really care as they were not taking the cert test anyway. I mention this because possibly these classes are more geared toward this type of student rather than one who is really looking for an extremely technical scenario. Or SANS is just in it for the $$ and couldn't care less about their content or who is taking the class, therefore diminishing the credibility of their certs. I know that now if I see a GCIH cert on someone's card or email, it holds much less value than before I took this class as they may not know much about ethical hacking at all.

5. Overall this was my first SANS training and I guess I expected a great deal more from the leading provider of information security training. I am not trying to "slam" SANS, but for the huge amount of money this costs and the length of the class (6 days) they really need to provide WAY more bang for the buck. They absolutely could have, in my opinion. I really expected them to know more than I did about these topics and sadly that was not the case, and I do mean that sincerely. Even further, the criterion for being an instructor of this or any SANS class is that you score above a 90% on the corresponding cert test, which is open book. So it is possible that an instructor really doesn't have extensive experience in the field; they just did well on the test and wanted to teach the class. I am not a master hacker by any means and I really thought this class would take me to the next level. It did not. I would say take this class for the cert (they are always valuable) and for a very generalized knowledge of network hacking exploits dating from about 10 years ago to near the present, however not anywhere near cutting edge. I hope this helps you in your decision to attend this class.

Thursday, January 31, 2008

Moving Along and some New Stuff

So I have been pretty involved with the Google idea lately so I don't really have any new exploits to share with you currently; I just love tweaking the search and of course now I am getting into wget and curl so I will go off on that tangent for a while I am sure. If I do find any new and exciting discoveries I will be sure to post them. I am also moving toward an old but new way of thinking on exploitation. I am certainly no expert in this field, nor have I ever claimed to be; that being said, it is not likely that I will discover the next new vulnerability or exploit as I just do not have that aptitude. I have also been enrolled in the FS-ISAC and there are new exploit and vulnerability reports literally every hour. What I do have is a very crafty and unique thought process which allows me to discover or see things that others may not and especially be prepared for the unexpected... And I am ALWAYS thinking, and I do mean ALWAYS. As an example, when I am driving over a bridge I mentally prepare for the possibility that the bridge will collapse and I assess the possible escape paths depending on who is in the car... I usually crack all of the windows a touch (it is very difficult to break the glass under water) and run through a kind of disaster recovery plan like who will I have to assist in getting out of the vehicle (children, elderly), plan to remove my seat belt on the fall into the water, etc... anyway you get the point. I am sure I am not the only one who does that, but we are in the minority. I guess that infosec is kind of an extension of who I am from way back... I have a history which includes several forms of organized and unorganized fighting and exploitation just seems to follow that same rationale, just in a different arena. What I learned from MMA or boxing or whatever is that I am not a master, but I do have my strengths and that is what I need to remember and focus on. Because someone else can do a flying spin kick and I cannot does not mean that I cannot defeat them with a simple brute strength technique, mental strength or just luck. That being said, I think that I am going to pace myself and focus on MY strengths, not on my weaknesses, and see how that plays out in this arena. Just be me, which is what we all should do, be ourselves. On a related note I have a new web site that I am promoting so I will post it here. It may be of little interest to you other than a chuckle unless you reside in my neck of the woods. Check it out anyway.... http://fightklub.weebly.com/

Friday, January 25, 2008

Google Google and more Google

So this is nothing really new to the security and hacking world but it is fun nonetheless! By crafting specific strings using the Google syntax, you can find truly amazing things on the web. Not much else to say here about the 2 screen shots below aside from this: if you do not know how to utilize Google in this way, you had better learn! Below is the cached view of the file, which is why you see the nicely highlighted keywords. This one gives the username, password and the URL (IP). What more could you want???

This next one just gives you the entire load! The username, password (in hash, but nothing JTR cannot conquer!) and URL. Isn't this great stuff? The list of available search strings is really entirely up to your skill and imagination. I currently have over 1,200 verified strings that produce some type of useful result. Maybe I will put it up here someday.....

Thursday, January 24, 2008

Actual Exploit


Here is an exploit that you are sure to find all over the web. I often look at shopping carts from a security perspective, specifically data sanitization. You can find a nearly limitless number of sites that allow you to alter data being submitted back to the server, but not all of them have such a lack of re-checking the data you are sending as this particular site. I went the extra mile on this one and took 2 screen shots for validation.

I know that these are kind of small, however you can get the idea here. In the above shot, you can see that I have 3 items in the cart: 2 items for $47.99 and 1 for $247.99. I tried to make the change more obvious so I just removed the 2 from the $247.99. Also notice that we are not in an HTTPS session at this point. Ironically or maybe not, I modified the cart prior to this page and changed the quantity from 1 to 2 of the item for $47.99 and it again did not check the price and simply updated the quantity without further use of the intercepting proxy. I added the regular priced item for the comparison. So this part is mostly unimpressive; as I mentioned earlier this is quite common on the web. The next stage is the real test as the server must review the data I am asking to pay for in the request which takes me to the check out screen. Of course this site does NOT do that as you can see in the shot below:

So now we can see that I am in an HTTPS session, all safe and secure right??? Pointless... Anyway, I have made it to the final screen to check out, enter my payment method and shipping address, and the price has NOT been changed to the correct amount; it has remained in the altered state that I have set. The final test would be to complete the order, however that is not my intention for obvious reasons. It is possible that they would validate the data during the final confirmation process, however it would seem to me that would be VERY unlikely having arrived at this point unchanged. To fully exploit an oversight such as this it should be apparent that you would also need to have stolen someone's identity and credit card info and have a safe delivery point unless you are willing to take a potentially unnecessary risk with an encounter with law enforcement. Doesn't seem worth it for a few hundred dollars, however this example exists elsewhere at potentially more lucrative destinations. I did think that a site such as Home Depot, Walmart, Lowe's or other retailers that allow you to purchase the item online and then pick it up at your local store may be a better choice for such a stunt as many of them accept online or "web" orders. If you have ever purchased from at least Home Depot or Lowe's, when you go in to sign out an order such as this, your receipt is tiny and the sheet they look at to sign off on your pick up does NOT have the amount paid on it, only the item numbers and quantities being picked up. It would seem to me that no one would catch this at the store during the pick up because they would not be looking for it. Just goes to show that a company's security posture resonates all the way down to the lowest link in the chain.
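The flaw above is the server trusting a price field that came back from the browser. The example below is added here and is not code from the post or from the site it describes: a toy cart handler that behaves like that site beside a hardened one that recomputes every line from a server-side catalog and flags a mismatch as tampering rather than silently correcting it. The SKUs, prices and the tampered request are constructed to match the figures in the post.

```python
# Added example: client-trusted pricing vs. server-recomputed pricing.
# CATALOG, the SKUs and the request below are constructed for this demo.
from decimal import Decimal

# Server-side price list: the only source of truth a checkout should use.
CATALOG = {
    "SKU-100": Decimal("47.99"),   # the $47.99 item from the post
    "SKU-200": Decimal("247.99"),  # the $247.99 item from the post
}


class PriceTamperingError(ValueError):
    """Raised when a client-submitted line disagrees with the catalog."""


def vulnerable_total(cart_request):
    """Mirrors the site in the post: the price the browser sent back is
    multiplied out as-is, so a proxy edit of 247.99 -> 47.99 survives
    all the way to the HTTPS checkout screen."""
    total = Decimal("0")
    for line in cart_request:
        total += Decimal(line["price"]) * int(line["qty"])
    return total


def hardened_total(cart_request):
    """Recomputes the total from CATALOG only.  A client-supplied price
    is never used; if one is present and wrong, the request is rejected
    so it can be logged and the session reviewed instead of being
    quietly 'fixed' (which would hide the probe from the defender)."""
    total = Decimal("0")
    for line in cart_request:
        sku = line["sku"]
        if sku not in CATALOG:
            raise PriceTamperingError(f"unknown sku {sku!r}")
        qty = int(line["qty"])
        if qty < 1:
            raise PriceTamperingError(f"bad quantity {qty} for {sku}")
        if "price" in line and Decimal(line["price"]) != CATALOG[sku]:
            raise PriceTamperingError(
                f"{sku}: client sent {line['price']}, catalog has {CATALOG[sku]}")
        total += CATALOG[sku] * qty
    return total


def checkout(cart_request):
    """Checkout decision as a plain value: ('accepted', total) or
    ('rejected', reason).  This is the check the post says the site
    never performed before taking payment details."""
    try:
        return ("accepted", str(hardened_total(cart_request)))
    except PriceTamperingError as exc:
        return ("rejected", str(exc))


# Constructed request as an intercepting proxy would forward it: the
# $247.99 line has been rewritten to $47.99, as in the post's screenshot.
TAMPERED_CART = [
    {"sku": "SKU-100", "qty": "2", "price": "47.99"},
    {"sku": "SKU-200", "qty": "1", "price": "47.99"},
]
HONEST_CART = [
    {"sku": "SKU-100", "qty": "2", "price": "47.99"},
    {"sku": "SKU-200", "qty": "1", "price": "247.99"},
]
```

Running `checkout(TAMPERED_CART)` returns a rejection naming SKU-200, while `vulnerable_total(TAMPERED_CART)` happily yields 143.97 instead of the correct 343.97.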

Monday, January 14, 2008

SANS 504 "Hacker Training 2008"

So I recently attended the SANS Security 504 GCIH seminar, a 6 day "boot-camp" style training session on hacker techniques and incident handling. I'm not sure if it is just me, but when is the security sector going to finally wake up and start teaching security professionals how to actually defend systems using real scenarios? I guess I complain about this frequently, however this event opened by pointing out that the "bad guys" share information and techniques so the "good guys" also need to do this to keep up with their pace. Well this class sure did NOT do that. I spent 6 long days reviewing very dated material, tools and techniques without any type of environment to try out these "exploits" until the last day's lab, where they set up this lame network of 2 systems with every hole imaginable. Not to mention that the 6 texts were basically PowerPoint slide shows that the instructor just read aloud and went into some minimal detail about the topic. I could have read it myself and received the same training. The real point here is that this course cost $3,100.00 and in my opinion it was not even close. I really expected to get a lot out of this and was sorely disappointed. On the positive side, this is exactly why hacking will be around forever. Courses like this that are "leading edge" for security professionals will do basically nothing in terms of getting a security professional on par with an attacker. What a joke.