Monday, December 31, 2007

Happy New Year!


Happy New Year!

Thursday, December 27, 2007

A good fingerprinting session


A good place to look.... well in researching so many new texts on web app vulnerabilities, they all rightfully begin with the "fingerprinting" of the application to not only understand how it works but with what technologies it depends upon. This may not be much of a revelation to some but it was a bit of a "....why didn't I think of that before..." to me. I was poking around a job board reading potential employment opportunities and in reading a specific job description (all of them had this trait in fact) I realized that the employer, in giving it's ideal candidate prerequisites, also gave all of the technologies it currently uses! It said something like this:

Ideal Qualifications:
BS degree in Computer Science or related discipline preferred.
Strong knowledge and proficiency for system administration and concepts for software utilized in HP Peregrine Service Center, HP Peregrine Asset Center and MS SQL Server.
ITIL experience with and/or ITIL certification
Bank operations and proven project management experience is a plus
Prior operational experience in a support position and/or in a position requiring a high level of technical customer service.
Strong organizational abilities


So I now know that this employer uses HP Peregrine Service Center, HP Peregrine Asset Center and MS SQL Server... (which is really nice to know so that I do not waste time trying to inject the incorrect SQL syntax if they are in fact vulnerable to SQL Injection) and it goes without saying that if you do not know what the technologies are you can easily Google for the latest vulnerabilities. I searched through additional job postings and they did the same in all of them, effectively "fingerprinting" their entire technology network for me! Who needs tools (just kidding)... again so much of hacking boils down to you, not the tools that you have, for YOU are the most powerful tool in your arsenal!

Saturday, December 8, 2007

Reflection Injection

According to OWASP, reflection injection problems are a subset of injection problem, in which external input is used to construct a string value passed to class reflection APIs. By manipulating the value an attacker can cause unexpected classes to be loaded, or change what method or fields are accessed on an object. They give the following example:

The following Java code dynamically loads a connection class to be used for transferring data:

// connType is a String read from an external source
Class connClass = Class.forName(connType);
HttpURLConnection conn = (HttpURLConnection)connClass.newInstance();
conn.connect();

Suppose this application normally passed "javax.net.ssl.HttpsUrlConnection". This would provide an HTTPS connection using SSL to protect the transferred data. If an attacker replaced the connType string with "java.net.HttpURLConnection" then all data transfers performed by this code would happened over an un-encrypted HTTP connection instead. Interesting, I was not aware of this attack vector. Does anyone have any experience with this sort of thing? Here are some additional examples from OWASP:


In C/C++:

unsigned char *simple_digest(char *alg,char *buf,unsigned int len, int *olen) {
const EVP_MD *m;
EVP_MD_CTX ctx;
unsigned char *ret;

OpenSSL_add_all_digests();
if (!(m = EVP_get_digestbyname(alg)))
return NULL;
if (!(ret = (unsigned char*)malloc(EVP_MAX_MD_SIZE)))
return NULL;
EVP_DigestInit(&ctx, m);
EVP_DigestUpdate(&ctx,buf,len);
EVP_DigestFinal(&ctx,ret,olen);
return ret;
}

unsigned char *generate_password_and_cmd(char *password_and_cmd){
simple_digest("sha1",password,strlen(password_and_cmd)...);
}

In Java:

String command = new String("some cmd to execute & the password")
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(command.getBytes("UTF-8"));
byte[] digest = encer.digest();

Social Engineering

Sorry this has gotten a little of topic lately... In an effort to continue this blog nearly daily I guess there will be posts about some differing topics as well. At the referenced OWASP meeting yesterday the moderator got to speaking about a colleague of his that is a professional social engineer, testing companies fortitude. Some of the stories were quite interesting how easily he was able to get an employee to give up either sensitive information or complete remote control of their local system. I guess my point here is that this type of attack is possibly the first type of "hack" ever executed and it still works today. So even with all of our technology and security, you can still get someone to give you the "keys to the front door" just by asking. And that is by far the best solution right? I guess what I am saying is that don't over look anything, even if you think it will not work because you just never know. Dumpster diving anyone?

Friday, December 7, 2007

OWASP

I was invited, through my work, to attend a local OWASP (Open Web Application Security Project) chapter meeting today. I must say that this project is just what I was looking for as a security professional diving into web application security. The website is simply loaded with tons and tons of information, instruction, the code examples I so desire and even tests and test site modules to allow you to learn how to use the various exploits covered. They have a Java application that you can install locally and run attacks and test modules against to familiarize you with each class of vulnerability. My last post was sort of a rant, as pointed out by an unnamed poster, and this experience has really awakened me to what is out there aside from text books and trial and error. The industry is certainly taking the web application issue quite seriously from this example and it is great to have access to this information. If anyone is in my "boat" I would strongly encourage you to take a look at this site and join a local chapter if you have one i your area. It was well worth my time and I will be a participating member from this day forward.

Thursday, December 6, 2007

The WASP


So I was surfing around today and found a great blog on here that I thought I would post for others interested in this field to check out. http://jeremiahgrossman.blogspot.com/ I had this guys company in here a few months ago for a POC while we were deciding on a app security vendor. The sales guy was intolerable, but Jeremiah is quite astute in this field and his blog is really full of great stuff from an industry perspective. In addition the Burp Suit BETA is now available for those familiar with it...it is available at http://blog.portswigger.net/ and it is loaded with lots of new features. It did crash one of my PC's, but lots of newer apps do...(it may be specific to my older PC) so it should be safe on an updated box. Anyway, I wanted to get back to the topic of code disclosure. I was reading through a text I have about Trojans and worms and I am really upset, or more to the point sick and tired, that they do not post an actual coded variant. What is the big stigma...? Anyway... tools are great but you really have to have a core understanding of what you are doing to really get anything out of them.

Wednesday, November 28, 2007

My Favorite Tool


You may have already guessed that I am a big proponent of the proxy interceptor tool(s). They make me feel as if time stands still, and it does in terms of the breakpoint(s). So I was at another site today, this time a retail store. I was interested in testing the durability of this shopping cart. Here we go. Upon my first breakpoint. Lets back up a bit. A proxy interceptor is a tool that allows you to control the submit and response of a web application by allowing you to set breakpoints (defined URLs tagged as the point to halt the submission or response so that you can modify the text that would normally be unmodifiable) . This should be obvious but in case its not, the proxy tool sits between your browser and the application, allowing it to control the flow of execution. OK, so I engage my proxy, navigate to the site and put an item into my cart. At this point you go back to the proxy and select the corresponding URL in which to set the first breakpoint. I set the breakpoint and refresh the page, the proxy halts the submission (I set the proxy to break on a submit first) this allows you to see if the server is going to validate the data that I change when it comes back from the server. I altered a bunch of stuff here to test many potential vulnerabilities. Make note of the "referrer" field as this will allow you to spoof the session and go right to the URL you want by naming the expected URL referrer, kind of a short-cut. Anyway, this site used some type of obfuscation which I did not follow at this point (using an x=n;y=n equation) to hide the price of the item in plain text by using a product code instead of a dollar/numeric value. So the submit was not overly viable at this point. My proxy of choice allows me to break on the response at this point so I will do that and review the response. This actually halts the response before it presents in your browser so you still have the ability alter data. I was able to alter price, logic and quantity to my liking on the response. However, as a credit to the site, I am in HTTPS (443) mode at this point by the way, and the process of transversing to the check out thwarted all of this effort as the data is sanitized and is reset to the correct denominations. No worries right? Right. I will just change the values at the check out. Here is where it gets fun. They employ a nice validation of the session on this specific page so the token changes upon every refresh of the page, causing my breakpoint to fail as I do not have it set correctly because the token is dynamically changing as I refresh the page. I set it to the last time I was there, which is not what the next time I am there will be. Pretty good, although I am able to view all of this data during the failing breakpoint (it allows me to view but not edit the data presented) and I can clearly see that if I do find the correct breakpoint I will in fact be able to alter the numeric data as I did previously and change the price. As a side note I also checked to see if I would be able to enter a negative number for my price as I would like very much to be paid for my effort by way of a refund to my chosen method of payment. Ha Ha..! But that didn't work, they did account for negative integers, at least in decimal format, I did not try a hex or base64 conversion here (I have a nice browser based converter for this that I will post up at some point unless you enjoy manually processing these conversions!), but that would be an option in the future..Moving on..now I have the option to test out my skills as an algorithm predictor...Or better yet I can continue this process several times, noting the change in the algorithm and try to deduce the pattern and predict accurately the next token. I basically stopped here for today as I was side tracked... The point is that this entire process took me less than 10 minutes to get to this point. I know my tools, but this is much more about understanding what you are looking for than being a speedy tool wielder....Spend the time to really understand what each aspect of the application means and you will be rewarded in the end. It is more about finding an over looked aspect of code or logic than it is about speed of execution. Slow down grasshopper, slow down.

Monday, November 26, 2007

Further Exploration


So in further exploring this site...I was able to read the raw javascript code used and understand the logic they deploy to deal with this login mechanism.Below is a sample of the login process and we can see that I was wrong in my initial assumption that the login ID must be 6 characters. It must be a MINIMUM of 6 not exactly 6 characters. Thanks to the developer, I don't even have to understand the code to learn this, it is stated in the comments...a big "no no" for production code, don't tell me anything about the app, YOU need to know what is going on, not me..!

function validateLogonId(inLogonId, inVLogonId) {
var nl = newLine();
if( inLogonId != inVLogonId) { alert(nl + "New Logon ID and Verify Logon ID do not match.");
return false; }
return verifyLogonIdContents(inLogonId);
}
function verifyLogonIdContents(inLogonId) {
var nl = newLine(); var nLogonIdLen = inLogonId.length;

// must contain at least 6 or more characters

if( nLogonIdLen < i="0;" ch =" inLogonId.substring(i,i+1);">= 'a' && ch <= 'z' ) ( ch >= 'A' && ch <= 'Z' ) ( ch >= '0' && ch <= '9' ) ( ch == '@' ) ( ch == '.' ) ( ch == '-' ) ( ch == '_' )) { ;

// valid character, do nothing

} else { alert(nl + "Logon ID may only contain letters, numbers,
" + nl + "periods, dashes(-), underscores(_)," + nl + "and the @ symbol.");
return false; }
}

// appears to be properly formatted

return true;
}

Here is a sample of the field filler I mentioned and the blank field error condition:

if (curForm.LOGNID.value == "") { alert(nl + "The Logon ID field is a required entry."); curForm.LOGNID.focus();
return false; }
if (curForm.LOGNID.value.length<6){ var logonid = "000000" + curForm.LOGNID.value var newlogonid = logonid.substring(logonid.length-6, logonid.length);
curForm.LOGNID.value=newlogonid; }
inProgress = 1;
return true;
}

Again if I were to break the submit process using a proxy, would I be able to alter this logic and say (in english) "if you enter a blank(no characters) as a username", the condition is true and allow a null login? Yes, that would work however due tothefact that there is not a null entry, by nature of it's denial, I would assume that if there is a second for of authentication here, I would also need to break on that and force a true statement no matter what the input. This process depends on the presence of data sanitization, if there is none, we can perform this level of attack successfully.

Sunday, November 25, 2007

A New Financial Customer


So I am looking to put some money into a local credit union in my area. I have heard great feedback from existing customers and it is a community organization so I wanted to take a look into their services. I went to the website not really expecting much by way of technology, after all this is a credit union, basically promoting itself with technology of yesterday such as telephone account assistance for balances and such. Anyway they do have an online solution for the more modern customer. The following is why I am not currently a customer of this institution: I click the link for the web banking aspect and I am immediately concerned as I am no longer at the credit union site. OK so they use a 3rd party for this service, it should be hosted on their own network, but whatever right. The only field for entry on this page is a login text box. Of course for my own security and that of others using this site I am forced to run a simple test on the login mechanism. I enter a name, "John." Here is where it gets ugly..... I failed the login, expected, however the poor coding of the application actually filled in the exact number of remaining characters required for the field with zeros! So now I know that I need exactly 6 characters for a valid login on this screen. How about "John12".. well of course that worked...and now I am on the next screen, which was a security question, I assume that this was their attempt to tout a "dual authentication" process. Anyway, I was not able to guess the correct answer in the 3 tries I was given and I actually locked "John12"s account. Sorry about that, and of course it again informed me that I had done so, and that an email was being sent to my address with instructions on how to reset my password. So...if I were to use a proxy tool to stop the submit/response to take a look at what was going on there, would I be able to bypass this logic using some boolean logic of my own? Possibly...but the point is that even without exploring this any further, this site clearly demonstrated a complete lack of not only security implementation but a complete lack of security as a concept. I will not be a customer of this financial institution, however I may call them on Monday to solicit a web application vulnerability assessment. They are placing their customers at great risk. See what I mean, these vulnerabilities are EVERYWHERE!

Thursday, November 22, 2007

Happy Thanksgiving


Fellow exploiters, always remember that the holidays are perfect for working as many professionals are NOT in the data center today, myself included. This should give you a bit of a window in your exploit as no one is physically sitting in front of the IDS/IPS monitor to cut you off in your exploration.... And remember to not over think anything, people are just people and make things as simple as possible...sometime the door is already open and you don't need a battering ram to get in! People still leave the "key to the front door" under the welcome mat, that is if they even bother to lock the door! Gobble...gobble!

Wednesday, November 21, 2007

You Might Be A Hacker If.....


You want to be a hacker if this scenario sounds like something you would do. I was at work the other day, back in my retail days, at an esteemed retailer known for security breaches. I will start with a bit of background. Can you tell I’m not a writer? I was hired right at the beginning literally as they were pouring the foundation walls and more importantly when they were setting up the server room. The geek that I am, I instantly made friends with the out of town contractors who was setting up the equipment. I must mention that I was a manager of the store at this point, so I did have a bit more access and freedom than a regular worker bee. Anyway, I followed these guys around the store day after day, unbeknownst to them my UNIX/Linux expertise, and watched everything they did. To my amazement, with only a tiny bit of invocation, one of the guys actually gave me his password to the command line! For the record, the UID was 3 characters and the password was, take a guess…. the same 3 characters! Now that is clearly security hard at work. Anyway, I went in to work and being who I am, something caught my eye. I was using the intranet to look up something work related when I noticed that the browser, Mozilla, had a very limited tool bar at the top. This was always the case but for some reason I just noticed it right now. So again being who I am, I immediately began to believe that there was no way that the geeks who set this browser up had any idea what they were doing by way of security so I just knew that the missing tool bar fields were there somewhere, but where? This is a great example of how a painfully simple over site turns into a painfully real vulnerability. By pressing the Ctrl + F10 key, low and behold, several “hidden” options became available to me that were clearly not supposed to be available to me. One the surface you might think, “who cares, what can the ability to open a file in a browser reveal to you…” well plenty if they also forget to lock the new file creation aspect. The ability to open a file was still not realized from the initial finding. The fact that I was allowed to spawn a new instance of the simplistic text editor, big mistake, was the fatal error. This feature enabled me to open a new file and, even I could not believe this, provide full access to every file on the LINUX tree from root down. There was even a check box to show hidden files! To review up to this point, I have access to a “nopriv” user account from the command line, which I had not done anything with currently, but now I have full root access to view all files on the system from within the browser. I had access to the /etc/passwd and /etc/shadow files, which lists all users and password hashes on the system and I could write files to the system from the text editor from within the browser. At this point this certainly told me, as it should tell you, that the system is extremely vulnerable in many ways from minimal probing and thought methodologies. This is what is meant by the ability to think like a hacker, an industry phrase that is tossed around all the time as a concept, but never really explained in this type of detail. This is where you have to always be thinking about how something may be vulnerable, or even not just right. This applies to more than just computer information security. Take for example the fact that this same company left customer credit card applications in a locked file cabinet out on the sales floor. Honestly, who thought that was a smart or secure process? I had nothing to do with credit but I had a key that unlocked everything in the store, including that drawer. The simple fact that it is not a controlled process makes it insecure, how can you validate that the credit apps were actually making it into he locked file cabinet? Or if the associate, yes a non-manager level employee, was not going and retrieving them and making copies of the applications, which contains very sensitive information about a customer. People just do not think about security and this methodology is everywhere, believe me. Of course being that I was a woosie I did not really do anything damaging to the system aside from looking around it and laughing to myself about all of the errors I found, or changing a color on the terminals, or locking up user accounts of people I did not care for. But that is hacking, I didn’t have to destroy anything to get a great deal of satisfaction out of knowing that I found many breaches in the systems security, that was a reward in and of itself. This experience was really the beginning for me in terms of deciding that a career in information security may be a path worth taking. I was not really interested in becoming a criminal and infosec as a profession allows you to do the same things as a criminal in terms of hacking without it being illegal. I perform tests on apps all the time and I test UNIX security measures daily, it is my job. The bottom line is that if you really want to hack for a legitimate living you need to get into security. Or move out of the USA because you will get caught and put in jail for a long time, just like Kevin Mitnick, and what is he doing now? Security consulting. None of the real attacks that I have seen from my professional experience have come from within the USA. That’s not to say that it doesn’t happen, but I have not encountered anything originating from US soil. Aside from disgruntled employees or asset loss, for example a lost unencrypted laptop, everything comes from outside of our country. Why? Because we cannot prosecute these people effectively across borders, we have no jurisdiction and they all know that. Many countries are not interested in assisting us in extradition of these criminal rings. This is really not news to anyone, I hope. But ask yourself this, if you were to hack into a bank and gain access to accounts, where would you transfer the money? Exactly, that is the question. The answer most often includes associations with other groups of people to assist in this process, groups that know how to launder money. You are now stepping into the real world of the FBI, are you ready? I have been to several meetings with local FBI units held in conjunction with various financial institutions that I have worked for/with and they have some very smart officers in their employ, do not be mistaken.

Hack this!


So, like me, you have decided to take over the world as a hacker, right? Me too and I have been trying for nearly 10 years. So what am I doing wrong? Let me start this off differently. Do you get “nervous in your pee-pee” when you visit a financial institutions website, type in a bogus name only to see it auto fill the exact character length of the field for you with zeros? Or how about a totally vulnerable URL field in your browser? If this describes you, then this blog is for you. People just have an instinctive curiosity about errors and problem solving; most people want to fix them while others want to move in the other extreme by leveraging the error to its most granular source, complete compromise or failure. We are the “others.” I am not going to impress anyone one with magical code or scripts here, because I am not a wizard (literally), if I were I would not need to be a hacker. I am not a genius (I misspelled this word until I gave up and let spellchecker tell me how to spell it…so there you have it!) but that in my opinion is not the point. I am, however, extremely relentless in my pursuit of virtually anything I ”get into.” This is not really a technical manual either. I will, however, provide EXACT code strings that will leverage the different exploits that I have come across where applicable. This blog is to be a collection of “real world” events that I have encountered in my life that show what a hacker really is all about. I want your feedback in the same way. It’s not about the scripts or the code or the next hot vulnerability, there are plenty of blogs for that already. It is a mind-set that yields pleasure just from the encounter. It is also a real script blog not some jargon filled crap that never really tells you anything useful, aside from extreme concepts clouded by a lack of or poor technical writer. I have been looking for something like this for years, which is why I decided to start it…makes sense. The point is that there is no defined way to hack, it is a language and some people have a better grasp of the vocabulary than others. Just like in programming there are multiple ways to accomplish the same task, some arguably better than others, but nonetheless they all work. Lets not get into the semantics of this right now, for security sake. The idea is that you must understand the thought process more than anything else, which can be perceived as the boring part, until you understand what it is. That is what will allow you to leverage opportunities, which present themselves in the real world everyday. So lets get this started and see what happens and if I get enough good material I will make it into a book. Post away.