SANS 504 "Hacker Training 2008"

So I recently attended the SANS Security 504 GCIH seminar, a 6 day "boot-camp" style training session on hacker techniques and incident handling. I'm not sure if it is just me but when is the security sector going to finally wake up and start teaching security professionals how to actually defend systems using real scenarios. I guess I complain about this frequently, however this event opened by pointing out that the "bad guys" share information and techniques so the "good guys" also need to do this to keep up with their pace. Well this class sure did NOT do that. I spent 6 long days reviewing very dated material, tools and techniques without any type of environment to try out these "exploits" until the last days lab where they set up this lame network of 2 systems with every hole imaginable. Not to mention that the 6 texts where basically power point slides shows that the instructor just read aloud and went into some minimal detail about the topic. I could have read it myself and received the same training. The real point here is that this course cost $3,100.00 and in my opinion it was not even close. I really expected to get a lot out of this and was sorely disappointed. On the positive side, this is exactly why hacking will be around forever. Courses like this that are "leading edge" for security professionals will do basically nothing in terms of getting a security professional on-par with an attacker. What a joke.

Happy New Year!

Happy New Year!

A good fingerprinting session

A good place to look.... well in researching so many new texts on web app vulnerabilities, they all rightfully begin with the "fingerprinting" of the application to not only understand how it works but with what technologies it depends upon. This may not be much of a revelation to some but it was a bit of a "....why didn't I think of that before..." to me. I was poking around a job board reading potential employment opportunities and in reading a specific job description (all of them had this trait in fact) I realized that the employer, in giving it's ideal candidate prerequisites, also gave all of the technologies it currently uses! It said something like this:

Ideal Qualifications:
BS degree in Computer Science or related discipline preferred.
Strong knowledge and proficiency for system administration and concepts for software utilized in HP Peregrine Service Center, HP Peregrine Asset Center and MS SQL Server.
ITIL experience with and/or ITIL certification
Bank operations and proven project management experience is a plus
Prior operational experience in a support position and/or in a position requiring a high level of technical customer service.
Strong organizational abilities


So I now know that this employer uses HP Peregrine Service Center, HP Peregrine Asset Center and MS SQL Server... (which is really nice to know so that I do not waste time trying to inject the incorrect SQL syntax if they are in fact vulnerable to SQL Injection) and it goes without saying that if you do not know what the technologies are you can easily Google for the latest vulnerabilities. I searched through additional job postings and they did the same in all of them, effectively "fingerprinting" their entire technology network for me! Who needs tools (just kidding)... again so much of hacking boils down to you, not the tools that you have, for YOU are the most powerful tool in your arsenal!

Reflection Injection

According to OWASP, reflection injection problems are a subset of injection problem, in which external input is used to construct a string value passed to class reflection APIs. By manipulating the value an attacker can cause unexpected classes to be loaded, or change what method or fields are accessed on an object. They give the following example:

The following Java code dynamically loads a connection class to be used for transferring data:

// connType is a String read from an external source
Class connClass = Class.forName(connType);
HttpURLConnection conn = (HttpURLConnection)connClass.newInstance();
conn.connect();

Suppose this application normally passed "javax.net.ssl.HttpsUrlConnection". This would provide an HTTPS connection using SSL to protect the transferred data. If an attacker replaced the connType string with "java.net.HttpURLConnection" then all data transfers performed by this code would happened over an un-encrypted HTTP connection instead. Interesting, I was not aware of this attack vector. Does anyone have any experience with this sort of thing? Here are some additional examples from OWASP:

In C/C++:

unsigned char *simple_digest(char *alg,char *buf,unsigned int len, int *olen) {
       const EVP_MD *m;
       EVP_MD_CTX ctx;
       unsigned char *ret;

       OpenSSL_add_all_digests();
       if (!(m = EVP_get_digestbyname(alg)))
               return NULL;
       if (!(ret = (unsigned char*)malloc(EVP_MAX_MD_SIZE)))
               return NULL;
       EVP_DigestInit(&ctx, m);
       EVP_DigestUpdate(&ctx,buf,len);
       EVP_DigestFinal(&ctx,ret,olen);
       return ret;
}

unsigned char *generate_password_and_cmd(char *password_and_cmd){
       simple_digest("sha1",password,strlen(password_and_cmd)...);
}

In Java:

String command = new String("some cmd to execute & the password")
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(command.getBytes("UTF-8"));
byte[] digest = encer.digest();

Social Engineering

Sorry this has gotten a little of topic lately... In an effort to continue this blog nearly daily I guess there will be posts about some differing topics as well. At the referenced OWASP meeting yesterday the moderator got to speaking about a colleague of his that is a professional social engineer, testing companies fortitude. Some of the stories were quite interesting how easily he was able to get an employee to give up either sensitive information or complete remote control of their local system. I guess my point here is that this type of attack is possibly the first type of "hack" ever executed and it still works today. So even with all of our technology and security, you can still get someone to give you the "keys to the front door" just by asking. And that is by far the best solution right? I guess what I am saying is that don't over look anything, even if you think it will not work because you just never know. Dumpster diving anyone?

OWASP

I was invited, through my work, to attend a local OWASP (Open Web Application Security Project) chapter meeting today. I must say that this project is just what I was looking for as a security professional diving into web application security. The website is simply loaded with tons and tons of information, instruction, the code examples I so desire and even tests and test site modules to allow you to learn how to use the various exploits covered. They have a Java application that you can install locally and run attacks and test modules against to familiarize you with each class of vulnerability. My last post was sort of a rant, as pointed out by an unnamed poster, and this experience has really awakened me to what is out there aside from text books and trial and error. The industry is certainly taking the web application issue quite seriously from this example and it is great to have access to this information. If anyone is in my "boat" I would strongly encourage you to take a look at this site and join a local chapter if you have one i your area. It was well worth my time and I will be a participating member from this day forward.

The WASP

So I was surfing around today and found a great blog on here that I thought I would post for others interested in this field to check out. http://jeremiahgrossman.blogspot.com/ I had this guys company in here a few months ago for a POC while we were deciding on a app security vendor. The sales guy was intolerable, but Jeremiah is quite astute in this field and his blog is really full of great stuff from an industry perspective. In addition the Burp Suit BETA is now available for those familiar with it...it is available at http://blog.portswigger.net/ and it is loaded with lots of new features. It did crash one of my PC's, but lots of newer apps do...(it may be specific to my older PC) so it should be safe on an updated box. Anyway, I wanted to get back to the topic of code disclosure. I was reading through a text I have about Trojans and worms and I am really upset, or more to the point sick and tired, that they do not post an actual coded variant. What is the big stigma...? Anyway... tools are great but you really have to have a core understanding of what you are doing to really get anything out of them.