UNIX Command History

One of the great things about Mac OSX is that it is based on Unix. One of the greatest thing in Unix is its terminal. However in my new mac I see that I need to re-type every command even I have just typed before… Usually you expect your command to be stored in .bash_history and when you hit upper arrow key you should be able to see the previous commands you typed. That was not the case with this Mac.

I checked/Users/ismail directory for .bash_history file. There was none. I created with touch command.

touch .bash_history
I tried with no help… Next I see there was no .bash_profile file neither. I created that with touch too:
touch .bash_profile

I then edited the .bash_profile :
HISTFILESIZE=5000 HISTSIZE=5000 HISTFILE=/Users/ismailg/.bash_history

HISTFILESIZE
The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is trun-
cated, if necessary, to contain no more than that number of lines.

HISTSIZE
The number of commands to remember in the command history

Now you should be able to use arrow keys to get previous commands. In the next blog post we will discuss how to make Unix systems not records your commands even if you are a regular user in box and how to control attackers to delete .bash_history

PCI Vulnerability Scans – Part II: PCI and Wireless

In my  previous PCI blog post we discussed risk level of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs.

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

_ WLAN cards inserted into system components

_ Portable wireless devices connected to system components

(e.g., by USB, etc.)

_ Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (e.g., wireless IDS/IPS, NAC), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizationʼs incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

PCI wants you to detect rogue access points. However there is a flaw here. PCI doesn’t require you to monitor your network for rogue access points. It just want you detect them quarterly…

Well, what if attacker deploy an AP after you run your quarterly scan? You will be vulnerable lots of networking attack for a 3 more months and you will think you’re secure since you have PCI certification… This is another example of why you should not think you are secure just because you have a certification…

Anyway, let’s return our subject. So we need to determine rogue AP quarterly. Himm. Let’s see. We can do this by scanning all wireless APs and comparing the BSSIDs (mac address) of the APs that have same SSID with our APs. If we see any AP that has our SSID but not in our asset, that AP is a rogue AP.

A. Windows

Go to Start, type powershell, on the blue screen of power shell run these two following commands:

Netsh wlan show networks mode=bssid -> To get all BSSIDs

Netsh wlan show networks mode=ssid-> To get all SSIDs

B. MAC

KisMAC is a free, open source wireless stumbling and security tool for Mac OS

You can download it at http://kismac-ng.org/

After you run the KisMAC, click Start Scan in the bottom right corner.

C. Linux

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring

mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Linux users can download Kismet at http://www.kismetwireless.net

Note: Please read the full manual, but for the quick starters, here is the bare minimal instruction to operate Kismet:

• Download Kismet from http://www.kismetwireless.net/download.shtml

• Run “./configure”. Pay attention to the output! If Kismet cannot find all the  headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

• Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

• Compile Kismet with “make”.

• Install Kismet with either “make install” or “make suidinstall”.

Note: you must read the “suid” installation and security” section of the Readme or your system may be insecure.

• If you have installed Kismet as suid-root, add your user to the “kismet” group

• Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is

less secure than privsep mode, where packet processing is segregated  from admin rights.

• When prompted to start the Kismet server, choose “Yes”.

• When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported

channels. If it does not, you will have to manually define the capture type   (as explained later in this README).

• Logs will be stored in the directory created when you started using Kismet, unless it changed via the “logprefix” config file or “–log-prefix” startup option.

• READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options. To get the most out of it, you must read all of

the documentation.

 

With these tools you can get all SSIDs and BSSIDs on your area (It is good idea to capture packets in different areas of your buildings so that you have better chance to detect any existed rogue APs.

 

Update: I have received couple of e-mail about PCI scope on wireless. Here is what PCI says about it:

“Wireless
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless
local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI
DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and
4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider
deploying wireless technology only for non-sensitive data transmission.”

I believe it is pretty straight forward.  If there is no separation of wired/wireless networks with a firewall on your cardholder data environment you cannot think wireless network is out of your scope…

Reset Your Windows Password

We have lots of password to remember : workstation, servers, banks, forums, mails etc… This makes forgetting passwords easier. Today I would like to mention how to remove reset admin password on windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry’s SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shutdown your computer and boot off a linux floppy disk).

1. Insert Backtrack’s DVD on your windows computer and boot from CD (usually you can hit f2, f12 in order to see boot order, then you can force computer to boot from CD/DVD).

2. Mount your windows partition:

2.1. Run fdisk -l to determine where is your windows partition.
My windows partition is /dev/sda1

2.2 Create empty folder to mount windows partition.
mkdir /mnt/windows

2.3mount /dev/sda1 /mnt/windows

3. Go into chntpw directory
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM

./chntpw -i /mnt/windows//WINDOWS/system32/config/SAM
5. Type the username you want to reset password, enter, then press 1, enter.

6. After made the changes,  you need to exit from the main chntpw menu and press “Y” to write the changes or “N”to ignore the changes.

 

PCI Vulnerability Scans – Part I : Severity Levels (Risk Rankings)

PCI requires you to have both external and internal vulnerability scans. We will discuss them in detail later. Today I will focus on the risk rankings that PCI uses for vulnerabilities.

PCI DSS requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Notes:

Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component.

The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

6.2.a Interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities, and that a risk ranking is assigned to such vulnerabilities. (At minimum, the most critical, highest risk vulnerabilities should be ranked as “High.”

6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information.

Himm, as you see with PCI version 2 there is a change in the vulnerability severity categorization. Now PCI asks us to use CVSS and telling that CVSS will be a standardized severity level for PCI vulnerability scans after June 30, 2011.

The table above should give you a very clear idea of which severity category that a vulnerability will be assigned.  For example a vulnerability that has CVSS score of 5 will be a medium level vulnerability that should be fixed to pass PCI compliance.

In order to pass PCI compliance all the vulnerabilities should have 3.9 or less CVSS. There are four exceptions for this rule:

1. The vulnerability is not included in the NVD (National Vulnerability Database): If it is a new vulnerability you have a chance that you don’t have the vulnerability in the NVD.

You can still use CVSS system to calculate the risk ranking score. PCI also asks you to reference to other external resources of information about the vulnerability.

2. You disagree with the CVSS score noted in the NVD: Sometimes the CVSS score may not make sense for your organization for a specific vulnerability. In this case PCI asks you to provide followings:  Score in the NVD, your score, and why you are disagree with the score provided in the NVD.

3. It is a denial of service (DoS) vulnerability:  If it is a purely DoS type of vulnerability you have found, you can ignore it regardless of CVSS score since it is not in the scope of PCI compliance.

4. It is one of the “automatic failure” type of vulnerability: Like DoS vulnerability, you will not care CVSS score (this time it is other way around, the CVSS score is lower than 4.0 but due to the nature of the vulnerability system cannot be PCI compliant)

Here are the all automatic failures:

  • Operating system has no longer supported by the vendor
  • There is an open access to database from internet
  • Built in accounts (OS, DB, Web, Application, Network, etc…)
  • Unrestricted DNS zone transfer
  • SQL injection, XSS, director traversal, HTTP response splitting/header injection
  • The presence of well-known, remotely detectable backdoor applications installed on the servers.
  • If server supports SSL 2.0 or older, or SSL 3.0 with 128-bit encryption

In my next PCI post, I go over wireless requirements and how to detect rogue APs.

Detecting Rogue Virtual Machines On A Network

Introduction

Today our topic is detecting rogue virtual machines. Rogue virtual machines can pose huge threat to your organization. Even with your managed machines, you might have unauthorized virtual machines. There are some ways to keep the number of rogue vm’s very low on your network such as using software policy, restricting admin accounts for those only need them etc..

What if your employees install virtual machines without your knowledge. How can you detect those virtual machines?

Detecting “evil” at rest

If you can identify all virtual machines that sits on your network, then you can compare them with the authorized virtual machines. In this way you can find rogue virtual machines.

There are two ways you can identify virtual machines. One way is checking MAC address, other is checking running process.

First way: Checking MAC address of remote system

MAC addresses are unique to each device. If you can get a mac address of a device then you can tell what company is made the device. Since virtual machines uses their virtual network adapter to connect a network and this virtual adapters are unique to each company, we can determine if mac address belong to a virtual machine company.

So how can we get mac addresses of other computers on a network?

The answer is easy. We can ping each devices on the network and then check our arp tables.

OR we can use nmap.

nmap -sP 192.168.1.1/24
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-03-17 22:35 EDT
Nmap scan report for 192.168.1.1
Host is up (0.018s latency).
MAC Address: 00:24:A1:17:44:CD (Motorola CHS)
Nmap scan report for 192.168.1.13
Host is up (0.000094s latency).
MAC Address: 00:26:BB:07:17:DD (Apple)
Nmap scan report for 192.168.1.11
Host is up (0.014s latency).
MAC Address: 00:1B:77:CD:FF:CD (Intel Corporate)
Nmap scan report for 192.168.1.13
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.53 seconds

As you see nmap has predefined mac database so it can convert mac addresses to manufacturer’s name.

Second way: Checking Process Names

You can get mac address of the computers that sits on the same vlan/lan with you so first option is only good for you have only one lan. Moreover some virtual adapters can be on NAT mode so you cannot see their MAC address.  (On NAT mode they use same mac address with the physical machine.)

Each virtual machine software will have running processes. For example VM Fusion has vmware-vmx as running process on OSX. So you can login each machine to see if there is a running process related with a virtual machine software.

Nessus has a plugin for checking vm ware machines  by using this technique(http://blog.tenablesecurity.com/2007/04/i_was_speaking_.html) , you can write your own plugin to find other virtual instances.

The disadvantage of this method is you need to have admin credentials.

Summary

We can find rogue virtual machines on network by comparing all virtual machines with authorized virtual machines. We can identify all vms by using mac addresses or running processes. With the first method we can only identify virtual instances on the same LAN. With the second method we need to have admin credentials for the boxes we scan.

Update: Please check here for more info http://realinfosec.com/?p=678

 

 

 

CEH Module 8 and 9: Trojans, Backdoors Viruses and Worms Part 1

Definitions

Trojans:A program that appears to be a legitimate program but in fact performs some malicious functions.

Backdoor: A secret entry point to the system that allows someone who is aware of the backdoor gain unauthorized access.

Viruses: A piece of malicious code attached a program that replicates by attaching itself to other programs.

Worm: A standalone program that propagates copies of itself across the network

Example

Covert channels are important for hiding activity from system owner when attacker communicate via his backdoor. Covert channel is a communication channel in a way that was not intended.

There are lots of reason for using covert channel but as an ethical hacker you should know that covert channel can be used directly communicating with the target to continue maintaining server or launching attack against other system via target. In this way attacker can hide himself from second target.

I am going to show a linux utiliy called ptunnel  – tunnel TCP connections over ICMP echo request/reply packets.

From its man page:

ptunnel  is  an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request  and  reply  packets,
commonly  known  as  ping  requests  and replies. At first glance, this might seem like a rather useless thing to do, but it can actually  come
in  handy  in  some  cases.  The following example illustrates the main motivation in creating ptunnel:

Setting: You’re on the go, and stumble across an open wireless network. The  network gives you an IP address, but won’t let you send TCP or UDP
packets out to the rest of the internet, for  instance  to  check  your mail.  What  to do? By chance, you discover that the network will allow
you to ping any computer on the rest of the internet. With ptunnel, you can  utilize  this  feature to check your mail, or do other things that
require TCP.

I believe the scenario author discussed was tricky since using a service you are not authorized to use is illegal. However one can argue that since ICMP is allowed by network, there is nothing illegal. My suggestion just play safe and not try in that scenario. Instead use this tool in your home network.

As an ethical hacker we footprint a system, scan it, enumerate users, and crack passwords, then got an access. We elevated privileged access and plant some rootkits. We now want to attack another server with ssh connection, however we want to cover ourselves. We are going to use ptunnel on the already compromised target so in this way system owner will only see lots of ICMP echo request and reply packets instead of actual commands we are running to communicate with the system. Consequently we will be hiding our activity from him/her. We will be launching attack against another server.

Installation

On a debian based system you can install ptunnel with this command:

apt-get install ptunnel

Note: We need to install ptunnel on the our computer (client computer) and also on the proxy computer (comprimisedTarget)

Action

On the compromisedTarget run ptunnel.

./ptunnel

Here compromisedTarget is the target we have access (already hacked). The second target is the one we want to attack.

On your local computer run following command:

sudo compromisedTarget -p 12345 -da secondTarget -dp 22

We are attacking ssh server of the secondTarget to gain access. There are lots of automated tools like Hydra, brutessh, sshater. You can configure them for a brute force attack. For simplicity I am using ssh command for manual tries to guess the password.

ssh -p 12345 localhost

Now we are sending our ssh packets through the ICMP tunnel that is established with the compromisedTarget. The owner of the compromisedTarget will see lots of ICMP echo request/reply packets but they are part of our ssh attack.

CEH Module 5: Scanning (NMAP)

Today I would like to write about CEH module 5, that is Scanning. The last module was covered on this blog was Footprinting can be found here If you want to see all the modules written about CEH, you can click “Certified Ethical Hacker” section at the right side bar.

Even tough I will talk about some general scanning techniques, my focus will be on practical knowledge of nmap that is heavily is tested on your CEH exam. I will not go deep on the nmap, you can do lots of cool stuff with it, but my focus will be its general usage for the ceh exam.

NMAP

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

You need to know some basic options, scan types, IP addresses’ and ports’ formats in nmap.

OPTIONS

-sT: connect scan -sX:XMAS scan
-sS: syn scan (half open) -sP: ping scan
-sF: fyn scan -sU:UDP scan
-sO: raw scan -O: OS detection

3 way hand shake will be performed on the connect scan, that is why this option is slow and will have lots of footprints on the target system.
Syn scan will only send SYN packets to targets. If the port is open then we will receive SYN+ACK other wise we will receive RST that indicates the port is closed…
Ping scan: This also known as ping sweep. Basically nmap will be pinging all the given machines and determine live hosts.
UDP scan: In case you want to see UDP ports, you need to run a UDP scan.

IP addresses

192.168.0.1-255
scanme.nmap.org/24
192.168.0.1/26

Port

-p23,25,80
-p1-1000

Examples

nmap -sS scanme.nmap.org/24 -p1-65535
nmap -sT -O 192.168.0.1-25 -p23

Hiding Data: Steganography on Linux

My last blog post was about hiding info on slackspace by using a special tool called Bmap. Today I am going to discuss Steganography in more general. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. It is different than encryption since encryption may not care existence of cipher text from outside world. However steganography deals with hiding information even if it is encrypted.

See following example:

Alex wants to send a message to Bob. She wants only Bob reads the message. She can use encryption (symmetric or asymmetric). The risk here is possible attack for deciphering her message. She can also try hiding the message in a different format (say in a jpeg file) and send over the Bob. Since the message will be in a picture probably attacker Tom will not recover the message from the file.

Of course in case he desperately wants to read the message, he can use some forensics tools to read the message. For this reason combining encryption with a stenography will be best choice for Alex.

Today I am going to discuss a Linux tool steghide that does both encryption and stenography. On debian based system you can install steghide by following command:

apt-get install steghide

By default steghide compress the embedded data, and encrypted with rijndael-128 algorithm.

I have two files under my Private folder:

root@bt:~/Private# ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:24 myMessageToBob.txt
-rw-r--r-- 1 root root 17875 Jan 30 18:23 soccer.jpg

My goal is embedding text file into jpeg file.

Let’s check if we have enough space on jpeg file to do that:

steghide info soccer.jpg
"soccer.jpg":
format: jpeg
capacity: 1.0 KB
Try to get information about embedded data ? (y/n)

So we can embed 1.0KB data and we only have 20B data (see ls -l output)

root@bt:~/Private# steghide embed -cf soccer.jpg -ef myMessageToBob.txt
Enter passphrase:
Re-Enter passphrase:
embedding "myMessageToBob.txt" in "soccer.jpg"... done

-cf stands for cover file whereas -ef stands for embedded file.

Let’s now check the size of the jpeg file.

ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:24 myMessageToBob.txt
-rw-r--r-- 1 root root 18396 Jan 30 18:27 soccer.jpg

Himm, it got bigger and that was expected but the original data was just 20B and we know that steghide will compress data before embedding.

As you guess the reason of 521B (18396-17875) is encryption and crc check sum of the embedded data that will also added into the jpeg file.

Try to open the jpeg file. You will not see any difference from the original jpeg file.

Now, we want to extract the data out of the jpeg file.

root@bt:~/Private# steghide extract -sf soccer.jpg
Enter passphrase:
the file "myMessageToBob.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "myMessageToBob.txt".


root@bt:~/Private# ls -l
total 24
-rw-r--r-- 1 root root    20 Jan 30 18:58 myMessageToBob.txt
-rw-r--r-- 1 root root 18396 Jan 30 18:27 soccer.jpg

After we extracted the text file from jpeg file the file in the jpeg is still there (check the size after embedding and after extracting, they are same)

The only disadvantage I can think of is not being able to wipe the data from the cover file (the file you embed data into).