US, Israel & Romainian Drone News – Life for Hackers (iHLS TV)

Video from Israel’s Homeland Security (iHLS TV)

Topics include:

  • Israeli SkyStar-180 aerostat helps secure world cup
  • Israeli company Plasan to supply APCs for Brazilian police
  • UK Hackers face life in prison
  • Romanian authorities adopt new civilian drone laws
  • U.S. Navy tests for drone-manned helicopter team
Advertisements

Real Time Worldwide Cyber Attack Map

real time hacker map 2

IPViking” (what a great name!) by Norse Security provides a real time threat intelligence cyber attack board where you can see a graphical representation of live detected cyber attacks.

More of a straight numbers person? They also provide a running tally of attacks per country for those who just want the facts without the bling:

live cyber attacks by country

According to the website, “Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).”

The real time map is pretty fascinating to watch, for instance I saw a concentrated attack against a specific US IP from multiple IP addresses in South Africa.

Check it out!

 

 

Wide Open “Online Enabled” Physical Security Devices

Embedded Device Security

Online enabled devices or the “Internet of Things” as it is now being called is all the rage. Take that fancy hardware gizmo, add an embedded web server and blamo you can view and control it from anywhere in the world – What a great idea! But sadly with the mad rush to make things more user friendly and convenient, security is being left aside, even in devices that are being used to protect facilities!

Physical security devices are used to help secure important buildings, rooms, data or material. These hardware devices along with security personnel help defend a company from thieves & trespassers, and also protects employees, equipment and data.

These items include:

  • Motion detectors
  • Windows & door alarms
  • Smoke & fire detectors
  • Security cameras
  • Electronic locks

With the convenience of the internet and mobile devices, it just makes sense to give these devices an online interface so that they can be more easily monitored by reduced security staff, small business owners that are out of the office, or home owners that are away on vacation.

But what if these devices themselves were not secure? Worse, what if these devices themselves were a security threat to your network?

I recently ran into a very feature rich physical security device and to boot it was internet enabled so it could be monitored from anywhere or from any smart device. Just having this thing at your facility gave you the warm fuzzies. But with a little research I found that the device wasn’t that secure at all.

The device was being run on a Local Area Network (LAN), but the manufacturer recommended that the device be allowed outside your firewall so it could be monitored from anywhere via smart devices. And why not, it had all the surface hallmarks of security. Layers of passwords were needed to access the device, and you could even set up account access allowing some users guest viewing privileges and various levels of configuration access to manager or admin level employees.

This item seemed very secure, and why wouldn’t it be? It was a physical security device, it must also have very strong online protection. But a quick pentest of the device (took about 15 minutes) painted a totally different picture.

To test it, I first ran a standard nmap probe against the device and found that it had several open ports. A couple common ports and several high level ports were open. That partially made sense, it would need some open to be able to be monitored and configured over the web. But the sheer number of open ports just didn’t seem right.

I then ran a more indepth nmap scan to determine what software and version numbers were running on the open ports:

nmap -v -A 192.168.1.130

From the returns, I could see that the device was running some pretty standard services.

I picked the Telnet server software name and version that nmap displayed and did a quick Google search for exploits.

Low and behold the Telnet server on this manufacturer’s device seemed to have used the same default password on all devices at one time. The post even listed the default password. But this article was from 2012, there is no way that brand new devices would still use this password, or would it?

To be sure, I tried to connect to the Telnet service on the device using Netcat and the default password that I found. From a Kali Linux terminal prompt I started Netcat with the IP address and port of the device:

nc 192.168.1.130 23

It then prompted me for the username and password.

host login: root
Password: ******

I then received this:

BusyBox built-in shell
Enter ‘help’ for a list of built-in commands.

~ #

Typing “help” returned this screen:

netcat embedded server

A quick “whoami” command tells us all we really need to know:

netcat embedded root

We have “root” or god level access rights to the device.

Nice…

The password the manufacturer used to protect the root level account was not only publicly available, it was also a short simply password, under 6 characters, and all lowercase letters! Just imagine if this “Physical Security Device” was allowed outside our firewall?

A quick view of the device password file (cat /etc/password) showed that the developer created over 40 usernames(!), what is the chance that they used simple passwords for all of the other users too? Worse yet, they were notified about the root password being publicly displayed over two years ago and still haven’t rectified the issue.

All embedded or online enabled devices must be tested for basic security compliance along with your workstations, software and servers. With the rush to make everything “online enabled”, basic security practices are being brushed aside in the name of convenience… or maybe even incompetence.

To learn more about basic security check out the book, “Basic Security Testing with Kali Linux“.

Quick and Easy Website Vulnerability Scans with OWASP-ZAP

OWASP ZAP Main

Today let’s take a look at quick and easy website vulnerability checks with the OWASP Zed Attack Proxy, or “OWASP ZAP” for short.

Introduction and Setup

OWASP ZAP is a web application penetration testing tool that has some great features. It is a very easy to use scanner that allows you to do manual or automatic website security checks. In this tutorial we will learn how to use the automatic attack feature.

For this tutorial we will be using Kali Linux and Metasploitable 2 virtual machines. Metasploitable 2 is purposefully vulnerable virtual machine that contains tons of vulnerabilities to find and exploit. I just used VMWare player for this tutorial running on a Windows 7 host.

  • Download both virtual machines and open them in VMWare player.
  • Kali Linux username and password is root/admin
  • Metasploitable username and password is msfadmin/msfadmin

Before we get started and as always, never use any security tools to scan or test a network that you do not own or have permission to do so. Also do not put Metasploitable 2 on a system that has open access to the internet as it is very vulnerable!

Automatic Security Scan Tutorial

1. After booting Metasploitable and logging in, run the command “ifconfig” to get the system’s IP address.

2. Start Kali Linux, which will boot to the graphical user interface.

3. Start OWASP ZAP:

In the Kali Linux menu, you can find OWASP ZAP in the top ten security menu (If it is not there, update to the latest version of Kali):

OWASP ZAP Menu

OWASP ZAP will open to the main menu.

4. Now, simple input the Metasploitable system’s IP address (192.168.1.133 in my case) into the ‘URL to attack’ box and select, “Attack”:

Attack

That’s it, OWASP ZAP will then begin to spider the website:

spider

It will also list any security issues it finds and place them under the “Alerts” tab. Clicking on the tab will show the following alerts:

Owasp ZAP Alerts

Wow, that is a lot of alerts! Each folder contains different types of security issues. For this tutorial, let’s just check out the “Path Traversal” folder.

Click to expand it.

Go ahead and click on the very first alert:

Transversal Alert

On the right side you will see an explanation of the issue:

Path Traversal Vulnerable

It is tagged as a red flag “High” level warning. OWASP ZAP then explains the error:

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal…
The most basic Path Traversal attack uses the “../” special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the “../” sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding (“..%u2216” or “..%c0%af”) of the forward slash character, backslash characters (“..\”) on Windows-based servers, URL encoded characters “%2e%2e%2f”), and double URL encoding (“..%255c”) of the backslash character…

Basically this means that we can view files or folders on the webserver just by using a special sequence. And OWASP ZAP gives us the exact command to enter:

http://192.168.1.133/mutillidae/?page=%2Fetc%2Fpasswd

The command above will list a webpage on the Metasploitable server. If we enter this URL in a web browser on our Kali system, it will go to the Metasploitable server and pull up a certain webpage, the “?page=” part followed by the webpage to display.

The page requested in the alert is “%2Fetc%2Fpasswd”. Now this may not look like much, but if you are familiar with Linux, the command becomes “/etc/passwd”, which is the location of the server’s password file!

Entering this command in the web browser in Kali (using your Metasploitable IP address) will return this:

Path Traversal Attack Results

You see what appears to be a normal web page control interface, but if you look in the center window you see this information:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash bind:x:105:113::/var/cache/bind:/bin/false postfix:x:106:115::/var/spool/postfix:/bin/false ftp:x:107:65534::/home/ftp:/bin/false postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false distccd:x:111:65534::/:/bin/false user:x:1001:1001:just a user,111,,:/home/user:/bin/bash service:x:1002:1002:,,,:/home/service:/bin/bash telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false snmp:x:115:65534::/var/lib/snmp:/bin/false

The contents of the Linux password file – Obviously not something you want displayed on your webpage!

Conclusion

For every alert that OWASP-ZAP finds, it also includes a solution to protect your system from the vulnerability found. As seen below:

Path Traversal Attack Solution

Automatic scanning is just one feature of OWASP-ZAP, but you can see how easy it us to find and correct some serious vulnerabilities very quickly. OWASP-ZAP is a great tool for both penetration testers and software coders!

If you are interested in learning more about Kali Linux and basic computer security testing, check out my book, “Basic Security Testing with Kali Linux 2” available on Amazon.com.