US, Israel & Romanian Drone News – Life for Hackers (iHLS TV)

Video from Israel’s Homeland Security (iHLS TV)

Topics include:

  • Israeli SkyStar-180 aerostat helps secure World Cup
  • Israeli company Plasan to supply APCs for Brazilian police
  • UK Hackers face life in prison
  • Romanian authorities adopt new civilian drone laws
  • U.S. Navy tests for drone-manned helicopter team

Real Time Worldwide Cyber Attack Map

[Screenshot: Norse real-time hacker map]

“IPViking” (what a great name!) by Norse Security provides a real-time threat intelligence cyber attack board where you can see a graphical representation of live detected cyber attacks.

More of a straight numbers person? They also provide a running tally of attacks per country for those who just want the facts without the bling:

[Screenshot: live cyber attacks by country]

According to the website, “Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).”

The real-time map is pretty fascinating to watch; for instance, I saw a concentrated attack against a specific US IP from multiple IP addresses in South Africa.

Check it out!


Wide Open “Online Enabled” Physical Security Devices

Embedded Device Security

Online-enabled devices, or the “Internet of Things” as it is now being called, are all the rage. Take that fancy hardware gizmo, add an embedded web server and blamo, you can view and control it from anywhere in the world – what a great idea! But sadly, in the mad rush to make things more user friendly and convenient, security is being left aside, even in devices that are being used to protect facilities!

Physical security devices are used to help secure important buildings, rooms, data or material. These hardware devices, along with security personnel, help defend a company from thieves and trespassers, and also protect employees, equipment and data.

These items include:

  • Motion detectors
  • Window & door alarms
  • Smoke & fire detectors
  • Security cameras
  • Electronic locks

With the convenience of the internet and mobile devices, it just makes sense to give these devices an online interface so that they can be more easily monitored by reduced security staff, small business owners that are out of the office, or home owners that are away on vacation.

But what if these devices themselves were not secure? Worse, what if these devices themselves were a security threat to your network?

I recently ran into a very feature rich physical security device and to boot it was internet enabled so it could be monitored from anywhere or from any smart device. Just having this thing at your facility gave you the warm fuzzies. But with a little research I found that the device wasn’t that secure at all.

The device was being run on a Local Area Network (LAN), but the manufacturer recommended that the device be allowed outside your firewall so it could be monitored from anywhere via smart devices. And why not, it had all the surface hallmarks of security. Layers of passwords were needed to access the device, and you could even set up account access allowing some users guest viewing privileges and various levels of configuration access to manager or admin level employees.

This item seemed very secure, and why wouldn’t it be? It was a physical security device, so it must also have very strong online protection. But a quick pentest of the device (it took about 15 minutes) painted a totally different picture.

To test it, I first ran a standard nmap probe against the device and found that it had several open ports. A couple of common ports and several high-level ports were open. That partially made sense; it would need some open to be able to be monitored and configured over the web. But the sheer number of open ports just didn’t seem right.

I then ran a more in-depth nmap scan to determine what software and version numbers were running on the open ports:

nmap -v -A 192.168.1.130

From the returns, I could see that the device was running some pretty standard services.
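The judgement "that many open ports doesn’t seem right" can be made repeatable. The following is an added example, not code from the original post: a small Python audit that reads nmap’s XML output (`nmap -oX`) and flags what a defender should object to before a device like this is put outside the firewall: management services that run in cleartext, high-numbered ports with no documented purpose, and an open-port count above what web monitoring needs. The XML, the device address, the service list and the threshold are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for a hypothetical embedded device
# (192.168.1.130 is a placeholder LAN address; services are invented).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.130" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="9000"><state state="open"/><service name="unknown"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="upnp"/></port>
      <port protocol="tcp" portid="139"><state state="closed"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose management traffic (including credentials) crosses the wire unencrypted.
CLEARTEXT_ADMIN = {"telnet", "ftp", "http", "rtsp"}
# Assumed threshold: a device that only needs to be watched over the web should not need more.
MAX_EXPECTED_OPEN = 3


def parse_open_ports(xml_text):
    """Return a list of (address, port, service_name) for every open port in the scan."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            results.append((addr, int(port.get("portid")), name))
    return results


def audit_device(xml_text):
    """Produce the findings a defender would raise before exposing the device past the firewall."""
    ports = parse_open_ports(xml_text)
    findings = []
    for addr, port, svc in ports:
        if svc in CLEARTEXT_ADMIN:
            findings.append(f"{addr}:{port} exposes {svc} (cleartext); disable it or restrict it to the LAN")
        if port >= 1024 and svc in ("unknown", "upnp"):
            findings.append(f"{addr}:{port} high-numbered service '{svc}' has no documented purpose")
    if len(ports) > MAX_EXPECTED_OPEN:
        findings.append(f"{len(ports)} open ports; expected at most {MAX_EXPECTED_OPEN} for web monitoring")
    return findings


if __name__ == "__main__":
    for finding in audit_device(SAMPLE_NMAP_XML):
        print(finding)
```

Run it against a real scan with `nmap -v -A -oX scan.xml 192.168.1.130` and feed the file contents to `audit_device`; the interesting part is the telnet finding, since Telnet sends the root password in the clear even before the default-password problem below comes into play.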

I picked the Telnet server software name and version that nmap displayed and did a quick Google search for exploits.

Lo and behold, the Telnet server on this manufacturer’s device seemed to have used the same default password on all devices at one time. The post even listed the default password. But this article was from 2012; there is no way that brand new devices would still use this password, or would they?

To be sure, I tried to connect to the Telnet service on the device using Netcat and the default password that I found. From a Kali Linux terminal prompt I started Netcat with the IP address and port of the device:

nc 192.168.1.130 23

It then prompted me for the username and password.

host login: root
Password: ******

I then received this:

BusyBox built-in shell
Enter ‘help’ for a list of built-in commands.

~ #

Typing “help” returned this screen:

[Screenshot: BusyBox help output over Netcat]

A quick “whoami” command tells us all we really need to know:

[Screenshot: whoami returning root]

We have “root” or god level access rights to the device.

Nice…

The password the manufacturer used to protect the root level account was not only publicly available, it was also a short, simple password, under 6 characters and all lowercase letters! Just imagine if this “Physical Security Device” were allowed outside our firewall.

A quick view of the device password file (cat /etc/passwd) showed that the developer had created over 40 usernames(!). What is the chance that they used simple passwords for all of the other users too? Worse yet, they were notified about the root password being publicly displayed over two years ago and still haven’t rectified the issue.
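Forty-plus accounts on an appliance is itself a finding: every account with a usable shell is one more password that has to be verified or changed, and any second UID 0 account is another root. As an added example, not from the original post, here is a Python audit of a password file in /etc/passwd format that lists the login-capable accounts and any root-equivalent ones. The file contents below are constructed to stand in for the vendor’s account list.

```python
# Constructed excerpt in /etc/passwd format, standing in for the vendor's 40-plus accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
service:x:1002:1002:,,,:/home/service:/bin/sh
support:x:1003:1003:,,,:/home/support:/bin/ash
guest:x:1004:1004::/home/guest:/usr/sbin/nologin
"""

# Shells that refuse interactive login; anything else counts as login-capable.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd-format lines into dicts; skip comments, blanks and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid 7-field entry
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return the account count, the accounts that can log in, and extra UID 0 accounts."""
    entries = parse_passwd(text)
    login_capable = [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]
    root_equivalent = [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]
    return {
        "total_accounts": len(entries),
        "login_capable": login_capable,
        "root_equivalent": root_equivalent,
    }


if __name__ == "__main__":
    report = audit_passwd(SAMPLE_PASSWD)
    print(f"{report['total_accounts']} accounts")
    print("can log in:", ", ".join(report["login_capable"]))
    print("root-equivalent (UID 0, not 'root'):", ", ".join(report["root_equivalent"]) or "none")
```

On a real device, pull the file over a trusted channel and pass its contents to `audit_passwd`; each name in `login_capable` needs a unique, strong credential or a nologin shell, and anything in `root_equivalent` needs a justification.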

All embedded or online enabled devices must be tested for basic security compliance along with your workstations, software and servers. With the rush to make everything “online enabled”, basic security practices are being brushed aside in the name of convenience… or maybe even incompetence.

To learn more about basic security, check out the book “Basic Security Testing with Kali Linux”.

Quick and Easy Website Vulnerability Scans with OWASP-ZAP

[Screenshot: OWASP ZAP main window]

Today let’s take a look at quick and easy website vulnerability checks with the OWASP Zed Attack Proxy, or “OWASP ZAP” for short.

Introduction and Setup

OWASP ZAP is a web application penetration testing tool with some great features. It is a very easy-to-use scanner that allows you to do manual or automatic website security checks. In this tutorial we will learn how to use the automatic attack feature.

For this tutorial we will be using Kali Linux and Metasploitable 2 virtual machines. Metasploitable 2 is a purposely vulnerable virtual machine that contains tons of vulnerabilities to find and exploit. I just used VMware Player for this tutorial, running on a Windows 7 host.

  • Download both virtual machines and open them in VMWare player.
  • Kali Linux username and password: root/admin
  • Metasploitable username and password: msfadmin/msfadmin

Before we get started, and as always: never use any security tools to scan or test a network that you do not own or have permission to test. Also, do not put Metasploitable 2 on a system that has open access to the internet, as it is very vulnerable!

Automatic Security Scan Tutorial

1. After booting Metasploitable and logging in, run the command “ifconfig” to get the system’s IP address.

2. Start Kali Linux, which will boot to the graphical user interface.

3. Start OWASP ZAP:

In the Kali Linux menu, you can find OWASP ZAP in the top ten security menu (If it is not there, update to the latest version of Kali):

[Screenshot: OWASP ZAP in the Kali menu]

OWASP ZAP will open to the main menu.

4. Now, simply input the Metasploitable system’s IP address (192.168.1.133 in my case) into the ‘URL to attack’ box and select “Attack”:

[Screenshot: URL to attack box and Attack button]

That’s it, OWASP ZAP will then begin to spider the website:

[Screenshot: ZAP spidering the site]

It will also list any security issues it finds and place them under the “Alerts” tab. Clicking on the tab will show the following alerts:

[Screenshot: OWASP ZAP Alerts tab]

Wow, that is a lot of alerts! Each folder contains different types of security issues. For this tutorial, let’s just check out the “Path Traversal” folder.

Click to expand it.

Go ahead and click on the very first alert:

[Screenshot: Path Traversal alert]

On the right side you will see an explanation of the issue:

[Screenshot: Path Traversal alert details]

It is tagged as a red-flag “High” level warning. OWASP ZAP then explains the issue:

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal…
The most basic Path Traversal attack uses the “../” special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the “../” sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding (“..%u2216” or “..%c0%af”) of the forward slash character, backslash characters (“..\”) on Windows-based servers, URL encoded characters “%2e%2e%2f”), and double URL encoding (“..%255c”) of the backslash character…

Basically this means that we can view files or folders on the web server just by using a special character sequence. And OWASP ZAP gives us the exact URL that triggered the alert:

http://192.168.1.133/mutillidae/?page=%2Fetc%2Fpasswd

The URL above requests a page from the Metasploitable server. If we enter it in a web browser on our Kali system, the browser goes to the Metasploitable server and pulls up a certain page: the “?page=” parameter is followed by the page to display.

The page requested in the alert is “%2Fetc%2Fpasswd”. This may not look like much, but URL-decoded it becomes “/etc/passwd”, which, if you are familiar with Linux, is the location of the server’s password file!

Entering this URL in the web browser in Kali (using your Metasploitable IP address) returns this:

[Screenshot: Path Traversal attack results]

You see what appears to be a normal web page control interface, but if you look in the center window you see this information:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false

The contents of the Linux password file – obviously not something you want displayed on your web page!

Conclusion

For every alert that OWASP ZAP finds, it also includes a solution to protect your system from the vulnerability found, as seen below:

[Screenshot: Path Traversal attack solution]
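ZAP’s solution text is not reproduced here, so as an added example (not from the post, from ZAP or from Mutillidae) here is one way a `?page=` handler can be hardened in Python against the traversal variants ZAP lists above: the parameter is URL-decoded repeatedly so double encoding cannot hide a `../`, backslashes are normalised, absolute paths and NUL bytes are rejected, the resolved path must stay under the document root, and finally the file must be on an allowlist, which is the control that actually decides what gets served. The document root and the allowlist are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root and page allowlist for the example (constructed values).
DOC_ROOT = "/var/www/mutillidae"
ALLOWED_PAGES = {"home.php", "login.php", "credits.php"}


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding (%252e -> %2e -> .) so the checks see the final characters.
    Stops early once a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(doc_root, requested):
    """Return the absolute path to serve, or None if the request escapes doc_root,
    uses an absolute path or NUL byte, or names a file not on the allowlist."""
    decoded = fully_decode(requested).replace("\\", "/")  # treat Windows separators as '/'
    if "\x00" in decoded or decoded.startswith("/"):
        return None  # '/etc/passwd' and NUL-truncation tricks stop here
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # '../' sequences collapse in normpath; anything that climbed above root fails this check
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # Allowlist: only named pages directly under the root, nothing else
    if posixpath.dirname(candidate) != root or posixpath.basename(candidate) not in ALLOWED_PAGES:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("home.php", "%2Fetc%2Fpasswd", "../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..%255c..%255cetc%255cpasswd"):
        print(f"{req!r:40} -> {resolve_page(DOC_ROOT, req)}")
```

The invalid-Unicode variants ZAP mentions (`..%c0%af`) decode to a component that is not `..`, so they never climb a directory; they are rejected by the allowlist rather than by the traversal check, which is why the allowlist is kept as the last word.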

Automatic scanning is just one feature of OWASP ZAP, but you can see how easy it is to find and correct some serious vulnerabilities very quickly. OWASP ZAP is a great tool for both penetration testers and software developers!

If you are interested in learning more about Kali Linux and basic computer security testing, check out my book, “Basic Security Testing with Kali Linux 2” available on Amazon.com.