Pentesting High Security Environments

I was checking out some of the videos on our friend Vivek’s excellent security resource – Security – again today and found an exceptional video on pentesting high security SQL systems. The video features Joe McCray’s (an awesome speaker by the way) presentation, “Big Bang Theory – Pentesting High Security Environments” at the 2012 Hacktivity Conference.

This is hands down one of the best presentations I have seen on both SQL injection and how much computer security… well… sucks!

Joe explains that many companies creating (or already running) a web application presence have two options: write secure code, or write average or even insecure code and just put a web application firewall and IDS in front of it to protect it.

In his presentation, he shows how SQL injection can still be done on a website protected by an IDS, and it does not even throw any alarms. He then shows similar techniques on a site using a web application firewall.

Joe was able to pull database information and even password hashes from a system, while the IDS system showed no SQL injection attempts at all.

None – Zero….

He then explains that these security systems are set to look for certain signatures, or attacks. Many are configured to stop low level attacks (“ankle biter” attacks, he called them), but let more sophisticated attacks straight through. Joe also explains that commercial IDS systems often “borrow” signatures from open source IDS programs. So hackers practice on the open source ones, and if their attacks don’t trigger anything there, the chances that they are picked up by a commercial product are very low.

Lastly, Joe shows the config file of a Web Application Firewall program and points out some stunning default settings. These include IP ranges excluded from being scanned, old attacks being blocked while newer technologies aren’t even filtered, and Outlook Web Access not being monitored at all…

The solution – People!

Get and maintain the people who know how to setup, test and configure these security features to protect your network!

Exceptional video, I highly recommend that you and your security team check this out. Then explain what he is saying to your boss! 🙂

Security Onion Article Featured in Hakin9 Magazine

The latest Hakin9 Exploiting Software issue is out!

This month’s issue features my article on “Easy Network Security Monitoring with Security Onion”:

Hackers and the malware that they create are getting much better at evading anti-virus programs and firewalls. So how do you detect or even defend against these advanced threats? Intrusion Detection Systems monitor and analyze your network traffic for malicious threats. The problem is that they can be very difficult to configure and time-consuming to install. Some take hours, days or even weeks to set up properly. The Security Onion IDS and Network Security Monitoring system changes all of that. Do you have 10 minutes? That is about how long it takes to set up and configure Security Onion – a Linux Security Distribution based on the Ubuntu (Xubuntu 10.04 actually) operating system.

And Craig Wright continues his series on creating shell code with this month’s article, “Understanding conditionals in shellcode”:

This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process. In this article, we are looking at extending our knowledge of assembly and shellcoding. This is a precursor to the actual injection and hooking process to follow. You will investigate how you can determine code loops and the uses of loops, as well as an introduction to how you can reverse engineer assembly or shellcode into a higher level language and even pseudo-code, all of which form an essential component of creating and executing one’s own exploit successfully. By gaining a deep understanding of just how code works and knowing where to find the fundamentals of the shellcode programming language, we hope to take the reader from a novice to being able to create and deploy their own shellcode and exploits.

Also in this issue:

  • Creating a Fake Wi-Fi Hotspot to Capture Connected Users Information
  • Accurate Time Synchronization with NTP. Hardening your Cisco IOS Device
  • Penetration Testing Methodology in Japanese Company

Check it out!

Simple Network Security Monitoring with Security Onion & NetWitness Investigator

If you want a robust, cost effective and easy to use Intrusion Detection System (IDS) and Network Security Monitoring (NSM) platform, look no further than Doug Burks’ “Security Onion”.

Security Onion:

“Security Onion is a Linux distro that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.”

What is great about Security Onion is that it takes all the guesswork out of setting up an effective IDS, and it takes the alerts generated by intrusion attempts and displays the critical ones in a nice user interface called Sguil.

You can install Security Onion to a new machine, or just run it as a live CD to check it out. Running Security Onion with two network cards installed and matching it to a Dualcomm port mirroring device provides a cheap but powerful monitoring system.

When two network cards are installed with Security Onion, one is configured as a monitoring only sensor and the other is configured to connect to your internal LAN.

Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect your sensor line from Security Onion to the mirrored port and you can analyze all your network traffic live.

Another cool feature of Security Onion is that it keeps a copy of all of your network traffic, stored in daily log files.

Now if all the tools that are included in Security Onion are just not enough for you (and trust me, there are a ton of them!), you can take the raw daily captures directly from Security Onion and analyze them in NetWitness Investigator.

“NetWitness® Investigator is the award-winning interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”

Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the NIC used for monitoring, and finally the daily logs directory. Then choose a log file. The files cap out at 128 MB by default, and then another file is created with an incremented number in the file name. A sample file name would be “snort.log.1315337092”.

Next copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.
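As an added example (not from the post, and not Security Onion’s own tooling), the Python script below picks out which daily capture file holds a given moment of interest, using the number embedded in names like snort.log.1315337092, and checks the libpcap magic bytes before a file is copied off for import. It assumes that number is the Unix time the file was started and that the files are written in libpcap format; the file names other than the one quoted above are constructed.

```python
import os
import re
import struct
from datetime import datetime, timezone

# Assumed naming convention (the post only quotes one example name):
# each daily log is snort.log.<epoch>, where <epoch> is when that file was started.
LOG_NAME = re.compile(r"^snort\.log\.(\d+)$")

# libpcap global-header magic values: usec/nsec resolution, either byte order.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}


def _epoch(name):
    """Return the epoch embedded in a snort.log.<epoch> file name, or None."""
    m = LOG_NAME.match(os.path.basename(name))
    return int(m.group(1)) if m else None


def log_start_time(name):
    """Decode the file name into the (assumed) capture start time, as UTC."""
    e = _epoch(name)
    return datetime.fromtimestamp(e, tz=timezone.utc) if e is not None else None


def file_for_time(names, when):
    """Pick the log whose start time is the latest one not after `when`.

    A new file is only started when the previous one fills up (128 MB by
    default), so the packets seen at `when` live in the file open at that moment.
    """
    target = int(when.timestamp())
    earlier = [(_epoch(n), n) for n in names if _epoch(n) is not None and _epoch(n) <= target]
    return max(earlier)[1] if earlier else None


def looks_like_pcap(header):
    """True if the first four bytes carry a libpcap magic; a cheap sanity check
    before hauling a file off to another analysis tool."""
    return len(header) >= 4 and struct.unpack("<I", header[:4])[0] in PCAP_MAGICS


def sample_pcap_header():
    """Constructed libpcap global header (little-endian, usec, Ethernet) used for demonstration."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


if __name__ == "__main__":
    # Constructed directory listing; only the first name is from the post.
    names = ["snort.log.1315337092", "snort.log.1315351500", "snort.log.1315365900", "README"]
    incident = datetime(2011, 9, 7, 0, 30, tzinfo=timezone.utc)
    chosen = file_for_time(names, incident)
    print("capture covering", incident, "->", chosen, "started", log_start_time(chosen))
    print("constructed header is pcap:", looks_like_pcap(sample_pcap_header()))
```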

Investigator then parses the information and gives you an amazing view of the packets captured. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address.

You can then drill down from high level topics like Destination Country to recreations of the actual data sent in a few clicks. You can look at the information transferred including scripts, programs, pictures and videos. You can also search the entire data collected for phone numbers, credit cards, hacker terms, date/time or location.

Finally, Investigator supports Google Earth to view packet travel and location data.

Security Onion and NetWitness Investigator: a powerful threat detection combination.

EasyIDS: Intrusion Detection Made Easy

Looking for an easy way to set up and learn Intrusion Detection Systems? Look no further than EasyIDS.

EasyIDS is a complete IDS solution based on the CentOS Linux operating system. Snort can be difficult to set up, especially for those new to Linux. EasyIDS takes all the hard work out and gives you a complete monitoring system with a graphical user interface.

All you need is a machine with 384MB+ of RAM, an 8GB+ hard drive and 2 network cards. EasyIDS does the rest. Just pop the CD in (it formats the drive, so make sure the drive you use has no important data on it), follow the prompts and that’s it. It installs Snort, Oinkmaster (updater for Snort), Basic Analysis and Security Engine (BASE), SnortNotify, and PMGraph.

I installed EasyIDS in a VMware virtual machine. To do so, you need to add an extra virtual network card and use the “I will install my OS later” option. Because it wants a monitoring NIC and an administration NIC, I set one of the VMware cards as DHCP and the other as bridged. This seemed to work well.

Though VMware recognizes the disc as Easy Install capable, it does not install correctly using the auto-install. Just make sure you have the disc in the drive and power up the virtual machine after it is created; it will boot off the CD and do a full install.

Just a safety note, don’t leave the CD in the drive when you are done, especially if you have boot from CD enabled. I did, and when one of my family members went to use the computer later, it auto-booted off the CD and wanted to format the drive. Luckily they asked before hitting the “Enter” key to format. 🙂

Once the program is installed, final configuration and setup is completed through a web interface from another system. One network card acts as the monitoring NIC and connects to the traffic you want to monitor. The other card connects to your switch and is used as a control/administration port.

Works well, and being a graphical interface, it is fairly easy to use. If you are interested in learning IDS systems, check it out!