Tuesday 21 December 2010

Online Penetration Testing Videos

I found this link to some really useful (but basic) videos online. They're particularly useful as they're tool-specific and give examples, rather than just discussing tools in a generic way. They may be a little too basic for more experienced testers, but they do also show some good tips and tricks you may not already know.

Thursday 9 December 2010

Business iPhone Use

Recently, Apple have been trying extra hard to increase their share of the business market. Amid rumours of server-side integrations around Snow Leopard Server, Apple are touting the iPhone as enterprise-grade by highlighting apps that integrate with enterprise-grade appliances. One such example is Junos Pulse from Juniper Networks, an SSL VPN client that establishes sessions between the iPhone and a Juniper SA appliance. For more information see here.

Tuesday 23 November 2010

How to Deploy HTTPS Correctly

I have found this guide on my Internet travels. It's incredibly well written, short, and a must-read for anyone deploying HTTPS, even experienced developers. Enjoy, http://goo.gl/lehmL

Programmable HID USB Keystroke Dongles (PHUKD)

(Inspired by blog entry on irongeek.com)

A topic I’ve wanted to blog about for a while is the use of PHUKDs as an attack vector in penetration testing. Firstly, I’d like to discuss the background of how these devices work and why they have come into being.
A PHUKD is a USB device programmed to present itself to the victim machine as a USB keyboard and/or mouse (a Human Interface Device, hence the name) rather than as a storage device. Windows and other operating systems trust HID input as if it came from the person at the keyboard, so the dongle can deliver its pre-programmed keystrokes quickly, accurately and without any user interaction, even on machines where autorun.inf processing and U3 launchpads have been disabled: there is no file to execute and nothing for autorun blocking to act on. The key benefits of these devices as delivery systems are therefore that they cannot be stopped by U3 or autorun controls, and that the keystroke sequence can be prepared in advance and replayed far faster than a person could type it.
The key benefits to a pen tester as suggested by irongeek.com:

  • Extremely fast keystrokes, without errors. This is important when physical access time to the target is limited.
  • Works even if U3 autorun is turned off.
  • Draws less attention than sitting down in front of the terminal would. The target turns their head for a minute, the pen-tester plugs in the PHUKD.
  • The HID can also be set as a logic or time-bomb.
  • It is possible to embed a hub and a flash drive in your package so that you have storage and the programmable USB HID into a single package.
  • Embed your device in a USB toy or peripheral and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
  • After your Trojan USB device is in place, program it to "wake up", mount on-board storage, run a program that fakes an error to cover what it is doing (fake BSOD for example).

A detailed guide on creating PHUKDs is available on the link provided above to irongeek’s blog post, and a really interesting video from Defcon is included below. It’s also worth noting that this attack can be paired with Metasploit: the Social-Engineer Toolkit (SET) includes a Teensy USB HID Attack Vector that programs the device to deliver Metasploit payloads, and full details are available here.
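To make the "presents itself as a keyboard" point concrete, here is an added example in Python, not code from the irongeek post or from the Teensy libraries, that encodes text as the raw USB HID boot-protocol keyboard reports a dongle like this sends. A keyboard talks to the host in 8-byte reports (modifier bits, a reserved byte, up to six key usage IDs) and the host's HID driver treats them as typing, which is exactly why autorun and U3 controls are irrelevant. It assumes a US keyboard layout, and the Win+R "Run dialog" payload at the end is a constructed illustration of the usual first step of such an attack.

```python
"""USB HID keyboard report encoder.

Added example, not code from the irongeek post or the Teensy libraries. It shows
what a PHUKD actually puts on the wire: 8-byte boot-protocol keyboard reports
[modifier, reserved, key1..key6]. The host's HID driver treats them exactly like
a person typing, which is why autorun/U3 blocking does not apply. Keycodes
assume a US keyboard layout; the Run-dialog payload is a constructed example.
"""
import string

# Modifier byte bits (USB HID boot keyboard)
LEFT_CTRL, LEFT_SHIFT, LEFT_ALT, LEFT_GUI = 0x01, 0x02, 0x04, 0x08

# HID usage IDs (keyboard/keypad page) for unshifted keys
_USAGE = {c: 0x04 + i for i, c in enumerate(string.ascii_lowercase)}
_USAGE.update({c: 0x1E + i for i, c in enumerate("1234567890")})  # '0' is 0x27
_USAGE.update({"\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
               "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34,
               "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Characters that need shift on a US layout: char -> unshifted key
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))
_SHIFTED.update({c: c.lower() for c in string.ascii_uppercase})

RELEASE = bytes(8)  # all keys up


def report(modifiers, *keys):
    """One 8-byte report: modifier byte, reserved byte, up to six key usages."""
    if len(keys) > 6:
        raise ValueError("boot protocol reports carry at most 6 simultaneous keys")
    return bytes([modifiers, 0, *keys]) + bytes(6 - len(keys))


def char_reports(ch):
    """Press-then-release report pair for a single printable character."""
    modifiers = 0
    if ch in _SHIFTED:
        modifiers, ch = LEFT_SHIFT, _SHIFTED[ch]
    if ch not in _USAGE:
        raise ValueError("no US-layout keycode for %r" % ch)
    # The release report matters: without it the host sees one key held down,
    # so "ll" would arrive as a single auto-repeating 'l'.
    return [report(modifiers, _USAGE[ch]), RELEASE]


def type_text(text):
    """Encode a string as the flat list of reports a dongle would send."""
    reports = []
    for ch in text:
        reports.extend(char_reports(ch))
    return reports


def run_dialog_payload(command):
    """Classic PHUKD sequence: Win+R, type a command, Enter.

    Constructed for illustration. A real dongle pauses between Win+R and the
    typing so the Run box has time to appear; timing is not modelled here.
    """
    return [report(LEFT_GUI, _USAGE["r"]), RELEASE] + type_text(command + "\n")


if __name__ == "__main__":
    for r in run_dialog_payload("cmd"):
        print(r.hex())
```

Running it prints the twelve reports behind "Win+R, cmd, Enter". Two practical points fall out of the encoding: every character costs two reports (press and release), so a payload's length on the wire is predictable, and the usage IDs are physical key positions rather than characters, so a dongle built for a US layout types the wrong symbols on a UK or German keyboard, a classic field failure.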

Monday 22 November 2010

Adobe Reader Protected Mode

Back in July this year, Adobe announced a new security architecture that adds a further layer of defence to their Reader application. Adobe Reader, widely regarded as one of (if not the) largest vectors for remote exploits, now runs its parsing and rendering inside a sandbox, so that an exploit which gains code execution in the renderer is contained and limited in what it can do to the host. Adobe states that the new design has three major effects:

  • All PDF processing such as PDF and image parsing, JavaScript execution, font rendering, and 3D rendering happens in the sandbox.
  • Processes that need to perform some action outside the sandbox boundary must do so through a trusted proxy called a “broker process.”
  • The sandbox creates a new distinction of two security principals: the user principal, which is the context in which the user’s logon session runs, and the PDF principal, which is the isolated process that parses and renders the PDF. This distinction is established by a trust boundary at the process level between the sandbox process and the rest of the user’s logon session and the operating system.


Two caveats are worth adding: the initial release of Protected Mode restricts the sandboxed process's write access to the file system and registry but does not yet restrict reads (Adobe has said that is planned for a later release), and, as with any broker design, a bug in the broker's handling of requests from the sandbox is a sandbox escape. For more detailed information, Adobe has started a blog thread on the new approach, which can be found here.

Monday 15 November 2010

Firesheep and BlackSheep

Recently, there has been a huge amount of coverage of the ‘Firesheep’ add-on for Firefox. If you missed the kerfuffle, Firesheep is a Firefox add-on that automates sidejacking (HTTP session hijacking) on open wireless networks: it sniffs the session cookies that sites send over plain HTTP after an HTTPS login, lists the captured sessions in a sidebar, and double-clicking one opens the site logged in as the victim. One of the key reasons it has attracted so much attention is that it requires no technical expertise on the part of the attacker. The author, Eric Butler, released it to highlight a widespread poor practice on social networking sites, with a particularly big ‘poke’ at Facebook: protecting the login page with SSL but then sending the session cookie in the clear for the rest of the session. The fix is on the server side, not the client: serve the whole session over HTTPS and mark the session cookie Secure so the browser never sends it over HTTP.

A response to this, from a slightly surprising source (Zscaler, a cloud-based web proxy / email filtering vendor), has been another Firefox add-on called ‘BlackSheep’. The Zscaler add-on can detect whether someone on the same network is using Firesheep.

"BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network."

If BlackSheep identifies that a host has Firesheep installed on the network, it displays a banner indicating that someone has the add-on installed and shows their IP address (as below).

[Screenshot: BlackSheep alert banner]

Ironically, BlackSheep and Firesheep cannot be installed in the same Firefox profile: they share a lot of code and will conflict.
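The detection technique in the quoted description is simple enough to reproduce. The following is an added example, not BlackSheep's or Firesheep's code: it mints an unguessable decoy session cookie, records it, and then flags any host other than our own that presents that cookie to the same site. The requests are constructed tuples standing in for what a packet capture on the open network would yield.

```python
"""Decoy-session detector in the style of BlackSheep.

Added example, not BlackSheep's or Firesheep's code. It implements the idea in
the quoted description: put a fake session cookie on the wire from our own
host, then flag any *other* host that later presents that cookie to the same
site. Requests are simple tuples; on a real network they would be parsed out
of a packet capture on the same open wireless segment.
"""
import secrets
from collections import namedtuple

# What a sniffer would hand us for each plaintext HTTP request (constructed).
Request = namedtuple("Request", "src_ip host cookie_header")


def parse_cookie_header(header):
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


class DecoyMonitor:
    def __init__(self, my_ip):
        self.my_ip = my_ip
        self._decoys = {}  # decoy value -> (host, cookie name)

    def plant(self, host, cookie_name):
        """Mint a decoy; the caller sends it to `host` over plain HTTP so it can be sniffed."""
        value = secrets.token_hex(16)  # unguessable, so a hit cannot be a coincidence
        self._decoys[value] = (host, cookie_name)
        return "%s=%s" % (cookie_name, value)

    def inspect(self, req):
        """Return [(attacker_ip, host)] for each decoy replayed by a host other than us."""
        hits = []
        for name, value in parse_cookie_header(req.cookie_header).items():
            planted = self._decoys.get(value)
            if planted is None:
                continue
            host, cookie_name = planted
            if name == cookie_name and req.host == host and req.src_ip != self.my_ip:
                hits.append((req.src_ip, host))
        return hits

    def scan(self, requests):
        """Run inspect() over a batch of sniffed requests."""
        hits = []
        for req in requests:
            hits.extend(self.inspect(req))
        return hits


if __name__ == "__main__":
    monitor = DecoyMonitor("192.168.1.10")
    decoy = monitor.plant("www.example.com", "session")
    traffic = [
        Request("192.168.1.10", "www.example.com", decoy),             # us, planting it
        Request("192.168.1.77", "www.example.com", "lang=en; " + decoy),  # someone replaying it
    ]
    print(monitor.scan(traffic))
```

Two limits worth knowing: this only catches an attacker who actively replays the session (a purely passive sniffer is invisible), and it only works if the monitoring host can see the wireless segment's traffic. It is a canary, not a fix; the fix remains HTTPS for the whole session.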

Friday 15 October 2010

Bye to BIOS

The end appears to be nigh for BIOS, as the 25-year-old start-up software is finally usurped by UEFI. According to its designers (the UEFI forum) “UEFI (Unified Extensible Firmware Interface) will be a specification detailing an interface that helps hand off control of the system for the pre-boot environment (i.e.: after the system is powered on, but before the operating system starts) to an operating system, such as Windows or Linux. UEFI will provide a clean interface between operating systems and platform firmware at boot time, and will support an architecture-independent mechanism for initializing add-in cards.”

In an interview with the BBC, Mark Doran, head of the UEFI Forum, described the antiquated BIOS as “up there with some of the physical pieces of the chip set that have been kicking around the PC since 1979". UEFI is expected to be the de facto firmware in new PC builds from early 2011 - watch this space! For more information see: UEFI Homepage.

Wednesday 18 August 2010

Juniper SA SSL VPN – Migration to JUNOS Pulse

With version 7 of code now released for the Juniper SA (see previous post), I have been busy testing all the new features in our lab and, in some cases, deploying them for clients. One of the most interesting features has been Junos Pulse, which Juniper’s marketing team describe below.
"Junos Pulse is an integrated multi service network client that supports integrated connectivity, location-aware network access, acceleration, and security. Junos Pulse simplifies the user experience by letting the network administrator configure, deploy, and control the Junos Pulse client software and the Junos Pulse connection configurations that reside on the endpoint."
Junos Pulse is a replacement for Network Connect; it adds new functionality and interoperability with other Juniper Networks appliances (IC Series UAC Gateway Release 4.0, Secure Access Series Gateway Release 7.0, WXC Series JWOS Release 6.1, SRX Series Release 10.0). The following key features have been added in Junos Pulse:
  • Credential saving – Ability to save credentials on the client machine.
  • Host Checker consolidated into the Pulse client rather than a separate installer.
  • WAN acceleration.
  • Certificate trust and storage.
  • Dynamic connections – Allows connections through newly discovered supported gateways via the web browser.
  • Wireless suppression – Disables a wireless adaptor (if the feature is enabled) when a wired connection is available.
  • Scan list – Allows a white list of SSIDs for wireless networks to be added.
  • Location awareness – Allows conditional connection depending on where the endpoint is located.
  • Enhanced Endpoint Security – Extra licence for endpoint security on the box, now present on the client.


Migration

Knowing the Juniper SA pretty well, in the first instance I decided to have a ‘tinker’ and see if I could work out how Pulse worked and how it could be activated for a small sub-set of users in the lab environment. This proved difficult, partially due to the labyrinthine depth of some of the menus and partially because of non-standard logic derived from hundreds of configurations I have done on the SA. After an hour or so of tenacious (mis)configuration, I decided to look for the admin guide on the Juniper website, which is well written and simple. It’s definitely worth reading in its entirety (or at least pages 31-47, which are relevant to the SA) along with the migration guide, located on the same web page. The admin guide contains a step-by-step for configuration on the SA (and for all the other appliances) and the migration guide provides information about which features are new and which are missing. A key point to note is that Network Connect and Pulse cannot function for the same role, even though they share the same split tunnelling policy, and the documentation is very misleading on this point! What this means is that once you have deployed Junos Pulse and users have installed it, they will no longer be able to connect to the same SA (or cluster) using Network Connect. Whilst discussing the solution, it’s worth mentioning the principal reason for this being an issue. Junos Pulse will ONLY work with Windows at present (Windows Mobile included!) and this is an issue given the proliferation of Macs and desktop Linux distributions such as Ubuntu and Fedora Core (especially in IT Security, where pen’ testing rigs are almost always Linux based, using Back|Track or a custom build). This means that it is no longer possible or logical to group all users of Network Connect together in one role as it previously was.

Advice on Testing

During a ‘live’ testing period with end users it’s advisable to provision both access methods in case there are any issues and to give an environment where you can easily test the same action with the other application. The optimal method (IMHO) is to create an additional role for Junos Pulse. I would advise copying an existing role that includes Network Connect as this will contain all the IP address pools and settings that will duplicate the user experience. I would recommend that you name these logically as “<role> Junos Pulse” and “<role> Network Connect” as this will help greatly with troubleshooting.

In order to correctly assign the roles to users I recommend either a regular expression to recognise the user agent (e.g. userAgent = '*Safari*' OR userAgent = '*Linux*') in the realm-level role mapping, or updating your OUs in Active Directory (i.e. splitting the users into Mac / Linux / Windows). From experience, I’d advise the ‘regular expression’ method at the realm-level role mapping, moving it to the top of the processing order and adding a stop rule. The next group, which should be your Windows users that have not hit the first rule, should then be mapped to both the Network Connect role and the new Junos Pulse role, with the option “User must select from among assigned roles” selected. This will give the users the option of selecting the role they require upon login to the portal. Once this is set up, you will need to add the roles to the Network Connect resource policies. The step-by-step guide doesn’t tell you to do this, which means it can often be a gotcha! Simply add the role to the Access, NC Connection Profiles and Split Tunnelling settings (Users > Resource Policies > Network Connect).
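To sanity-check the mapping logic before committing it on the appliance, here is an added example in Python, not Juniper's code or its rule syntax, that models the realm's ordered rule evaluation: roles accumulate across matching rules until a rule marked Stop fires. One detail it makes explicit is that the SA's userAgent = '*Safari*' style expressions are wildcard matches rather than regular expressions, so fnmatch is the right model. It also exposes a gotcha with the '*Safari*' pattern: Chrome on Windows advertises "Safari" in its user agent string, so that rule would push Windows Chrome users into the Network Connect-only role; the second rule set matches on '*Windows*' instead. Role names and user agent strings are constructed.

```python
"""Model of the SA realm role-mapping rules for the Pulse / Network Connect split.

Added example, not Juniper's code or its rule syntax. It reproduces the
appliance's ordered evaluation (roles accumulate across matching rules until a
rule marked Stop fires) so rule order and user-agent patterns can be checked
before touching a live box. The SA's custom expressions such as
userAgent = '*Safari*' are wildcard matches, not regular expressions, hence
fnmatch. Role names and user-agent strings are constructed.
"""
from fnmatch import fnmatchcase


def ua_matches(*patterns):
    """Predicate: does the user agent match any of the wildcard patterns?"""
    return lambda ua: any(fnmatchcase(ua, p) for p in patterns)


# (description, predicate(user_agent), roles granted, stop processing after match)
RULES = [
    ("non-Windows clients get Network Connect only",
     ua_matches("*Safari*", "*Linux*"), ["Remote Network Connect"], True),
    ("everyone else: both roles, 'User must select from among assigned roles'",
     lambda ua: True, ["Remote Junos Pulse", "Remote Network Connect"], False),
]

# Same intent, keyed on what we actually care about (is it Windows?), which
# avoids the Chrome-on-Windows gotcha shown in the samples below.
RULES_FIXED = [
    ("non-Windows clients get Network Connect only",
     lambda ua: not fnmatchcase(ua, "*Windows*"), ["Remote Network Connect"], True),
    RULES[1],
]


def map_roles(user_agent, rules=RULES):
    """Roles assigned to a session, honouring rule order and Stop flags."""
    roles = []
    for _desc, predicate, granted, stop in rules:
        if predicate(user_agent):
            for role in granted:
                if role not in roles:
                    roles.append(role)
            if stop:
                break
    return roles


# Constructed user-agent strings in the style of 2010 browsers.
SAMPLE_UAS = {
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_5) AppleWebKit/533.19.4 Safari/533.19.4",
    "ubuntu_firefox": "Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0",
    "win_ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "win_chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.10 Chrome/8.0.552 Safari/534.10",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print("%-15s %-45s %s" % (label, map_roles(ua), map_roles(ua, RULES_FIXED)))
```

Reversing the rule order is instructive too: with the catch-all first and no Stop on it, a Mac user collects both roles before the Safari rule runs, which is exactly why the non-Windows rule has to sit at the top with a stop rule.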

Tuesday 10 August 2010

Built-in Windows security features ignored by most AV vendors and common desktop applications, but is this important?

A widely discussed topic in many security blogs of late has been that of DEP and ASLR being neglected in many common desktop applications and, more notably, desktop antivirus software. Most of the posts, even if not directly credited, were spawned by an interesting research paper authored by Secunia.

Background

DEP (Data Execution Prevention) is a Windows security feature introduced in Windows XP SP2 and carried forward into Vista and Windows 7 (with changes to how the OS applies it). Backed by the processor’s NX/XD bit, DEP marks data regions such as the stack and heap non-executable, so a buffer overflow that lands shellcode in those regions faults instead of running. Client editions of Windows default to an OptIn policy, so an application only benefits if it opts in (via the /NXCOMPAT linker flag, or SetProcessDEPPolicy at run time) unless the administrator forces DEP on for every process. DEP does nothing against code-reuse techniques such as ‘return-into-libc’, where the attacker overwrites a return address on the stack to jump into code that is already executable (a libc function, or a chain of instruction fragments) rather than injecting new code. ASLR (Address Space Layout Randomization), introduced with Windows Vista, addresses this by randomising where key regions (executable images and libraries, the heap and the stack) are placed, so the attacker cannot reliably know the addresses a code-reuse attack needs. The two in combination mitigate most memory-corruption exploits, but only for images that opt in: an image is only randomised if it was linked with /DYNAMICBASE and still carries relocations, and a single non-ASLR DLL loaded into an otherwise randomised process hands the attacker a fixed base to pivot from. Two further points on ASLR: it is neither proprietary to Microsoft nor a new concept (PaX and OpenBSD had it years earlier), and its strength depends on entropy, which is why a 64-bit address space with more randomisable bits makes it markedly harder to brute-force.
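Whether a given binary opts in can be checked from disk, which is essentially what Secunia did. The following is an added example, not Secunia's tooling: a minimal PE header parser in Python that reads the COFF and optional headers and reports the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits of DllCharacteristics for both PE32 and PE32+ images. It also checks IMAGE_FILE_RELOCS_STRIPPED, since an image with no relocations cannot be moved whatever the ASLR flag says. build_minimal_pe fabricates just enough of a header to exercise the parser offline; point check_file at a real java.exe or an AV vendor's DLLs to repeat the survey.

```python
"""Read the DEP and ASLR opt-in flags from a Windows PE image.

Added example, not Secunia's tooling. The linker records an image's stance in
the optional header's DllCharacteristics field (/NXCOMPAT sets NX_COMPAT,
/DYNAMICBASE sets DYNAMIC_BASE), so the state of any EXE or DLL can be read
from disk without running it. build_minimal_pe() fabricates test headers.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT (DEP)
PE32, PE32_PLUS = 0x10B, 0x20B


def mitigation_flags(data):
    """Return dict(dep, aslr, relocs_stripped, pe32plus) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # the flag is meaningless if the loader has no relocations to apply
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped,
        "relocs_stripped": relocs_stripped,
        "pe32plus": magic == PE32_PLUS,
    }


def build_minimal_pe(dll_chars, coff_chars=0, plus=False):
    """Constructed test data: the smallest header layout mitigation_flags() needs."""
    e_lfanew = 0x40
    dos_header = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    opt_size = 240 if plus else 224
    coff_header = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0,
                              opt_size, coff_chars)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32_PLUS if plus else PE32)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


def check_file(path):
    """Report the flags for an on-disk EXE or DLL."""
    with open(path, "rb") as f:
        return mitigation_flags(f.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Keep two things in mind when reading the results. DEP can be forced on for every process regardless of the flag by the system policy (bcdedit /set nx AlwaysOn), and an application can opt in at run time with SetProcessDEPPolicy, so a missing NX_COMPAT bit is not the whole story. ASLR has no such fallback: the loader only randomises images that carry the flag, and one unflagged DLL in a process is enough to give an attacker a fixed base.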

Issues

It appears that many applications, including antivirus software, do not take full advantage of what are proven and easy-to-implement protections present in most Windows installations (although neither is impossible to bypass). Some interesting responses from AV vendors, posted by Brian Krebs on his security blog, give some insight into the state of AV development.

“Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.””
“Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favour of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.””

Given the conflicting stances on these two technologies from antivirus vendors, it’s difficult to decide which approach is better, or if either is. However, I do feel that deciding not to use built-in features of an operating system adds complexity in an area where performance is quite obviously an issue. That said, it may be quicker to achieve the same thing a different way, but why then is one technology better than another? With this confusion in mind, it does bring one back to the quantitative metric of detection rates, and whether we care about the ‘how’ if the results are good. It would be interesting to look at detection rates vs. implementation of DEP and ASLR, but that’s slightly beyond the scope of this blog! However, I digress: the main issue is that DEP and ASLR are built-in protections which are not being utilised by many popular applications, and some will even admit to being remiss (even if it’s accompanied by marketing spin) in their exclusion.
Although antivirus software is the primary focus of this post, it is not the only software lacking these protections. The most alarming, in my opinion, is Java (Sun Java JRE)! To quote Secunia’s paper “Java resources are loaded and processed in the java.exe process and not in the context of the browser opening a web page that embeds a Java applet. DEP was found to be disabled in the java.exe executable included in the latest version of the software (6 Update 20). Furthermore, default libraries are loaded at fixed addresses.”

Thursday 8 July 2010

Secure Internet search, on Google?

If you haven't already been using the service, Google now provide an SSL-encrypted version of their popular search engine. The site can be accessed simply by visiting https://www.google.com and is currently in beta. Unfortunately, the site is currently only available under the generic top-level domain '.com' and will default search results to US sites. When using the encrypted site, links to results for image search and maps will not be included, as these features are not supported at present. In their blog, Google assure users that the data sent as part of the query remain unchanged and the only alteration is that the connection is SSL encrypted. One thing that I'm enjoying is the lack of sponsored links and advertising on search results, which obviously won't last – but it's a refreshing change not to be bombarded. The site also works in conjunction with GoogleSharing, which gives an encrypted search session that is also anonymised as far as Google is concerned (the GoogleSharing proxy itself still sees the queries).

Tuesday 29 June 2010

SSL VPN - What’s new in Version 7?

Two of the major players in SSL VPN appliances, F5 (Edge, Firepass) and Juniper (SA) have just released new versions (both version 7) of code. There are some notable (and not so notable) new features included in the new releases which may well whet the appetite of Information Security managers and administrators across the industry – or so the vendors hope.

Firstly, and at a slight tangent, I think it's worth mentioning a bit about F5 and how they have been refocusing their approach to SSL VPNs with the release of their Edge Gateway appliance. The Edge focuses on throughput and download speeds by consolidating their existing modules, WAN acceleration (WOM), Web Acceleration (WBA) and Access Policy Management (APM), into one 'Edge' package (for the Edge datasheet click here). F5 are continuing development of Firepass; however, conversations I've had with several SEs from F5 allude to it being phased out over the next few years. The Edge itself is essentially the three existing F5 modules mentioned above on BIG-IP running on F5's standard hardware. This is sold as a bundle and held together by pretty impressive client-side software specific to Edge.

F5 Firepass

The new version of code for the Firepass contains a few updates to Endpoint functionality, including support for Mac OS X and Linux antivirus inspectors (something the Juniper SA doesn't do), Endpoint hardware inspectors which enable access to be locked down by MAC address or HDD ID, and the addition of a CAPTCHA field to the login page to thwart brute-force attacks. Additionally, a major new feature is the ability to run the software as a virtual appliance. The Firepass VE (Virtual Edition) runs on VMware ESX 4 and can be licensed for up to 2000 users. F5 seem to be positioning this as a DR option if capacity needs to be boosted during a failure, rather than as an SME or scalable option. F5 have also added a Java applet for RDP, giving the end user the ability to connect to Windows machines remotely from any platform; this is essentially a feature to catch up with Juniper (although it's quite difficult to configure on Firepass).

Overall, I think that the changes to Firepass in version 7 bring it in-line with other offerings within this space (notably Juniper – rated as the best appliance on the market by Gartner (and my personal preference)) and features such as support for Mac AV checking and java-based RDP on the Endpoint will tip a few decisions with the growing prevalence of the 'business-Mac-user'.

Juniper SA

Version 7 of the Juniper software doesn't add as many features as F5's, but focuses on enhancement and transition to the JUNOS platform. One of the 'stand-out' features of the release is the JUNOS Pulse client, which improves upon Network Connect and is (as the name suggests) JUNOS compatible. As the Java RDP client used in version 6.x was quite difficult to configure and customers often reported a poor user experience (normally around resolution and window sizing, especially on Macs), Juniper have included third-party software from Hobsoft. Hob RDP is now included with 2 concurrent user licences; requirements exceeding this need to be purchased through Juniper or a reseller. I have only just started testing this myself as I may recommend it to a customer who is unhappy with the standard script. However, looking at comments in general on the J-Net forum, the feedback seems to be pretty positive. It appears, though, that it's not possible to force the use of Hob RDP for Windows users: it defaults to the older platform-specific version on Windows, meaning the end user experience is still different on Mac and Linux. Like F5, Juniper has also invested in creating a virtual appliance. Their focus for this lies in scalability and, unlike with F5, there is no limit on user licences.

Another feature that Juniper has added is the ability to open multiple user sessions. This is very handy if you use multiple machines at the same time and wish to complete two tasks on the VPN concurrently, although I am struggling to think of too many scenarios where this would be useful. One situation that springs to mind is when logged into the VPN and wanting to initiate a Secure Meeting. This was not possible prior to version 7 (and still isn't from a single machine) as it was strictly one session per user. After picking the brains of my colleagues as to a circumstance when this could be useful, we decided that the preclusion of multiple sessions could restrict use from smartphones or disparate devices (or iPads / iPhones when the JUNOS Pulse app is released in July). Two more minor features that caught my eye in the release notes were RDP7 support (which is fairly self-explanatory) and the ability to present legal disclaimers or an MOTD to users through the portal. In large estates this feature could be very useful, as we all know that people don't read emails or SharePoint message boards religiously.

Summary

To conclude, I believe that both vendors are taking steps in the right direction to improve the user experience, although in this release I feel that Firepass is playing catch-up and Juniper is smoothing the cracks that appear when you create a product with such granularity of control. It's disappointing also that F5 have not updated a horrible Windows 95-esque GUI, but I believe a complete re-write isn't going to be imminent as the Edge Gateway moves closer into focus.

Tuesday 15 June 2010

Can I Un-Google My Online Habits and Identity? Yes.

As any IT Geek, Nerd or Professional will tell you, Google knows all (at least when it comes to Internet browsing trends). Even if you’re not logged into one of their accounts, Google knows everything you've ever searched for, the search results you’ve clicked, the news and current affairs sites you frequent and every location you have searched for on Google Maps. Additionally, if you have a Gmail account, they have access to every email you’ve ever sent or received even if it’s been deleted. Cross-referencing this information intelligently is what Google is best at, be afraid!

Given the promiscuity of Google’s information gathering and analysis, it’s quite worrying what they can profile about any Internet user based on this data referenced against an IP address. Is there anything that you can do if you feel ‘stalked’?

Enter ‘GoogleSharing’. GoogleSharing is, in essence, a proxying process that obfuscates user information sent to Google by mixing multiple users’ requests and metadata together and adding in false requests for good measure. The proxy ONLY touches traffic destined for Google and does not affect other traffic passing through it. The solution is open source and consists of a proxy server (already running in the cloud) and a Firefox add-on. As the ‘icing on the cake’, all traffic sent to the GoogleSharing proxy server is encrypted using HTTPS. The trade-off to understand is that this moves trust rather than removing it: the proxy operator now sees everything Google would have seen, so the value of the scheme rests on the operator, and on the mixing being done honestly.

For more information visit: http://www.googlesharing.net

I’m currently in the process of testing the GoogleSharing proxy and comparing HTTP responses from filtered and unfiltered traffic. Further information regarding my findings will follow.

The fallacy of cloned machine SIDs

(Inspired by Mark Russinovich’s blog entry “The Machine SID Duplication Myth”)

On the 3rd November 2009, Sysinternals retired ‘NewSID’, a utility that changes a computer’s machine Security Identifier (machine SID). But why?

What is a SID?

A Security Identifier (commonly abbreviated to SID) is a variable-length binary value, conventionally written as a string such as S-1-5-21-…-500, that Windows uses to identify a security principal (a user, group or computer) in access tokens and ACLs. It is issued when the principal is created, not at logon: local accounts get the machine SID of the computer that holds them plus a relative identifier (RID), while domain accounts get the domain SID plus a RID allocated by the domain controllers. In both cases it is the SID, not the name, that ends up in the token built at logon and that ACLs are checked against.

How are duplicate SIDs created?

For those unfamiliar with the concept, when machines are cloned from a disk image or VM template the new machine keeps the machine SID of the original. Because local account SIDs are the machine SID plus a RID, two machines with the same machine SID also have identical SIDs for their local accounts and groups (the built-in Administrator, RID 500, for instance).
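A short added example, not from Mark's post, that parses SID strings in Python and classifies the SIDs you would find in a token or ACL relative to a given machine and domain. Splitting the issuer prefix from the RID makes both halves of the argument visible: why cloned machines end up with identical local account SIDs, and why a SID issued by some other machine is simply unresolvable here rather than dangerous. It also groups hosts by machine SID, which is the quick way to find clones in an estate (feed it the output of PsGetSid). All SIDs and hostnames are constructed.

```python
"""Parse Windows SIDs and sort out what a cloned machine SID does and does not share.

Added example, not from Mark Russinovich's post. A SID is a binary structure
conventionally written S-<revision>-<identifier authority>-<sub-authorities>.
For ordinary accounts the last sub-authority is the relative identifier (RID)
and the S-1-5-21-x-y-z prefix is the SID of whatever issued the account: the
machine SID for local accounts, the domain SID for domain accounts. All SIDs
and hostnames below are constructed.
"""
import re

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
NT_AUTHORITY = 5
NON_UNIQUE = 21  # first sub-authority of every machine and domain SID

WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def parse_sid(text):
    """Return (revision, identifier_authority, [sub_authorities])."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("malformed SID: %r" % text)
    revision = int(m.group(1))
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return revision, int(m.group(2)), subs


def split_account_sid(text):
    """For S-1-5-21-a-b-c-RID return (issuer SID, RID)."""
    _, authority, subs = parse_sid(text)
    if authority != NT_AUTHORITY or len(subs) != 5 or subs[0] != NON_UNIQUE:
        raise ValueError("not a machine- or domain-issued account SID: %r" % text)
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]


def account_sid(issuer_sid, rid):
    """Compose an account SID from its issuer (machine or domain SID) and a RID."""
    _, authority, subs = parse_sid(issuer_sid)
    if authority != NT_AUTHORITY or len(subs) != 4 or subs[0] != NON_UNIQUE:
        raise ValueError("issuer must be an S-1-5-21-x-y-z SID: %r" % issuer_sid)
    return "%s-%d" % (issuer_sid, rid)


def classify(sid, machine_sid, domain_sid=None):
    """Say what a SID found in a token or ACL means on this machine.

    'foreign' is the interesting case: a SID issued by another machine (a clone
    with the same machine SID included) cannot be resolved here, because this
    machine's LSA only builds tokens from its own SAM or from the domain.
    """
    if sid in WELL_KNOWN:
        return "well-known"
    try:
        issuer, _rid = split_account_sid(sid)
    except ValueError:
        return "other"
    if issuer == machine_sid:
        return "local"
    if domain_sid is not None and issuer == domain_sid:
        return "domain"
    return "foreign"


def find_clones(machine_sids):
    """Group hosts reporting the same machine SID (e.g. collected with PsGetSid)."""
    by_sid = {}
    for host, sid in machine_sids.items():
        by_sid.setdefault(sid, []).append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}


if __name__ == "__main__":
    machine = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    domain = "S-1-5-21-4444444444-5555555555-6666666666"   # constructed
    print(account_sid(machine, 500), classify(account_sid(machine, 500), machine, domain))
    print(account_sid(domain, 1105), classify(account_sid(domain, 1105), machine, domain))
    print(find_clones({"pc1": machine, "pc2": machine, "pc3": domain}))
```

The local Administrator on two clones really is the same SID string, which is the "duplicate" everyone worries about; but the only place either SID is ever evaluated is on the machine that issued it, and a domain account's SID has nothing to do with the machine SID at all.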

Common sense in de-duplication?

As most IT professionals who work with virtual technologies will attest, when creating virtual machines from templates conventional wisdom dictates that the new machine’s SID must be changed, because the clone carries a copy of the parent’s. However, Mark Russinovich (Microsoft Fellow, OS guru and creator of ‘NewSID’) and Microsoft have looked deeper into this and concluded that changing the machine SID of a clone is unnecessary. While investigating NewSID bugs on Windows Vista, Mark realised that he could not conceive of a scenario in which duplicate machine SIDs would cause a security problem: a machine’s local SIDs are only ever evaluated on that machine, and other systems never reference them. He took the question to Microsoft’s Windows security and deployment teams and nobody could come up with a case where two systems with the same machine SID, whether in a workgroup or a domain, would cause an issue; further investigation by Microsoft has yet to find one. The caveat in the same post is that Sysprep resets other per-machine state (the WSUS client identity, for example) that does cause problems when duplicated, so Microsoft’s support policy still requires cloned systems to be made unique with Sysprep. Food for thought next time you clone a machine.

To view the entire article, please see Mark’s blog:

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Welcome!

Hello and welcome to my blog - 418 I'm a teapot! Feel free to add any posts or comments that you like, and I hope you enjoy the blog and find some of the posts interesting.

This is my first attempt at a Security blog and I hope it will prove useful.