Archive for category Pentesting
Block New & Emerging Threats with SECURITY DATABASE
Posted by Mourad Ben Lakhoua in Pentesting, Vulnerabilities on February 23, 2010
Ensuring the security of a modern computer network with a large number of systems and devices takes a big effort, and keeping track of all the new gaps becomes more and more difficult. Here I want to present a very good infosec source.
Security-Database.com is an online computer security portal that provides free, comprehensive information about product vulnerabilities and penetration testing tools, based on open international standards.
Most importantly, the creator of Security-Database provides visitors with the latest vulnerability alerts, each keyed to its CVE identifier and accompanied by a brief description of the vulnerability, including report references when the vendor offers them.
That's not all: every alert is also cross-referenced to several international information security standards, including OVAL ID, CWE ID, CAPEC ID and SAINTexploitID.
I really like the fact that this website helps auditors find everything they need to perform auditing tasks by providing the best security tools with a short description and a link to the product. It also gives visitors the possibility to participate in the portal by submitting new security tools, so they feel that they play a big role in the portal's success.
At the top of the page, visitors can find several tabs to search for the desired vulnerability. Under the alert you can choose the vendor, and it brings you all vulnerabilities related to that vendor. You can filter what you are searching for by year, month, day, severity or category.
As you can see, the information from Security-Database.com is vital for any system administrator looking to prevent and manage threats to the information system. All the alerts are recorded in the database and are available at any time.
make sure you subscribe to my RSS feed!
BackTrack 4 Final Edition
Posted by Mourad Ben Lakhoua in Pentesting on January 11, 2010
Approximately one year after the first beta of BackTrack 4 was released, the team has today made the BackTrack 4 Final Release available for download. The beta was first introduced in February 2009, and we already listed its new features on SecTechno.
BackTrack is an excellent collection of security tools for penetration testing: it includes more than 300 of the most recent pentesting tools, the system is based on the Debian distribution, and it provides everything security testing needs.
First Tool to Crack Microsoft BitLocker Encryption
Posted by Mourad Ben Lakhoua in Pentesting on December 3, 2009
Passware has introduced the first commercial software solution that offers a way to crack files encrypted by BitLocker. Microsoft released this advanced full hard drive encryption system integrated into Windows Vista and also made it available on Windows 7 and Windows Server 2008.
We already listed the security enhancements in Microsoft Windows 7 in a previous post (Windows 7 overall security improvement), and BitLocker is among those improvements.
Passware Kit Forensic 9.5 recovers encryption keys for hard disks, secure technology and BitLocker. The software works by scanning a hard disk image for cryptographic keys and then decrypting the image into a clear file.
The software is now available in several versions, including a mobile version that can be carried on a USB stick and used directly on the desired machine without leaving any trace on it. This tool also offers 8 different password recovery attacks (Dictionary, Brute-force, Xieva, Known Password/Part, Previous Passwords, Decryptum, SureZip, Join Attacks, and Append Attacks), which let the user tailor the attack to the type of file and the available information, reducing the time of the operation.

Currently the tool supports 180 file types and allows users to recover passwords for PGP archives and virtual disks. The program is compatible with Windows 7/Vista/2003/XP and Server 2008.
You can find more details on the official website.
Cain & Abel New Release
Posted by Mourad Ben Lakhoua in News, Pentesting on October 20, 2009
A new version of Cain & Abel was released yesterday. This is a solid password recovery tool for various Microsoft operating systems: a very fast, flexible password cracker with network sniffing.
The tool allows a penetration tester to easily recover several kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Version 4.9.34 of the program includes a number of new features:
- Added support for Windows 2008 Terminal Server in the APR-RDP sniffer, which enables sniffing on switched LANs and man-in-the-middle attacks.
- Added Abel64.exe and Abel64.dll for 64-bit operating systems.
- The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.
- Ships routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentication schemes, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.
- Support for Windows Live Mail (Windows 7) password recovery for POP3, IMAP, NNTP, SMTP and LDAP.
You can download Cain & Abel v4.9.34 here.
Ways for Effective Network Penetration Testing
Posted by Mourad Ben Lakhoua in Pentesting on September 27, 2009
Every security professional has their own way of conducting a penetration testing engagement, but the overall plan and method for performing the pentest should be in accordance with security standards, recommendations and regulations.
The first step is to define a framework for the various parts of the pentest. This involves obtaining comprehensive information about the internal systems to help map the infrastructure. The required information includes:
- Network segmentation.
- Firewall rules (access lists…).
- Web-based applications and databases, if any.
- Wireless networks, if any.
- Any other security details that should be taken into account during the engagement (for example, account lockout after a number of failed authentication attempts, which helps prevent brute-force password discovery).
To start the network pentest you will need a good packet analysis tool; this can be Wireshark or CommView. You just need to run the sniffer for a period of 2 hours to capture the needed traffic and then analyze it.
We need to pay attention to the following protocols:
- Switching protocols (STP, DTP…)
- Routing protocols (RIP, EIGRP…)
- Dynamic host configuration protocols (DHCP, BOOTP)
- Open protocols that do not use encryption (Telnet, rlogin…)
These protocols show whether there are problems in the network and what we have to test, for example:
- If we find DHCP or RIP, we should test for man-in-the-middle attacks.
- For the Spanning Tree Protocol (STP), test the root bridge election, which allows intercepting the traffic of all neighboring segments.
- With DTP it is also possible to switch a port to trunk mode and intercept legitimate traffic.
To test these attacks you can use Yersinia, a network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems.
That covers the data link layer. Next we can move to the ARP poisoning attack, for which we can choose one of two tools or both (Cain & Abel or Ettercap). A successful ARP poisoning attack can allow the pentester to obtain clear-text passwords for various information resources (databases, the Active Directory domain and others), but it is very important to launch the tool against a single target so as not to DoS the system.
For the network layer we can add other tools, but overall these do a good job and their results can be included in the main report.
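As an added example that is not part of the original post, here is a small pure-Python classifier that walks a list of constructed raw Ethernet frames and counts the protocols named above (STP, DTP, DHCP/BOOTP, RIP, EIGRP, Telnet, rlogin). The resulting inventory is the to-do list for the tester's follow-up checks and for the network owner's hardening; the frames are built inline with zeroed addresses and no checksums, so nothing here touches a real network.

```python
import struct
from collections import Counter
# Addresses and ports of the protocols the post tells us to look for (constructed table)
STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
DTP_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast used by DTP (SNAP type 0x2004)
UDP_PORTS = {67: "DHCP/BOOTP", 68: "DHCP/BOOTP", 520: "RIP"}
TCP_PORTS = {23: "Telnet", 513: "rlogin"}

def classify_frame(frame: bytes) -> str:
    """Label one raw Ethernet frame with the protocol of interest, or 'other'."""
    if len(frame) < 14:
        return "other"
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype <= 1500:                       # 802.3 length field: LLC/SNAP frame
        if dst == STP_MAC:
            return "STP"
        is_snap = frame[14:17] == b"\xaa\xaa\x03"
        if dst == DTP_MAC and is_snap and frame[20:22] == b"\x20\x04":
            return "DTP"
        return "other"
    if ethertype != 0x0800 or len(frame) < 34:  # only IPv4 is handled here
        return "other"
    ihl = (frame[14] & 0x0F) * 4
    proto, l4 = frame[23], frame[14 + ihl:]
    if proto == 88:
        return "EIGRP"                          # EIGRP runs directly over IP, no ports
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        table = TCP_PORTS if proto == 6 else UDP_PORTS
        return table.get(dport) or table.get(sport) or "other"
    return "other"

def inventory(frames) -> Counter:
    """Count frames per protocol: the to-do list for tests, and for hardening."""
    return Counter(classify_frame(f) for f in frames)
# Helpers that build the constructed sample frames (zeroed MACs/IPs, no checksums)
def eth(dst, ethertype_or_len, payload):
    return dst + bytes(6) + struct.pack("!H", ethertype_or_len) + payload
def ipv4(proto, l4):
    return bytes([0x45, 0]) + struct.pack("!H", 20 + len(l4)) + bytes(4) + bytes([64, proto]) + bytes(10) + l4

SAMPLE = [
    eth(STP_MAC, 38, b"\x42\x42\x03" + bytes(35)),                               # STP BPDU
    eth(DTP_MAC, 46, b"\xaa\xaa\x03\x00\x00\x0c\x20\x04" + bytes(38)),           # DTP
    eth(b"\xff" * 6, 0x0800, ipv4(17, struct.pack("!HH", 68, 67) + bytes(20))),   # DHCP discover
    eth(bytes(6), 0x0800, ipv4(17, struct.pack("!HH", 520, 520) + bytes(4))),     # RIP update
    eth(bytes(6), 0x0800, ipv4(88, bytes(20))),                                   # EIGRP hello
    eth(bytes(6), 0x0800, ipv4(6, struct.pack("!HH", 40000, 23) + bytes(16))),    # Telnet
    eth(bytes(6), 0x0800, ipv4(6, struct.pack("!HH", 40001, 443) + bytes(16))),   # HTTPS (ignored)
]
```

`inventory(SAMPLE)` reports one frame each of STP, DTP, DHCP/BOOTP, RIP, EIGRP and Telnet and files the HTTPS frame under "other"; on a real 2-hour capture you would feed it the frame bytes from your sniffer instead of SAMPLE.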
Password Auditing Tools
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Tools on August 15, 2009
A VPN (virtual private network) is often used to secure communication over a public network. Many security specialists advise using one on public Wi-Fi to encrypt all traffic and make it impossible for an outsider to sniff information, or to provide remote access to an offsite user. But after implementing the VPN connection there should be a testing phase for user authentication.
Now the question is: who said that cracking the password of a VPN account is impossible?
The THC group has proved that this is achievable with THC PPTP bruter. This software is a brute forcer for the PPTP protocol (1723/TCP); it works only if the authentication server uses Microsoft CHAP v2 (MS-CHAPv2), and it can be used against Windows and Cisco gateways.
The good point of the bruter is that you can attempt up to 300-400 passwords, depending on packet delivery speed. So the time of the operation depends on how many bytes long your password is (8 or less is very risky) and on the network speed; we can try 14 million passwords per hour (and this can take less time if you know the password policy used by the organization). The only disadvantage of pptp-bruter is that it needs some third-party libraries to compile.
Microsoft SQL Server also uses authentication, and after implementing the database infrastructure, checking the security of user accounts is a must. Piggy 1.0.1 is a good tool for brute forcing and auditing passwords on Microsoft SQL Server. The good point of Piggy is that you can check multiple servers at the same time: after Nmap scans for the available services on the network, it provides the IP addresses of the servers with port 1433/TCP open, and Piggy automatically starts auditing the servers' user passwords, with a very good chance of finding those accounts using a dictionary attack.
Finally, here are some useful online links for cracking hashes:
http://passcracking.com/
http://www.hashchecker.com/index.php
http://www.milw0rm.com/
http://www.gdataonline.com/
http://www.md5hood.com/
And here: brute force in Python and Perl.
Scapy: Massive hacking tool!
Posted by Mourad Ben Lakhoua in Pentesting on July 20, 2009
Working from the command line makes many users uncomfortable with this tool, but Scapy brings together the benefits of many popular tools such as hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f and so on.
Scapy works perfectly with packets and gives the pentester the ability to test some advanced attacks such as VLAN hopping, ARP cache poisoning, VoIP decoding on a WEP encrypted channel, and more.
Let's start with installation. Here is the list of software needed to make Scapy work under Windows:
• Scapy for Windows
• Pywin32, Python for Windows Extensions
• WinPcap, the driver for capturing packets
• Pcap
• Libdnet
• Pyreadline
There are also some other modules that can extend Scapy's capabilities; we will keep them for another post.
After installing these packages, open a command prompt (cmd.exe), change to the directory containing scapy.py and run Scapy with "python scapy.py" (or just "scapy.py"). Everything should work now; you can try the command ls() to list all the protocols it supports (ARP, DNS…).
This tool is powerful at creating sequences of packets; Scapy can create several packets to different ports, which makes it a capable port scanner. The next thing we can do is scan the network for active hosts using ARP ping, the fastest way to find computers on the LAN, or send ICMP packets to list the active hosts on the network. If ICMP is blocked on the LAN, you can instead use a TCP ping on any open port such as HTTP port 80.
Here at SecTechno there have been various posts on DNS cache poisoning, such as the Google.co.ma incident. It is not difficult to perform ARP cache poisoning with Scapy: it already has the function arpcachepoison() to bind the attacker's MAC to the victim's IP. So when a client asks for the victim web server, it is physically redirected to the attacker's website.
Scapy also supports fuzzing. Fuzz testing is a tactic used by vulnerability researchers: random data is pushed into applications or operating system components to see whether and where they crash, hammering on the application's inputs.
The most important thing about Scapy is that you don't need to write a new tool. The proof of concept for the Microsoft IP options DoS needed 115 lines of C, while with Scapy it is done in just one line:
send(IP(dst="target", options="\x02\x27" + "X" * 38) / TCP())
Finally, with Scapy you can do everything you want (sniffing, fuzzing, ARP spoofing) offline and without an internet connection; you just write a Python scenario and can work without limits.
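As an added defensive illustration of the ARP cache poisoning described above (my own example, not Scapy code and not from the original post), here is a pure-Python watcher that decodes raw ARP packets and raises an alert when an IP address already bound to one MAC is claimed by a different MAC in a later reply. The packets are constructed inline; on a real LAN you would feed it the ARP payloads from your sniffer.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
ARP_REPLY = 2

def parse_arp(pkt: bytes):
    """Decode a raw Ethernet/IPv4 ARP packet (28 bytes) into a dict, or None if malformed."""
    if len(pkt) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

class ArpWatcher:
    """Remembers the IP->MAC binding from the first reply seen for each IP and reports any
    later reply that claims the same IP for a different MAC: the on-wire signature of a
    poisoning run (or of a genuine NIC change, which still deserves a look)."""
    def __init__(self):
        self.bindings = {}       # ip -> mac
        self.alerts = []

    def feed(self, pkt: bytes):
        arp = parse_arp(pkt)
        if arp is None or arp["op"] != ARP_REPLY:
            return None          # requests make no binding claim we track here
        ip, mac = arp["spa"], arp["sha"]
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return None
        alert = f"{ip} was {known}, now claimed by {mac} (reply sent to {arp['tpa']})"
        self.alerts.append(alert)
        return alert

def build_arp(op, sha, spa, tha, tpa) -> bytes:
    """Constructed ARP packet for the sample below (not captured traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       IPv4Address(spa).packed, bytes.fromhex(tha), IPv4Address(tpa).packed)

# Constructed sample: the real web server answers first, then a second host claims its IP
SAMPLE = [
    build_arp(1, "0a0a0a0a0a01", "10.0.0.10", "000000000000", "10.0.0.1"),   # who has 10.0.0.1?
    build_arp(2, "0a0a0a0a0a02", "10.0.0.1", "0a0a0a0a0a01", "10.0.0.10"),   # legitimate reply
    build_arp(2, "0a0a0a0a0a03", "10.0.0.1", "0a0a0a0a0a01", "10.0.0.10"),   # same IP, new MAC
]

def run(packets):
    """Feed every packet through one watcher and return the alerts raised."""
    w = ArpWatcher()
    return [a for a in map(w.feed, packets) if a]
```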


A new release has recently been announced by the Metasploit team. The Metasploit Framework helps perform penetration testing and create new exploits for available bugs.