Archive for category Pentesting

Wardriving These Days (Part 2)

The tools from the first part would not be complete without SpoonWEP/SpoonWPA, which were first introduced in BackTrack 3. These are graphical front-ends to aircrack-ng that let the pentester lock onto the access point's channel and crack the AP's security keys.

Another very interesting tool is Karmetasploit, which allows you to set up fake access points, capture passwords, harvest data and conduct browser attacks against clients.

Wireless penetration testing is not limited to software such as BackTrack; you can also find ready-made hardware like the WiFi Pineapple. Its trick is that nobody at home, in the office, in a coffee shop or at an airport would suspect that the Pineapple contains a rogue access point that can conduct a man-in-the-middle attack and collect every user's credentials. The WiFi Pineapple costs $119.

When people turn on their laptops, the wireless software automatically tries to reconnect to the access points it remembers, so the laptop sends out probe requests that ask "Is such-and-such wireless network around?". The WiFi Pineapple answers these probes with "Sure, I'm such-and-such wireless access point, let's get you online!".

The WiFi Pineapple is a battery-powered wireless hacking device based on the Fon 2100 access point.
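The "I'm whatever network you asked for" behaviour described above leaves a footprint a defender can look for: one BSSID answering probe requests for many unrelated SSIDs, or for an SSID that a different, legitimate AP is beaconing. The following script is an added example written for this post, not code from the original article or from the Pineapple project. It runs over a constructed list of simplified 802.11 management-frame records (the `SAMPLE_FRAMES` list, function names and MAC/SSID values are all invented here); in a real deployment the records would come from a monitor-mode capture, which is outside the snippet.

```python
"""Detect an access point that answers probe requests for any SSID (the
Karma / WiFi Pineapple behaviour) from simplified 802.11 frame records.

Added example, not from the original post or the Pineapple project.
Each record is a dict with the frame type, the sender MAC and the SSID;
parsing real frames from a pcap is outside this snippet."""
from collections import defaultdict

# Constructed sample capture. 66:77:... is a normal AP that beacons and
# answers only for its own SSID; 00:11:... never beacons, yet answers
# every probe it hears, including one for the legitimate AP's SSID.
SAMPLE_FRAMES = [
    {"type": "beacon",     "src": "66:77:88:99:aa:bb", "ssid": "OfficeWLAN"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:01", "ssid": "HomeNet"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "ssid": "HomeNet"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:02", "ssid": "CoffeeShop"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "ssid": "CoffeeShop"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:03", "ssid": "AirportFree"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "ssid": "AirportFree"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:04", "ssid": "OfficeWLAN"},
    {"type": "probe_resp", "src": "66:77:88:99:aa:bb", "ssid": "OfficeWLAN"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "ssid": "OfficeWLAN"},
]


def ssids_by_responder(frames):
    """Map each responding MAC (BSSID) to the set of SSIDs it answered for."""
    answered = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp" and f["ssid"]:
            answered[f["src"]].add(f["ssid"])
    return answered


def beaconed_ssids(frames):
    """Map each BSSID to the SSIDs it actually advertises in beacons."""
    seen = defaultdict(set)
    for f in frames:
        if f["type"] == "beacon" and f["ssid"]:
            seen[f["src"]].add(f["ssid"])
    return seen


def find_karma_responders(frames, max_ssids=2):
    """Return {bssid: sorted SSIDs} for responders that look like a Karma AP.

    Two signals: answering for more distinct SSIDs than a real multi-SSID
    AP plausibly hosts (max_ssids is a tuning knob), or answering for an
    SSID that another BSSID beacons while this one does not (evil twin)."""
    beacons = beaconed_ssids(frames)
    suspects = {}
    for bssid, ssids in ssids_by_responder(frames).items():
        own = beacons.get(bssid, set())
        twins = {s for s in ssids if s not in own
                 and any(s in other for b, other in beacons.items() if b != bssid)}
        if len(ssids) > max_ssids or twins:
            suspects[bssid] = sorted(ssids)
    return suspects


def clients_at_risk(frames, bssid):
    """Sorted client MACs whose probed SSID the given BSSID answered for,
    i.e. the stations that may have associated with the rogue AP."""
    answered = ssids_by_responder(frames).get(bssid, set())
    clients = {f["src"] for f in frames
               if f["type"] == "probe_req" and f["ssid"] in answered}
    return sorted(clients)


if __name__ == "__main__":
    for bssid, ssids in find_karma_responders(SAMPLE_FRAMES).items():
        print(f"suspect {bssid} answered for {ssids}")
        print("  clients at risk:", clients_at_risk(SAMPLE_FRAMES, bssid))
```

The evil-twin signal is the more reliable of the two on a busy network, because a real AP can legitimately serve a few SSIDs but should never answer for a neighbour's.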


Wardriving These Days (part 1)

In the past, cracking a wireless network was difficult: you had to search for the right software under a Linux distribution, check driver compatibility so that packets could be injected into the network, and only then get access to the Wi-Fi network. The question is, do we still face the same difficulties today?

To answer this question we will look at some online resources that provide a ready-made distribution, so that the tools required to evaluate any wireless network can be obtained in a few steps.

Today we find two types of wireless network. The first is the unencrypted network, which needs nothing more than a wireless device to connect. The second uses encryption in one of three forms: WEP, which is no longer secure because it can be cracked with 100% success within a few minutes, but which we now rarely find; and WPA or WPA2, which most networks use today.

First you need a copy of BackTrack; you can put it on a USB stick with UNetbootin so that you have it with you everywhere. Even if you forget your laptop, you can plug in the USB stick and boot from it to have all the tools you need for your work.

Next, check that your wireless adapter supports monitor mode; the compatibility list on the Aircrack-ng portal shows which adapters do.

You are then ready to use the latest wardriving tools. The first is AUTOMATIC WPA HANDSHAKE CAPTURE, a Python script that helps you obtain WPA handshakes: you give it the WLAN interface and the MAC addresses of both the AP and the client, and it returns a traffic dump containing the handshake.

GerixWiFiCracker is a graphical add-on to Aircrack-ng. To use it, go to the configuration settings, select the interface, then press "Start Sniffing and Logging" and "Perform a test of injection AP". With Gerix you can also create a fake AP on the desired channel, so that your PC responds to any probe request with a matching probe response telling the client to authenticate to the BSSID, just as airbase-ng does; note that this also disrupts every AP on the same channel.

These tools are updates to the wireless penetration testing tools previously covered on SecTechno, and there are still others to come.

To be continued….


TRANCHULAS Ethical-Hacking Online Training

Tranchulas is an international consulting firm that has launched a new e-learning service from Pakistan. The training covers several IT security topics:

1- Web Application Security Workshop
2- PCI Data Security Standard Training
3- Hands-On Ethical Hacking
4- ISO/IEC 27001 – ISMS Implementation

Before attending the courses, a test is conducted to evaluate the attendees' knowledge, and according to the result the student is assigned to the appropriate level.
Today I attended a short demonstration of the Ethical Hacking course. The course teaches advanced techniques in ARP spoofing and network scanning using BackTrack. There are very nice live scenarios that help students understand deeply how simple it is to conduct a man-in-the-middle attack in a real working environment, even when the traffic is encrypted with SSL.

Zubair Khan, the Chief Executive Officer, has conducted security training at various forums in Pakistan and abroad. He has previously presented at renowned security conferences including Hack.lu Luxembourg, Hack In The Box Malaysia and Infosek Slovenia. The Chairman of the Pakistan Engineering Development Board and the Chairman of the Pakistan Engineering Council have recognized his research and work.

This is a cutting-edge course whose current outline covers: basic Bash scripting, information gathering (Google hacking and harvesting, Netcraft, DNS reconnaissance, …), port scanning, ARP spoofing, buffer overflow exploitation, bind shells and reverse shells, etc.

For more information and details on upcoming trainings, visit the official website.


Hacking Lotus Domino

IBM Lotus Domino Server is a solution for the corporate environment that provides various services for managing electronic documents; it includes several modules such as a mail server, an HTTP server and a database. The current version is Lotus Domino 8.5.1.

To detect the server we start by scanning the network. The server usually runs a web interface, Lotus Domino httpd, so we run Nmap against the target network as follows:

nmap -sV 172.16.1.0/24 -p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Lotus Domino httpd

As you can see, the IP address of the Domino server has been found, and you can open your web browser to look at some Domino web pages that reveal the version: http://serverip/homepage.nsf.

You can also use Google hacking to find web servers running Domino by searching for inurl:homepage.nsf; the results list thousands of Domino-based web pages. It is very important to note that you must not practise on these sites.

Usually, when you install the Lotus client, you need to connect to the server as a user, and an authentication screen appears that scares off inexperienced hackers. If you concentrate and check everything carefully, though, you will find the gaps and the administrator's mistakes.

Start by learning where the important resources on the server are. On Domino the most important files have the .NSF extension, so we have:

/Names.nsf, the file on the Domino server that contains the file names and paths (the most important database in the Domino environment).

You can find other files using DominoHunter, which gives you a list of all .nsf files. But what we need is the names.nsf database, which holds all mail addresses, user information, users' operating systems, the security applications on Lotus Notes and other important information.

What is interesting is that on most Domino servers this file can be accessed by anonymous users =-).
The kinds of information we need to take care of are:

1. The list of user logins, so we can guess their passwords and find out which account is the admin.

2. All of this information can be used in social engineering to trick untrained personnel.

3. In names.nsf you will also find the OS version and the Lotus Notes client version, which is very helpful for finding 0-days for every user, application and OS. Here an attacker can even use a vulnerability in Internet Explorer to compromise some accounts.

Gathering information is not all that is possible. In 2005 someone discovered a vulnerability that allows an attacker to obtain Internet users' password hashes. It is not difficult to exploit, because all users' password hashes are stored in the hidden HTTPPassword or dspHTTPPassword fields, depending on the version.
Strangely, this vulnerability remains unfixed.

Since the number of users can be in the hundreds or thousands, you need to collect all the hashes automatically. In 2007 an exploit for dumping password hashes, Raptor_dominohash, was released that allows downloading all users' hashes.

DominoHashBreaker is another important tool; it tries to recover the clear-text password with a dictionary attack. Its goal is to let an administrator check the robustness of the users' passwords.

For the best results, however, use John the Ripper with the Jumbo patch, which adds support for modern password hashes: all you need is to give HASH.txt (in the form username:hash) to John the Ripper. Once you find one account's password you will know the password policy for all users, and obtaining the full password list will not take much time. These passwords are for Domino web access.

If we have the administrator's password, fine; if not, we repeat the previous steps. What is interesting is that the admin password lets an attacker open webadmin.nsf (servername/webadmin.nsf), the interface for administering the Lotus Domino web server, and with access to this resource you can add, remove or modify users.

Domino also has another protocol, NRPC, on port 1352. It is used by the Lotus Notes and Lotus Designer clients, and the client must have a certificate, a file with the .ID extension, to prove its identity. There is also a password authentication mechanism.

The password is used to decrypt the ID file, so to access any Domino account we need two things: the ID file and its password. This is more complicated than web access, but it is always possible.

To get the ID file you can exploit a weakness in Lotus Domino whereby the server keeps a copy of the ID stored on the server, so with the user logins obtained from names.nsf you will have the IDs. For the password there are three free tools that can search for the ID password: ID Password Recovery, Lotus Notes Password Recovery and Notes Password Recovery, available by following this link.

This post gives a clear picture of the configuration faults that can exist in a Domino server, where a small vulnerability can allow an outsider to take full control of the server and manipulate a corporation's most sensitive information.

Reference: http://dsecrg.com/pages/pub/show.php?id=2


Block New & Emerging Threats with SECURITY DATABASE

Securing a modern computer network with a large number of systems and devices takes a big effort, and keeping track of every new gap becomes more and more difficult. Here I want to present a very good infosec source.

Security-Database.com is an online computer security portal that provides free, comprehensive information about product vulnerabilities and penetration testing tools, based on open international standards.

Most importantly, the creators of Security-Database provide visitors with the latest vulnerability alerts, each keyed to its CVE identifier with a brief description of the vulnerability and the vendor's report references when available.

That is not all: every alert is cross-referenced to several international information security standards, including OVAL ID, CWE ID, CAPEC ID and SAINTexploit ID.

I really like the fact that this website helps auditors find everything they need to perform their auditing tasks, by listing the best security tools with a short description and a link to the product. It also lets visitors take part in the portal by submitting new security tools, so they feel they play a big role in its success.

At the top of the page, visitors find several tabs for searching for a given vulnerability. Under Alerts you can choose a vendor and get all vulnerabilities related to it, and you can filter the results by year, month, day, severity or category.

As you can see, the information from Security-Database.com is vital for any system administrator looking to prevent and manage threats to the information system. All the alerts are recorded in the database and are available at any time.


BackTrack 4 Final Edition

Approximately one year after the first beta of BackTrack 4 was released, the team has today made the BackTrack 4 Final Release available for download. The beta was first introduced in February 2009, and we already listed its new features on SecTechno.

BackTrack is an excellent collection of security tools for penetration testing. It includes more than 300 of the most recent pentesting tools, is based on the Debian distribution, and provides everything security testing needs.


First Tool to Crack Microsoft BitLocker Encryption

Passware has introduced the first commercial software that offers a way to crack files encrypted with BitLocker. Microsoft released this advanced full-disk encryption system with Windows Vista and also made it available on Windows 7 and Windows Server 2008.

We already covered the security enhancements in Microsoft Windows 7 in a previous post (Windows 7 overall security improvement), and BitLocker is among the improvements Microsoft provides.

Passware Kit Forensic 9.5 recovers encryption keys for hard disks, "secure Technology" and BitLocker. The software works by scanning a hard disk image for cryptographic keys and then decrypting the image into clear form.

The software is available in several versions, including a mobile version that can be carried on a USB stick and used directly on the target machine without leaving any trace on it. That is not all: the tool also offers 8 different password recovery attacks (Dictionary, Brute-force, Xieva, Known Password/Part, Previous Passwords, Decryptum, SureZip, Join Attacks and Append Attacks), which let the user tailor the attack to the type of file and the information available, reducing the time the operation takes.

Currently the tool supports 180 file types and lets users recover passwords for PGP archives and virtual disks. The program is compatible with Windows 7/Vista/2003/XP and Server 2008.

You can find more details on the official website.


Metasploit Framework 3.3 New Stable Release

A new release has recently been announced by the Metasploit team. The Metasploit Framework helps perform penetration tests and develop new exploits for known bugs.

The Metasploit platform is used by network security professionals, network administrators, developers and researchers to test the security of any newly installed system. The project was created to provide information on exploit techniques and to be a useful resource for exploit developers and security professionals. Metasploit is an open source project managed by Rapid7, and its software packages are written in Ruby and C.

Development of Metasploit Framework 3.3 took about 12 months. The new version includes 120 new exploit modules, over 100 new auxiliary modules and 180 bug fixes. The release notes are online, and you can download the toolkit immediately.


Cain & Abel New Release

A new version of Cain & Abel was released yesterday. This solid password recovery tool for various Microsoft operating systems is a super fast, flexible password cracker with network sniffing.

The tool allows a penetration tester to easily recover several kinds of passwords by sniffing the network, cracking encrypted passwords with dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Version 4.9.34 of this program includes a number of new features:

- Support for the Windows 2008 Terminal Server APR-RDP sniffer, which enables sniffing on switched LANs and man-in-the-middle attacks.

- Abel64.exe and Abel64.dll for 64-bit operating systems.

- The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.

- Routing protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentication schemes, password/hash calculators, cryptanalysis attacks, password decoders and some less common utilities related to network and system security.

- Windows Live Mail (Windows 7) password recovery for POP3, IMAP, NNTP, SMTP and LDAP.

You can download Cain & Abel v4.9.34 here.


Critical Windows Remote Vulnerability Exploit

A new post released yesterday provides a script that exploits a critical Windows vulnerability, which has been known since the 7th of September.

Until this Monday the vulnerability could only crash the system, but now that Stephen Fewer of Metasploit has published this script, it is possible to run unauthorized software remotely on a vulnerable PC.

The security firm Immunity had earlier developed its own code using this bug, but it was available only to their subscribers, whereas Metasploit has made its exploit freely available to everyone.

Members of the Metasploit project, which produces an open-source program for network testing, say the exploit works on Windows Vista Service Pack 1 and 2 and on Windows 2008 SP1 and SP2. On the other hand, according to Kostya Kortchinsky of Immunity, the Metasploit code is completely unreliable: he was only able to make the exploit work against an operating system running in a VMware virtual machine, and when he tried it against Windows on a physical machine it simply failed.

In response, HD Moore of the Metasploit team said that the attack definitely works on several physical machines, but it seems additional testing is required.

So there is a serious vulnerability with no patch available yet. Microsoft advises the following:

Mitigations that help prevent attacks
There are a number of mitigating factors that could aid in preventing attacks such as:
• Enterprise customers can disable SMBv2 using a simple registry script or the Fix It described above. Disabling SMBv2 prevents the vulnerable code from being reached.
• Consumers (not part of an enterprise network) are protected by the on-by-default firewall included in Windows Vista:
  o The on-by-default Windows firewall protects vulnerable systems.
  o The on-by-default Windows firewall allows packets through only if a user explicitly shares a folder or printer.
  o When a Windows Vista user chooses the ‘Public’ firewall setting, the firewall will block packets even if a folder or printer has been shared.
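The "simple registry script" in Microsoft's first mitigation is a single DWORD value; the harder part for an administrator is confirming it actually landed on every host. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes (from memory of the published workaround, so verify the name against the advisory) that the value is `Smb2` under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, with 0 meaning SMBv2 disabled. It works on the text of a `reg export` of that key, so exports collected from many machines can be checked offline; the `SAMPLE_EXPORT` fragment and the function names are invented here.

```python
"""Check exported LanmanServer registry fragments for the SMBv2 workaround.

Added example, not from the original post or from Microsoft. The value
name Smb2 under LanmanServer\\Parameters is assumed to be the one the
published workaround sets (0 = SMBv2 disabled); confirm it against the
advisory. Input is the text of a .reg export, so the check runs offline."""
import re

LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample export from a host that still has SMBv2 enabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000001
"Smb2"=dword:00000001
"NullSessionPipes"=hex(7):00,00
"""


def parse_reg_export(text):
    """Parse a .reg file into {key_path: {value_name: value}}.

    dword values become ints, quoted strings become str, and any other
    type (hex(7), binary, ...) is kept as its raw right-hand side."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1]
        else:
            value = rhs
        tree[current][name] = value
    return tree


def smb2_disabled(export_text):
    """True only if Smb2 is explicitly set to 0 under LanmanServer\\Parameters.

    A missing value means the platform default applies, which on Vista and
    Server 2008 is SMBv2 enabled, so that case is reported as not mitigated."""
    params = parse_reg_export(export_text).get(LANMAN_KEY, {})
    for name, value in params.items():      # value names are case-insensitive
        if name.lower() == "smb2":
            return value == 0
    return False


def mitigation_reg_text():
    """The .reg fragment that applies the (assumed) workaround value.

    The Server service has to be restarted for the change to take effect,
    and the value should be removed again once the real patch is installed."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{LANMAN_KEY}]\r\n"
        '"Smb2"=dword:00000000\r\n'
    )


if __name__ == "__main__":
    print("sample host mitigated:", smb2_disabled(SAMPLE_EXPORT))
    print("after applying workaround:", smb2_disabled(mitigation_reg_text()))
```

Treating an absent value as "not mitigated" is deliberate: a host that was never touched by the script looks identical to one where the script failed, and the audit should flag both.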

This can help mitigate the risk until a patch is issued. You can also test for this vulnerability using the Metasploit Framework, which is also available in BackTrack.
