Scylla – Framework for Penetration Testing

Scylla is another tool you can use for penetration testing the protocols used by different applications. Scylla works in three basic stages. The first is the pre-hack stage, where the tool gathers information about the remote application without resorting to brute-force attacks (something like enumeration). This is where the anti-anti-brute-force techniques are implemented, such as obtaining the password policy, measuring latency times, etc. Scylla also collects extra information to support the attack: protocol and service versions, checks for null sessions, and system enumeration, among other things.

The second stage is the brute-force attack, used to audit the accounts in use and break any available ones. Compared to Hydra, Scylla works three times faster, which makes test runs shorter and allows a faster attack on remote systems. For example, where Hydra makes 7,000 tries/min, Scylla makes over 22,000 tries/min against MSFTPd.

The final stage is the post-hack stage, where the pentester uses the gathered information to build a proof of concept of the attack on the remote systems. The benefits of this tool: user and password list based brute force; support for multiple hosts; multiple simultaneous sessions; Nmap integration; the ability to restore sessions; session auto-saving (based on SQL Server CE); hacker oriented; open source.

You can download Scylla from the following link: http://code.google.com/p/scylla-v1/


South Korean Malware Infects, Wipes MBR

The South Korean company NSHC has released more information about the software tools used in the attacks of March 20, 2013 against banking systems and media in South Korea. The computer networks of three broadcasters and two banks froze at around 14:00 local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected.

On infected Windows computers the malware erased the boot records (MBR and VBR); on servers running Unix/Linux, files were deleted through the standard remote management tools after the malware obtained the login credentials from the infected Windows machines.

This sophisticated malware checks the system for the presence of security software such as AhnLab Policy Agent or Hauri ViRobot and then tries to kill their running services. Once this is done it overwrites the MBR and shuts down the system.

Everything is automated so that the system is finally left unbootable. The available information therefore suggests that the malware's objective is simply to destroy production systems, which can be an effective way to take an enemy's computing resources out of service.

Major security software usually provides a way to prevent the antimalware agent from being disabled locally. This is very important, since it makes it impossible for malware to kill the security service and protects local users, so do not hesitate to enable this functionality.

Also, as always, make sure to keep your security software definitions updated so that you are protected against any new malware.

You can find the NSHC report by following this link: http://training.nshc.net/KOR/Document/virus/5-20130322_320CyberTerrorIncidentResponseReportbyRedAlert.pdf


Trend Micro Warns of Attacks Against ICS/SCADA Systems

At Black Hat Europe 2013 in Amsterdam, a security researcher at Trend Micro revealed a collaborative honeypot project with its SCADA security team that ran fake ICS/SCADA devices of the kind used in many critical infrastructure power and water plants.

The honeypots were optimized and promoted on different search engines such as Google so that they could be found directly, tricking attackers into believing the servers were real. The servers were named 'Scada-1', 'Scada-2', and so on.

According to SCADA security researcher Kyle Wilhoit, they also seeded the honeypot devices into HD Moore's Shodan project. This was done so that motivated, targeted attackers could easily find the servers, and the first attack was detected after only 18 hours.

Trend Micro reported detecting 39 attacks on the honeypots from 11 different countries during the 28 days they were active. 12 of the attacks were targeted, and 13 were repeated several times by the same actor, indicating they could have been automated.

Besides the honeypot results, the researchers published the Snort intrusion detection system results, where the top Snort alert generated in the honeypot environment was "Modbus TCP non-Modbus communication on TCP port 502". This rule is triggered when an established Modbus connection is hijacked or spoofed to send other commands or attacks to a different device.
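The check behind that Snort alert can be approximated by validating the Modbus/TCP MBAP header on anything sent to port 502. This is an added example, not code from Trend Micro or the honeypot project; the sample flows are constructed and the IP addresses are placeholders.

```python
import struct

MODBUS_PORT = 502
# Public Modbus function codes; an exception response sets the high bit (code | 0x80).
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}


def classify_modbus_payload(payload: bytes) -> str:
    """Return 'modbus' if payload is a well-formed Modbus/TCP ADU, otherwise a reason string."""
    if len(payload) < 8:
        return "non-modbus: shorter than the 7-byte MBAP header plus a function code"
    # MBAP header: transaction id, protocol id, length, unit id (all big-endian)
    _tid, protocol_id, length, _unit_id = struct.unpack("!HHHB", payload[:7])
    if protocol_id != 0:
        return f"non-modbus: protocol id {protocol_id} (Modbus/TCP requires 0)"
    if length != len(payload) - 6:
        return f"non-modbus: length field {length} does not match {len(payload) - 6} trailing bytes"
    if not 2 <= length <= 254:
        return f"non-modbus: length {length} outside the 2..254 allowed for unit id + PDU"
    function_code = payload[7]
    if function_code & 0x7F not in PUBLIC_FUNCTION_CODES:
        return f"suspicious: non-public function code {function_code}"
    return "modbus"


def alerts_for_flows(flows):
    """flows: iterable of (src, dst_port, payload); alert on port-502 traffic that is not Modbus."""
    alerts = []
    for src, dst_port, payload in flows:
        if dst_port != MODBUS_PORT:
            continue  # the Snort rule only looks at the Modbus port
        verdict = classify_modbus_payload(payload)
        if verdict != "modbus":
            alerts.append(f"{src} -> tcp/{dst_port}: {verdict}")
    return alerts


# Constructed sample flows (not real captures from the honeypot project)
READ_HOLDING_REGISTERS = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
SAMPLE_FLOWS = [
    ("10.0.0.5", 502, READ_HOLDING_REGISTERS),                      # legitimate poll
    ("10.0.0.9", 502, b"GET / HTTP/1.1\r\nHost: scada-1\r\n\r\n"),  # HTTP aimed at port 502
    ("10.0.0.9", 502, b"\x00\x01"),                                 # short probe
    ("10.0.0.7", 502, b"\x00\x02\x00\x00\x00\x02\x01\x5a"),         # valid header, unknown code
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"),                    # not the Modbus port
]

if __name__ == "__main__":
    for alert in alerts_for_flows(SAMPLE_FLOWS):
        print(alert)
```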

You can get the Trend Micro report by following this link: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf


Microsoft Patch Tuesday: Microsoft fixes critical flaws in IE

Microsoft is about to release a bunch of security patches for the Windows operating system. Seven patches are coming to fix four critical vulnerabilities that allow an attacker to execute a malicious program on a remote system by redirecting victims to a malicious website.

The first update is for Internet Explorer and is required on all Windows operating systems, while the Microsoft Silverlight patch is necessary on Mac OS X as well as Windows systems. The third critical update affects Microsoft Office; here, according to Qualys, rating this bug as critical is puzzling because it requires the victim to open an infected file for the attack to work.

The last critical security patch is for Microsoft SharePoint Server 2010 Service Pack 1.

If you are using Microsoft-based systems, make sure to review the next Patch Tuesday advance notification to prepare your infrastructure and plan how you will patch and restart the affected software.


SUDO Auth Bypass Vulnerability

An authentication bypass vulnerability has been discovered in the sudo utility; the affected versions are sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 inclusive. The security bug allows an attacker with physical access to run commands without the user's password. On UNIX, sudo allows a user to execute commands with root privilege, which means full administrator privileges on the system.

Exploiting the vulnerability requires some conditions: the user must be listed in the legitimate /etc/sudoers, and it must also be possible to change the system time. If these conditions hold, running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00) lets the user run sudo without having to authenticate.

This vulnerability is fixed in sudo 1.8.6p7 and 1.7.10p7. These versions ignore a time stamp file that is set to the epoch. As a workaround you can use "sudo -K" instead of "sudo -k" to completely remove the time stamp file instead of just resetting it.
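A quick way to check whether an installed sudo falls in the affected ranges quoted above, as an added example (not code from the sudo project). It assumes `sudo -V` prints "Sudo version X" on its first line; the sample output is constructed.

```python
import re

# Affected ranges as stated in the advisory (inclusive) and the releases that fix the bug
AFFECTED_RANGES = [("1.6.0", "1.7.10p6"), ("1.8.0", "1.8.6p6")]
FIXED_VERSIONS = ("1.7.10p7", "1.8.6p7")


def parse_sudo_version(text: str) -> tuple:
    """Turn '1.8.6p6' into (1, 8, 6, 6); a release without a 'pN' suffix gets patch level 0."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the vulnerable ranges."""
    parsed = parse_sudo_version(version)
    return any(parse_sudo_version(low) <= parsed <= parse_sudo_version(high)
               for low, high in AFFECTED_RANGES)


def check_sudo_output(output: str) -> str:
    """Classify the version line of `sudo -V` output, e.g. 'Sudo version 1.8.6p6'."""
    match = re.search(r"[Ss]udo version (\S+)", output)
    if not match:
        return "unknown: could not find a version line in sudo -V output"
    version = match.group(1)
    if is_affected(version):
        return f"affected: sudo {version}, upgrade to {' or '.join(FIXED_VERSIONS)} or use 'sudo -K'"
    return f"not affected by version string: sudo {version}"


# Constructed sample, not captured from a real host. Caveat: distribution packages often
# backport the fix without bumping the version string, so also check your vendor's advisory.
SAMPLE_OUTPUT = "Sudo version 1.8.6p6\nSudoers policy plugin version 1.8.6p6\n"

if __name__ == "__main__":
    print(check_sudo_output(SAMPLE_OUTPUT))
```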


Evernote warns of possible security breach

Evernote, one of the popular online services, has been hacked this week. An unknown attacker gained access to a database of email addresses and passwords. The sensitive information has not yet been published, but it is always possible that the attacker will publish the data on the internet.

Evernote is a cloud-based service that helps users store all their personal documents, notes or information online, with synchronization that allows access to the data at any time from any online device. After detecting the breach, an email message was sent to all users with instructions to reset their account password and create a new one.

Detecting such an incident and urging users to change their passwords is a good but incomplete step for preventing a future attack; with today's security measures, multifactor authentication is very important to protect users' sensitive information.

Users also need to verify the type of encryption used by the company; in Evernote's case they still use weak encryption, RC2 (64-bit), to protect users' documents. Also, the Evernote web site does not support HSTS, which is the basic protection against man-in-the-middle attacks.


Cookie Cadger – Tool for auditing non encrypted Web Traffic

Wireless networks are widely used in public places such as airports, coffee shops or hotels, and having access to the network allows attackers to listen in on sensitive information. Many users still share private and personal information through Web services that use the HTTP protocol to transport unencrypted data rather than the HTTPS encrypted version using SSL/TLS.

Here we have cookies, which can be used for authentication, for sessions, or to store specific information about users, such as site preferences or the contents of electronic shopping carts. Cookies from certain sites are detected and blocked by many antivirus products because they allow users to be tracked when they visit certain websites.

For pentesting a wireless network used for web browsing we can consider Cookie Cadger. This is a tool that can be used with a standard sniffer such as Wireshark to identify information leakage from applications that utilize insecure HTTP GET requests.

(Screenshot: Cookie Cadger request view, http://3.bp.blogspot.com/-E5ud28C1EJk/UJVd2KYpiuI/AAAAAAAABGI/yWIfL13jJR8/s1600/CookieCadgerRequests.png)

Cookie Cadger works on Windows, Linux, or Mac, and requires Java 7. Usually simply installing Wireshark is sufficient. Additionally, capturing packets promiscuously requires compatible hardware. Capturing Wi-Fi traffic requires hardware capable of monitor mode, and the knowledge of how to place your device into monitor mode.

If you are planning to use a Wi-Fi network, be sure to activate a VPN connection, and for sensitive data make sure that you are using SSL/TLS so that all your otherwise unencrypted browsing to different websites is encrypted. You can download Cookie Cadger from the following link: https://www.cookiecadger.com/files/CookieCadger-0.9.jar
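On the server side, the two weaknesses mentioned on this page (a missing HSTS header, as in the Evernote post above, and cookies that a sniffer like Cookie Cadger can harvest because they travel over plain HTTP) can be spotted by auditing response headers. This is an added example, not code from Cookie Cadger or Evernote; the two responses are constructed.

```python
ONE_YEAR = 31536000  # minimum HSTS max-age usually recommended, in seconds

def parse_response_headers(raw: str) -> list:
    """Split a raw HTTP response into (lowercased-name, value) pairs; repeated headers are kept."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_hsts(headers: list) -> list:
    """HSTS tells browsers to refuse plain HTTP for the host; it is only honoured over HTTPS."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: plain-HTTP requests remain possible"]
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    findings = []
    if not directives.get("max-age", "").isdigit() or int(directives["max-age"]) < ONE_YEAR:
        findings.append(f"HSTS max-age missing or below {ONE_YEAR} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def audit_cookies(headers: list) -> list:
    """A cookie without Secure is sent on plain-HTTP requests too, which is what a sniffer sees."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = [p.strip().lower() for p in value.split(";")]
        cookie = attrs[0].partition("=")[0]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly")
    return findings

def audit_response(raw: str) -> list:
    headers = parse_response_headers(raw)
    return audit_hsts(headers) + audit_cookies(headers)

# Constructed responses (not captured from any real site)
WEAK = "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc123; Path=/\r\n\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
```

Running `audit_response(WEAK)` reports the missing HSTS header and the cookie's missing Secure and HttpOnly flags, while `audit_response(HARDENED)` returns an empty list.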
