Tag Archive for penetration testing

Firefox Extensions For Penetration Testing

This year at the SecTor security conference in Toronto, Canada, Security Compass introduced a series of open source firefox extensions aiding in penetration testing exercises.

Illuminating the Black Art of Security. SecTor brings the world’s brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT Professionals to collaborate with their peers and learn from their mentors. Held at the Metro Toronto Convention Centre in downtown Toronto, SecTor runs two full days, October 7th and 8th. The event features Keynotes from North America’s most respected and trusted experts. Speakers are true security professionals with depth of understanding on topics that matter. SecTor is a must attend event for every IT Professional.

This suite of web application security testing tools is named Exploit-Me and its designed to be lightweight and easy to use.

The suite is compromised of XSS-Me allowing Cross-Site Scripting, which is a common flaw found in web applications, SQL Inject-Me used to check for SQL Injection vulnerabilities which would allow malicious users to view, delete and modify records and finally Access-Me which test for access vulnerabilities by trying to access resources without being authenticated.

XSS-Me

Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

SQL Inject-Me

SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

Access-Me

Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is the Exploit-Me tool used to test for Access vulnerabilities.

[ad]

Root Shell – The Holy Grail

The “Holy Grail” of any attack is the creation of a root shell. On UNIX/Linux, the “root” user is a superuser account that has the capability of running any process on the machine. An exploit will attempt to gain root access to a system by obtaining a root shell prompt from which any command can be executed.

The hacker will attack a system running an exploit script that breaks into the system, following with establishment of a root shell bound to a TCP connection, which will then allow the attacker to remotely enter commands into the system.

There are basically three way that these shells can be bound to a TCP connection:

  1. Conversion – The TCP connection used to exploit the server (such as SMTP, DNS, FTP) is converted to a shell prompt.
  2. Listen – The most popular method is to register a shell (/bin/sh, /bin/ksh, etc.) within a service bound  to a particular port.
  3. Connect – This exploit will create a outbound connection back to the attacker.

In the early days, these exploits were developed by the “Leet” hackers using either reverse engineering and/or a trial and error approach to see how applications/systems behaved when unexpected packets were sent their way.

Later tools started to appear in the wild on the Internet, which then prompted the existence of the term “Script Kiddie“; allowing people without the ability to write hacking programs on their own to target machines on the Internet.

On the security consultant side, vendors in the late 80s and early 90s provided extremely expensive equipment/software such as NetTest, NetScout Systems and Sniffer Technologies as well as automated scanning tools such as ISS’ Internet Scanner.

Online vulnerability repositories like http://rootshell.org were used target specific applications to determine actual levels of threat probabilities.

With the open source initiative, many of these high-end tools have become widely available and have even matched and in some cases mastered their proprietary counterparts. Examples of these are Ethereal which then became Wireshark, Nmap, Nessus.

Rootshell.org has since disappeared and been replace by Milw0rm.com, an online exploit database. Hacking tools have become much more sophisticated in methods and automation, for instance the “Metasploit Project” providing information about security vulnerabilities and aiding in penetration testing with the capability of querying exploit databases in real-time to scan and attack for the most recent exploits.

This without a doubt raises serious questions on the approach security professional and system administrator need to take to protect and guard their systems.

We are well past the point when hacking was for the elite, when ill-intentioned people can monitor the release of security patches released by vendors and using the window of time between the patch release date and when patches are actually applied to make mischief.

[ad]