ITOnlinelearning offers Network Security courses for the beginner through to the professional. From the CompTIA Security+ through to CISSP, Certified Ethical Hacker (CEH), Certified Hacking Forensic Investigator (CHFI) and Security Analyst/Licensed Penetration Tester (ECSA/LPT).

Tailored Advice and Discounts
Please call one of our Course Advisors for help and tailored advice during office hours (Mon-Fri 9am-5.30pm) on 0800-160-1161.

Telephone: 0800-160-1161
International: +44 1795 436969
Email: sales@itonlinelearning.co.uk, support@itonlinelearning.co.uk
Registered Office: 16 Rose Walk, Sittingbourne, Kent, ME10 4EW
Global I.T. Security Training & Consulting
www.mile2.com

IS YOUR NETWORK SECURE?
In February 2002, Mile2 was established in response to the critical need for an international team of IT security training experts to mitigate threats to national and corporate security far beyond USA borders in the aftermath of 9/11.

mile2™ Boot Camps
A Network breach... Could cost your Job!

Available Training Formats
1. F2F – Classroom Based Training
2. CBT – Self Paced CBT
3. LOT – Live Online Training
4. KIT – Study Kits & Exams
5. LHE – Live Hacking Labs (War-Room)

GENERAL SECURITY TRAINING
CISSP™ – CISSP & Exam Prep
C)ISSO – Certified Information Systems Security Officer
C)SLO – Certified Security Leadership Officer
ISCAP – Info. Sys. Certification & Accred. Professional

PENETRATION TESTING (AKA ETHICAL HACKING)
C)PTE™ – Certified Penetration Testing Engineer
C)PTC™ – Certified Penetration Testing Consultant

SECURE CODING TRAINING
C)SCE™ – Certified Secure Coding Engineer

WIRELESS SECURITY TRAINING
C)WSE™ – Certified Wireless Security Engineer
C)WNA/P™ – Certified Wireless Network Associate / Professional

DR&BCP TRAINING
DR/BCP – Disaster Recovery & Business Continuity Planning

VIRTUALIZATION BEST PRACTICES
C)SVME™ – Certified Secure Virtual Machine Engineer

DIGITAL FORENSICS
C)DFE™ – Certified Digital Forensics Examiner

Other New Courses!!
ITIL – Foundations v.3 & v.4
CompTIA – Security+, Network+
ISC2 – CISSP & CAP
SANS GSLC – GIAC Sec. Leadership Course
SANS 440 – Top 20 Security Controls
SANS GCIH – GIAC Cert Incident Handler

Worldwide Locations. We practice what we teach.....

INFORMATION ASSURANCE SERVICES
Other Mile2 services available Globally:
1. Penetration Testing
2. Vulnerability Assessments
3. Forensics Analysis & Expert Witnesses
4. PCI Compliance
5. Disaster Recovery & Business Continuity

(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC. GSLC & GCIH are trademarks of GIAC.
1-800-81-MILE2
+1-813-920-6799
11928 Sheldon Rd Tampa, FL 33626
Editor's note

Dear Readers!

To thank you for your support with creating the PenTest community we decided to publish PenTest Free. Every month you will get five great articles that will teach and keep you up to date with IT security issues.

In the first issue you will find articles devoted to attacks. We have chosen the most popular titles and here you can read the best articles devoted to Zed Attack Proxy, internationalized, free and of great help as far as report writing is concerned. The Probe Request Based Attack article is a great technical tutorial for anyone interested in wireless attacks. Can we train a computer user to be sufficiently security literate? What's the best way to defend one from phishing attacks? You can read about this in the article of Ian Moyse.

In the section Cyberwar you can read about the digital frontier and the impact of cyber attacks on our lives. Are we living in the times of an ongoing cyberwar? See what our author has to say about this problem. Last but not least, we would like you to read the article about pentesting SCADA written by our regular author Stefano Maccaglia.

I hope that you will find this issue a valuable compilation and encouragement to stay with us for good. If you have any suggestions for us concerning topics, problems you want to read about or people you would like to know better thanks to PenTest please, feel free to contact us at en@pentestmag.com.

Thank you all for your great support and invaluable help.

Enjoy reading!
Malgorzata Skora
& PenTest Team

Attacks

06 Get it on with ZAP
by Gareth Watters
Let's take a look around Zed Attack Proxy and see what it's all about, but before we go on let's emphasize some of ZAP's greatest attributes. It's easy, it's free and open source, ZAP is fully internationalized, has extensive user guides and, unlike some similar tools, has the ability to save sessions to go back to later for reports, which is an imperative requirement for pen testers as report writing tends sometimes not to be our strongest area.

14 Wireless Eurynomus: A Wireless (802.11) Probe Request Based Attack
by Hitesh Choudhary and Pankaj Moolrajani
In recent years, the proliferation of laptop computers and smart phones has caused an increase in the range of places people perform computing. At the same time, network connectivity is becoming an increasingly integral part of computing environments.

18 Securing Users from Phishing, Smishing & Social Media Attacks
by Ian Moyse
Some experts believe one of the best solutions to thwart phishing attacks is end-user training, but can we really train every computer user to be sufficiently security literate? Will it ever be the case that anyone can distinguish a phishing message from a genuine bank email?




            01/2012
CONTENTS

Cyberwar

22 Digital Apocalypse: The Artillery of Cyber War
by Cecilia McGuire
Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavellian agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSec, motivated by the ease with which they can now execute high impact operations whilst avoiding detection, are just a few of the much publicized names synonymous with cyber terrorism. The multi-dimensional characteristics of cyber space have dissolved the boundaries between the digital landscape and physical security, facilitating cyber-attacks that produce devastating impacts on critical infrastructure, as well as Corporate and Government assets.

SCADA

28 The Box holes. Pen Testing a SCADA platform
by Stefano Maccaglia
In the last decade SCADA systems have moved from proprietary, closed networks to open source solutions and TCP/IP enabled networks. Their original “security through obscurity” approach, in terms of protection against unauthorized access, has fallen, together with their interconnection limits. This has made them open to communicate with the rest of the world, but vulnerable, as our traditional computer networks.

TEAM

Supportive Editor: Ewa Dudzic
ewa.dudzic@software.com.pl
Product Manager: Małgorzata Skóra
malgorzata.skora@pentestmag.com
Betatesters / Proofreaders: Robert Keeler, Daniel Wood, Scott Christie, Massimo Buso, Hussein Rajabali, Aidan Carty, Jonathan Ringler, Thomas Butler, Dan Felts, Gareth Watters, Stefanus Natahusada, Francesco Consiglio, Harish Chaudhary, Wilson Tineo Moronta, Scott Stewart, Richard Harold, Ryan Oberto, William R. Whitney III, Marcelo Zúñiga Torres
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
attack

Get it on with Zed Attack Proxy

Let's take a look around Zed Attack Proxy and see what it's all about, but before we go on let's emphasize some of ZAP's greatest attributes. It's easy, it's free and open source, ZAP is fully internationalized, has extensive user guides and, unlike some similar tools, has the ability to save sessions – a great help as far as writing reports is concerned.




You can download Zed Attack Proxy from http://code.google.com/p/zaproxy/. Note: If you don't already have it installed, you need to download and install Java from http://www.java.com.
ZAP is at its heart an interception proxy and has to be configured in-line between your browser and your application. For instructions to configure ZAP as a proxy for all the major browsers go to http://code.google.com/p/zaproxy/wiki/HelpStartProxies.
When you open ZAP for the first time you will be prompted to create an SSL Root CA Certificate as in Figure 2. In the context of this article we will be working with the secure login to a vulnerable web application. Therefore we shall create an SSL Root CA certificate.




Figure 1. Setup of ZAP for use in a Penetration Test


              01/2012                                  Page 6                            http://pentestmag.com

Option Dynamic SSL Certificates
OWASP ZAP allows you to transparently decrypt SSL connections. To do so, ZAP has to encrypt each request before sending it to the server and decrypt each response that comes back. But this is already done by the browser. That's why the only way to decrypt or intercept the transmission is to take a 'man in the middle' approach.

Overview
In other words, all data sent to and received from the server is encrypted/decrypted inside ZAP using the original server's certificate. This way, ZAP knows the plain text. To establish an SSL protected session with you (your browser), ZAP uses its own certificate. This is the one you can create. Every certificate created by ZAP will be signed for the same server name as the site you are visiting. This way, your browser will do regular SSL encryption.
Import Certificate into Mozilla Firefox – Firefox uses its own certificate store. Installation and later on validation is done in the same preferences dialog:

• Go to Preferences
• Tab Advanced
• Tab Cryptography/Certificates
• Click View certificates
• Click tab Trusted root certificates
• Click Import and choose the saved owasp_zap_root_ca.cer file
• In the wizard choose to trust this certificate to identify web sites (check the boxes)
• Finalize the wizard

Attention Risks
When adding self generated Root CA certificates to your list of trusted root certificates, anyone who holds that root certificate (and its private key) can issue certificates your browser will accept and so smuggle data into your system (browser). In other words, when you're not testing in a safe environment but on production machines, be aware that you could be opening an additional attack vector to your system if your certificate were in the wrong hands. ZAP generates a certificate that is unique to you, so keep this certificate safe.
Next you configure ZAP's Local Proxy port: Go to Tools -> Options -> Local Proxy -> localport Settings: Localhost 8090.
Then configure your browser to use ZAP as a proxy. In this example we are using Firefox running FoxyProxy: Go to Edit -> Preferences -> Networks -> Settings -> Choose to use ZAP for all URLs.
Now you're ready to go. All you need is your target application (Pentester) or your own Web Application that's under development (Developer). For the context of this article we will use DVWA (Damn Vulnerable Web Application).

DVWA – Damn Vulnerable Web App
(User: admin Password: password)
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

WARNING!
Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider's public html folder or any working web server as it will be hacked. I recommend downloading and installing XAMPP onto a local machine inside your LAN which is used solely for testing. http://code.google.com/p/dvwa/

Tip
If you fancy skipping past the installation and setup of DVWA, I suggest downloading SamuraiWTF; you will find that this great distro already has DVWA installed, set up and ready to go.
The next thing to do for a beginner new to development or pentesting is to explain how ZAP's advanced components can be useful as tools in a basic web application penetration test.
Basic Web Application Penetration Test: Recon -> Mapping -> Discovery/Enumeration -> Exploitation.

Figure 2. SSL Root CA Certificate


ZAP is useful in the Mapping context using the proxy and spider. ZAP is useful in the Discovery context with the active vulnerability scanner and fuzzer, and for brute forcing web directories and files with DirBuster. ZAP is useful in the Exploitation phase when you combine its findings with exploitation tools such as SQLMap, BeEF and Metasploit.

Basic Web Application Penetration Test – Mapping
To do comprehensive mapping, you must navigate through your web application. Ensure you follow and explore all of the functionality of the application. Click each link, traverse through all tabs and areas of your application. Press all buttons, fill in and submit all forms. If your application supports multiple roles then do this for each of the roles, e.g. User, Admin. Note: In order to use multiple roles, it's best to save each role as a separate ZAP session.
ZAP maps out the web application in a hierarchical manner, as in the Sites tab displayed in Figure 3.
The lower pane brings together all the tabs for web application pen testing in a universal status bar.

• Sites tab – A hierarchical representation of your application
• History tab – Lists all the requests (GET/POST) and the order they are made in
• Search tab – Search ZAP gathered information
• Port Scan – a basic port scanner allows you to scan and shows which ports are open on the target sites.
• Output tab – This shows various informational messages. These can include the stack traces of unexpected exceptions
• Alerts tab – Shows you any potential issues and vulnerabilities ZAP has found. (See Exploitation for more info.)

Click on entries in Sites or History – the corresponding requests and responses will be visible in the Request and Response tabs. If you right-click on any item, a whole load of extra options and functionality becomes available.
ZAP passively scans the requests and responses and reports any potential problems, but does not send any requests on your behalf.

Tip
In ZAP – Double click on a tab and it expands for a better view – Double click again and it will revert back to the lower status bar.

Spider
Can be activated by the play button on the Spider tab or Right-Click Attack on the sites tree.




Figure 3. A completed mapping of DVWA



The spider looks for pages that weren't found in the manual recon/mapping. Running the spider will crawl the website and find URLs that you may have missed or that are hidden. It places them in the Sites tab with a spider icon. It is recommended to manually explore and map the web application first and then use the spider. If the spider does find unseen links, go back through the application in your browser and visit those URLs.

Tip
A good crawl will enable you to have a better active scan.

Basic Penetration Test – Discovery
Active scanner
The active vulnerability scanner attacks the application and performs a number of known attacks.
The active scanner is there to find basic vulnerabilities (only to be used in a development environment unless explicitly permitted in writing by the web application owner in the case of a penetration test – it is illegal to run active scans without legal consent).
Damn Vulnerable Web Application (DVWA), as it is aptly named, is an excellent resource for viewing and learning about vulnerabilities. Once you've completed the steps above you should be able to see the results of the mapping and the vulnerabilities in your application in the Alerts tab. Immediately you can see a number of alerts for vulnerabilities found.

Brute Force
Use the brute force scanner to find unreferenced files and directories. You can use the built-in or custom input files for the Brute Force Scanner. ZAP uses OWASP DirBuster for brute forcing, and for fuzzing it uses another OWASP project, JBroFuzz, together with fuzzdb.
ZAP uses OWASP DirBuster, a multi-threaded Java application designed to brute force directory and file names on web/application servers. Often what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generating DirBuster's lists. The DirBuster list was generated from scratch, by crawling the Internet and collecting the directories and files that are actually used by developers! DirBuster comes with a total of 9 different lists, which makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide!

Tip
ZAP also allows custom files to be used. In the SamuraiWTF training course we used CeWL (Custom Word List generator) by DigiNinja. CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. John the Ripper can also be used to create a wordlist that has different versions of the words that CeWL collected, for example ex@mpl3. These custom wordlists can then be imported and used by ZAP for brute forcing and fuzzing.

Fuzzer
ZAP also has fuzzing capabilities through its integrated use of yet another OWASP project, JBroFuzz. 'Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems' – Wikipedia
To fuzz a request string such as a password:

• Select a request in the Sites or History tab
• Highlight the string you wish to fuzz in the Request tab
• Right-click in the Request tab and select 'Fuzz'
• Select the Fuzz Category and one or more of the Fuzzers
• Press the Fuzz button
• The results will then be listed in the Fuzzer tab
• Select them to see the full requests and responses

Additional fuzzing text files are added continuously with each ZAP release and, as stated earlier, you can also create and import your own custom files.

Manual test
The above steps will find basic vulnerabilities. More vulnerabilities become apparent when you manually test the application by giving it some data, trying logins etc. In an advanced web application penetration test scenario, a number of other tools such as Nikto, Curl, SQLMap, CeWL etc. would be used. See the OWASP Testing Guide for more details on comprehensive penetration testing at https://www.owasp.org/index.php/OWASP_Testing_Project.

Basic Penetration Test – Exploitation
Once you have performed your basic pentest mapping and discovery, you are ready for exploitation or remediation depending on your role, developer or pentester. The considerable information that ZAP provides under the Alerts tab is key to a pentester's next move.

Alerts
ZAP provides comprehensive information relating to all alerts and vulnerabilities it finds. All the exploitation material you need is here, listing active and passive vulnerabilities. Each alert gets flagged in the History tab and gets a Risk Rating – Informational, Low, Medium or High. Also, they get an alert reliability rating – False Positive, Suspicious, Warning.

Tip
I find it easiest at this point to review the alerts if you expand the Alerts tab by double clicking it as in Figure 4.
For each alert a description is provided. You can save your own developer/pentester specific information about a particular alert in the 'Other info' tab, and best of all there is a solution and reference material provided for the alert.
You will see how intuitive and educationally beneficial ZAP really is to developers/pentesters, especially ones in the early stages of their careers.

Figure 4. Alerts tab expanded

Break Points
A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using JavaScript). It is an essential penetration testing technique. You can set a 'global' break point on requests and/or responses using the buttons on the top level toolbar. All requests and/or responses will then be intercepted by ZAP, allowing you to change anything before allowing the request or response to continue. You can also set break points on specific URLs using the "Break..." right click menu on the Sites and History tabs. Only those URLs will be intercepted by ZAP. URL specific break points are shown in the Break Points tab.

Anti CSRF Tokens
Another advanced feature of ZAP that is not readily available in similar, free versions of tools in this area is Anti-CSRF token handling and token generation. CSRF vulnerabilities occur by the way that browsers automatically submit cookies back to an

was an app built by a developer, for a developer and you can tell. It has subsequently been adopted by an international community of information secu-
issuing web server with each subsequent request.                 rity professionals.
If a web application relies solely on HTTP cook-
ies for tracking sessions, it will inherently be at risk         ZAP – Fully Automated Security Tests
from an attack like this.                                        To conclude this extensive article, I am going to
   Anti CSRF tokens are (pseudo) random param-                   change the context of how we see use of ZAP
eters used to protect against Cross Site Request                 and show how functional testing can be improved,
Forgery (CSRF) attacks.                                          even fully automated and with adding security in to
   They tokens may make a penetration testers job                the process. sounds good eh!
hard if the tokens are regenerated every time a                    Many Web developers use applications like Se-
form is requested. ZAP detects anti CSRF tokens                  lenium, Webdriver and Watir to test their Web-Ap-
by attribute names – the list of attribute names                 plications. In this example we are using Selenium
considered to be anti CSRF tokens can be edited                  to drive the browser. Selenium records your ac-
using the Tools->Options->Anti-CSRF screen.                      tions in the browser such as mapping, clicking, in-
   When ZAP detects these tokens it records the to-              puts etc.. and then can re-test doing exactly the
ken value and which URL generated the token. The                 same tests while you complete iterations of say a
active scanner and the fuzzer both have options                  web application under development.
which cause ZAP to automatically regenerate the
tokens when it is required. If fuzzing a form with an            Seleniumhq.org
anti CSRF-tokens on it, ZAP can regenerate the to-               ‘Selenium automates browsers. That’s it. What you
ken for each of the payloads you want to fuzz with.              do with that power is entirely up to you. Primar-
   If you are a developer testing your own web ap-               ily it is for automating web applications for testing
plication make sure the names of your anti-csrf to-              purposes, but is certainly not limited to just that.
kens are included in ZAP for ease of use.                        Boring web-based administration tasks can (and
   It’s clear to see that considerable effort has been           should!) also be automated as well.
embedded in Zed Attack Proxy by Simon Bennetts                      Selenium has the support of some of the largest
and Axel Neumann and also the Global communi-                    browser vendors who have taken (or are taking)
ty of developers and individuals contributing. ZAP               steps to make Selenium a native part of their brows-




Figure 5. Example ZAP setup for fully automated regression tests with security testing


              01/2012                                       Page 11                           http://pentestmag.com
F
                  R
                  E
                  E                                                                              attack
er. It is also the core technology in countless other        ner would be run. The REST API is asynchronous
browser automation tools, APIs and frameworks.’              and the will poll the scanner to see how it has pro-
   A build tool such as Apache Ant can control a tool        gressed.
like Selenium which will drive the browser.                    ZAP will detect passive vulnerabilities such as
   We can then insert ZAP as a proxy and also drive          missing HttpOnly or Secure Cookie Flags where-
zap from the Apache Ant build tool as in Figure 5.           as the active scanner finds critical XSS and SQ-
   So selenium records and drives a browser with             Li other vulnerabilities It is important to remember
ZAP inserted as in intercepting proxy. This can be           that there are some types of errors that can not be
very useful for functional and regression tests and          found with automated scanning, so its important if
is a very effective way of testing web UI’s. Devel-          security is taken seriously in your organisation, to
opers can write test cases to use their apps in the          have the security team to have a review and pen-
way they expect users to use them and then imple-            etration test of your application.
ment and record and re-test them with Selenium.                By using ZAP in this way, the basic vulnerabilities
   Regression tests give you a level of confidence           in your web application should have been found
that any changes you have made haven’t caused                and then are able fixed in the early stages of the
any issues or broken anything. They can’t test ev-           development lifecycle.
erything, so you still want QA to give your applica-           For more information and a full video example
tion a good independent test.                                go to Simon Bennetts video tutorial: http//code.
   In the above example we would use Apache Ant              google.com/p/zaproxy/wiki/SecRegTests.
to control ZAP by the rest api, to kick off things like
spider and active scanner. This gives some lev-              Summary
els of automated security testing that you can use           If you’re a developer interested in security or a pro-
in your continuos integration. The mapping/spi-              fessional pen tester, ZAP definitely has something
der can be set to complete first, then active scan-          for you. It is a powerful tool to aid developers and
                                                             QA testers with easily integrating security in to the
 References                                                  SDLC and also serves from beginner up to ad-
 Thanks to Simon Bennetts (@psiinon ) and Axel Neu-          vanced penetration testers in their line of duty.
 man (@a_c_neumann), OWASP, ZAP Guide & Creative
                                                                It’s going to take a lot of work to change the cul-
 Commons Attribute Share-alike License:
                                                             ture of Information Security. It’s a risk management
 • 	 https://www.owasp.org/index.php/ZAP                     project on a grand scale. Get involved, educate,
 • 	 https://www.owasp.org/index.php/OWASP_Zed_At-           spread the work, take action and help change the
     tack_Proxy_Project                                      culture.
 • 	 http:///www.owasp.org                                      The extensible architecture and constant devel-
 • 	 https://www.owasp.org/index.php/Category:OWASP_
                                                             opment of ZAP makes for an exciting future for this
     DirBuster_Project
 • 	 https://www.owasp.org/index.php/JBroFuzz                Open Source project.
 • 	 http://samurai.inguardians.com/                            For full instructions and a wealth of ZAP informa-
 • 	 Justin Searle (@meeas)                                  tion, see the OWASP project page:
 Google Summer Of Code 2012 Projects
 There are 3 ZAP related google summer of code proj-         WARNING Active scans must not be performed on Public
 ects:                                                                          websites
                                                             without the owners written permission as it
 • 	 Redesign of site crawler with sessions awareness –                         illegal.
     Student: Cosmin Stefan – Org: OWASP – Mentor: Si-
     mon Bennetts
 • 	 Enhanced AJAX integration – Student: Guifre Ruiz –
     Org: OWASP – Mentor: Skyler Onken
 • 	 Websocket Testing Tool – Student: robert Koch –         Gareth Watters (@gwatters) – CISSP,
     Org: Mozilla – Mentor: Yvan Boily                                 CISA, CPTE, MCSE, ITIL
                                                                            Gareth Watters is an Information
 ‘This is really great news – its a great opportunity for                   Security specialist based out of Mel-
 the students to work on a high profile security project,                   bourne Australia.
 and ZAP will be significantly enhanced by their work!’ –
 Simon Bennetts http://code.google.com/p/zaproxy/wiki/
 GSoC2012.
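The Anti CSRF Tokens section above describes the defence from the tester's side: a per-form random parameter that ZAP has to record and regenerate. The following is an added example of the server side of that defence, written for this page and not code from the article or from the ZAP project. It issues a token bound to the session id with an HMAC, verifies it in constant time and rejects it after a TTL, and shows a handler that refuses a state-changing request carried by the session cookie alone. The handler, the field name `csrf_token` and the sample session ids are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Per-deployment secret used to MAC every token. Constructed here with os.urandom so
# the example runs stand-alone; a real application loads it from protected config.
SERVER_SECRET = os.urandom(32)

# Tokens older than this are rejected, so a leaked token has a bounded lifetime.
TOKEN_TTL_SECONDS = 3600

# Form field name (assumption). Pick a name your scanner recognises: ZAP lets you add
# names under Tools->Options->Anti-CSRF, as the article describes.
CSRF_FIELD = "csrf_token"


def _mac(session_id, nonce, issued_at):
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Return a fresh token bound to one session: <nonce>.<issued_at>.<mac>.

    A new nonce per rendered form means every form carries a different token,
    which is exactly the case the article says makes a tester's job hard.
    """
    issued_at = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    return f"{nonce}.{issued_at}.{_mac(session_id, nonce, issued_at)}"


def verify_csrf_token(session_id, token, now=None, ttl=TOKEN_TTL_SECONDS):
    """True only if the token was minted by us, for this session, and has not expired."""
    try:
        nonce, issued_str, mac = token.split(".")
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    now = int(time.time() if now is None else now)
    if issued_at > now + 60 or now - issued_at > ttl:
        return False  # clock skew beyond tolerance, or expired
    # Constant-time comparison so timing differences do not leak the MAC.
    return hmac.compare_digest(_mac(session_id, nonce, issued_at), mac)


def handle_transfer(cookies, form, now=None):
    """Hypothetical state-changing handler: the session cookie alone is not proof of intent.

    Returns an (http_status, message) pair.
    """
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "no session"
    if not verify_csrf_token(session_id, form.get(CSRF_FIELD), now=now):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"transfer of {form.get('amount')} accepted"


if __name__ == "__main__":
    # Constructed walk-through: the legitimate page renders a token for session A;
    # a cross-site page cannot read it, and a token from another session is refused.
    token = issue_csrf_token("session-A")
    print(handle_transfer({"session": "session-A"}, {CSRF_FIELD: token, "amount": "10"}))
    print(handle_transfer({"session": "session-A"}, {"amount": "10"}))
    print(handle_transfer({"session": "session-B"}, {CSRF_FIELD: token, "amount": "10"}))
```

Because the token is bound to the session id inside the MAC, a token harvested from one session cannot be replayed against another, and because the nonce is fresh per form, a scanner that does not regenerate tokens (the behaviour ZAP's active scanner and fuzzer add) will see every replayed request rejected with 403.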
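The Fully Automated Security Tests section above describes the build driving ZAP through its asynchronous REST API: spider first, then active scan, polling for progress, then acting on the alerts. The following is an added example of that control loop as a build gate, written for this page and not code from the article or the ZAP project. The endpoint paths are assumptions taken from the later ZAP 2.x JSON API rather than the 2012 build the article used, the transport is a single injected `api_get(path, params)` callable, and `FakeZapApi` with its sample alerts is a constructed stand-in so the loop runs offline.

```python
import time
from collections import Counter

# Risk names as ZAP reports them, ordered so a threshold can be applied.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Endpoint paths are assumptions from the later ZAP 2.x JSON API; check them
# against the API page served by your own ZAP version.
SPIDER_START = "/JSON/spider/action/scan/"
SPIDER_STATUS = "/JSON/spider/view/status/"
ASCAN_START = "/JSON/ascan/action/scan/"
ASCAN_STATUS = "/JSON/ascan/view/status/"
ALERTS = "/JSON/core/view/alerts/"


def wait_for_scan(api_get, status_path, scan_id, poll_interval=0.0, max_polls=600):
    """Poll an asynchronous scan until it reports 100%; False if it never finishes."""
    for _ in range(max_polls):
        status = int(api_get(status_path, {"scanId": scan_id})["status"])
        if status >= 100:
            return True
        time.sleep(poll_interval)
    return False


def run_security_regression(api_get, target, fail_on="Medium"):
    """Spider first, then active scan, then gate the build on the alerts found.

    api_get(path, params) -> dict is the only transport dependency, so the same
    logic runs against the daemon or against a stand-in.
    """
    spider_id = api_get(SPIDER_START, {"url": target})["scan"]
    if not wait_for_scan(api_get, SPIDER_STATUS, spider_id):
        raise TimeoutError("spider did not finish")
    ascan_id = api_get(ASCAN_START, {"url": target})["scan"]
    if not wait_for_scan(api_get, ASCAN_STATUS, ascan_id):
        raise TimeoutError("active scan did not finish")
    alerts = api_get(ALERTS, {"baseurl": target})["alerts"]
    threshold = RISK_ORDER[fail_on]
    failing = [a for a in alerts if RISK_ORDER.get(a["risk"], 0) >= threshold]
    return {
        "passed": not failing,
        "counts": dict(Counter(a["risk"] for a in alerts)),
        "failing": failing,
    }


class FakeZapApi:
    """Constructed stand-in for the ZAP daemon so the example runs offline.

    Every scan reports 50% on its first status poll and 100% on the second,
    which is enough to exercise the polling loop.
    """

    def __init__(self, alerts):
        self.alerts = alerts
        self.progress = {}

    def __call__(self, path, params):
        if path in (SPIDER_START, ASCAN_START):
            scan_id = str(len(self.progress))
            self.progress[scan_id] = 0
            return {"scan": scan_id}
        if path in (SPIDER_STATUS, ASCAN_STATUS):
            scan_id = params["scanId"]
            self.progress[scan_id] = min(100, self.progress[scan_id] + 50)
            return {"status": str(self.progress[scan_id])}
        if path == ALERTS:
            return {"alerts": self.alerts}
        raise KeyError(path)


# Constructed alerts in the shape ZAP returns (alert name, risk, url): one passive
# cookie-flag finding and one active-scan XSS finding, as the article describes.
SAMPLE_ALERTS = [
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://app.test/login"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search?q=x"},
]

if __name__ == "__main__":
    result = run_security_regression(FakeZapApi(SAMPLE_ALERTS), "http://app.test/")
    print("build passed" if result["passed"] else "build FAILED", result["counts"])
    for alert in result["failing"]:
        print(f"  {alert['risk']}: {alert['alert']} at {alert['url']}")
```

Against a real daemon, `api_get` would wrap an HTTP client call to the ZAP host and port (adding the API key on versions that require one) and return the decoded JSON; nothing else in the gate changes. Failing the build on Medium and above while still reporting the Low count keeps the passive findings visible without blocking every commit on them.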



Wireless Eurynomus
A Wireless (802.11) Probe Request Based Attack

In recent years, the proliferation of laptop computers and smart phones has caused an increase in the range of places where people perform computing. At the same time, network connectivity is becoming an increasingly integral part of computing environments.

As a result, wireless networks of various kinds have gained much popularity. But with the added convenience of wireless access come new problems, not the least of which are heightened security concerns. When transmissions are broadcast over radio waves, interception and masquerading become trivial to anyone with a radio, and so there is a need to employ additional mechanisms to protect the communications.
In this article we want to focus on some of the hidden flaws that were never taken seriously. Auto-connect is a simple facility, and one of the most conniving, provided by all clients of wireless Access Points. This feature can also be used to compromise a client, and the attack is counted as one of the deadliest silent attacks.

Figure 1. Non-data transfer
Figure 2. Data transfer to the Internet

Target Audience
This attack can affect any of the technical and non-technical users of the 802.11 interface. But the technical details of this attack require usage of Wireshark, a little understanding of packet details

over wireless and some of the details about the probe and beacon frames.

Scope Of Attack
This attack is almost newborn to the world of wireless and the Internet. It is fully capable of creating an intermediate connection between any client and the attacker. Talking about the scope of this attack, it can be of wide variety. For example, if an attacker walks into a company's premises, just by monitoring the air he can easily find out the probes in the air and can attack any laptop, or he can attack any smartphone and collect the contact details of clients. This is just a simple scenario; cases can be like the T.J. Maxx credit card incident (http://news.cnet.com/2100-7348_3-6169450.html).

Flow Diagrams For Attacks
Case 1
Attacker just wants to have connectivity (non-data transfer; Figure 1). In this scenario, the attacker just wants to have connectivity to the victim; after that he might be interested in doing some post tasks like launching a Metasploit module or some custom coded exploits. And since the victim is only sending the gratuitous request, he will only get some connectivity to the attacker's fictitious network. After that no data transfer will happen, because of the lack of Internet connectivity.

Case 2
Attacker wants to have connectivity as well as data transfer to the Internet (Figure 2). In this scenario, the attacker wants the victim to connect with the attacker's machine so that he could send the data packets to the Internet. In this case he only wants to monitor the data.

Hardware And Software Requirements
To perform this attack, we will need an entire lab setup with specific software requirements and some hardware requirements. Hardware requirements include:

• Access point
• 2 laptops (1 as attacker and 1 as victim)
• Wireless card (internal or external)
• 1 smartphone (optional requirement)

Software requirements:

• BackTrack operating system (4-revision2 or higher version).
• All other required tools are preconfigured in it.

Figure 3. Connecting over the Access point
Figure 4. Implementation
Figure 5. Probe requests by clients

Understanding Probes And Beacons
When a client turns on its wireless interface, the wireless interface at the same time starts to send many probe requests to find out whether an access point is available or not. Similarly, any access point is


also sending beacon frames to show its presence. Once the client gets connected to an access point, there is a facility provided by different machines to remember that access point. Whenever the client comes into range it automatically gets connected. This is simply because the client is continuously sending probe requests in the air to find out if any saved AP is available.

Types Of Attacks

• IP level connectivity attacks (Metasploit based)
• Relay the packets to the AP (MITM based attacks)
• Depending upon the usage, attacks can be combined, and the client is still unaware.

Attack Scenario
To understand this attack (Figure 3), the working of the Access Point must be clear. So, what we are trying to implement is a client who is not connected to any wireless AP and has his wireless interface up and running. The wireless interface always transmits some probe requests from its PNL, i.e. Preferred Network List. It is just a sense of insecurity and a shocking fact that it is independent of any AP. First of all we will try to make a monitor mode interface in the air, which can accept all the packets over the air regardless of whether the packet is destined for it or not. This is very similar to promiscuous mode over the wired network, used for the purpose of sniffing. After finding the probes of the clients, we will create a soft AP, also known as a virtual AP. A soft access point is created by a set of software which continuously sends out beacon frames to show all nearby clients its presence. Since the client is already attempting to connect to that access point, it will automatically connect to the attacker. Now, if a DHCP server is running on the attacker's machine the client will automatically receive an IP; if no DHCP server is running then the client will receive an IP in the 169.xxx.xxx.xxx range and will send gratuitous packets. Once the IP is assigned, the tap interface created by the soft AP can have IP level connectivity with the client, and the best part is that the client remains unaware of the situation.

Figure 6. airbase-ng
Figure 7. Connection to Hitesh network
Figure 8. # ifconfig -a
Figure 9. # ifconfig at0; # ping 169.254.28.3

Implementation
We have used a BackTrack machine (attacker) and an iPhone (victim) to implement our attack scenario. A monitor mode interface is created on top of a wireless interface; this monitor mode interface can be easily created by using the airmon-ng set of tools. The wlan0 (wireless) interface is up and running (Figure 4).

# airmon-ng start wlan0

"Monitor mode enabled on mon0" indicates that the monitor mode interface has been created and now we can monitor the air. To monitor the air, simply airodump can be used over the mon0 interface. This along


with the AP will also give the details of the clients that are associated or trying to associate with the network in the surroundings (Figure 5).

# airodump-ng mon0

After finding the probe request name, the attacker can easily create a soft AP or virtual access point with any BSSID as well as any ESSID. Here I have used an ESSID named Hitesh just for the sake of example.

# airbase-ng -a <bssid> -e <essid/name> mon0

The Airbase set of tools has got a lot of options; it can send responses to any of the probe requests that a client is transmitting via its radio, but for the sake of simplicity we have used this scenario. The interesting thing about this soft AP is that it also creates a tap interface. It's a little basic that our access point always has 2 cards in it, one wireless and the other a wired interface. This tap interface is the clone of the wired interface, named at0 (Figure 6). As a result of this, the client will automatically get connected to this "hitesh" network, since there is no DHCP server running on the attacker machine (Figure 7).
The client will get an IP address in the 169.xxx.xxx.xxx range and will try to send gratuitous packets. One can also use these packets as an ARP packet to send it back to the IP. So, there can be an attack at every phase. One can also verify this by using Wireshark and capturing each and every packet. These packets will show that the client is again and again trying to send DHCP requests and failing, so that finally it is getting an IP in the 169.xxx.xxx.xxx range. In the meanwhile one can also set up a DHCP server and can easily transfer the packets to the Internet via its bridge interface and perform Man In The Middle attacks. Now the final step is to just bring up the at0 interface and set an IP in the same range and same subnet, which can be easily done with the ifconfig utility (Figure 8).

# ifconfig -a

Finally, the proof of the IP level connectivity. Post that, one can easily launch some Metasploit modules or various other sets of attacks (Figure 9).

# ifconfig at0
# ping 169.254.28.3

Comments
• Type of access point used for testing – a ZXDSL router for this attack as a lab setup, but it will hardly matter if you use any other, since all routers broadcast the same beacon frames.
• Type/model of wireless card used for testing – an Alfa wireless external card, AWUS036H series, but anyone can use their laptop's inbuilt card.
• The victim can have any operating system like Windows XP or 7, or even a Linux machine; the probe request will always be sent into the air, since this is how the wireless auto connect feature works in all operating systems. I didn't test it on Mac, and cannot say much about it. Regarding the antivirus that comes into the post exploitation task: if any attacker wants to perform a Man In The Middle attack, then a fully patched (with antivirus and firewall) machine can be compromised, because it is the victim who is trying to connect to us.
• I used a jailbroken iOS 4 version for this experiment.

Acknowledgment
Acknowledgment to Igneustech for providing appropriate equipment and lab environment.

References
[1] www.aircrack-ng.org
[2] www.aircrack-ng.org/doku.php?id=airodump-ng
[3] www.wireshark.org/
[4] Interception Mobile Communications, The Insecurity of 802.11 – ISAAC, www.isaac.cs.berkeley.edu/isaac/mobicom.pdf
[5] Luis Wong, An Overview of 802.11 Wireless Network Security Standards & Mechanisms (posted on January 19, 2005)
[6] Jared Kee, Remote Access Point/IDS (posted on April 10, 2012)

Hitesh Choudhary
Hitesh Choudhary is a Jaipur based ethical hacker serving for free with Rajasthan police to handle cyber crimes, as well as pursuing his wireless research at M.I.T., California. He has completed his RHCE, RHCSA, CEH and various other security certifications.

Pankaj Moolrajani
Pankaj Moolrajani is a Jaipur based security researcher at Igneustech. He is RHCE & RHCSS certified.
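The article describes what a soft AP looks like on the air: beacons for a network name the attacker chose, any BSSID the attacker chose, no encryption, and (with the Airbase tools) probe responses for whatever SSIDs nearby clients are probing. Those are exactly the signals a wireless IDS at the defended site can alert on. The following is an added example of that detection logic, written for this page and not code from the article or its authors. The frame records, the `CorpWiFi` baseline and the BSSIDs are constructed to resemble what a monitor-mode capture decodes to; a real deployment would feed it frames parsed from airodump-ng or Wireshark output.

```python
from collections import defaultdict

# Constructed observations in the shape a monitor-mode capture (airodump-ng, Wireshark)
# gives you once the 802.11 management headers are decoded:
#   (frame_subtype, transmitter BSSID, SSID, privacy_bit)
# privacy_bit mirrors the Privacy flag in the capability field (True = encrypted network).
OBSERVED = [
    ("beacon", "00:11:22:33:44:55", "CorpWiFi", True),      # the real corporate AP
    ("beacon", "aa:bb:cc:dd:ee:01", "CorpWiFi", False),     # same name, unknown BSSID, open
    ("beacon", "00:11:22:33:44:55", "CorpWiFi", False),     # real BSSID spoofed, but open
    ("probe_resp", "00:11:22:33:44:55", "CorpWiFi", True),  # the real AP answers its own SSID only
    ("probe_resp", "aa:bb:cc:dd:ee:01", "HomeNet", False),  # one radio answering whatever is probed
    ("probe_resp", "aa:bb:cc:dd:ee:01", "CoffeeShop", False),
    ("probe_resp", "aa:bb:cc:dd:ee:01", "Hitesh", False),
]

# Baseline of the networks you own: authorised BSSIDs and whether they must be encrypted
# (constructed for this example).
AUTHORIZED = {"CorpWiFi": {"bssids": {"00:11:22:33:44:55"}, "privacy": True}}


def detect_rogue_aps(frames, authorized, probe_resp_threshold=3):
    """Return sorted (kind, bssid, detail) alerts for soft/rogue AP behaviour.

    Three checks, each aimed at one thing a soft AP as described in the article does:
      unauthorized-bssid    a network name you own advertised from a BSSID you do not
      encryption-downgrade  your own BSSID advertising your SSID without the Privacy bit
      answers-any-probe     one BSSID answering probe requests for many different SSIDs
    """
    alerts = set()
    answered = defaultdict(set)  # BSSID -> set of SSIDs it has sent probe responses for
    for subtype, bssid, ssid, privacy in frames:
        if subtype == "probe_resp":
            answered[bssid].add(ssid)
        baseline = authorized.get(ssid)
        if baseline is None:
            continue  # not a network we own; only the probe-response counter applies
        if bssid not in baseline["bssids"]:
            alerts.add(("unauthorized-bssid", bssid, ssid))
        elif baseline["privacy"] and not privacy:
            alerts.add(("encryption-downgrade", bssid, ssid))
    for bssid, ssids in answered.items():
        if len(ssids) >= probe_resp_threshold:
            alerts.add(("answers-any-probe", bssid, ",".join(sorted(ssids))))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, bssid, detail in detect_rogue_aps(OBSERVED, AUTHORIZED):
        print(f"{kind:22} {bssid}  {detail}")
```

The third check is the one specific to this attack: a legitimate AP only answers probes for the SSIDs it serves, so a single BSSID responding to several unrelated names is a strong indicator of a soft AP replying to clients' Preferred Network List probes. On the client side, the mitigation the article implies is to disable auto-connect for open networks and prune saved networks, so the PNL is not broadcast in the first place.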




Securing Users
from Phishing, Smishing & Social Media Attacks

Some experts believe one of the best solutions to thwart phishing attacks is end-user training, but can we really train every computer user to be sufficiently security literate? Will it ever be the case that anyone can distinguish a phishing message from a genuine bank email?

The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes. The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods.
It can seem at times that the only people who like change are Internet attackers. And they don't just like it – they need it. Technology's rapid changes give cybercriminals new attack vectors to exploit, and new ways to turn a profit out of someone else's misfortune.
Internet attackers have made a profession out of rapid change in a multitude of factors – attack vector, sophistication, volume and approach. The malware market has been monetised and we are seeing the strongest ever driving forces to come up with new approaches to beat security products and users' common sense.
For example, take phishing. The concept is simple: send an email disguised as a message from a bank, PayPal, or UPS. Wait for the user to click a link in the message and enter their private details into a phishing site, and presto! The attacker obtains financial or personal login details that can be used to commit fraud or theft. Of course, it was only a matter of time before people caught on to email scams. Users read again and again not to click on such links. Mail solutions became better at spotting phishing emails and filtering them into a junk email folder. Even free Web mail providers now catch the majority of these attacks.
Once cybercriminals noticed their traditional phishing approaches were returning lower response rates, they rapidly adjusted to new mediums. As a result, a new trend emerged: smishing (social media phishing and SMS phishing) became the new trend in cyber attacks.
The underlying concept is the same, but the attack mechanism is different. Instead of targeting users via email, cybercriminals use social media messaging and text messaging advertising to lure victims.
For hackers, it's the perfect opportunity. They can cheaply buy lists of Facebook login details, hack into users' accounts, and send personal-looking messages to an individual's entire friend list. The majority of users are more trusting of a post from a friend than of a suspicious email in their inbox, making smishing more effective at luring users to phishing sites.
We seem to take phishing attacks for granted these days, in much the same way that we've accepted spam as a natural, and inevitable, by-product of email. Some experts believe one of the best solutions to thwart phishing attacks is end-user training, but I doubt training alone is a viable solution. Can we really train every computer user to be sufficiently security literate, such that anyone can distinguish a phishing message from a genuine bank email? I doubt its possibility, especially given how specific the details in spear phishing (phishing targeted at specific people and/or companies) attacks have become.
It used to be that thieves could satiate their hunger for evil (and money) merely through the emulation of a consumer bank or a PayPal login screen. While these low-hanging-fruit scams show no signs of abating, even following major busts of phishing rings, we've seen new types of phishing attacks that wear the mask of a Web security product, persuading users to follow through on fake spam quarantine messages or security update alerts, sometimes using the name of real vendors. It's all very plausible.
Unfortunately, the average user is not a trained security expert – and why should he or she be? Criminals lure users into phishing and email scams in much the same way street cons lure some people into losing their wallet at Three-card Monte. We let curiosity get the best of us, and at times can be gullible. Like street hustlers, cybercriminals aren't afraid to experiment with hacking our inclinations (or, as many security experts call it, social engineering). The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes.
The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools (yes, they exist) and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods (albeit a few years ago; no offense, Tiger). The criminal's job is to create online scams that work, and the returns on their investments are huge. Why would we expect non-criminally-minded users to be more adept at spotting scams than scammers are at reeling in the users?
Technology has to step up its game. We need to continue to make it harder and less lucrative for online scammers to do their "jobs." That's really the most effective way to stop phishers from attacking our end users.
Phishing is a good example of how the cybercriminal utilises social engineering techniques combined with technology to grift money from an innocent Internet bystander. Send an email to the victim purporting to be from someone else, be it a bank, PayPal or a spyware-infected machine disguising the email in the form of a genuine email from a friend’s address. Wait for the susceptible user to click on it believing it to be genuine and enter their private details into a fake site, and hey presto, the attacker has hoodwinked you and has financial or personal login details of yours. The average phishing site, which stays online for an average of 5.9 days, does enough damage to afford change (stat from APWG.com – the Anti-Phishing Working Group).

Users have read again and again in articles, in warnings on bank sites, in email services and from friends not to click on such links, but they still do! Mail solutions have gotten better at discerning phishing attacks and putting them correctly into anti-spam filters. Even in free webmail solutions phishing attacks are put into the junk folder the majority of the time. So users believe the phishing mails won’t reach them, and they think twice before they click on a suspicious email.

So have the criminals sat on their laurels? When they noticed the traditional phishing approaches returning a lower response rate they rapidly adjusted to new mediums, and we now have this new format of Smishing with two definitions, both harmful and both sophisticated enough to be impacting users. Variously taken to mean Social Media phishing or SMS phishing, they are both a progression of attackers’ approaches.

Social Media Phishing means that instead of sending the advert, fake link or message in email, they are utilising social media messaging and advertising to direct the user through to their fake site location. Getting a posting onto your Facebook page, for example, or receiving a social media message seemingly has more trust equity with users than email, with users believing fakes only come to them in email as spam. On social web sites they seemingly have entered into a different mindset of trust.

You can cheaply buy lists of Facebook login details on the web – for example a recent site was seen offering 1000 Facebook account login details for £16.50, very affordable at the worst of times. With such easy ammunition it’s not a big step for someone to utilise each of these accounts and to send personal-looking messages to all linked friends of the individual, sending a ‘have you seen this site’ message, an advert or simply a link to a fake site. Users are lulled into a greater trust of the message, not having been used to receiving this sort of message in this new, more trusted medium.

SMS Phishing involves criminals switching their attacks to target a weaker link. Users are constantly educated to maintain suspicion when opening messages in email on a PC and typically have security software running on these machines, be it antivirus, spyware protection, firewalls and other means of protection. Users have rapidly become more mobile and take for granted the ability to access the internet from devices other than their PC. Text messaging has become a ‘taken for granted’ communications medium, with many youngsters sending/receiving upwards of 100 messages a day.

Attackers have found ways to send masses of automated and believable-looking text messages to users, including URL links for the user to view.

Major PC-based web browser software now has phishing protection built in to alert the user to suspicious sites, and users generally can hover over a link to display the true web site, but on mobile phones we are not seeing the same browsers, the same versions nor the same protection levels to help users avoid malicious fake sites.

So user beware: what you see may not always be what you get, particularly in the world of the cyber transaction. When you see a message from someone you think you know, don’t assume it was them who sent it from their account. Look once, think twice before you click, whether it be an email, a social media message or a text message!

IAN MOYSE
Ian Moyse has over 25 years of experience in the IT sector, with nine of these specialising in security. For the last 8 years he has been focused on Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF) and in early 2012 was appointed to the advisory board of SaaSMax. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011 and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.
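The article above points out that on a PC a user can hover over a link to see the true destination, while on a phone that check is often unavailable. The following is an added example, not code from the article or its author, of automating that same check on the mail server or gateway side: it parses the anchors in an HTML message and flags links whose visible text promises one domain while the href points somewhere else, or whose target is a bare IP address. The sample message, the `bank.example` / `login-verify.invalid` names and the `192.0.2.10` address are constructed for the example (all reserved documentation names and addresses); the helper names are mine.

```python
"""Flag e-mail links whose visible text claims a different site than the href.

Added example for the 'hover over a link to see the true web site' check
described in the article; not the author's code. The sample message is
constructed and uses reserved example/documentation names only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain (e.g. www.bank.example)
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a> ... </a>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def href_host(href):
    """Hostname of the real link target, lower-cased ('' if unparsable)."""
    try:
        return (urlparse(href.strip()).hostname or "").lower()
    except ValueError:
        return ""


def text_host(text):
    """Hostname the visible text appears to promise, or '' if the text is not URL-like."""
    candidate = text.strip()
    if not DOMAIN_LIKE.match(candidate):
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: last two labels (adequate for .com/.net style hosts)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_mismatched_links(html):
    """Return (href, visible_text, reason) for each link a hover check would expose."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = href_host(href)
        if not target:
            continue
        promised = text_host(text)
        if promised and registered_domain(promised) != registered_domain(target):
            findings.append((href, text.strip(), "visible domain differs from link target"))
        elif is_ip_literal(target):
            findings.append((href, text.strip(), "link target is a bare IP address"))
    return findings


# Constructed sample message (not a real phishing mail). bank.example,
# login-verify.invalid and 192.0.2.10 are reserved documentation names/addresses.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Please log in at
<a href="http://bank.example.login-verify.invalid/">www.bank.example</a>
to restore access, or contact
<a href="https://www.bank.example/contact">www.bank.example/contact</a>.</p>
<p><a href="http://192.0.2.10/update">Click here</a> for the security update.</p>
"""

if __name__ == "__main__":
    for href, text, reason in find_mismatched_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run as a script it reports the first and third links and passes the second, which is the judgement a careful user makes by hovering. The registrable-domain helper is deliberately crude (two labels) and will misjudge country-code second-level domains such as `co.uk`; a production filter would use a public-suffix list.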


            01/2012                                  Page 20                               http://pentestmag.com
Cyberwar

Digital Apocalypse
The Artillery of Cyber War


Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavellian agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSec, motivated by the ease with which they can now execute high impact operations whilst avoiding detection, are just a few of the much publicised names synonymous with cyber terrorism.



The multi-dimensional characteristics of cyber space have dissolved the boundaries between the digital landscape and physical security, facilitating cyber-attacks that produce devastating impacts to critical infrastructure, as well as corporate and government assets.

Global security experts face the challenge of attempting to develop techniques to deter and prevent these global threats. This challenge is complicated further by the digital paradigm, which continues to evolve at a rate that is often considerably faster than the ability to keep up with these developments. This disparity has, unsurprisingly, created an impression, shared throughout the cyber community, that implementing strategies to control the digital domain has become unachievable. As a result of these challenges and many others, Cyber Warfare is set to be one of the greatest challenges posed to the 21st Century.

This article will examine the characteristics of Cyber War operations in order to clarify the ambiguities surrounding these concepts. Such an examination is necessary in order to ensure that the components of Cyber War are not confused with interrelated disciplines such as Information Warfare. Real world examples of Cyber Attacks will then be discussed in order to assess the “nuts and bolts” of cyber-attack operations and to examine whether the world is really prepared for the possibility of a “digital apocalypse”. Throughout the analysis this paper aims to emphasise that deterring Cyber War is the key to addressing this challenge.

Cyber Warfare – A Definition
Over the past few decades experts and academics have explored whether the possibility of a Cyber War was in fact a plausible threat. Early pioneers navigating through this new landscape had conjured up post-apocalyptic visions of the impact of Cyber War, bearing resemblances to scenes from a science fiction film. Today, Cyber War is no longer being examined from a theoretical perspective, as these dynamic threats have emerged throughout global systems and networks. Experts are no longer debating the possibility of Cyber War but what can be done to stop these threats.

Despite the widespread acknowledgement of Cyber War, the definition of these threats remains under scrutiny. Experts such as Bruce Schneier have stated that many definitions of Cyber War in current circulation are flawed, as they confuse a range of other computer security related concepts such as Information Warfare, Hacking and Network Centric Warfare. In order to clarify the ambiguities surrounding Cyber War, for the purpose of this discussion, Cyber War is defined as:


“Internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems – among many other possibilities.” (Rouse, 2010)

For the purpose of this discussion, Cyber War conflicts will be examined in terms of their impact on the physical realm, in particular their impact on critical infrastructures.

The First Warning Shots
Recorded examples of the impact of cyber-attacks on critical infrastructures have been around for over a decade. One of the earliest cyber-attacks on critical infrastructure took place in January 2000, in Queensland, Australia, where a disgruntled former employee at a manufacturing company hacked into the organisation’s computer, using privileged knowledge of the system, and took control of the Supervisory Control and Data Acquisition (SCADA) system. The protagonist was able to maliciously attack the system, causing physical pumps to release raw sewage and producing a considerable amount of damage. Although this attack does not constitute cyber warfare, it demonstrated the possibility for a digital attack to create a detrimental financial impact and create havoc on critical infrastructures. Since this time, there have been a number of attacks classed as acts of cyber war, such as the 2007 attacks launched against the Government of Estonia. In this example, attackers utilised a variety of different attack methods such as Denial of Service (DoS), website defacement and other malware. This was one of the earliest examples demonstrating the increased level of sophistication of cyber-attacks to be launched against a nation-state.

The Digital Artillery
The arsenal of a Cyber War attack consists of the usual suspects, such as DoS, attacks on DNS infrastructure, anti-forensic techniques, and wide-scale use of worms, zombies, Trojans and clichéd methods of electronic attack. However, Cyber War represents much more than a DoS attack. When assessing state-of-the-art Cyber War artillery, one name comes to mind – Stuxnet.

State-of-the-Art: Stuxnet
The ultimate state-of-the-art weapon identified in the cyber warfare arsenal, so far, is the Stuxnet worm. First launched into the digital landscape in June 2009, Stuxnet has become one of the most heavily scrutinised real world examples of Cyber Warfare attacks, with global security and technology communities still struggling to fully comprehend the complexities of its design almost two years on from its initial release. Stuxnet’s international attention has been achieved through the sheer sophistication of its design, which is composed of a comprehensive array of attack exploits and covert methods for avoiding detection. Stuxnet is the magnum opus in the malware hall of fame.

The Stuxnet worm infects computers running Windows OS, and is initially distributed via USB drives, thereby enabling it to gain access to systems logically separated from the Internet. Once access has been gained it then orchestrates a variety of exploits from its toolkit, designed to specifically target vulnerabilities its intelligent design is able to identify in the target host.

Stuxnet’s artillery includes an array of exploit methods, meticulously designed to circumvent the logical sequence of security measures, one layer at a time. Exploits included stolen digital certificates, rootkits, zero-day exploits, methods for evading anti-virus detection, hooking code, complex process injections and network injection, to name a few. These exploits however do not affect just any old computer, aside from propagating further. The extraordinarily designed piece of malware has one solitary target in mind – Industrial Control Systems/Supervisory Control and Data Acquisition* (ICS/SCADA) and attached computer systems. With a specific ICS/SCADA being targeted in Iran, Stuxnet reprograms the Programmable Logic Controller (PLC), made by Siemens, to execute in the manner that the attack designers have planned for them to operate within.

* Bruce Schneier argues that Stuxnet only targets ICS, and that press releases referring to Stuxnet as also targeting SCADA are, in his words, “technically incorrect”. For further details refer to: http://www.schneier.com/blog/archives/2010/10/stuxnet.html

While experts are still dissecting Stuxnet, it is apparent that the creation is the work of a team of highly skilled professionals. Some estimates have stated that it would have taken a team of 8–10 security experts six months to write (Schneier). Many are referring to Stuxnet’s creation as a “marksman’s job” due to its targeted approach and expert precision.

Given Stuxnet is considered to be one of the greatest malware masterpieces, the temptation


to examine its architecture in greater detail could not be resisted. Symantec’s “W32.Stuxnet Dossier Version 1.4” provides a detailed analysis delineating the technical attributes composed within Stuxnet, and this 69 page document created by members of their Security Response Team is used as the basis for the following examination. The full array of technical features is outside the scope of this article, so a brief overview of Stuxnet’s architectural components will be summarised below.

Breaking Down Stuxnet

The Core – .DLL files
At the core of Stuxnet is a large .dll file containing an array of resources, diverse exports as well as encrypted configuration blocks. In order to load these .dll files, Stuxnet has the capability to evade detection by host intrusion protection programs which monitor any LoadLibrary calls. These .dlls and encrypted configuration blocks are stored in a wrapper referred to as the ‘stub’. Two procedures are then employed to call an exported function. The extracted .dll is mapped into a memory module and calls one of the exports from the mapped .dll. A pointer to the stub is then passed as a parameter. Once the exports are called, Stuxnet then proceeds to inject the entire DLL into another process. Injected processes can include an existing or newly created arbitrary process, or a pre-selected trusted process.

The Process of Injection
Targeted trusted processes are directed at a number of standard Windows processes associated with a range of security products, including – McAfee (Mcshield.exe); Kaspersky KAV (avp.exe); Symantec (rtvscan.exe); Symantec Common Client (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe), to name a few. Stuxnet then searches the registry for any indication that McAfee, Trend PC-cillin or Kaspersky’s KAV (v.6-9) software is in operation. If Stuxnet is able to identify any of these technologies it then extracts the version, which is used to decide how to perform process injection, or whether it is unable to by-pass these security products.

Elevation of Administrative Access Rights
Another feature of Stuxnet is its ability to elevate access rights to run with the highest level of privileges possible. Stuxnet detects the level of privileges assigned to it and, if these are not Administrative Access Rights, it then executes zero-day privilege escalation attacks, such as MS10-073.

The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP or Windows 2000, the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) is exploited.

Load Points
Stuxnet loads the driver “MrxCls.sys”, which is digitally signed with a compromised Realtek certificate (which Verisign subsequently revoked). Another version of this driver was also identified to be using a digital certificate from JMicron.

The aim of Mrxcls.sys is to inject copies of Stuxnet into specific processes, therefore acting as the central load-point for exploits. Targeted processes include – Services.exe; S7tgtopx.exe; CCProjectMgr.exe.

The Target: Programmable Logic Controllers
We now arrive at Stuxnet’s ultimate goal – infecting Simatic’s Programmable Logic Controller (PLC) devices. Stuxnet accomplishes this by loading blocks of code and data (written in the SCL or STL languages) which are then executed by the PLC in order to control industrial processes. In doing so, Stuxnet is able to orchestrate a range of functions such as:

• Monitoring reads/writes of PLC blocks
• Covertly masking that the PLC is compromised
• Compromising a PLC by implementing its own blocks or infecting original blocks.

The Grand Finale
Now that Stuxnet has finally exploited the PLC it has reached its final destination, where it is then able to execute its final exploits, which are to slow down or speed up frequency motors. For example, when the frequency of a motor is running between 807Hz and 1210Hz, Stuxnet adjusts the output frequency for short periods of time to 1410Hz and subsequently to 2Hz, and then back to 1064Hz. These frequencies are typically used by centrifuges in uranium enrichment plants. Ultimately Stuxnet is designed to destabilize ICS/SCADA by changing the speeds of uranium centrifuges to sabotage operations, with the potential for devastating consequences.
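The Grand Finale section above gives concrete numbers: a normal drive band of 807–1210 Hz and excursions to 1410 Hz, 2 Hz and back to 1064 Hz. As an added example, not from the article and not Stuxnet code, the following monitor applies exactly the kind of plant-side sanity check those figures suggest: it flags any drive setpoint outside the normal band and any implausibly large jump between consecutive samples. The band and excursion values are the article's; the 50 Hz step limit and the sample trace are constructed assumptions for this example, and the function and class names are mine.

```python
"""Out-of-band sanity check on centrifuge drive-frequency setpoints.

Added example illustrating the 'Grand Finale' section of the article; it is
not Stuxnet code and not from the article. Normal band (807-1210 Hz) and the
excursion values (1410 Hz, 2 Hz, 1064 Hz) are the article's figures; the step
limit and the trace below are constructed assumptions.
"""
from dataclasses import dataclass

NORMAL_BAND_HZ = (807.0, 1210.0)  # article: frequency range of the targeted drives
MAX_STEP_HZ = 50.0                 # assumption: largest plausible change between samples


@dataclass(frozen=True)
class Alert:
    index: int          # position of the offending sample in the trace
    setpoint_hz: float  # the setpoint that triggered the alert
    reason: str         # human-readable explanation


def check_setpoints(trace, band=NORMAL_BAND_HZ, max_step=MAX_STEP_HZ):
    """Flag setpoints outside the normal band, or jumping further than max_step
    between consecutive samples. Returns a list of Alert in trace order."""
    lo, hi = band
    alerts = []
    prev = None
    for i, hz in enumerate(trace):
        if not lo <= hz <= hi:
            alerts.append(Alert(i, hz, f"outside normal band {lo:.0f}-{hi:.0f} Hz"))
        elif prev is not None and abs(hz - prev) > max_step:
            alerts.append(Alert(i, hz, f"step of {abs(hz - prev):.0f} Hz exceeds {max_step:.0f} Hz"))
        prev = hz
    return alerts


# Constructed trace: steady running, then the excursion pattern the article describes
SAMPLE_TRACE = [1064.0, 1064.0, 1065.0, 1410.0, 1410.0, 2.0, 2.0, 1064.0, 1064.0]

if __name__ == "__main__":
    for a in check_setpoints(SAMPLE_TRACE):
        print(f"sample {a.index}: {a.setpoint_hz:.0f} Hz - {a.reason}")
```

The caveat that matters most follows directly from the bullet list above: Stuxnet covertly masks that the PLC is compromised, so a check like this is only worth running on readings taken independently of the controller (a separate meter or sensor feed), never on the values the PLC itself reports back.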


Little Brother – Duqu
In September 2011, researchers at the Budapest University’s Laboratory for Cryptography and System Security (CrySyS) made the alarming discovery of a Trojan resembling Stuxnet. Their fears were confirmed after dissecting this new threat revealed components that were close to identical to Stuxnet, indicating that the writers were indeed the same authors, or persons with access to the source code of Stuxnet. They labelled this new threat “Duqu” due to its design, in which it creates file names with the prefix ~DQ.

Duqu is a remote access Trojan designed to steal information from the victim machine and to act as a precursor to a future malware attack, similar to the Stuxnet operation. Duqu is designed to act in much the same way as a reconnaissance agent gathering intelligence from a variety of targets, and like Stuxnet, Duqu’s primary targets are industrial infrastructure. Data sources collected by this Trojan include design documents, keystroke records and other system information. Once this intelligence has been gathered by the Trojan, it is then returned to the command and control servers, over HTTP and HTTPS, positioned across global locations such as China, Germany, Vietnam, India and Belgium. This information can then be used by Duqu’s creators to launch a premeditated cyber assault against the designated target. By default Duqu is designed to operate for a set period of time (either 30 or 36 days depending on the configuration), after which Duqu will automatically remove itself from the system. A comparison of Duqu and Stuxnet demonstrates:

• Duqu’s executables were created using the same source code as Stuxnet.
• Duqu’s payload bears no similarity to that of Stuxnet. Duqu’s payload is written with the intention of providing remote access capabilities, whereas Stuxnet’s payload is designed to sabotage an ICS/SCADA.
• Duqu’s payload aims to capture keystrokes and system information rather than modify target systems.
• Duqu (being a Trojan) does not contain any self-propagation capabilities as found in worms like Stuxnet.
• Duqu in one example is distributed by attackers using a specially crafted email containing a Word document which exploits an unpatched 0-day vulnerability to
• Like Stuxnet, Duqu’s utilities include stolen signing certificates for signing drivers, stolen from a company in Taiwan, with an expiry date of August 2nd 2011. These certificates were later revoked on October 14th 2011.

The resemblances in design between Stuxnet and Duqu indicate that they were most likely developed by the same authors. Kaspersky Lab’s analysts examining the source code of both programs state that – “We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers”.

The Launch Pad – Tilded
How did Stuxnet and Duqu manage to launch some of the most effective cyber-attacks on record so far? The “launch pad” for this cyber artillery goes by the name of Tilded.

The Tilded platform is modular in nature and is designed to conceal the activities of malicious software by employing techniques such as encryption, thereby evading detection by anti-virus solutions. By utilising the Tilded platform, developers of cyber weapons can simply change the payload, encryption techniques or configuration files in order to launch any number of exploits against a range of targets. File naming conventions used by Tilded’s developers employed the tilde symbol and the letter “d”; combining the two resulted in adopting the name – Tilded. The Tilded team of developers however still remain unknown.

What we do know about Tilded is that it has undergone significant changes since its inception in 2007, with subsequent revisions created through to 2010. The researchers at Kaspersky have been able to confirm that a number of projects were undertaken during this period in which programs based on the “Tilded” platform were circulated in cyberspace, Stuxnet and Duqu being two examples. Other researchers have indicated another variant exists: the Stars worm (also targeting ICS/SCADA systems) resembles Stuxnet. How many other programs have also been created but may not yet have been detected remains to be determined. What is clear is that as Tilded and similar programs continue to develop, we will see enhanced prototypes being catapulted into the digital limelight.

Are We Prepared for a Digital Apocalypse?
On May 6th 2012, the US Department of Homeland Security reported that a major Cy-


            01/2012                                Page 25                           http://pentestmag.com
Pen test free_01_2012

  • 2. ITOnlinelearning offers Network Security courses for the beginner through to the professional. From the CompTIA Security+ through to CISSP, Certified Ethical Hacker (CEH), Certified Hacking Forensic Investigator (CHFI) and Security Analyst/Licensed Penetration tester (ECSA/LPT). Tailored Advice and Discounts 0800-160-1161 or Please Call one of our Course Advisors for help and Tailored Advice -during office hours (Mon-Fri 9am-5.30pm) Telephone: 0800-160-1161 International: +44 1795 436969 Email: sales@itonlinelearning.co.uk support@itonlinelearning.co.uk Registered Office: 16 Rose Walk, Sittingbourne, Kent, ME10 4EW
  • 3. Global I.T. Security Training & Consulting www.mile2.com IS YOUR NETWORK SECURE? In February 2002, Mile2 was established in response to the TM critical need for an international team of IT security training experts to mitigate threats to national and corporate secu- rity far beyond USA borders in the aftermath of 9/11. mile2 Boot Camps A Network breach... Could cost your Job! Available Training Formats 1. F2F Classroom Based Training GENERAL SECURITY TRAINING 2. CBT Self Paced CBT CISSPTM CISSP & Exam Prep 3. LOT Live Online Training C)ISSO Certified Information Systems Security Officer 4. KIT Study Kits & Exams C)SLO Certified Security Leadership Officer 5. LHE Live Hacking Labs (War-Room) ISCAP Info. Sys. Certification & Accred. Professional Worldwide Locations PENETRATION TESTING (AKA ETHICAL HACKING) Other New Courses!! C)PTETM Certified Penetration Testing Engineer ITIL Foundations v.3 & v.4 C)PTCTM Certified Penetration Testing Consultant CompTIA Security+, Network+ ISC2 CISSP & CAP SECURE CODING TRAINING C)SCETM Certified Secure Coding Engineer SANS GSLC GIAC Sec. Leadership Course SANS 440 Top 20 Security Controls WIRELESS SECURITY TRAINING SANS GCIH GIAC Cert Incident Handler C)WSETM Certified Wireless Security Engineer C)WNA/PTM Certified Wireless Network Associate / Professional We practice what DR&BCP TRAINING we teach..... INFORMATION ASSURANCE DR/BCP Disaster Recovery & Business Continuity Planning SERVICES Other Mile2 services available Globally: 1. Penetration Testing VIRTUALIZATION BEST PRACTICES 2. Vulnerability Assessments C)SVMETM Certified Secure Virtual Machine Engineer 3. Forensics Analysis & Expert Witnesses 4. PCI Compliance DIGITAL FORENSICS 5. Disaster Recovery & Business Continuity C)DFETM Certified Digital Forensics Examiner (ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of 1-800-81-MILE2 CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. 
+1-813-920-6799 11928 Sheldon Rd Tampa, FL 33626
  • 4. F R E E Editors note Dear Readers! Attacks Get it on with ZAP 06by Gareth Watters To thank you for your support with creating PenTest community we decided to publish PenTest Free. Every month you will get five great articles that will Let’s take a look around Zed Attack Proxy and see what teach and keep you up to date with IT security is- it’s all about, but before we go on let’s emphasize some of sues. the greatest ZAP’s attributes. It’s easy, it’s free and open In the first issue you will find articles devoted to source, ZAP in fully internationalized, has extensive user attacks. We have chosen the most popular titles and guides and unlike some similar tools, has the ability to here you can read the best articles devoted to Zed save sessions to go back to later for reports, which is an Attack Proxy, internationalized, free and of great imperative requirement for pen testers as report writing help as far as report writing is concerned. Probe Re- tends sometimes not to be our strongest area. quest Based Attack article is a great technical tuto- Wireless Eurynomus: A Wireless 14(802.11) Probe Request Based Attack rial for anyone interested in wireless attacks. Can we train a computer user to be sufficiently security liter- ate? What's the best way to defend one from phish- by Hitesh Choudhary and Pankaj Moolrajani ing attacks? You can read about this in the article of In the recent years, the proliferation of laptop computers Ian Moyse. and smart phones has caused an increase in the range of In the section Cyberwar you can read about digi- places people perform computing. At the same time, net- tal frontier and the impact of cyber attacks on our work connectivity is becoming an increasingly integral lives. Are we living in the times of an ongoing cy- part of computing environments. berwar? See what our author has to say about this Securing Users from Phishing, 18Smishing & Social Media Attacks problem. 
Last but not least, we would like you to read article about pentesting SCADA written by our regular author Stefano Maccaglia. by Ian Moyse I hope that you will find this issue a valuable com- Some experts believe one of the best solutions pilation and encouragement to stay with us for good. to thwart phishing attacks is end-user training, If you have any suggestions for us concerning top- but can we really train every computer user ics, problems you want to read about or people you to be sufficiently security literate? Will it would like to know better thanks to PenTest please, ever be the case that anyone can distin- feel free to contact us at en@pentestmag.com. guish a phishing message from a genu- ine bank email? Thank you all for your great support and invalu- able help. Enjoy reading! Malgorzata Skora & PenTest Team 01/2012
  • 5. F R E CONTENTS E Cyberwar Digital Apocalypse: The Artillery of Cyber 22War by Cecilia McGuire Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavelli agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSecare, moti- vated by the ease in which they can now execute high impact TEAM operations whilst avoiding detection, are just a few of the much Supportive Editor: Ewa Dudzic publicized names synonymous with cyber terrorism. The multi- ewa.dudzic@software.com.pl dimensional characteristics of cyber space have dissolved the Product Manager: Małgorzata Skóra boundaries between digital landscape and physical security, fa- malgorzata.skora@pentestmag.com cilitating cyber-attacks that produce devastating impacts to criti- Betatesters / Proofreaders: Robert Keeler, Daniel Wood, cal infrastructure, as well as Corporate and Government assets. Scott Christie, Massimo Buso, Hussein Rajabali, Aidan Carty, Jonathan Ringler, Thomas Butler, Dan Felts, Gareth Watters, SCADA Stefanus Natahusada, Francesco Consiglio, Harish Chaudhary, Wilson Tineo Moronta, Scott Stewart, Richard Harold, The Box holes. Pen Testing a SCADA plat- Ryan Oberto, William R. Whitney III, Marcelo Zúñiga Torres 28 form Senior Consultant/Publisher: Paweł Marciniak by Stefano Maccaglia In the last decade SCADA systems have moved from propri- CEO: Ewa Dudzic ewa.dudzic@software.com.pl etary, closed, networks to open source solutions and TCP/ IP enabled networks. Their original “security through ob- Art Director: Ireneusz Pogroszewski scurity” approach, in terms of protection against un- ireneusz.pogroszewski@software.com.pl authorized access, has fallen, together with their in- DTP: Ireneusz Pogroszewski terconnection limits. 
This has made them open to Production Director: Andrzej Kuca communicate with the rest of the world, but vul- andrzej.kuca@software.com.pl nerable, as our traditional computer networks. Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType™ DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
  • 6. F R E E attack Get it on with Zed Attack Proxy Let’s take a look around Zed Attack Proxy and see what it’s all about, but before we go on Iet’s emphasize some of the greatest ZAP’s attributes. It's easy, it’s free and open source, ZAP is fully internationalized, has extensive user guides and unlike some similar tools, has the ability to save sessions – a great help as far as writing reports is concerned. Y ou can download Zed Attack Proxy from code.google.com/p/zaproxy/wiki/HelpStartProx- http://code.google.com/p/zaproxy/. Note: If ies. you don’t already have it installed, you need When you open ZAP for the first time you will be to download and install java http://www.java.com. prompted to create an SSL Root CA Certificate as ZAP is at it’s heart an interception proxy and has in Figure 2. In the context of this article, we will be to be configured in-line between your browser and working with the secure login to a vulnerable web your application. For instructions to configure ZAP application. Therefore we shall create a SSL Root as a proxy for all the major browsers go to http:// CA certificate. Figure 1. Setup of ZAP for use in a Penetration Test 01/2012 Page 6 http://pentestmag.com
  • 7. F R E E Option Dynamic SSL Certificates tem (browser). In other words when you’re not OWASP ZAP allows you to transparently decrypt testing in a safe environment, but on productive SSL connections. For doing so, ZAP has to encrypt machines, be aware that you could be opening an each request before sending to the server and de- additional attack vector to your system if your cer- crypt each response, which comes back. But, this tificate was in the wrong hands. ZAP generates a is already done by the browser. That’s why, the on- certificate that is unique to you, so keep this cer- ly way to decrypt or intercept the transmission, is tificate safe. to do a ‘man in the middle’ approach. Next you configure ZAP’s Local Proxy port: Go To Tools -> Options -> Local Proxy -> localport Set- Overview tings: Localhost 8090. In other words, all data sent to and received from Then configure your browser to use ZAP as a the server is encrypted/decrypted by using the proxy. In this example we are using Firefox run- original server’s certificate inside ZAP. This way, ning Foxyproxy: Go To Edit ->- Preferences -> Net- ZAP knows the plain text. To establish a SSL pro- works – > Settings -> Choose to Use ZAP for all tected session from you (your browser), ZAP is URLs. using it’s own certificate. This is the one you can Now you’re ready to go. All you need is your tar- create. Every certificate created by ZAP will be get application (Pentester) or your own Web Appli- signed for the same server name. This way, your cation that’s under development (Developer). for browser will do regular SSL encryption. the context of this article we will use DVWA (Damn Import Certificate in to Mozilla Firefox – Firefox Vulnerable Web Application) is using it’s own certificate store. 
Installation and late on validation is done in the same preferences DVWA – Damn Vulnerable Web App dialog: (User: admin Password: password) Damn Vulnerable Web App (DVWA) is a PHP/ • Go to Preferences MySQL web application that is damn vulnerable. • Tab Advanced It’s main goals are to be an aid for security profes- • Tab Cryptography/Certificates sionals to test their skills and tools in a legal envi- • Click View certificates ronment, help web developers better understand • Click tab Trusted root certificates the processes of securing web applications and • Click Import and choose the saved owasp_ aid teachers/students to teach/learn web applica- zap_root_ca.cer file tion security in a class room environment. • In the wizard choose to trust this certificate to identify web sites (check on the boxes) WARNING! • Finalize the wizard Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider’s pub- Attention Risks lic html folder or any working web server as it will When adding self generated Root CA certificates be hacked. I recommend downloading and install- to your list of trusted root certificates, anyone with ing XAMPP onto a local machine inside your LAN the root certificate can smuggle data into your sys- which is used solely for testing. http://code.google. com/p/dvwa/ Tip If you fancy skipping past the installation and setup of dvwa, I suggest downloading SamuraiWTF, you will find that this great distro already has DVWA al- ready installed setup and ready to go. The next thing to do for a beginner new to de- velopment or pentesting is explain how ZAP’s ad- vanced components can be useful as a tools in a basic web application penetration test. Basic Web Application Penetration Test: Recon -> Mapping -> Discovery/Enumeration -> Exploi- Figure 2. SSL Root CA Certificate tation. 01/2012 Page 7 http://pentestmag.com
  • 8. F R E E attack ZAP is useful in the Mapping context using the • Sites tab – A Hierarchical representation of proxy and spider. ZAP is useful in the Discovery con- your application text with the active vulnerability scanner and fuzzer, • History Tab – Lists all the requests (GET/ brute forcing web directories and files with DirBuster. POST) and the order they are made ZAP is useful in the Exploitation phases when • Search tab – Search ZAP gathered information you combine it’s findings with exploitation tools • Port Scan – a basic port scanner allows you to such as like SQLMap,BeEf and Metasploit. scan and shows which ports are open on the target sites. Basic Web Application Penetration Test • Output tab – This shows various informational – Mapping messages.These can include the stack traces To do comprehensive mapping, you must navigate of unexpected exceptions through your web application. Ensure to follow and • Alerts tab – Shows you any potential issues explore through all of the functionality of the appli- and vulnerabilities ZAP has found. (See Ex- cation. Click each link, traverse through all tabs and ploitation for more info.) areas of your application. Press all buttons, fill in and submit all forms. If your application supports Click on entries in Sites or History – correspond- multiple roles then do this for each of the roles e.g. ing requests and responses will be visible in the User, Admin. Note: In order to use multiple roles, it’s Request and Response Tabs If you right-click on best to save each role as a separate ZAP sessions. any item – A whole load of extra options and func- Zap maps out the web application in a hierarchi- tionality becomes available. cal manner as in the sites tab displayed in Figure 3. Zap passively scans the Requests and Re- The lower pane brings together all the tabs for web sponses and reports any potential problems, application pen. testing in a universal status bar. but does not submit any responses on your behalf. 
Tip In Zap – Double click on a tab and it the tab for a Spider better view – Double click and it will revert back to Can be activated by the play button on the Spider the lower status bar. tab or Right-Click Attack on the sites tree. Figure 3. A completed mapping of DVWA 01/2012 Page 8 http://pentestmag.com
  • 9. F R E E The spider looks for pages that weren’t found in those hidden files and directories. And if that was the manual recon/mapping. Running the spider, not enough DirBuster also has the option to per- will crawl the website and find URLs that you may form a pure brute force, which leaves the hidden have missed are hidden. It places them in the directories and files nowhere to hide! Sites page with a spider icon. It is recommend to manually explore and map the web application Tip first and then use spider. If the spider does find ZAP also allows for custom files to be used, in the unseen links, revert back through the application SamuraiWTF training course we used CeWL (Cus- through your browser and visit those URLs. tom Word List generator) by DigiNinja. CeWL is a ruby app which spiders a given url to a specified Tip depth, optionally following external links, and re- A good crawl will enable you to have a better ac- turns a list of words which can then be used for tive scan. password crackers such as John the Ripper. John the Ripper can aswell be used to create a wordlist Basic Penetration Test – Discovery that has different versions of the words that CeWL Active scanner collected for example – ex@mpl3 These custom Active vulnerability scanner attacks the application wordlists can then be imported and used by ZAP and performs a number of known attacks. for Brute Forcing and Fuzzing. Active scanner is there to find basic vulnerabili- ties (Only to be used in development environment Fuzzer unless explicitly permitted in writing by the Web ZAP also has fuzzing capabilities through its in- App. owner in case of a Penetration test – It is ille- tegrated use of yet another OWASP Project gal to run active scans without legal consent). JBroFuzz. 
‘Fuzz testing or fuzzing is a software Damn Vulnerable Web Application (DVWA) as it testing technique, often automated or semi-au- is aptly named is an excellent resource for viewing, tomated, that involves providing invalid, unex- and learning about vulnerabilities. Once you’ve pected, or random data to the inputs of a com- completed the above steps above you should be puter program. The program is then monitored able to see the results of the mappings and vulner- for exceptions such as crashes or failing built-in abilities in your application in the Alerts tab Imme- code assertions or for finding potential memory diately you can see a number of alerts for vulner- leaks. Fuzzing is commonly used to test for se- abilities found. curity problems in software or computer systems’ - Wikipedia’ Brute Force To Fuzz a request string such as a password: Use the brute force scanner to find unreferenced files and directories. You can use the built in or • Select a request in the Sites or History tab custom input files for Brute Force Scanner. ZAP • Highlight the string you wish to fuzz in the re- Uses OWASP DirBuster and Fuzzing using anoth- quest tab er OWASP Project JBroFuzz and Fuzzdb • Right-click in the Request tab and select ‘Fuzz’ ZAP uses OWASP DirBuster, a multi threaded • Select the Fuzz Category and one or more of java application designed to brute force directories the Fuzzers and files names on web/application servers. Often • Press the Fuzz Button is the case now of what looks like a web server in • The results will then be listed in the Fuzzer tab a state of default installation is actually not, and • Select them to see the full requests and re- has pages and applications hidden within. DirBus- sponses ter attempts to find these. However tools of this nature are often as only Additional fuzzing text files are added continu- good as the directory and file list they come with. 
01/2012 Page 9 http://pentestmag.com

A different approach was taken to generating DirBuster. The DirBuster list was generated from scratch, by crawling the Internet and collecting the directories and files that are actually used by developers! DirBuster comes with a total of 9 different lists; this makes DirBuster extremely effective at finding

ously with each ZAP release and, as stated earlier, you can also create and import your own custom files.

Manual test
The above steps will find basic vulnerabilities. More vulnerabilities become apparent when you manually test the application by giving it some data, trying logins etc. In an advanced web application penetration test scenario, a number of other tools such as Nikto, Curl, SQLMap, Cewl etc. would be used. See the OWASP Testing Guide for more details on comprehensive Penetration Testing at https://www.owasp.org/index.php/OWASP_Testing_Project.

Basic Penetration Test – Exploitation
Once you have performed your basic pentest mapping and discovery, you are ready for exploitation or remediation depending on your role, developer or pentester. The considerable information that ZAP provides under the Alerts tab is key to a pentester’s next move.

Alerts
ZAP provides comprehensive information relating to all alerts and vulnerabilities it finds. All the exploitation material you need is here, listing active and passive vulnerabilities. Each alert gets flagged in the History tab and gets a Risk Rating – Informational, Low, Medium or High. Also, they get an alert reliability rating – False Positive, Suspicious, Warning.

Tip
I find it easiest at this point to review the alerts if you expand the Alert tab by double clicking it as in Figure 4.

For each alert a description is provided. You can save your own developer/pentester specific information about a particular alert in the ‘Other info’ tab, and best of all there is a solution and reference material provided for the alert. You will see how intuitive and educationally beneficial ZAP really is to developers/pentesters, especially ones in the early stages of their careers.

Break Points
A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using JavaScript). It is an essential penetration testing technique. You can set a ‘global’ break point on requests and/or responses using the buttons on the top level toolbar. All requests and/or responses will then be intercepted by ZAP, allowing you to change anything before allowing the request or response to continue. You can also set break points on specific URLs using the “Break...” right click menu on the Sites and History tabs. Only those URLs will be intercepted by ZAP. URL specific break points are shown in the Break Points tab.

Anti CSRF Tokens
Another advanced feature of ZAP that is not readily available in similar, free versions of tools in this

Figure 4. Alerts tab expanded
area is Anti-CSRF token handling and token generation. CSRF vulnerabilities occur because of the way that browsers automatically submit cookies back to an issuing web server with each subsequent request. If a web application relies solely on HTTP cookies for tracking sessions, it will inherently be at risk from an attack like this.

Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. These tokens may make a penetration tester’s job hard if the tokens are regenerated every time a form is requested. ZAP detects anti CSRF tokens by attribute names – the list of attribute names considered to be anti CSRF tokens can be edited using the Tools->Options->Anti-CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token. The active scanner and the fuzzer both have options which cause ZAP to automatically regenerate the tokens when it is required. If fuzzing a form with anti CSRF tokens on it, ZAP can regenerate the token for each of the payloads you want to fuzz with.

If you are a developer testing your own web application, make sure the names of your anti-CSRF tokens are included in ZAP for ease of use.

It’s clear to see that considerable effort has been embedded in Zed Attack Proxy by Simon Bennetts and Axel Neumann and also the global community of developers and individuals contributing. ZAP was an app built by a developer, for a developer, and you can tell. It has subsequently been adopted by an international community of information security professionals.

ZAP – Fully Automated Security Tests
To conclude this extensive article, I am going to change the context of how we see use of ZAP and show how functional testing can be improved, even fully automated, and with security added in to the process. Sounds good eh!

Many Web developers use applications like Selenium, Webdriver and Watir to test their Web-Applications. In this example we are using Selenium to drive the browser. Selenium records your actions in the browser such as mapping, clicking, inputs etc. and then can re-test doing exactly the same tests while you complete iterations of, say, a web application under development.

Seleniumhq.org
‘Selenium automates browsers. That’s it. What you do with that power is entirely up to you. Primarily it is for automating web applications for testing purposes, but is certainly not limited to just that. Boring web-based administration tasks can (and should!) also be automated as well. Selenium has the support of some of the largest browser vendors who have taken (or are taking) steps to make Selenium a native part of their browser. It is also the core technology in countless other browser automation tools, APIs and frameworks.’

Figure 5. Example ZAP setup for fully automated regression tests with security testing

A build tool such as Apache Ant can control a tool like Selenium which will drive the browser. We can then insert ZAP as a proxy and also drive ZAP from the Apache Ant build tool as in Figure 5. So Selenium records and drives a browser with ZAP inserted as an intercepting proxy. This can be very useful for functional and regression tests and is a very effective way of testing web UIs. Developers can write test cases to use their apps in the way they expect users to use them and then implement, record and re-test them with Selenium. Regression tests give you a level of confidence that any changes you have made haven’t caused any issues or broken anything. They can’t test everything, so you still want QA to give your application a good independent test.

In the above example we would use Apache Ant to control ZAP by the REST API, to kick off things like the spider and active scanner. This gives some levels of automated security testing that you can use in your continuous integration. The mapping/spider can be set to complete first, then the active scanner would be run. The REST API is asynchronous and the build tool will poll the scanner to see how it has progressed.

ZAP will detect passive vulnerabilities such as missing HttpOnly or Secure Cookie Flags, whereas the active scanner finds critical XSS, SQLi and other vulnerabilities. It is important to remember that there are some types of errors that can not be found with automated scanning, so it’s important, if security is taken seriously in your organisation, to have the security team perform a review and penetration test of your application. By using ZAP in this way, the basic vulnerabilities in your web application should have been found and can then be fixed in the early stages of the development lifecycle.

For more information and a full video example go to Simon Bennetts’ video tutorial: http://code.google.com/p/zaproxy/wiki/SecRegTests.

Summary
If you’re a developer interested in security or a professional pen tester, ZAP definitely has something for you. It is a powerful tool to aid developers and QA testers with easily integrating security in to the SDLC and also serves from beginner up to advanced penetration testers in their line of duty.

It’s going to take a lot of work to change the culture of Information Security. It’s a risk management project on a grand scale. Get involved, educate, spread the word, take action and help change the culture.

The extensible architecture and constant development of ZAP makes for an exciting future for this Open Source project. For full instructions and a wealth of ZAP information, see the OWASP project page:

WARNING
Active scans must not be performed on public websites without the owner’s written permission as it is illegal.

References
Thanks to Simon Bennetts (@psiinon) and Axel Neumann (@a_c_neumann), OWASP, ZAP Guide & Creative Commons Attribute Share-alike License:
• https://www.owasp.org/index.php/ZAP
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• http://www.owasp.org
• https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
• https://www.owasp.org/index.php/JBroFuzz
• http://samurai.inguardians.com/
• Justin Searle (@meeas)

Google Summer Of Code 2012 Projects
There are 3 ZAP related Google Summer of Code projects:
• Redesign of site crawler with sessions awareness – Student: Cosmin Stefan – Org: OWASP – Mentor: Simon Bennetts
• Enhanced AJAX integration – Student: Guifre Ruiz – Org: OWASP – Mentor: Skyler Onken
• Websocket Testing Tool – Student: Robert Koch – Org: Mozilla – Mentor: Yvan Boily
‘This is really great news – it’s a great opportunity for the students to work on a high profile security project, and ZAP will be significantly enhanced by their work!’ – Simon Bennetts, http://code.google.com/p/zaproxy/wiki/GSoC2012.

Gareth Watters (@gwatters) – CISSP, CISA, CPTE, MCSE, ITIL
Gareth Watters is an Information Security specialist based out of Melbourne, Australia.
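The Anti CSRF Tokens section above explains why cookie-only session tracking is exposed and how a per-form random token closes the gap. The following Python is an added illustration, not the article's or ZAP's own code: it models a server that rejects a forged cross-site POST once tokens are required, regenerates the token every time the form is served (the case the text says makes a tester's life hard), and finishes with a small scanner helper that, like ZAP's attribute-name list, recognises token fields purely by their input name. The class and function names, the session model and the TOKEN_NAMES list are all assumptions made for this example.

```python
"""Server-side anti-CSRF tokens (added example; not from the article or ZAP).
All names below are invented for the illustration."""
import hmac
import secrets
from html.parser import HTMLParser


class SessionStore:
    """Server-side sessions keyed by the value of the session cookie."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf_tokens": set()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_form(store, sid):
    """Serve a form: mint a fresh token, remember it in the session and
    return it (it would travel to the browser in a hidden <input>)."""
    session = store.get(sid)
    if session is None:
        raise PermissionError("no session")
    token = secrets.token_urlsafe(32)
    session["csrf_tokens"].add(token)
    return token


def handle_post(store, request, require_token=True):
    """Process a state-changing POST. `request` models what the browser
    sent: the session cookie plus the form fields. Returns an HTTP status."""
    session = store.get(request.get("cookie_sid"))
    if session is None:
        return 403
    if not require_token:
        return 200  # cookie-only check: the CSRF-prone behaviour
    submitted = request.get("form", {}).get("csrf_token", "")
    for token in list(session["csrf_tokens"]):
        # constant-time comparison; each token is accepted only once
        if hmac.compare_digest(submitted.encode(), token.encode()):
            session["csrf_tokens"].discard(token)
            return 200
    return 403


# Common anti-CSRF field names (illustrative; ZAP keeps its own editable
# list under Tools->Options->Anti-CSRF).
TOKEN_NAMES = {"csrf_token", "_csrf", "csrfmiddlewaretoken",
               "authenticity_token", "__RequestVerificationToken"}


class TokenFieldFinder(HTMLParser):
    """Collect hidden inputs whose name matches a known anti-CSRF name."""

    def __init__(self, names=TOKEN_NAMES):
        super().__init__()
        self.names = names
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if (tag == "input" and (a.get("type") or "").lower() == "hidden"
                and a.get("name") in self.names):
            self.found.append((a["name"], a.get("value") or ""))


def find_anti_csrf_fields(html, names=TOKEN_NAMES):
    finder = TokenFieldFinder(names)
    finder.feed(html)
    return finder.found


def demo():
    """Returns four statuses: forged POST with cookie-only check, forged POST
    with token check, genuine submission, and replay of the same token."""
    store = SessionStore()
    sid = store.new_session()
    # Forged cross-site POST: the cookie rides along automatically, but the
    # attacker's page cannot read the token out of the victim's form.
    forged = {"cookie_sid": sid, "form": {"amount": "100"}}
    vulnerable = handle_post(store, forged, require_token=False)
    protected = handle_post(store, forged)
    # Genuine flow: fetch the form (token minted), then submit it once.
    token = render_form(store, sid)
    genuine = {"cookie_sid": sid,
               "form": {"amount": "100", "csrf_token": token}}
    first = handle_post(store, genuine)
    replay = handle_post(store, genuine)
    return vulnerable, protected, first, replay


if __name__ == "__main__":
    print(demo())
    print(find_anti_csrf_fields(
        '<form><input type="hidden" name="csrf_token" value="abc"></form>'))
```

The single-use token set is what forces a scanner to fetch the form again before every payload, which is exactly the regeneration option the article says ZAP's active scanner and fuzzer provide.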
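The "ZAP – Fully Automated Security Tests" section above describes driving ZAP from a build tool over its asynchronous REST API: start the spider, poll until it completes, start the active scanner, poll again, then act on the alerts. The Python below is an added example of that flow, not the article's, ZAP's or Apache Ant's code. The endpoint paths follow ZAP's JSON API layout as it exists today (JSON/<component>/<action|view>/<name>/); the 2012 build the article used may have exposed different names. The target URL, API key, and the `fetch`/`sleep` hooks are assumptions, and the hooks are injectable so the orchestration can be exercised without a running ZAP.

```python
"""Driving ZAP's REST API from a build step (added example, not the
article's or ZAP's own). Endpoint paths are today's ZAP JSON API layout."""
import json
import time
import urllib.parse
import urllib.request


def api_url(base_url, path, params, api_key=None):
    """Build a ZAP API URL such as .../JSON/spider/action/scan/?url=..."""
    query = dict(params)
    if api_key:
        query["apikey"] = api_key
    return f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(query)}"


def http_json(url):
    """Default fetch: GET the URL from a running ZAP and decode the JSON."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until_done(fetch, status_url, sleep, max_polls):
    """Scans are asynchronous: poll the view endpoint until it reports 100."""
    for _ in range(max_polls):
        status = int(fetch(status_url)["status"])
        if status >= 100:
            return status
        sleep(2)
    raise TimeoutError(f"scan did not finish: {status_url}")


def run_security_regression(target, base_url="http://127.0.0.1:8080",
                            api_key=None, fetch=http_json,
                            sleep=time.sleep, max_polls=300):
    """Spider first, then active scan, then collect the alerts for `target`.
    Selenium has already driven the browser through ZAP at this point, so
    the Sites tree holds the pages the spider and scanner start from."""
    spider_id = fetch(api_url(base_url, "JSON/spider/action/scan/",
                              {"url": target}, api_key))["scan"]
    wait_until_done(fetch, api_url(base_url, "JSON/spider/view/status/",
                                   {"scanId": spider_id}, api_key),
                    sleep, max_polls)
    ascan_id = fetch(api_url(base_url, "JSON/ascan/action/scan/",
                             {"url": target}, api_key))["scan"]
    wait_until_done(fetch, api_url(base_url, "JSON/ascan/view/status/",
                                   {"scanId": ascan_id}, api_key),
                    sleep, max_polls)
    return fetch(api_url(base_url, "JSON/core/view/alerts/",
                         {"baseurl": target}, api_key))["alerts"]


def gate_build(alerts, fail_on=("High", "Medium")):
    """Count alerts per risk level and decide whether the build passes."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    failing = sum(counts.get(risk, 0) for risk in fail_on)
    return counts, failing == 0


if __name__ == "__main__":
    # Placeholder target and key: point these at your own ZAP and app.
    found = run_security_regression("http://localhost:8000", api_key="changeme")
    summary, passed = gate_build(found)
    print(summary, "PASS" if passed else "FAIL")
```

Polling with a bounded number of attempts matters in CI: a scanner that hangs should fail the job with a clear TimeoutError rather than stall the pipeline, and gating only on High and Medium keeps the passive Low findings (such as missing cookie flags) visible without blocking every build.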
Virscent Technologies Pvt. Ltd., a brainchild of a team of IIT Kharagpur graduates, has been incubated in E-Cell IIT Kharagpur. It is an IT Solutions & Training Company, offering Web, Security and Network Solutions, IT Consulting and Support Services to numerous clients across the globe.

We provide the following services:
a. Penetration Testing
b. Multimedia Services
c. Web Development
d. Training:
   a. Corporate Training
   b. Classroom Training
   c. Training programs for Educational Institutions

Our Partners:
1. E-Cell IIT Kharagpur
2. Education Project Council of India

Website: www.virscent.com
Blog: www.virscent.com/blog
Eurynomus: A Wireless (802.11) Probe Request Based Attack

In recent years, the proliferation of laptop computers and smart phones has caused an increase in the range of places people perform computing. At the same time, network connectivity is becoming an increasingly integral part of computing environments.

As a result, wireless networks of various kinds have gained much popularity. But with the added convenience of wireless access come new problems, not the least of which are heightened security concerns. When transmissions are broadcast over radio waves, interception and masquerading become trivial to anyone with a radio, and so there is a need to employ additional mechanisms to protect the communications.

In this article we want to focus on some of the hidden flaws that were never taken seriously. Auto-connect is a simple and one of the most conniving facilities provided by all the clients of wireless Access Points. This feature can also be used to compromise a client, and the attack is counted as one of the deadliest silent attacks.

Target Audience
This attack can affect any of the technical and non-technical users of the 802.11 interface. But the technical details of this attack require usage of Wireshark, a little understanding of packet details

Figure 1. Non-data transfer
Figure 2. Data transfer to the Internet
over wireless and some of the details about the probe and beacon frames.

Scope Of Attack
This attack is almost new born to the world of wireless and the Internet. This attack is fully capable of creating an intermediate connection between any client and attacker. Talking about the scope of this attack, it can be of wide variety. For example, if an attacker walks into a company’s premises and just by monitoring the air, he can easily find out the probes in the air and can attack any laptop or he can attack any smartphone and can collect contact details of clients. This is just a simple scenario; cases can be like the T.J. Maxx credit card incident (http://news.cnet.com/2100-7348_3-6169450.html).

Flow Diagrams For Attacks
Case 1
Attacker just wants to have connectivity (Non-data transfer; Figure 1). In this scenario, the attacker just wants to have connectivity over the victim; after that he might be interested to do some of the post tasks like launching a Metasploit module or some of the custom coded exploits. And since the victim is only sending the gratuitous request, he will only get some connectivity to the attacker’s fictitious network. After that no data transfer will happen because of lack of internet connectivity.

Case 2
Attacker wants to have connectivity as well as data transfer to the Internet (Figure 2). In this scenario, the attacker wants the victim to connect with the attacker’s machine so he could send the data packets to the Internet. In this case he only wants to monitor the data.

Figure 3. Connecting over the Access point
Figure 4. Implementation

Hardware And Software Requirements
To perform this attack, we will need an entire lab setup with specific software requirements and some hardware requirements. Hardware requirements include:

• Access point
• 2 laptops (1 as attacker and 1 as victim)
• Wireless card (internal or external)
• 1 smartphone (optional requirement)

Software requirements

• Backtrack operating system (4-revision2 or higher version).
• All other required tools are preconfigured in it.

Understanding Probes And Beacons
When a client turns on its wireless interface, at the same time the wireless interface starts to send many probe requests to find if there is an access point available or not. Similarly any access point is

Figure 5. Probe requests by clients
also sending beacon frames to show its presence. Once the client gets connected to an access point, there is a facility provided by different machines to remember that access point. Whenever the client comes into range it automatically gets connected. This is simply because the client is continuously sending probe requests in the air to find if any saved AP is available.

Types Of Attacks

• IP level connectivity attacks (Metasploit based)
• Relay the packets to the AP (MITM based attacks)
• Depending upon the usage, attacks can be integrated and the client is still unaware.

Attack Scenario
To understand this attack (Figure 3), the working of the Access Point must be clear. So, what we are trying to implement is a client who is not connected to any wireless AP and has his wireless interface up and running. The wireless interface always transmits some probe requests from its PNL, i.e. Preferred Network List. It is just a sense of insecurity and a shocking fact that it is independent of any AP. First of all we will try to make a monitor mode interface in the air, which can accept all the packets over the air regardless of whether the packet is destined for it or not. This is very similar to promiscuous mode over the wired network, used for the purpose of sniffing. After finding the probes of the clients, we will create a soft AP, also known as a virtual AP. A soft access point is created by a set of software which continuously sends out beacon frames to show all nearby clients its presence. Since the client is already attempting to connect to that access point, it will automatically connect to the attacker. Now, if a DHCP server is running on the attacker it will automatically receive an IP, or if there is no DHCP running then the client will receive an IP of the range 169.xxx.xxx.xxx and will send gratuitous packets. Once the IP is assigned, the tap interface created by the soft AP can have IP level connectivity with the client, and the best part is that the client remains unaware of the situation.

Implementation
We have used a BackTrack machine (attacker) and an iPhone (victim) to implement our attack scenario. A monitor mode interface is created on top of a wireless interface; this monitor mode interface can be easily created by using the airmon-ng set of tools. The wlan0 (wireless) interface is up and running (Figure 4).

# airmon-ng start wlan0

Monitor mode enabled on mon0 indicates that the monitor mode has been created and now we can monitor the air. To monitor the air, simply airodump can be used over the mon0 interface. This along

Figure 6. airbase-ng
Figure 7. Connection to Hitesh network
Figure 8. # ifconfig -a
Figure 9. # ifconfig at0; # ping 169.254.28.3
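The Understanding Probes And Beacons and Attack Scenario sections above describe the two frame types that make this attack work: clients broadcast probe requests naming the SSIDs in their Preferred Network List, and an access point (real or soft) answers with beacons and probe responses. The Python below is an added example from the monitoring side, not the article's code and not an aircrack-ng tool: it parses 802.11 management frames down to the SSID tagged parameter, raises an alert when a beacon or probe response advertises one of your SSIDs from a BSSID you do not operate (a soft AP impersonating your network), and records which unassociated clients are probing for your SSID, since those are the clients exposed to the auto-connect behaviour the article exploits. The frames are constructed in the file rather than captured, and the SSID, MAC addresses and class names are all invented for the example.

```python
"""802.11 probe/beacon parsing and rogue soft-AP detection (added example,
not from the article). Frames below are constructed, not captured."""
import struct

BROADCAST = bytes([0xFF] * 6)
MGMT_SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def build_mgmt(subtype, sa, bssid, ssid, seq=0):
    """Construct a management frame: 24-byte header (frame control, duration,
    DA, SA, BSSID, sequence control), fixed fields for beacon/probe-resp,
    then tagged parameters (SSID IE id 0, supported rates IE id 1)."""
    fc = (subtype << 4) | (0 << 2)          # type 0 = management
    header = (struct.pack("<HH", fc, 0) + BROADCAST + mac_bytes(sa)
              + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    body = b""
    if subtype in (5, 8):                   # timestamp, interval, capability
        body += struct.pack("<QHH", 0, 100, 0x0411)
    body += bytes([0, len(ssid)]) + ssid.encode()
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + body


def parse_ies(body):
    """Tagged parameters are (id, length, data) triples; stop on truncation."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:
            break
        ies[eid] = data
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Return kind/SA/BSSID/SSID for probe-req, probe-resp and beacon
    frames; None for anything else (data frames, control frames)."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    kind = MGMT_SUBTYPES.get(subtype) if ftype == 0 else None
    if kind is None:
        return None
    body = frame[24:]
    if kind in ("beacon", "probe-resp"):
        body = body[12:]                    # skip the fixed fields
    ssid = parse_ies(body).get(0, b"").decode("utf-8", "replace")
    return {"kind": kind, "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "ssid": ssid}


class RogueApDetector:
    """Wireless-IDS style checks over a stream of management frames."""

    def __init__(self, authorised):
        # ssid -> set of BSSIDs the organisation actually operates
        self.authorised = {s: {b.lower() for b in bs}
                           for s, bs in authorised.items()}
        self.alerts = []
        self.probing_clients = {}

    def observe(self, frame):
        info = parse_mgmt_frame(frame)
        if info is None:
            return None
        if info["kind"] in ("beacon", "probe-resp"):
            known = self.authorised.get(info["ssid"])
            if known is not None and info["bssid"] not in known:
                self.alerts.append(
                    f"rogue AP advertising {info['ssid']!r} from {info['bssid']}")
        elif info["kind"] == "probe-req" and info["ssid"] in self.authorised:
            # directed probe: this client's PNL contains our SSID
            self.probing_clients.setdefault(info["ssid"], set()).add(info["sa"])
        return info


def run_demo():
    """Constructed traffic: our real AP, an impostor, a directed probe, a
    wildcard probe (empty SSID) and a data frame that must be ignored."""
    detector = RogueApDetector({"CorpWiFi": {"00:11:22:33:44:55"}})
    frames = [
        build_mgmt(8, "00:11:22:33:44:55", "00:11:22:33:44:55", "CorpWiFi"),
        build_mgmt(8, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "CorpWiFi"),
        build_mgmt(4, "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "CorpWiFi"),
        build_mgmt(4, "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff", ""),
        b"\x08\x00" + bytes(22),            # data frame header, not management
    ]
    for frame in frames:
        detector.observe(frame)
    return detector.alerts, detector.probing_clients


if __name__ == "__main__":
    print(run_demo())
```

On a real sensor the frames would come from a monitor-mode capture rather than `build_mgmt`, and the probing-clients list is the actionable output for a defender: those devices still carry the SSID in their PNL and should have auto-connect removed for it.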
with the AP will also give the details of the clients that are associated or trying to associate with the network in the surroundings (Figure 5).

# airodump-ng mon0

After finding the probe request name, the attacker can easily create a soft AP or virtual access point with any BSSID as well as any ESSID. Here I have used an ESSID of name Hitesh just for the sake of example.

# airbase-ng -a <bssid> -e <essid/name> mon0

The Airbase set of tools has got a lot of options; it can send responses to any of the probe requests that the client is transmitting via its radio, but for the sake of simplicity we have used this scenario. The interesting thing about this soft AP is that it also creates a tap interface. It’s a little basic that our access point always has 2 cards in it, one is wireless and the other is for the wired interface. This tap interface is the clone of the wired interface, named at0 (Figure 6). As a result of this the client will automatically get connected to this “hitesh” network since there is no DHCP running over the attacker machine (Figure 7). The client will get an IP address of the range 169.xxx.xxx.xxx and will try to send gratuitous packets. One can also use these packets as an ARP packet to send it back to the IP. So, there can be an attack at every phase. One can also verify this by using Wireshark and capturing each and every packet. These packets will show that the client is again and again trying to send DHCP requests and failing, so that finally it is getting an IP in the range of 169.xxx.xxx.xxx. In the meanwhile one can also set up a DHCP server and can easily transfer the packets to the Internet via its bridge interface and can perform Man In The Middle attacks.

Now the final step is to just bring up the at0 interface and set the IP of the same range and same subnet, which can be easily done with the ifconfig utility (Figure 8).

# ifconfig -a

Finally the proof of the IP level connectivity. Post that, one can easily launch some Metasploit modules or various other sets of attacks (Figure 9).

# ifconfig at0
# ping 169.254.28.3

Comments
• Type/model of wireless cards that have been used for testing – an Alfa wireless external card, AWUS036H series, but anyone can use their laptop’s inbuilt card.
• The victim can have any operating system like Windows XP or 7 or even a Linux machine; the probe request will always be sent into the air, since this is how the wireless auto connect feature works in all operating systems. I didn’t test it on Mac, and cannot say much about it. Regarding the antivirus that comes to the post exploitation task, if any attacker wants to perform a Man In The Middle attack, then a fully patched (with antivirus and firewall) machine can be compromised, because it’s the victim who is trying to connect to us.
• Type of access point used for testing – a ZXDSL router for this attack as a lab setup, but it will hardly matter if you use any other also, since all routers broadcast the same beacon frames.
• I used an iOS 4 – jailbroken version for this experiment purpose.

Acknowledgment
Acknowledgment to Igneustech for providing appropriate equipment and lab environment.

Hitesh Choudhary
Hitesh Choudhary is a Jaipur based ethical hacker serving free to Rajasthan police to handle cyber crimes as well as pursuing his wireless research at M.I.T., California. He has completed his RHCE, RHCSA, CEH and various other security certifications.

Pankaj Moolrajani
Pankaj Moolrajani is a Jaipur based security researcher at Igneustech. He is RHCE & RHCSS Certified.
Securing Users from Phishing, Smishing & Social Media Attacks

Some experts believe one of the best solutions to thwart phishing attacks is end-user training, but can we really train every computer user to be sufficiently security literate? Will it ever be the case that anyone can distinguish a phishing message from a genuine bank email?

The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes. The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods.

It can seem at times the only people who like change are Internet attackers. And they don’t just like it – they need it. Technology’s rapid changes give cybercriminals new attack vectors to exploit, and new ways to turn a profit out of someone else’s misfortune. Internet attackers have made a profession out of rapid change of a multitude of factors – attack vector, sophistication, volume and approach. The malware market has been monetised and we are seeing the strongest ever driving forces to come up with new approaches to beat security products and users’ common sense.

For example, take phishing. The concept is simple: Send an email disguised as a message from a bank, PayPal, or UPS. Wait for the user to click a link in the message, and enter their private details into a phishing site, and presto! The attacker attains financial or personal login details that can be used to commit fraud or theft. Of course, it was only a matter of time before people caught on to email scams. Users read again and again not to click on such links. Mail solutions became better at spotting phishing emails and filtering them into a junk email folder. Even free Web mail providers now catch the majority of these attacks.

Once cybercriminals noticed their traditional phishing approaches were returning lower response rates, they rapidly adjusted to new mediums. As a result, a new trend emerged: smishing (social media phishing and SMS phishing) became the new trend in cyber attacks. The underlying concept is the same, but the attack mechanism is different. Instead of targeting users via email, cybercriminals use social media messaging and text messaging advertising to lure victims.

For hackers, it’s the perfect opportunity. They can cheaply buy lists of Facebook login details, hack into users’ accounts, and send personal-looking messages to an individual’s entire friend list. The majority of users are more trusting of a post from a friend than a suspicious email in their in-box, making smishing more effective at luring users to phishing sites.

We seem to take phishing attacks for granted these days, in much the same way that we’ve accepted spam as a natural, and inevitable, by-product of email. Some experts believe one of the best solutions to thwart phishing attacks is end-user training, but I doubt training alone is a viable solution. Can we really train every computer user to be sufficiently security literate, such that anyone can distinguish a phishing message from a genuine bank email? I doubt its possibility, especially given how specific the details in spear phishing (phishing targeted at specific people and/or companies) attacks have become.

It used to be that thieves could satiate their hunger for evil (and money) merely through the emulation of a consumer bank or a PayPal login screen. While these low-hanging-fruit scams show no signs of abating, even following major busts of phishing rings, we’ve seen new types of phishing attacks that wear the mask of a Web security product, persuading users to follow through on fake spam quarantine messages, or security update alerts, sometimes using the name of real vendors. It’s all very plausible.

Unfortunately, the average user is not a trained security expert – and why should he or she be? Criminals lure users into phishing and email scams in much the same way street cons lure some people into losing their wallet at Three-card Monte. We let curiosity get the best of us, and at times can be gullible. Like street hustlers, cybercriminals aren’t afraid to experiment with hacking our inclinations (or, as many security experts call it, social engineering). The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes.

The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools (yes they exist) and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods (albeit a few years ago; no offense, Tiger). The criminal’s job is to create online scams that work, and the returns on their investments are huge. Why would we expect non-criminally-minded users to be more adept at spotting scams, than scammers are at reeling in the users?

Technology has to step up its game. We need to continue to make it harder and less lucrative for online scammers to do their “jobs.” That’s really the most effective way to stop phishers from attacking our end users.
Phishing is a good example of how the cybercriminal utilises Social Engineering techniques combined with technology to grift money from an innocent Internet bystander. Send an email to the victim purporting to be from someone else, be it a bank, PayPal or from a spyware infected machine disguising the email in the form of a genuine email from a friend’s address. Wait on the susceptible user to click on it believing it to be genuine, enter their private details into a fake site and hey presto, the attacker has hoodwinked you and has financial or personal login details of yours. The average phishing site that stays online for an average of 5.9 days does enough damage to afford change (stat from APWG.com – the Anti-Phishing Workgroup).

Users have read again and again in articles, in warnings on bank sites, in email services and from friends not to click on such links, but they still do! Mail solutions have gotten better at discerning phishing attacks and putting them correctly in to anti-spam filters. Even in free webmail solutions phishing attacks are put into the junk folder the majority of the time. So users believe the phishing mails won’t reach them and they think twice before they click on a suspicious email.

So have the criminals sat on their laurels!? When they noticed the traditional phishing approaches returning a lower response rate they rapidly adjusted to new mediums and we now have this new format of Smishing with two definitions, both harmful and both sophisticated enough to be impacting users. Variously termed as meaning Social Media phishing or SMS phishing, they are both a progression of attackers’ approaches.

Social Media Phishing means instead of sending the advert, fake link, or message in email they are utilising social media messaging and advertising to direct the user through to their fake site location. Getting a posting onto your Facebook page for example, or receiving a Social Media message, seemingly has more trust equity with users than email, with users believing fakes only come to them in email as Spam. On social web sites they seemingly have entered into a different mindset of trust.

You can cheaply buy lists of Facebook login details on the web – for example a recent site was seen offering 1000 Facebook account login details for £16.50, very affordable at the worst of times. With such easy ammunition it’s not a big step for someone to utilise each of these accounts and to send personal looking messages to all linked friends of the individual, sending a ‘have you seen this site’ message, an advert or simply a link to a fake site. Users are lulled into a greater trust of the message, having not been used to receiving this sort of message in this new, more trusted medium.

SMS Phishing involves criminals switching their attacks to target a weaker link. Users are constantly educated to maintain suspicion when opening messages in email on a PC device and typically have security software running on these machines, be it antivirus, spyware protection, firewalls and other mediums of protection. Users have become rapidly more mobile and take for granted the ability to now access the internet from devices other than their PC. Text messaging has become a ‘taken for granted’ communications medium with many youngsters sending/receiving upwards of 100 messages a day.

Attackers have found ways to send masses of automated and believable looking text messages to users including URL links for the user to view. Major PC based web browser software now has phishing protection built in to alert the user to suspicious sites, and users generally can hover over a link to display the true web site, but on mobile phones we are not seeing the same browsers, the same versions nor the same protection levels to help users avoid malicious fake sites.

So user beware, what you see may not always be what you get, particularly in the world of the cyber transaction. When you see a message from someone you think you know, don’t assume it was them who sent it from their account; look once, think twice before you click, whether it be an email, a social media message or a text message!

IAN MOYSE
Ian Moyse has over 25 years of experience in the IT Sector, with nine of these specialising in security. For the last 8 years he has been focused in Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF) and in early 2012 was appointed to the advisory board of SaaSMax. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011 and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.
Scanning isn’t enough
Nipper Studio – Cyber Security Auditing Software

Device Auditing: Scanners vs. Nipper Studio
Audit without Network Traffic
Authentication Configuration
Authorization Configuration
Accounting/Logging Configuration
Intrusion Detection/Prevention Configuration
Password Encryption Settings
Timeout Configuration
Physical Port Audit
Routing Configuration
VLAN Configuration
Network Address Translation
Network Protocols
Device Specific Options
Time Synchronization
Warning Messages (Banners) *
Network Administration Services *
Network Service Analysis *
Password Strength Assessment *
Software Vulnerability Analysis *
Network Filtering (ACL) Audit *
Wireless Networking *
VPN Configuration *
* Limitations and constraints will prevent a detailed audit

• Device information remains confidential
• Settings that allow you to hide sensitive information in the report
• Low cost, scalable licensing
• Point and click GUI or CLI scripting
• Audit without network traffic

“It was refreshing to discover Nipper and to find that it supported so many devices that Cisco produces. Nipper enables Cisco to test these devices in a fraction of the time it would normally take to perform a manual audit. For many devices, it has eliminated the need for a manual audit to be undertaken altogether.” – Cisco

Business Benefits to Cisco
• Nipper quickly produces detailed reports, including known vulnerabilities.
• By using Nipper, manual testing has been altogether eliminated for particular Cisco devices.

Nipper Studio reduces manual auditing time by quickly producing a consistent, clear and detailed report. This report will:
1. Summarize your network’s security
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System)
4. Provide an easy to action mitigation plan based on customizable settings that reflect your organization’s systems and concerns.
5. Allow you to add previous reports and enable change tracking functionality. You can then easily view the progress of your network security.

Multi-Platform Support for
for free at www.titania.com
enquiries@titania.com T: +44 (0)845 652 0621
Digital Apocalypse
The Artillery of Cyber War

Cyberspace is now the digital frontier of choice for executing many combat operations, by extending the medium in which greater levels of power can now be accessed by Machiavellian agents, militants and nation-states. Squads of cyber militants going under the banner of Anonymous and LulzSec, motivated by the ease with which they can now execute high impact operations whilst avoiding detection, are just a few of the much publicised names synonymous with cyber terrorism.

The multi-dimensional characteristics of cyber space have dissolved the boundaries between the digital landscape and physical security, facilitating cyber-attacks that produce devastating impacts to critical infrastructure, as well as Corporate and Government assets. Global security experts face the challenge of attempting to develop techniques to deter and prevent these global threats. This challenge is complicated further by the rate at which the digital paradigm continues to evolve, a rate which is often considerably faster than the ability to keep up with these developments. This disparity has, unsurprisingly, created an impression, shared throughout the cyber community, that implementing strategies to control the digital domain has become unachievable. As a result of these challenges and many others, Cyber Warfare is set to be one of the greatest challenges posed to the 21st Century.

This article will examine the characteristics of Cyber War operations in order to clarify the ambiguities surrounding these concepts. Such an examination is necessary in order to ensure that the components of Cyber War are not confused with interrelated disciplines such as Information Warfare. Real world examples of Cyber Attacks will then be discussed in order to assess the “nuts and bolts” of cyber-attack operations and to examine whether the world is really prepared for the possibility of a “digital apocalypse”. Throughout the analysis this paper aims to emphasise that deterring Cyber War is the key to addressing this challenge.

Cyber Warfare – A Definition
Over the past few decades experts and academics have explored whether the possibility of a Cyber War was in fact a plausible threat. Early pioneers navigating through this new landscape had conjured up post-apocalyptic visions of the impact of Cyber War, bearing resemblances to scenes from a science fiction film. Today, Cyber War is no longer being examined from a theoretical perspective, as these dynamic threats have emerged throughout the global systems and networks. Experts are no longer debating the possibility of Cyber War but what can be done to stop these threats.

Despite the widespread acknowledgement of Cyber War, the definition of these threats remains under scrutiny. Experts such as Bruce Schneier have stated that many definitions of Cyber War in current circulation are flawed as they confuse a range of other computer security related concepts such as Information Warfare, Hacking and Network Centric Warfare. In order to clarify ambiguities surrounding Cyber War, for the purpose of this discussion, Cyber War is defined as:
"Internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems – among many other possibilities." (Rouse, 2010)

For the purpose of this discussion, Cyber War conflicts will be examined in terms of their impact on the physical realm, in particular their impact on critical infrastructures.

The First Warning Shots

Recorded examples of the impact of cyber-attacks on critical infrastructures have been around for over a decade. One of the earliest cyber-attacks on critical infrastructure took place in January 2000, in Queensland, Australia, where a disgruntled former employee at a manufacturing company hacked into the organisation's computer, using privileged knowledge of the system, and took control of the Supervisory Control and Data Acquisition (SCADA) system. The protagonist was able to maliciously attack the system, causing physical pumps to release raw sewage and producing a considerable amount of damage. Although this attack does not constitute cyber warfare, it demonstrated the possibility for a digital attack to create a detrimental financial impact and create havoc on critical infrastructures. Since this time, there have been a number of attacks classed as acts of cyber war, such as the 2007 attacks launched against the Government of Estonia. In this example, attackers utilised a variety of different attack methods such as Denial of Service (DoS), website defacement and other malware. This was one of the earliest examples demonstrating the increased level of sophistication of cyber-attacks launched against a nation-state.

The Digital Artillery

The arsenal of a Cyber War attack consists of the usual suspects, such as DoS, attacks on DNS infrastructure, anti-forensic techniques, and wide-scale use of worms, zombies, Trojans and clichéd methods of electronic attack. However, Cyber War represents much more than a DoS attack. When assessing state-of-the-art Cyber War artillery, one name comes to mind – Stuxnet.

State-of-the-Art: Stuxnet

The ultimate state-of-the-art weapon identified in the cyber warfare arsenal, so far, is the Stuxnet worm. First launched into the digital landscape in June 2009, Stuxnet has become one of the most heavily scrutinised real world examples of Cyber Warfare attacks, with global security and technology communities still struggling to fully comprehend the complexities of its design almost two years on since its initial release. Stuxnet's international attention has been achieved through the sheer sophistication of a design which is composed of a comprehensive array of attack exploits and covert methods for avoiding detection. Stuxnet is the magnum opus in the malware hall of fame.

The Stuxnet worm infects computers running Windows OS, and is initially distributed via USB drives, thereby enabling it to gain access to systems logically separated from the Internet. Once access has been gained it then orchestrates a variety of exploits from its toolkit, designed to specifically target vulnerabilities its intelligent design is able to identify in the target host.

Stuxnet's artillery uses an array of exploit methods, meticulously designed to circumvent the logical sequence of security measures, one layer at a time. Exploits included stolen digital certificates, rootkits, zero-day exploits, methods for evading anti-virus detection, hooking code, complex process injections and network injection, to name a few. These exploits however do not affect just any old computer, aside from propagating further. The extraordinarily designed piece of malware has one solitary target in mind – Industrial Control Systems/Supervisory Control and Data Acquisition* (ICS/SCADA) and attached computer systems. With a specific ICS/SCADA being targeted in Iran, Stuxnet reprograms the Programmable Logic Controller (PLC), made by Siemens, to execute in the manner that the attack designers have planned for them to operate within.

* Bruce Schneier argues that Stuxnet only targets ICS, and that press releases which reference Stuxnet as also targeting SCADA are "technically incorrect". For further details refer to: http://www.schneier.com/blog/archives/2010/10/stuxnet.html

While experts are still dissecting Stuxnet, it is apparent that the creation is the work of a team of highly skilled professionals. Some estimates state that it would have taken a team of 8 – 10 security experts over the course of 6 months to write (Schneier). Many are referring to Stuxnet's creation as a "marksman's job" due to its targeted approach and expert precision.

Given Stuxnet is considered to be one of the greatest malware masterpieces, the temptation
to examine its architecture in greater detail could not be resisted. Symantec's "W32.Stuxnet Dossier Version 1.4" provides a detailed analysis delineating the technical attributes composed within Stuxnet, and this 69 page document created by members of their Security Response Team is used as the basis for the following examination. The full array of technical features is outside the scope of this article, so a brief overview of Stuxnet's architectural components is summarised below.

Breaking Down Stuxnet

The Core – .DLL files

At the core of Stuxnet is a large .dll file containing an array of resources, diverse exports as well as encrypted configuration blocks. In order to load these .dll files, Stuxnet has the capability to evade detection by host intrusion protection programs which monitor any LoadLibrary calls. These .dlls and encrypted configuration blocks are stored in a wrapper referred to as the 'stub'. Two procedures are then employed to call an exported function: the extracted .dll is mapped into memory as a module, and one of the exports from the mapped .dll is called, with a pointer to the stub passed as a parameter. Once the exports are called, Stuxnet proceeds to inject the entire DLL into another process. The injected process can be an existing or newly created arbitrary process, or a preselected trusted process.

The Process of Injection

The trusted processes targeted are a number of standard Windows processes associated with a range of security products, including – McAfee (Mcshield.exe); Kaspersky KAV (avp.exe); Symantec (rtvscan.exe); Symantec Common Client (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe), to name a few. Stuxnet then searches the registry for any indication that McAfee, Trend PC-cillin or Kaspersky's KAV (v.6-9) software is in operation. If Stuxnet identifies any of these products it extracts the version, which is used to decide how to perform process injection, or whether it is unable to bypass these security products.

Elevation of Administrative Access Rights

Another feature of Stuxnet is its ability to elevate access rights to run with the highest level of privileges possible. Stuxnet detects the level of privileges assigned to it and, if these are not Administrative Access Rights, it then executes zero-day privilege escalation attacks, such as MS10-073. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2, the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP or Windows 2000, the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) is exploited.

Load Points

Stuxnet loads the driver "MrxCls.sys", which is digitally signed with a compromised Realtek certificate (which Verisign previously revoked). Another version of this driver was also identified to be using a digital certificate from JMicron. The aim of Mrxcls.sys is to inject copies of Stuxnet into specific processes, therefore acting as the central load-point for exploits. Targeted processes include – Services.exe; S7tgtopx.exe; CCProjectMgr.exe.

The Target: Programmable Logic Controllers

We now arrive at Stuxnet's ultimate goal – infecting Simatic's Programmable Logic Controller (PLC) devices. Stuxnet accomplishes this by loading blocks of code and data (written in the SCL or STL languages) which are then executed by the PLC in order to control industrial processes. In doing so, Stuxnet is able to orchestrate a range of functions such as:

• Monitoring reads/writes of PLC blocks
• Covertly masking that the PLC is compromised
• Compromising a PLC by implementing its own blocks or infecting original blocks.

The Grand Finale

Now that Stuxnet has finally exploited the PLC, it has reached its final destination, where Stuxnet is then able to execute its final exploit, which is to slow down or speed up frequency motors. For example, when the motor frequency is running between 807Hz and 1210Hz, Stuxnet adjusts the output frequency for short periods of time to 1410Hz, subsequently to 2Hz, and then back to 1064Hz. These frequencies are typically used by centrifuges in uranium enrichment plants. Ultimately Stuxnet is designed to destabilize ICS/SCADA by changing the speeds of uranium centrifuges to sabotage operations, with the potential for devastating consequences.
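As an added example, not code from the article, Symantec or any vendor, the following Python detector scans constructed variable-frequency-drive telemetry for the excursions described above: readings outside the 807–1210 Hz band and abrupt jumps between consecutive samples. It assumes the readings come from a measurement path independent of the PLC, since the article notes that Stuxnet masks the compromise; the 50 Hz step threshold, the drive names and the telemetry lines are constructed.

```python
# Added example, not code from the article or any vendor: a detector that
# scans constructed drive-frequency telemetry for the sabotage pattern the
# article describes. Readings are assumed to come from a measurement path
# independent of the compromised PLC, since Stuxnet masks the compromise.
from dataclasses import dataclass
from typing import Dict, List, Tuple

NORMAL_BAND_HZ = (807.0, 1210.0)  # operating band given in the article
MAX_STEP_HZ = 50.0  # largest legitimate per-sample change; assumed, not from the article

# Constructed sample telemetry, "timestamp,drive,frequency_hz"; the cf-01 rows
# follow the 1064 -> 1410 -> 2 -> 1064 Hz sequence the article describes.
SAMPLE_TELEMETRY = """
1000,cf-01,1064.0
1060,cf-01,1064.2
1120,cf-01,1410.0
1180,cf-01,2.0
1240,cf-01,1064.0
1000,cf-02,1064.1
1060,cf-02,1063.9
"""


@dataclass
class Alert:
    ts: int
    drive: str
    freq_hz: float
    reason: str


def parse_telemetry(text: str) -> List[Tuple[int, str, float]]:
    """Parse 'ts,drive,freq_hz' lines and order them per drive by time."""
    samples = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, drive, freq = line.strip().split(",")
            samples.append((int(ts), drive, float(freq)))
    return sorted(samples, key=lambda s: (s[1], s[0]))


def detect_frequency_sabotage(samples, band=NORMAL_BAND_HZ, max_step=MAX_STEP_HZ):
    """Flag out-of-band readings and abrupt jumps, tracked per drive."""
    lo, hi = band
    last_seen: Dict[str, float] = {}
    alerts: List[Alert] = []
    for ts, drive, freq in samples:
        if not lo <= freq <= hi:
            side = "above" if freq > hi else "below"
            alerts.append(Alert(ts, drive, freq, f"{freq:.1f} Hz is {side} the {lo:.0f}-{hi:.0f} Hz band"))
        prev = last_seen.get(drive)
        if prev is not None and abs(freq - prev) > max_step:
            alerts.append(Alert(ts, drive, freq, f"jump of {freq - prev:+.1f} Hz since last sample"))
        last_seen[drive] = freq
    return alerts
```

Run over the constructed sample, the detector raises five alerts, all for cf-01: two at the 1410 Hz excursion, two at the 2 Hz excursion, and one for the jump back to 1064 Hz.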
Little Brother – Duqu

In September 2011, researchers at the Budapest University's Laboratory for Cryptography and System Security (CrySyS) made the alarming discovery of a Trojan resembling Stuxnet. Their fears were confirmed when dissecting this new threat revealed components close to identical to Stuxnet, indicating that the writers were indeed the same authors, or persons with access to the source code of Stuxnet. They labelled this new threat "Duqu" due to its design, in which it creates file names with the prefix ~DQ.

Duqu is a remote access Trojan designed to steal information from the victim machine and to act as a precursor to a future malware attack, similar to the Stuxnet operation. Duqu is designed to act in much the same way as a reconnaissance agent, gathering intelligence from a variety of targets, and like Stuxnet, Duqu's primary targets are industrial infrastructure. Data sources collected by this Trojan include design documents, keystroke records and other system information. Once this intelligence has been gathered by the Trojan, it is then returned to the command and control servers, over HTTP and HTTPS, positioned across global locations such as China, Germany, Vietnam, India and Belgium. This information can then be used by Duqu's creators to launch a premeditated cyber assault against the designated target. By default Duqu is designed to operate for a set period of time (either 30 or 36 days depending on the configuration), after which Duqu will automatically remove itself from the system. A comparison of Duqu and Stuxnet demonstrates:

• Duqu's executables were created using the same source code as Stuxnet.
• Duqu's payload bears no similarity to that of Stuxnet. Duqu's payload is written with the intention of providing remote access capabilities, whereas Stuxnet's payload is designed to sabotage an ICS/SCADA.
• Duqu's payload aims to capture keystrokes and system information rather than modify target systems.
• Duqu (being a Trojan) does not contain any self-propagation capabilities as found in worms like Stuxnet.
• Duqu in one example is distributed by attackers using a specially crafted email containing a Word document which exploits an unpatched 0-day vulnerability to
• Like Stuxnet, Duqu's utilities include stolen code-signing certificates, used to sign drivers, taken from a company in Taiwan, with an expiry date of August 2nd 2011. These certificates were later revoked on October 14th 2011.

The resemblances in design of Stuxnet and Duqu indicate that they were most likely developed by the same authors. Kaspersky Lab's analysts examining the source code of both programs state that – "We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers".

The Launch Pad – Tilded

How did Stuxnet and Duqu manage to launch some of the most effective cyber-attacks on record so far? The "launch pad" for this cyber artillery goes by the name of Tilded.

The Tilded platform is modular in nature and is designed to conceal the activities of malicious software by employing techniques such as encryption, thereby evading detection by anti-virus solutions. By utilising the Tilded platform, developers of cyber weapons can simply change the payload, encryption techniques or configuration files in order to launch any number of exploits against a range of targets. File naming conventions used by Tilded's developers employed the tilde symbol and the letter "d"; combining the two resulted in the name – Tilded. The Tilded team of developers however still remain unknown.

What we do know about Tilded is that it has undergone significant changes since its inception in 2007, with subsequent revisions created through to 2010. The researchers at Kaspersky have been able to confirm that a number of projects were undertaken during this period where programs based on the "Tilded" platform were circulated in cyberspace, Stuxnet and Duqu being two examples. Other researchers have indicated that another variant exists: the Stars worm (also targeting ICS/SCADA systems) resembles Stuxnet. How many other programs have also been created but may not yet have been detected remains to be determined. What is clear is that as Tilded and similar programs continue to develop, we will see enhanced prototypes being catapulted into the digital limelight.

Are We Prepared for a Digital Apocalypse?

On May 6th 2012, the US Department of Homeland Security reported that a major Cy-