Seattle: A Vulnerable Web Application (Walkthrough)

Lately I’ve been gearing up for a cyber security conference that includes a CTF (Capture the Flag) competition. Being a newbie in the realm of computer security, I have been practicing my ethical hacking skills with the help of open source applications. There are many free tools on the Internet; one of them is Seattle, an open source Linux distribution that ships a deliberately vulnerable web application. For more information, please follow this link: https://www.gracefulsecurity.com/vulnvm/

To give you an idea of what this application looks like, here is a screenshot:

The web application appears to be an online music store. It includes, among others, the following vulnerabilities:

  • SQL Injection (Error-based)
  • SQL Injection (Blind)
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Insecure Direct Object Reference
  • Username Enumeration
  • Path Traversal
  • Exposed phpinfo()
  • Exposed Administrative Interface
  • Weak Admin Credentials

During this walkthrough, I will point out two of these vulnerabilities.

The first thing I do in any hacking situation is reconnaissance. This includes using port scanners such as nmap. Even though the application is known to be listening on port 80 (HTTP), it’s still wise to see whether any other attack vectors exist.

As I suspected, only port 80 is open. Next, I run nikto (from my Kali Linux VM) to see which HTTP vulnerabilities it can find.

nikto produced all sorts of findings. However, two of them stand out to me. The first is that it detected phpinfo() output. On web servers running PHP, you can create a file that outputs information about the PHP environment. Though useful to a system administrator, the information provided by phpinfo() can be detrimental if it falls into the hands of an attacker.

Typically, this file is created by using the following PHP script:

<?php
// Dumps the PHP version, loaded modules, configuration and server environment to the browser.
phpinfo();
?>

If this file is in the web server root, an attacker can navigate to this file and see all of that precious information. Below is an example:

This is something we would definitely need to address, especially when dealing with web server security.

For the second vulnerability, we’ll perform directory traversal. This vulnerability allows an attacker to abuse an improperly written script in order to “traverse” the filesystem outside the web server root. Directory traversal can give an attacker access to important files that might contain passwords, configuration, and so on.

Luckily, referring back to our nikto scan, I found something really interesting.

I suspected there might be more PHP vulnerabilities, so the first thing I checked was the dynamic PHP pages. After a couple of tries, I found a vulnerable page (download.php). Using netcat against port 80, I was able to send a crafted request that returned the /etc/passwd file. The attack is illustrated below:

Using the “dot dot slash” technique, I was able to traverse up the directories and uncover the /etc/passwd file. This is a high-risk vulnerability and needs to be addressed as soon as possible.
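How download.php should have handled the file name, as an added example that is not the Seattle VM’s code: download.php is PHP, so this is the same containment check written in Python. It assumes the handler receives a user-supplied file name (the requested parameter below) and may only ever serve files under one fixed directory, which make_demo_root() creates as a temporary folder holding a single constructed file.

```python
"""Containment check for a download handler (added example, not the VM's code)."""
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested name would resolve outside the download root."""


def resolve_download(root: str, requested: str) -> str:
    """Return the absolute path to serve, or raise TraversalAttempt.

    1. Undo percent-encoding repeatedly, so ..%2F and %252e%252e%252f
       (double encoding) are judged by what the filesystem would see.
    2. Reject NUL bytes, which some runtimes treat as a string terminator.
    3. Join onto the root, collapse '..' segments and symlinks with realpath,
       then require the result to be strictly inside the root.
    """
    decoded = requested
    for _ in range(3):  # three rounds is enough to unwrap double encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in requested name")

    root_real = os.path.realpath(root)
    # os.path.join discards root when 'decoded' is absolute ("/etc/passwd");
    # the containment check below catches that case too.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == root_real:
        raise TraversalAttempt(f"{requested!r} resolves outside {root_real}")
    return candidate


def make_demo_root() -> str:
    """Create a throwaway download root holding one legitimate file (constructed)."""
    root = tempfile.mkdtemp(prefix="downloads-")
    with open(os.path.join(root, "song.mp3"), "wb") as fh:
        fh.write(b"ID3 constructed sample")
    return root


def classify_requests(root: str, names: list) -> dict:
    """Map each requested name to 'ok', 'not-found' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            path = resolve_download(root, name)
        except TraversalAttempt:
            verdicts[name] = "rejected"
            continue
        verdicts[name] = "ok" if os.path.isfile(path) else "not-found"
    return verdicts


if __name__ == "__main__":
    demo_root = make_demo_root()
    probes = ["song.mp3", "subdir/../song.mp3", "../../../../etc/passwd",
              "..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc%252fpasswd",
              "/etc/passwd", "song.mp3%00.txt", "missing.mp3"]
    for name, verdict in classify_requests(demo_root, probes).items():
        print(f"{verdict:10s} {name}")
```

The decisive step is comparing the fully resolved path against the resolved root rather than looking for “..” in the input: encoded variants, absolute paths and symlinks all fall out of the same check, while a harmless “subdir/../song.mp3” is still served.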

I uncovered other vulnerabilities; however, for the sake of brevity, I am not going to discuss them. If you would like to give this challenge a try, please refer to the link above. I used my trusty Oracle VM VirtualBox to set up my pentesting lab. Another nice feature of the Seattle practice application is that it can be imported directly into Oracle VM VirtualBox for a quick setup.
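Both findings above, the exposed phpinfo() file and the traversal requests against download.php, leave traces in the web server’s access log. The following is an added example, not part of the original walkthrough and not nikto output: it parses Apache combined-format log lines (constructed here, using documentation IP ranges), flags requests for phpinfo-style files and plain or percent-encoded traversal sequences, and marks a 200 response to such a request as a confirmed hit rather than a probe. The file name “phpinfo” in PHPINFO_NAMES is an assumption; the real name comes from your own scan results.

```python
"""Access-log triage for phpinfo hits and traversal probes (added example)."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache combined format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2016:10:15:01 -0700] "GET /download.php?item=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/7.47.0"
203.0.113.5 - - [01/Jul/2016:10:15:07 -0700] "GET /download.php?item=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1830 "-" "curl/7.47.0"
198.51.100.7 - - [01/Jul/2016:10:16:22 -0700] "GET /phpinfo.php HTTP/1.1" 200 85213 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jul/2016:10:17:03 -0700] "GET /index.php?page=albums HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jul/2016:10:17:05 -0700] "GET /download.php?item=song.mp3 HTTP/1.1" 200 4096000 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jul/2016:10:18:40 -0700] "GET /download.php?item=%252e%252e%252fconfig.php HTTP/1.1" 404 512 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')   # "../" or "..\" after decoding
PHPINFO_NAMES = ("phpinfo",)              # assumption: name of the exposed file


def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded sequences are judged as the
    server would ultimately see them."""
    return unquote(unquote(target))


def classify(target: str) -> list:
    """Return the rule names a request target trips (possibly none)."""
    decoded = decode_target(target)
    rules = []
    path = urlsplit(decoded).path.lower()
    if any(name in path for name in PHPINFO_NAMES):
        rules.append("phpinfo-exposure")
    if TRAVERSAL_RE.search(decoded):
        rules.append("path-traversal")
    return rules


def scan_log(text: str) -> list:
    """Parse each line and emit one finding per (line, rule). A 200 response
    to a flagged request is 'confirmed'; any other status is a 'probe'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        for rule in classify(m["target"]):
            findings.append({
                "ip": m["ip"], "time": m["ts"], "rule": rule,
                "target": m["target"], "status": int(m["status"]),
                "severity": "confirmed" if m["status"] == "200" else "probe",
            })
    return findings


def count_by_ip(findings: list) -> Counter:
    """How many flagged requests each client address produced."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f'{f["severity"]:9s} {f["rule"]:18s} {f["ip"]:14s} {f["target"]}')
    print(dict(count_by_ip(results)))
```

Decoding before matching matters: the second and sixth sample lines carry the same intent as the first but would slip past a literal “../” search. The status code turns the list into a priority queue, since a 200 means the server actually returned something for the request.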

(Originally posted on July 1st, 2016. Updated on December 29th, 2020)

SANS Holiday Hack 2015: Gnome in Your Home

The SANS Institute created a fun hacking challenge for this year’s Holiday Hack. Everything from packet analysis to web exploits was included. The packet capture showed how the devious Gnomes were taking pictures of children and receiving them through DNS queries. To be honest, I didn’t think this type of malicious intent was possible (especially through DNS queries). Here’s what I’m talking about:

The following is the packet capture with the image encoded in Base64. Tools such as Burp Suite and the Linux base64 utility help uncover the image hiding within.

Here is the packet capture with the UDP stream of DNS requests being sent to the SuperGnomes. SuperGnomes were the supercomputers that housed the data collected from the individual GIYHs.

After exporting the UDP stream in raw format, I used foremost (a file-carving tool included with Kali Linux) to carve out the picture. The JPG turned up once the Base64 content in the capture was decoded.

Here is 00000000.jpg, which was the file being sent over the Gnome’s command and control channel:
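What the decode-and-carve step does under the hood, as an added example that is not the challenge’s data or the foremost tool: sample_jpeg() fabricates a minimal JPEG-shaped byte string, build_sample_records() splits its Base64 form into pieces no longer than the 255 characters one DNS TXT string can hold, and carve_jpegs() does in a few lines what foremost does, locating the JPEG start-of-image and end-of-image markers and cutting between them.

```python
"""Reassemble a Base64 payload carried in DNS record data and carve the JPEG (added example)."""
import base64
import re

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def sample_jpeg() -> bytes:
    """Constructed stand-in for the exfiltrated picture: valid SOI/APP0/EOI
    framing around filler bytes (not a renderable photo)."""
    app0 = b"\xe0\x00\x10JFIF\x00\x01\x01"   # marker byte, length, identifier
    return JPEG_SOI + app0 + bytes(range(256)) * 2 + JPEG_EOI


def build_sample_records() -> list:
    """Base64 the fake image and chunk it like successive DNS TXT answers."""
    encoded = base64.b64encode(sample_jpeg()).decode("ascii")
    return [encoded[i:i + 255] for i in range(0, len(encoded), 255)]


def reassemble(records: list) -> bytes:
    """Concatenate the record strings in capture order and Base64-decode.

    Records that are not Base64 (ordinary DNS names, noise) are dropped so a
    stray answer in the stream does not poison the whole decode. Chunks are
    validated by alphabet only, because a 255-character split does not land
    on Base64 group boundaries."""
    chunks = [r.strip() for r in records if BASE64_RE.fullmatch(r.strip())]
    joined = "".join(chunks)
    return base64.b64decode(joined + "=" * (-len(joined) % 4), validate=True)


def carve_jpegs(blob: bytes) -> list:
    """Return every byte range that starts with SOI and ends at the next EOI."""
    images = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break   # truncated capture: no terminator for this image
        images.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return images


if __name__ == "__main__":
    # A normal-looking name mixed into the stream is ignored by reassemble().
    stream = ["ns1.example.net."] + build_sample_records()
    for i, img in enumerate(carve_jpegs(reassemble(stream))):
        print(f"{i:08d}.jpg  {len(img)} bytes  SOI={img[:3].hex()} EOI={img[-2:].hex()}")
```

The same two-stage approach (reassemble the transport layer, then carve by file signature) is why foremost could find the picture only after the Base64 layer had been stripped: the JPEG markers are not visible in the encoded text.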

The packet capture challenge was just one of many activities in this year’s Holiday Hack. For the sake of brevity, I am only going to post this one. However, if you are interested in doing this challenge next year, please check out the website at https://holidayhackchallenge.com or at https://sans.org.

(Originally posted on January 10th, 2016. Updated on December 29th, 2020)

Primer to Cryptography

I watched a video from Stanford University’s Cryptography course on Coursera. Here are some things I learned from the first week:

Cryptography = secure communication between two entities.

Cryptography consists of two parts:

  • Secret key establishment
  • Secure communication

Both entities need to have a shared key in order to communicate with each other. Cryptography provides confidentiality and integrity for the data being transmitted.

Cryptography also provides bi-directional anonymity through mix nets (e.g. onion routing (Tor) and anonymous remailers).

Mix net – Alice sends Bob messages through a series of proxies (e.g. different public IPs such as 65.87.234.34, 123.3.234.12, 89.24.124.35) so Bob will not know where Alice is.

Anonymous digital cash – Can I spend a “digital coin” without anyone knowing who I am? How to prevent double spending?

Cryptography is a rigorous science.

The three steps of cryptography:

  • Precisely specify the threat model (e.g. what does it mean for something to be unforgeable?)
  • Propose a construction
  • Prove that breaking the construction under the threat model would solve an underlying hard problem (i.e. how do you keep your data safe no matter what?)
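Putting the shared-key notes above into code: the following is an added teaching example, not material from the course and not a production recommendation (use an established AEAD such as AES-GCM or ChaCha20-Poly1305 for that). It uses only the Python standard library. Confidentiality comes from XORing the message with a keystream produced by running HMAC-SHA256 as a PRF in counter mode; integrity comes from a second HMAC-SHA256 over the nonce and ciphertext (encrypt-then-MAC), checked in constant time before anything is decrypted. The threat model it addresses is the one in the first step above: an adversary who can read and modify messages in transit.

```python
"""Shared-key confidentiality plus integrity, encrypt-then-MAC (added teaching example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class IntegrityError(Exception):
    """The message was modified, truncated, or produced under different keys."""


def new_keys() -> tuple:
    """Two independent 32-byte keys: one for the keystream, one for the MAC."""
    return os.urandom(32), os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per message
    keeps the keystream from ever repeating under the same key."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag first; only an authentic message is ever decrypted."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise IntegrityError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise IntegrityError("authentication tag mismatch")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def rejects(enc_key: bytes, mac_key: bytes, message: bytes) -> bool:
    """True if decrypt refuses the message (tampered, truncated or wrong keys)."""
    try:
        decrypt(enc_key, mac_key, message)
    except IntegrityError:
        return True
    return False


def tamper_detected(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the first ciphertext byte and report whether it is caught.
    With XOR-only encryption the flip would silently change one plaintext bit;
    the MAC turns it into a rejection instead."""
    message = bytearray(encrypt(enc_key, mac_key, plaintext))
    message[NONCE_LEN] ^= 0x01
    return rejects(enc_key, mac_key, bytes(message))


if __name__ == "__main__":
    ek, mk = new_keys()
    sealed = encrypt(ek, mk, b"meet at noon")
    print("roundtrip:", decrypt(ek, mk, sealed))
    print("bit flip rejected:", tamper_detected(ek, mk, b"meet at noon"))
    print("wrong keys rejected:", rejects(*new_keys(), sealed))
```

The split into two keys and the check-before-decrypt order are the parts that carry the integrity guarantee; the XOR keystream alone hides the content but lets an attacker flip chosen bits unnoticed, which is exactly the kind of gap the “precisely specify the threat model” step is meant to expose.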

(Originally posted on March 8th, 2015. Updated on December 29th, 2020)

Defending Yourself From Cyber Attacks

People have asked me what they can do to protect themselves from being hacked. First, let me clarify something very important: NO ONE WILL EVER BE 100% SAFE FROM A HACK. With the constant changes in technology, there will always be new vulnerabilities that hackers will try to exploit. This is unfortunately the world we live in. That being said, the inevitability of an attack shouldn’t deter you from adopting good security practices. Here are some basic steps for protecting yourself from hackers:

1.) There’s always antivirus

Years ago, I would’ve recommended antivirus on all devices. Unfortunately, background processes associated with antivirus applications consume an excessive amount of computing power. Personally, I don’t use antivirus. Being a Debian guy, I run ufw. If I notice anything suspicious, I’ll investigate network/socket traffic and system processes. If you want to use antivirus, there are several providers to choose from. Remember, smartphones are computers too. Smartphones are just as vulnerable as a computer when it comes to malware.

2.) Always use HTTPS when you can

HTTPS stands for “Hypertext Transport Protocol with Security” or “Secure Hypertext Transfer Protocol”. The HTTPS protocol uses an encryption framework known as SSL or “Secure Sockets Layer”. This provides a bidirectional encryption tunnel for the data you send and receive. Using SSL makes it very difficult for a hacker to eavesdrop on a connection. Think of HTTPS as creating a “protection tunnel” between you and a website. Your data is transmitted through this tunnel of encryption so that no third parties can see what you’re doing.

You can check whether a site has HTTPS by requesting it over HTTPS (e.g. https://www.bing.com or https://www.google.com). If you type the address with https:// and a lock icon appears, you should be on an encrypted connection. Now, a big misconception about HTTPS is that if a site has HTTPS, it’s legit. THE PRECEDING IS NOT TRUE! Just because a site provides HTTPS doesn’t mean it’s legit. Always do a background check before submitting data to a site, no matter what type of encryption and protection it offers.

3.) Secure your wireless network

Securing your wireless network is another way of protecting yourself from hackers. Hackers can perform an activity called “wardriving”, which is scanning around for insecure networks. If they find an insecure network, they will connect to it and sniff the traffic. Network traffic may contain sensitive information about you (e.g. credit card numbers). Always use strong passphrases and modern security frameworks (e.g. WPA2 or WPA2-EAP).

4.) Incorporating a network firewall

Adding a network firewall and web filter increases your security greatly. However, this requires more technical knowledge. Network firewalls can run on a dedicated computer and intercept all data that goes out to the Internet. This provides the capability to scan websites for malware and block users from reaching them. There are many different open source firewalls available (e.g. pfSense).

5.) VPNs

Just as incorporating a network firewall can be difficult, VPNs can be equally challenging. However, many home routers now provide a built-in VPN implementation (e.g. OpenVPN). When people are on the go and need to access resources from home securely, VPNs are a perfect solution. VPNs, or Virtual Private Networks, enable users to access data on a different network without physically being there. For example, someone can connect to a VPN provided by their employer and access work-related documents from home. You can also run a VPN at home for Internet privacy. Let’s say you’re browsing the web at a local cafe. The cafe’s WiFi is public, so a malicious user could sniff around and intercept your traffic. However, if you connect to your home VPN and route your Internet traffic through it, the only traffic visible on the cafe’s network is your encrypted connection to the VPN; everything else goes out through your home’s Internet connection.

(Originally posted on February 8th, 2015. Updated on December 29th, 2020)

How Safe Is Your Wireless Network?

People will come up to me and ask, “Is my Wi-Fi password strong enough?” or “Is my wireless network secured?” This is often a difficult question to answer because no matter how secure a network is, there are always vulnerabilities. Wireless networks can be exploited in several ways; common causes include weak passwords, insufficient encryption and, believe it or not, huge data transfers. If a wireless network has a weak password, access could be achieved within minutes, so passwords should never be predictable. Weak security mechanisms, such as outdated encryption, can also leave your wireless network exposed. If you are going to secure your home wireless network, at least use WPA2 (Wi-Fi Protected Access v2). WPA2 uses AES encryption, which, compared to TKIP, stands a chance against a more powerful attack. WEP is highly susceptible to replay attacks and should be avoided at all costs.

Just the other day, I got familiar with aircrack-ng. aircrack-ng allows you to lock onto a specific BSSID and capture traffic that comes in contact with your network adapter. If your network adapter can support airodump-ng, then you can sniff packets from an AP and potentially crack a Wi-Fi password. In order to execute attacks like that, massive data transfers must be occurring when the hacker sniffs the wireless network. If there’s not a lot of data being transmitted, then the attack will take longer to execute. Packet injection via aireplay-ng can come in handy for generating noise. An attack that could take days to execute can happen within minutes if a hacker’s network card supports packet injection.

If you really want to be secure (to the point of inconvenience), here are some security mechanisms you can implement:

  • Use a strong encryption mechanism
  • Enable hidden SSID
  • Configure a MAC address filter
  • Implement an IDS endpoint
  • Use WPA2 Enterprise (802.1X) in order to add authentication/accounting via an intermediary (e.g. Microsoft NPS/RADIUS)
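One concrete form of the “IDS endpoint” item above is watching the management frames on your own channel for a deauthentication flood, the kind of noise that packet injection produces. The following is an added example, not part of aircrack-ng or any tool named on this page: it decodes the fixed 802.11 management frame header, then counts deauthentication and disassociation frames per BSSID in a sliding window. The frames are constructed by build_sample_frames(); a deployment would read them from a monitor-mode capture (radiotap header stripped) instead, and the window and threshold are assumptions to tune per environment.

```python
"""Deauthentication-flood detection over raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque
from typing import Optional

MGMT_TYPE = 0
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = bytes.fromhex("ffffffffffff")
AP_A = bytes.fromhex("021122334455")   # constructed, locally administered address
AP_B = bytes.fromhex("02aabbccddee")   # constructed


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                reason: Optional[int] = None, seq: int = 0) -> bytes:
    """Assemble a management frame: header plus an optional reason-code body."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    frame = frame_control + struct.pack("<H", 0) + dst + src + bssid
    frame += struct.pack("<H", seq << 4)   # sequence number sits in the high 12 bits
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


def parse_mgmt_header(frame: bytes) -> Optional[dict]:
    """Decode the fixed 24-byte MAC header: frame control (2), duration (2),
    addr1/addr2/addr3 (6 each), sequence control (2). Returns None for
    truncated frames or anything that is not a management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0 or ftype != MGMT_TYPE:
        return None
    info = {"subtype": subtype, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames, window_s: float = 10.0, threshold: int = 20) -> list:
    """frames: iterable of (timestamp, raw_frame). Count deauth/disassoc per
    BSSID within a sliding window and report the peak once it reaches the
    threshold, with the time span of the frames behind it."""
    recent = defaultdict(deque)
    peak = {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        hdr = parse_mgmt_header(raw)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(hdr["bssid"], {}).get("count", 0):
            peak[hdr["bssid"]] = {"bssid": hdr["bssid"], "count": len(q),
                                  "first": q[0], "last": ts, "reason": hdr.get("reason")}
    return list(peak.values())


def build_sample_frames() -> list:
    """Constructed traffic: beacons from two APs once a second, one legitimate
    deauth from AP_B (reason 3, station leaving), 40 broadcast deauths from
    AP_A within two seconds (reason 7), plus a truncated frame and a data
    frame that the parser must ignore."""
    client = bytes.fromhex("02deadbeef01")
    frames = []
    for i in range(60):
        frames.append((100.0 + i, build_frame(SUBTYPE_BEACON, BROADCAST, AP_A, AP_A, seq=i)))
        frames.append((100.0 + i, build_frame(SUBTYPE_BEACON, BROADCAST, AP_B, AP_B, seq=i)))
    frames.append((120.0, build_frame(SUBTYPE_DEAUTH, client, AP_B, AP_B, reason=3)))
    for i in range(40):
        frames.append((130.0 + i * 0.05, build_frame(SUBTYPE_DEAUTH, BROADCAST, AP_A, AP_A, reason=7, seq=i)))
    frames.append((131.0, b"\xc0\x00\x00"))              # truncated
    frames.append((131.5, b"\x08\x01" + b"\x00" * 22))   # data frame (type 2)
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(build_sample_frames()):
        print(f"deauth flood from {alert['bssid']}: {alert['count']} frames "
              f"in {alert['last'] - alert['first']:.2f}s, reason {alert['reason']}")
```

A single deauthentication is normal (stations leave, APs evict idle clients), so the detector keys on rate per BSSID rather than on any one frame; the broadcast destination and a repeated reason code are the details worth logging alongside the count when an alert fires.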

(Originally posted on April 27th, 2014. Updated on September 13th, 2020)