Showing posts with label Penetration Testing. Show all posts

Thursday 1 January 2015

The Bug Bounty List - Bug Hunting

I started finding serious security issues and vulnerabilities back in 1998. Back then the community was so immature that I was getting so much grief every time I was trying to explain what I had found. The common response was "why did you check our system/application", "who told you to alter the input", "this was not supposed to happen, you broke it", "the others don't know to do this; why did you do it" and all sorts of similar discussions. Unfortunately, back then there weren't any bug bounty or recognition programs for poor security enthusiasts like myself.

I am glad to see that the community is starting to become more mature and understands how valuable the discovery of a security issue or a vulnerability by a "white hat hacker" can be for a business. I am also glad there are bug bounty programs out there which reward security researchers and security enthusiasts who discover security issues.

Wednesday 15 October 2014

POODLE SSLv3 Vulnerability

Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google, who discovered this, released a security advisory which you can find on the OpenSSL website [2].
The Padding Oracle On Downgraded Legacy Encryption (aka #POODLE) vulnerability already has a good write-up [1]. Jesper Jurcenoks explains the vulnerability on his blog [3] in a very detailed, yet easy to understand, manner. I am happy to see that Jesper used the logo I made for the POODLE vulnerability in his blog post! :) Also, if you are thirsty for more technical details, you should read this blog post from ImperialViolet [4]. If you want to see some statistics on how vulnerable we are today in this regard, you should read this article on netcraft [5]. The following post outlines the steps for disabling SSLv3 [6]. If you want a quick test to see whether your browser supports SSLv3 (and is therefore exposed to POODLE), visit www.poodletest.com. On the other hand, www.howsmyssl.com can provide some useful information about the SSL/TLS client you used to render its page. Last but not least, if you need to scan a server given its domain name for this vulnerability, you may use www.poodlescan.com.

CVE-2014-3566 has been allocated for this protocol vulnerability.

I had an idea for a logo for this vulnerability which I posted on twitter when the vulnerability came out and I would like to share it with you. Since we have been trying to ditch SSLv3 for quite some time now, the logo had to look a little bit old style, retro and maybe vintage. Let me know what you think. (You are free to use this logo; it would be nice if you reference it with: @drgfragkos.)



Do you want to test manually? Use this command:
openssl s_client -connect google.com:443 -ssl3
If the handshake fails then the server doesn't support SSLv3. (Note that an OpenSSL client built without SSLv3 support rejects the -ssl3 option itself, which tells you nothing about the server.)

Sunday 28 September 2014

Using On-line Services for Reconnaissance

Ever wanted to use only existing online services to do reconnaissance without having to install or use any other tools? Well, the following URLs will give you a nice starting point. This list is to be expanded and updated with more links. If you believe you know of an online service which can be useful for this purpose, do not hesitate to share it with the rest of us. Let me know and I will add it to the list! :)

Thursday 25 September 2014

Bash-ing (Bash Bug, Shell Shock) - All the information you need

The Bash Bug is a severe vulnerability discovered by by Stephane Chazelas of Akamai, who most probably deserves a pwnie award [1]. 
The discovery of this particular vulnerability is a serious risk, similar (maybe proven to be a lot bigger) to the Heartbleed bug [2]. Mostly because Linux not only runs the majority of the servers but also in a large number of embedded devices. Keep in mind that there are approximately about 25 years’ worth of Bash versions! Effectively, Mac OS X [11] and Android devices may also be running the vulnerable version of bash. 
Also, for Windows systems, msysgit contains a vulnerable version of bash (by Joshua McKinney) [12]. Which means, we are going to have more of these popping up very soon under the Windows platform as well.
Just to give you a hint about the severity of this vulnerability, NIST Vulnerability DataBase rated this with "10 out of 10". [3]

Sunday 31 August 2014

UnPHP - The PHP decoder

UnPHP is a free service for analysing obfuscated and potentially malicious PHP code. 

Test your PHP code online

For various reasons you might want to test your PHP code (or code written by others) and see if it works or check what it does. If this is something you would like to do, then you can use a couple of websites which will do this for you. 

Sunday 6 July 2014

upnp.ninja

U Plug, We Play, was the title of David Middlehurst's (@dtmsecurity) presentation at the BSides Manchester conference. The presentation was about a new open source tool called 'UPnP Pentest Toolkit' [1] which he developed and released on the day of the conference. I had the chance to catch up with David at the London Trust Forum the other day and shared some thoughts about the tool. I am 'a bit' of a geek, so the day after the BSides Manchester conference it was the first thing I wanted to test. I downloaded the tool and started scanning my home devices.

Well done David!

[1] upnp.ninja

Thursday 3 July 2014

London Trust Forum

I was invited to attend the London Trust Forum organised by NCC, where Andy Davis talked about CANimation and highlighted the security threats to automotive systems. A very interesting talk on how you can hack into cars when you have physical access to them or, on some occasions, remotely!

It was really nice to see familiar faces at the event and catch up with Dr. Jessica Barker (@drjessicabarker), David Middlehurst (@dtmsecurity), @netbiosX and @Emil_i.

Looking forward to the next Trust Forum event already!


Wednesday 21 May 2014

The Subterfuge Project called Artemis

Artemis [1] is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat (APT). Artemis raises the bar allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server based platform at cevincere.com Artemis is able to stay one step ahead of anti-virus vendors, and ensure that penetration testers can give their clients the value that they deserve.

[1] https://code.google.com/p/subterfuge/

Wednesday 9 April 2014

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160) [1]. This is a CRITICAL vulnerability affecting the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server. The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information.

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternative at this point, if you cannot upgrade to OpenSSL 1.0.1g, is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

To remediate an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu's OpenSSL package 1.0.1-4ubuntu5.12 resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)
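The Snort rules above match on fixed bytes; the condition that actually defines the bug is a heartbeat request whose declared payload_length (plus the mandatory padding) exceeds what the record carries. The following Python, an added example rather than anything from the post, checks exactly that over a few constructed records: one benign TLS 1.1 heartbeat and one carrying the bytes that rule (a) looks for. The verdict names and the client-to-server framing are assumptions of this example.

```python
import struct

HEARTBEAT = 0x18            # TLS ContentType for heartbeat records (RFC 6520)
HEARTBEAT_REQUEST = 0x01    # HeartbeatMessageType request
MIN_PADDING = 16            # RFC 6520: padding_length MUST be at least 16

def inspect_tls_record(record):
    """Classify one TLS record as it appears on the wire.

    A heartbeat request is 'heartbleed-suspect' when the payload_length it
    declares (plus the mandatory padding) does not fit in the bytes the
    record actually carries: that mismatch is the read overrun the OpenSSL
    advisory describes.
    """
    if len(record) < 5:
        return "truncated"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HEARTBEAT or major != 3:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return "truncated"                # no room for type + payload_length
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return "heartbeat-ok"             # responses are not the trigger
    if payload_len + MIN_PADDING > len(body) - 3:
        return "heartbleed-suspect"
    return "heartbeat-ok"

def find_suspect_records(records):
    """Return the indices of records that look like Heartbleed attempts."""
    return [i for i, r in enumerate(records)
            if inspect_tls_record(r) == "heartbleed-suspect"]

# Constructed sample records (not captured traffic).
# 1) A TLS handshake record: not a heartbeat at all.
HANDSHAKE = b"\x16\x03\x01\x00\x05hello"
# 2) A well-formed TLS 1.1 heartbeat request: 4-byte payload plus 16 bytes of padding.
BENIGN = (bytes([HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 3 + 4 + MIN_PADDING)
          + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
# 3) The exact bytes Snort rule (a) looks for: a 3-byte record claiming a 16384-byte payload.
MALFORMED = bytes([HEARTBEAT, 0x03, 0x02, 0x00, 0x03, HEARTBEAT_REQUEST, 0x40, 0x00])
SAMPLE_RECORDS = [HANDSHAKE, BENIGN, MALFORMED]

if __name__ == "__main__":
    for i in find_suspect_records(SAMPLE_RECORDS):
        print(f"record {i}: {SAMPLE_RECORDS[i].hex()} -> {inspect_tls_record(SAMPLE_RECORDS[i])}")
```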


[1] http://www.openssl.org/news/secadv_20140407.txt

Friday 14 February 2014

Kali Linux Virtual Box Resolution

There are several ways people suggest for adjusting the Kali Linux [1] resolution in Virtual Box. First of all, make sure you have the latest Virtual Box [2] along with the latest Extension Pack.

Let's assume that you downloaded a VM image of Kali Linux from the aforementioned URL. I suggest you make sure your Kali Linux is up-to-date. To update your system, bring up the terminal and run the following command in order to fetch all the new updates:
apt-get update

Then, run this command to upgrade your system:
apt-get upgrade

It is not necessary to restart your system at this stage, but for those of you who might want to do this, just type in the terminal: reboot

Friday 1 November 2013

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Penetration Testing

I had the pleasure of being invited for the first time as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world, and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI), the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participants had an opportunity to understand what an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and, last but not least, a PCI Forensics Investigator (PFI) is.

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed, and a comparison of ASV scanning, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy it can be to create malware that is capable of evading AntiVirus detection (including reputation-based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand, with examples, why we say there is no 100% security.

I had a wonderful day at the University; the students were very excited and I do hope they learned a lot. All the best with their course. I am looking forward to being invited again by the university in the future and having the opportunity to discuss CyberSecurity and Cyber-Threats in more detail.

Sunday 10 June 2012

KYOCERA default passwords

It is not uncommon to find KYOCERA systems while onsite conducting a penetration test. I had to find a comprehensive list of default usernames and passwords and these are the links where I could find some of the default credentials.


[1] http://blog.primaryschooltech.co.uk/2012/04/kyocera-command-center-default-admin.html


[2] http://www.gfbm.net/selfhelp_kma_copier_username_password.htm

Monday 16 January 2012

Arachni: Web Application Security Scanner Framework

Arachni Web Application Security Scanner [1] is a Free/Open Source project; the code is released under the GNU General Public License, version 2, and you are free to use it as you see fit. On 12 January 2012 the Arachni software started moving away from GPLv2 and towards the Apache License v2.0, for several licensing reasons [2].


[1] http://arachni-scanner.com/overview
[2] http://trainofthought.segfault.gr/2012/01/12/arachni-is-moving-away-from-gplv2-and-towards-apache-license-v2-0/

Sunday 26 June 2011

Metasploit - How to log the output of what you are doing

Yes, I admit it, I was also one of the people scrolling up and down to find the information I was looking for in a module's output, or copying the whole stdout to a file in order to make my life a bit easier. As of revision r13028 [1] the console now supports the spool command.
(To access the new command, use the msfupdate command on Linux (or just "svn update") or the Metasploit Update link on Windows.)

No more hassle: you can use the spool command to log all the stdout to a file automatically! So, while in metasploit, you can type:

spool on

or

spool /root/msfoutput.txt

and anything you do will be logged in that file (all output will always append).

If you want to stop this just type:

spool off

As a quick tip, you can either check the contents of the log file by using the 'cat' command or follow the stream as it is being generated by using the 'tail -f' command.

Hope you find this helpful as I did! :D

[1] https://community.rapid7.com/community/metasploit/blog/2011/06/25/metasploit-framework-console-output-spooling

Wednesday 12 August 2009

Wireless HotSpot using your laptop (Windows 7 and Windows 8)

I get to travel around and I have stayed in a number of hotels. One of the most important things for me is Internet access during my stay. I have been to hotels (major hotel chains) where the WiFi signal is so weak in the room that sometimes you need to stand by the open door in order to send an email. That is not very convenient, so I needed a quick solution in such cases. By creating a hotspot using your laptop's Wireless adapter, you can have a very strong signal anywhere in the room to access the Internet from any other devices you may have with you (e.g. mobile phone).

I am assuming that your laptop has both an Ethernet port and a Wireless adapter. Before you start check Windows Updates to make sure you have all the latest security updates and the latest drivers for your Ethernet card and the Wireless adapter (consider rebooting if needed).