From the category archives:

Information Security

WordPress is one of the most popular CMSs among all its open source competitors. It has a very simple and open framework, which makes it a favourite starting point for anyone learning to hack.

Today we will look at a tool called wpscan. It is a vulnerability scanner for WordPress installations and will tell you the following:

  1. Version of the WordPress installation
  2. Known information disclosure files (e.g. readme.html)
  3. WordPress usernames
  4. WordPress plugin names
  5. Password brute force (a password list needs to be supplied)

How is this information useful to me / an attacker?

  1. You can check your WordPress installation version against the currently available version
  2. You can look up known vulnerabilities for the installed version using Google
  3. Information disclosure files are the easiest way to get the installed WordPress version
  4. Enumerated usernames can be brute-forced
  5. Plugins can be attacked through known vulnerabilities

How to use this tool?

  1. For basic WordPress information: # ruby wpscan.rb --url <URL>
  2. For username enumeration: # ruby wpscan.rb --url <URL> --enumerate u
  3. For plugin enumeration: # ruby wpscan.rb --url <URL> --enumerate p
  4. For a password brute force attack: # ruby wpscan.rb --url <URL> --wordlist <password file> --username <user name>

All commands are explained in the following video.

Download and installation

Please use the up-to-date instructions found here: http://code.google.com/p/wpscan/wiki/README


Till now we have covered the theory part of web application security. From here on I will try to cover various ethical hacking / penetration testing aspects with visuals and video. At the initial level we will cover at least one tool from each module.

Today we will look at WHATWEB, a web scanner that identifies the Content Management System behind a website.

WhatWeb can identify any popular CMS from its large CMS database. It can also identify JavaScript libraries, for example jQuery or YUI. When we visit a website there are some hidden parameters from which we can identify the CMS easily. For example, if a site uses WordPress, the visible identification is "Powered By: WordPress"; looking at the page source, other clues are folders named "wp-content" or the META GENERATOR tag.

Apart from the CMS name, WhatWeb can identify email addresses and account IDs. WhatWeb has both passive and active plugins. Passive plugins use information on the page, in cookies and in the URL to identify the system; a passive request is as lightweight as a simple GET / HTTP/1.1 request. Aggressive plugins guess URLs and request more files. Plugins are easy to write; you don't need to know Ruby to make them.

Active plugins can identify versions of Joomla, phpBB, etc. by making extra requests to the web server.

WhatWeb has an extensive logging mechanism with three output types (brief logging, full logging, XML logging).

WhatWeb requires Ruby 1.8 to run. In the video I have demonstrated the whatweb <url> and whatweb -v <url> commands; -v gives the result in verbose mode.

More on WhatWeb: http://www.morningstarsecurity.com/research/whatweb
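The two posts above (wpscan's version check via readme.html and the META GENERATOR tag, and WhatWeb's passive plugins that read clues from the page body) both come down to pattern matching over a response you already have. The example below is added here to show that idea in code for checking your own installation; it is not code from wpscan or WhatWeb. It runs entirely offline on two constructed page bodies (the front page and readme.html of a hypothetical WordPress site), and the "current release" it compares against is a placeholder argument, not a real version lookup.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs: what a WordPress front page and its readme.html
# could look like. Hand-written for this example, not captured from any site.
SAMPLE_FRONT_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.3.1" />
<link rel="stylesheet" href="/wp-content/themes/twentyeleven/style.css" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.1"></script>
</head><body>
<p>Proudly powered by WordPress</p>
</body></html>"""

SAMPLE_README = """<html><body>
<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 3.3.1</h1>
</body></html>"""

# Passive signatures in the spirit of WhatWeb's passive plugins:
# (label, regex over the raw HTML, CMS name, whether group 1 carries a version).
SIGNATURES = [
    ("meta generator tag", re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I), "WordPress", True),
    ("wp-content path", re.compile(r'/wp-content/', re.I), "WordPress", False),
    ("wp-includes path", re.compile(r'/wp-includes/', re.I), "WordPress", False),
    ("powered-by footer", re.compile(r'powered by\s*:?\s*WordPress', re.I), "WordPress", False),
    ("meta generator tag", re.compile(r'<meta\s+name="generator"\s+content="Joomla!?\s*([\d.]*)', re.I), "Joomla", True),
]

# jQuery shows up either as jquery-<ver>.min.js or as jquery.js?ver=<ver>.
JQUERY_RE = re.compile(r'jquery(?:-([\d.]+?))?(?:\.min)?\.js(?:\?ver=([\d.]+))?', re.I)

# wpscan-style check: WordPress's readme.html states the version in its logo heading.
README_VERSION_RE = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)


def fingerprint(html: str) -> Dict[str, object]:
    """Passively identify the CMS, its version and JS libraries from one page body."""
    result: Dict[str, object] = {"cms": None, "version": None, "evidence": [], "libraries": {}}
    evidence: List[str] = result["evidence"]  # type: ignore[assignment]
    for label, regex, cms, carries_version in SIGNATURES:
        m = regex.search(html)
        if not m:
            continue
        result["cms"] = result["cms"] or cms
        evidence.append(label)
        if carries_version and m.group(1) and not result["version"]:
            result["version"] = m.group(1)
    m = JQUERY_RE.search(html)
    if m:
        result["libraries"]["jQuery"] = m.group(1) or m.group(2) or "unknown"  # type: ignore[index]
    return result


def version_from_readme(readme_html: str) -> Optional[str]:
    """Return the version disclosed by readme.html, or None if the file does not leak it."""
    m = README_VERSION_RE.search(readme_html)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_outdated(installed: str, current: str) -> bool:
    """Point 1 of the wpscan post: compare the detected version with the current release."""
    return version_tuple(installed) < version_tuple(current)


def assess(front_page: str, readme_html: str, current_release: str) -> Dict[str, object]:
    """Combine the passive fingerprint and the readme check into one defender's view."""
    fp = fingerprint(front_page)
    readme_version = version_from_readme(readme_html)
    installed = fp["version"] or readme_version
    return {
        "cms": fp["cms"],
        "installed": installed,
        "evidence": list(fp["evidence"]) + (["readme.html"] if readme_version else []),  # type: ignore[arg-type]
        "libraries": fp["libraries"],
        "readme_exposed": readme_version is not None,   # disclosure file still reachable
        "outdated": bool(installed) and is_outdated(str(installed), current_release),
    }


if __name__ == "__main__":
    # "3.4" is a placeholder for whatever the current WordPress release is when you run this.
    print(assess(SAMPLE_FRONT_PAGE, SAMPLE_README, current_release="3.4"))
```

Feed it the HTML of your own site (fetched with any client) and the readme.html body; an empty readme body or a 404 page simply yields `readme_exposed: False`. Each piece of evidence listed is something you can remove or restrict on the server side, which is the point of running the check yourself before anyone else does.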


Scan Types: Central Scan or Individual Scan?

The question always arises: which type of scan is more effective? Both have pros and cons. For example, a central scan is comparatively slow, whereas an individual scan is fast. A central scan can be invoked and monitored from one location, whereas an individual scan has to be run on each system.

But the major advantage of a central scan is the database update. If we miss a database update on any one system it may lead us to wrong results, whereas in the case of a centralized scan we need to update only one database and then invoke the scan.

Defense in Depth:

Defense in depth plays a major role in information security. A single layer of security can be cracked, but if we have multiple layers it becomes very difficult for an attacker to get into your system. For example, at the physical security level we can have locks and secured areas. We can have authentication mechanisms in both hardware and software. Antivirus should be present at both the network and the host level. Firewalls should be in place at both the hardware and the software layer to protect systems from attacks.

The DMZ (demilitarized zone) should be properly configured. IDS and IPS should have proper logging mechanisms. Packet filters, routers and switches should have proper ACLs. Proprietary hardware or software should not be accessible to the public.

Network Scanners:

Nessus : Premier UNIX vulnerability assessment tool

Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free “registered feed” version in 2008. A limited “Home Feed” is still available, though it is only licensed for home network use. Some people avoid paying by violating the “Home Feed” license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

GFI LANguard : A commercial network security scanner for Windows

GFI LANguard scans IP networks to detect what machines are running. Then it tries to discern the host OS and what applications are running. It also tries to collect Windows machine’s service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager which detects and installs missing patches. A free trial version is available, though it only works for up to 30 days.

Retina : Commercial vulnerability assessment scanner by eEye

Like Nessus, Retina’s function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.

Core Impact : An automated, comprehensive penetration testing product

Core Impact isn’t cheap (be prepared to spend tens of thousands of dollars), but it is widely considered to be the most powerful exploitation tool available. It sports a large, regularly updated database of professional exploits, and can do neat tricks like exploiting one machine and then establishing an encrypted tunnel through that machine to reach and exploit other boxes. If you can’t afford Impact, take a look at the cheaper Canvas or the excellent and free Metasploit Framework. Your best bet is to use all three.

ISS Internet Scanner : Application-level vulnerability assessment

Internet Scanner started off in ’92 as a tiny open source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products.

X-scan : A general scanner for scanning network vulnerabilities

A multi-threaded, plug-in-supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more.

Sara : Security Auditor’s Research Assistant

SARA is a vulnerability assessment tool derived from the infamous (at least in 1995) SATAN scanner. They ceased development after releasing version 7.9.1 in June 2009.

QualysGuard : A web-based vulnerability scanner

Delivered as a service over the Web, QualysGuard eliminates the burden of deploying, maintaining, and updating vulnerability management software or implementing ad-hoc security applications. Clients securely access QualysGuard through an easy-to-use Web interface. QualysGuard features 5,000+ unique vulnerability checks, an Inference-based scanning engine, and automated daily updates to the QualysGuard vulnerability KnowledgeBase.

SAINT : Security Administrator’s Integrated Network Tool

SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.

MBSA : Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.

(Tools list taken from http://sectools.org/vuln-scanners.html)


Goal of Vulnerability Assessment

The goal of a network vulnerability assessment is to verify whether all deployed applications and special purpose servers are working normally, without any major vulnerabilities or flaws. If we look at a basic network structure we have antivirus, HIPS (host based intrusion prevention system), NIDS (network based intrusion detection system) and NIPS (network based intrusion prevention system). We can verify these applications/servers by assessing them against various known vulnerabilities.

Vulnerability Assessment:

Scan for live hosts:

To assess any network for vulnerabilities we first need to map the network. Network mapping is done by scanning the network for live hosts. People prefer tools like NMAP, which can scan a host for its operating system, services, open ports, known vulnerabilities and even some worms/viruses like Conficker.

NMAP crafts raw packets, sends them to the host and, from the replies, determines whether a vulnerability exists or not. In most cases a vulnerability scanner uses NMAP as a backend application for its scanning. NMAP is mostly used from the command line, but for beginners and Windows users ZENMAP is the GUI version of NMAP. The GUI version has some extra facilities such as saving profiles and a tabbed environment.

As a beginner I would prefer to go with ZENMAP, but once you are comfortable with NMAP, move to the command line to explore more of it. We will look at how to use NMAP or ZENMAP in more detail in a separate post. Following are screenshots from the NMAP command line which will help you understand the look and feel.

Some systems may be disconnected from the network; make sure to scan those systems as well. For example, there may be one system with Windows XP SP2 that is not connected to the network. This system may still have the FireWire vulnerability: one can attach a FireWire device and try to exploit it. This is not a network vulnerability, it is an OS level vulnerability, and it should be fixed.

Vulnerability Scanners:

As the above image shows, we require various types of vulnerability scanners. For example, at the user level we need to verify anti-virus, anti-adware, anti-spyware and anti-phishing; at the transport layer we need to verify protocol level vulnerabilities; at the access layer we need to check access control, authentication, cryptography, firewalls, VPN and web application firewalls. At the network layer we need to assess firewalls, network scanners, VPN and intrusion detection. Finally, at the application layer we need to verify application vulnerabilities and source code.

Any vulnerability scanner consists of the following major components:

  1. Database of known vulnerability
  2. Scan engine
  3. Administrator Console
  4. Scan results

When the vulnerability scanner administrator starts a scan, the scanner first of all checks the vulnerability database, then starts sending specially crafted packets to the target hosts and tries to get details about the vulnerabilities. The vulnerability database must be updated daily / before starting any scan.

In the next post we will look at:
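To make the four components and the "check the database first" step concrete, here is an added example in Python; it is not code from any scanner named on this page. The vulnerability database, service names and version numbers are all constructed placeholders (the ids are not real advisories), and instead of crafting packets the scan engine matches banner observations that have already been collected, so the whole thing runs offline. The staleness check is the central-scan point from the earlier post: one database, refreshed before every run.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Component 1: database of known vulnerabilities. Records are constructed for
# this example (placeholder ids and fictional services, not real advisories).
@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str               # placeholder identifier, not a real CVE
    service: str
    fixed_in: Tuple[int, ...]  # versions below this are affected
    severity: str
    title: str

@dataclass
class VulnDatabase:
    last_updated: date
    records: List[VulnRecord] = field(default_factory=list)

    def is_stale(self, today: date, max_age_days: int = 1) -> bool:
        """The post's rule: refresh the database daily / before every scan."""
        return (today - self.last_updated).days > max_age_days

# What the scan engine has learned about a host from its service banners.
@dataclass(frozen=True)
class Observation:
    host: str
    port: int
    service: str
    version: Tuple[int, ...]

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str
    severity: str
    title: str

# Component 2: scan engine. A real engine crafts packets (NMAP-style); this one
# only matches already-collected observations against the database.
def scan_engine(db: VulnDatabase, observations: List[Observation]) -> List[Finding]:
    findings: List[Finding] = []
    for obs in observations:
        for rec in db.records:
            if rec.service == obs.service and obs.version < rec.fixed_in:
                findings.append(Finding(obs.host, obs.port, rec.vuln_id, rec.severity, rec.title))
    return findings

# Component 3: administrator console. It checks the database before invoking the
# engine, which is the first step the post describes, and refuses to run on stale data.
def run_scan(db: VulnDatabase, observations: List[Observation], today: date) -> Dict[str, object]:
    if db.is_stale(today):
        return {
            "status": "refused",
            "reason": f"database last updated {db.last_updated}; refresh it before scanning",
            "findings": [],
            "per_host": {},
        }
    findings = scan_engine(db, observations)
    # Component 4: scan results, summarised per host for the report.
    per_host: Dict[str, int] = {}
    for f in findings:
        per_host[f.host] = per_host.get(f.host, 0) + 1
    return {"status": "completed", "findings": findings, "per_host": per_host}

# Constructed sample data: fictional services "acme-ftpd" and "acme-httpd".
SAMPLE_DB = VulnDatabase(last_updated=date(2012, 1, 10), records=[
    VulnRecord("EX-0001", "acme-ftpd", (1, 4), "high", "placeholder: acme-ftpd below 1.4"),
    VulnRecord("EX-0002", "acme-httpd", (2, 2, 21), "medium", "placeholder: acme-httpd below 2.2.21"),
])
SAMPLE_OBSERVATIONS = [
    Observation("10.0.0.5", 21, "acme-ftpd", (1, 2)),
    Observation("10.0.0.5", 80, "acme-httpd", (2, 2, 22)),
    Observation("10.0.0.9", 80, "acme-httpd", (2, 2, 14)),
]

if __name__ == "__main__":
    print(run_scan(SAMPLE_DB, SAMPLE_OBSERVATIONS, today=date(2012, 1, 11)))
    print(run_scan(SAMPLE_DB, SAMPLE_OBSERVATIONS, today=date(2012, 1, 20)))
```

The refusal path is the part worth copying into a real workflow: a scan that silently runs against an old database produces the "wrong results" the central-scan post warns about, and a result that looks clean is worse than no result at all.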

  1. Local scan vs. central scanning
  2. Defense in depth
  3. Tools for vulnerability scanning

In the previous blog post we learned what a vulnerability is and what an exploit is. In this blog post we will look at why an organization should go for a vulnerability assessment, and what the major difference between penetration testing and vulnerability assessment is. We will also take a look at the ISO 27001 requirement for vulnerability assessment.

Why Vulnerability Assessment?

Organizations use information technology to make their work fast, efficient and manageable, but it is also observed that they do not take care of information security, which many times leads to a negative impact. Organizations give access to the internet along with the intranet, which can lead to data theft. It is important that an organization has a vulnerability assessment policy and that it is implemented properly.

As per the ISO 27001 standard, one should look for the following vulnerabilities:

  • Access control error – Lack of enforcement
  • Authentication error – inadequate identification mechanisms
  • Boundary error – inadequate checking/validating mechanisms
  • Configuration error – improper configuration
  • Exception handling error – improper setup or coding
  • Input validation error – lack of verification mechanisms
  • Randomization error – mismatch in random data
  • Resource error – lack of resources
  • State error – incorrect process flow

All the above mentioned vulnerabilities are application vulnerabilities, but as I mentioned earlier the application is not the limit; one should check physical security as well.

Vulnerability Assessment vs. Penetration Testing

The majority of people feel that vulnerability assessment and penetration testing are one and the same thing, but in fact they are different. Vulnerability assessment is limited to finding and classifying the threats/risks, whereas penetration testing goes beyond that and tries to exploit the vulnerabilities.

A sample vulnerability assessment report file can be downloaded from here.


This blog post series is going to give you some details regarding vulnerabilities, what vulnerability assessment is and why it is needed. It will not give you an in-depth idea of vulnerability assessment, but it will give you a basic understanding of the above mentioned topics.

In computer terms a vulnerability means a weakness. This weakness may be due to a software fault, a programming error or a known limitation. An attacker will try to exploit this weakness and get access to the server. For example, suppose there is one room in the office where we have put all the servers, and this room does not have any authentication mechanism (no access card, no security guard). In this case the attacker has direct access to the servers, and if he/she is able to breach security and take a server away, that is an exploit. In the majority of cases a vulnerability will tend to become an exploit.

Nowadays when any known application has a vulnerability we get the details through newsgroups or search engines. The time between an exploit being found and fixed is known as ZERO days, and many times these ZERO days last for years.

Many times we use an automated vulnerability assessment tool and prepare a report of many pages, but probably that is not the right way. We need to categorize the vulnerabilities first, then take the high priority ones and put them on paper.

Some tools will try to exploit the same vulnerability with 100 different fuzzing inputs, but at the end of the day it is only one vulnerability. Many times these reports are very scary in nature when it comes to fixing the vulnerability. Each and every vulnerability report should contain:

  • Category of vulnerability
  • Nature of vulnerability
  • How urgent is it to fix the vulnerability?

It should not contain:

  • Repeated vulnerability
  • False positive vulnerability

Vulnerability reporting should highlight critical findings first, then high, medium and low. It should also be differentiated by service.

Reporting in PDF form with a digital signature is preferred, but Excel, Word or email format can be used as part of internal audits. Reports should have an executive summary and a detailed report, which will help the end user fix the vulnerabilities.

Missing a major vulnerability will let your system be defeated easily. So it is advised to scan your servers frequently and not to rely only on automated vulnerability scanners. One should visit different security advisory sites and check for various ZERO days.

If we look at real world scenarios, many times we hear "this will not happen in our network", "why should we secure our network?", "my application will not work if I move to a higher version". But as part of information security it is advisable to work on patched/updated servers.
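The reporting rules above (collapse the 100 fuzz hits into one vulnerability, drop confirmed false positives, carry category / nature / urgency for each entry, order critical first, and split by service with an executive summary on top) are mechanical enough to script. The following is an added Python example, not part of the original post; the raw scanner output is constructed, the "EX-" ids are placeholders and not real advisories, and the category labels are taken from the ISO 27001 list in the earlier post.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
URGENCY = {
    "critical": "fix immediately",
    "high": "fix within days",
    "medium": "fix in the next maintenance window",
    "low": "fix when convenient",
}

@dataclass(frozen=True)
class RawFinding:
    host: str
    service: str
    vuln_id: str    # placeholder id from a constructed scanner output
    category: str   # ISO 27001 category from the earlier post
    nature: str
    severity: str
    payload: str    # the fuzz input the scanner used for this particular hit

# Constructed raw scanner output: one input validation flaw reported three times
# (once per fuzz payload), one low finding, and two database findings.
RAW: List[RawFinding] = [
    RawFinding("web01", "http", "EX-101", "Input validation error", "parameter not validated", "high", "payload-1"),
    RawFinding("web01", "http", "EX-101", "Input validation error", "parameter not validated", "high", "payload-2"),
    RawFinding("web01", "http", "EX-101", "Input validation error", "parameter not validated", "high", "payload-3"),
    RawFinding("web01", "http", "EX-205", "Configuration error", "directory listing enabled", "low", "n/a"),
    RawFinding("db01", "mysql", "EX-301", "Authentication error", "account without password", "critical", "n/a"),
    RawFinding("db01", "mysql", "EX-302", "Configuration error", "version banner disclosed", "low", "n/a"),
]
# Findings the team has manually verified as false positives (host, service, id).
CONFIRMED_FALSE_POSITIVES: Set[Tuple[str, str, str]] = {("db01", "mysql", "EX-302")}

@dataclass(frozen=True)
class ReportEntry:
    host: str
    service: str
    vuln_id: str
    category: str
    nature: str
    severity: str
    urgency: str
    hit_count: int   # how many raw hits were collapsed into this entry

def normalise(raw: List[RawFinding], false_positives: Set[Tuple[str, str, str]]) -> List[ReportEntry]:
    """Collapse repeated hits of one vulnerability and drop confirmed false positives."""
    merged: Dict[Tuple[str, str, str], List[RawFinding]] = {}
    for f in raw:
        key = (f.host, f.service, f.vuln_id)
        if key in false_positives:
            continue
        merged.setdefault(key, []).append(f)
    entries = []
    for (host, service, vuln_id), hits in merged.items():
        first = hits[0]
        entries.append(ReportEntry(host, service, vuln_id, first.category, first.nature,
                                   first.severity, URGENCY[first.severity], len(hits)))
    return entries

def order_for_report(entries: List[ReportEntry]) -> List[ReportEntry]:
    """Critical first, then high, medium, low; within one severity, grouped by service."""
    return sorted(entries, key=lambda e: (SEVERITY_ORDER[e.severity], e.service, e.host, e.vuln_id))

def by_service(entries: List[ReportEntry]) -> Dict[str, List[ReportEntry]]:
    """The 'differentiated by service' view for the detailed section."""
    grouped: Dict[str, List[ReportEntry]] = {}
    for e in order_for_report(entries):
        grouped.setdefault(e.service, []).append(e)
    return grouped

def executive_summary(entries: List[ReportEntry]) -> Dict[str, int]:
    """Counts per severity, always listing all four levels so zeros are visible."""
    counts = Counter(e.severity for e in entries)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

if __name__ == "__main__":
    entries = normalise(RAW, CONFIRMED_FALSE_POSITIVES)
    print("Executive summary:", executive_summary(entries))
    for service, items in by_service(entries).items():
        print(f"== {service} ==")
        for e in items:
            print(f"  [{e.severity}] {e.vuln_id} on {e.host}: {e.nature} "
                  f"({e.category}; {e.urgency}; {e.hit_count} raw hit(s))")
```

Keeping `hit_count` on each entry preserves the evidence that the scanner exercised the flaw repeatedly without letting three lines in the scanner log become three findings in the report; the false-positive set is the manual review step that an automated tool cannot do for you.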

In the next post we will see:

  • Why vulnerability assessment?
  • The difference between penetration testing and vulnerability assessment.