Monthly Archives: March 2016

Offensive Security Certified Professional (OSCP) Study Guide Links & Material

Vulnerable By Design – VulnHub – https://www.vulnhub.com

Offensive Security blog – https://www.offensive-security.com/blog/

Metasploit Unleashed

0x2 Course Review: Penetration Testing with Kali Linux (OSCP)

FuzzySecurity tutorials – http://www.fuzzysecurity.com/tutorials.html

Corelan articles – https://www.corelan.be/index.php/articles/

g0tmi1k blog – https://blog.g0tmi1k.com/

Complete training series of videos:

HACKING THE GHOST MACHINE IN OFFENSIVE SECURITY COMPETITION

OFFENSIVE SECURITY 2013 – WEB APPLICATION HACKING 101

OFFENSIVE SECURITY 2013 – ROOTKITS / CODE AUDITING

OFFENSIVE SECURITY 2013 – FUZZING – EXPLOIT DEV 101

OFFENSIVE SECURITY 2013 – REVERSE ENGINEERING (X86) WORKSHOP DAY 2

Hacking A Mature Security Program

Offensive Security Real Live Pentest

Advanced White Hat and Penetration Testing Tutorial | Starting Up Metasploit

Offensive Security Part 1 – Basics of Penetration Testing by KernelMeltdown.org

Offensive Security Training

Armitage and Metasploit Training (2011) – 1. Introduction

SecurityTube Metasploit Framework Expert Part 1

Symantec Cyber Security Training: nmap and Metasploit Framework


REINCARNA / Linux.Wifatch Malware: a Whitehat Backdoor Made by the Good Guys? How Illegal Is This?

So last night I did a little banner grabbing from some IP ranges that have historically been extremely insecure. I'm not a blackhat hacker anymore, so my intention wasn't to exploit these hopelessly incompetent victims, but I would have notified them. I have considered the idea of compromising them just to patch them and save them from themselves, but I don't need issues from the fuzz. While banner grabbing I started noticing a trend: someone else had the same idea that I did. Since security isn't common in these ranges, a whitehat hacker decided to take measures into his own hands and compromise entire netranges to backdoor and patch them.

Realistically, a huge percentage of accessible Linux, Solaris, Irix, *BSD, SCO, Ultrix and other *nix based servers are compromised. The backdoors used are extremely hard to detect. For instance, some of the underground backdoors that I've had my hands on trojan sshd/telnetd/ftpd and allow remote root access with special keys. An example of one of my favorites was bj.c, which was never released publicly and which I had back in 1999; it would defeat Tripwire and every other pathetic host-based security solution for *nix. bj.c would work by replacing the telnet, SSH or FTP daemon, allowing the hacker to log in remotely over port 21, 22 or 23 (whichever you wanted) by setting a TERM value in the code. An example would be TERM=vs690 telnet 1.1.1.1, and you would be dropped into a root shell without creating entries in /etc/messages, syslog, utmp or any other logs. The SSH backdoor version would use encryption and a special username that wouldn't show up in /etc/passwd or anywhere else for that matter. Simply doing ssh j00rpwn3d@1.1.1.1 would drop you into a root shell. Since these underground private backdoors have never been released, and white hat hackers typically only have academic knowledge, they have never been detected by any host-based security solution I've seen; I have submitted them for scanning over the years with a zero percent detection rate. The only chance of detecting these backdoors on your network is by using network traffic monitoring tools to identify odd incoming traffic over periods of time with large packet counts, and being smart enough to know something seems off. I would recommend re-imaging if you see traffic that seems off, as this is the case because Ncase, qtip or whatever you're using won't find them. I have literally seen these backdoors stay on systems for 10+ years, and they usually aren't mitigated until the OS is actually updated.

 

Is this legal? Uhhh... well... No! Is it morally and ethically right? I would have to lean on the side of YES! I scanned ten /16 ranges in which, in the past, I could own virtually anything public facing, and this hacker had compromised and backdoored over 1200 hosts that I counted. I would suspect, based off that small sample size, that he/she has compromised over 10,000 hosts on the Internet.

 

I am going to examine the backdoor that REINCARNA is using and examine the source code of Linux.Wifatch, which is available at https://gitlab.com/rav7teif/linux.wifatch, to see if these hosts really are only being compromised to protect them. On the surface that seems very unrealistic, as this would take a considerable amount of time unless a worm was launched to auto-compromise and patch these hosts, but that would be extremely risky, as the worm could attempt to exploit hosts of foreign governments and military systems. Even as a blackhat in the old days I avoided hacking government hosts; 2600 defacements using one of my various tag names would support this, although legally I'm not admitting I had anything to do with them.

 

Banner grabbing is not illegal, so here is an example of a few hosts that I came across that were hacked by REINCARNA, supposedly for their protection.

 

Add your comments in the section below. I am interested to see the opinions of other security professionals and outside sources on this practice, and whether this "good guy" hacker should be brought to justice. Given the ranges I was scanning he might be compromising hosts in countries that don't commonly extradite, or he himself may live in a place without extradition laws. The e-mail listed is a Russian one, but as any hacker knows, you conceal your true identity; he could very well be living in California, USA.

 

root@wittyserver:~# telnet 91.220.205.*
Trying 91.220.205.*...
Connected to 91.220.205.*.
Escape character is '^]'.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White <rav7teif@ya.ru>

Connection closed by foreign host.

root@wittyserver:~# telnet 91.220.204.*
Trying 91.220.204.*...
Connected to 91.220.204.*.
Escape character is '^]'.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White <rav7teif@ya.ru>

Connection closed by foreign host.

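Banner grabbing of the kind shown in the transcripts above can be automated. The following is an added example, not code from the post or from the Wifatch project: it strips telnet option negotiation out of the raw bytes a daemon sends, answers that negotiation so a daemon that waits for a reply still goes on to print its banner, and matches the result against the REINCARNA banner quoted above. The marker strings are taken from the quoted banner; the sample inputs are constructed here, not captured from real hosts.

```python
"""Telnet banner grabbing with IAC handling and REINCARNA banner matching.

Added example, not from the original post or the Wifatch project.
Assumption: the banner text is the one quoted in the post above.
The SAMPLE_* inputs below are constructed, not real captures.
"""
import socket
from typing import Tuple

# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Signature strings lifted from the banner quoted in the post.
WIFATCH_MARKERS = ("REINCARNA / Linux.Wifatch", "rav7teif@ya.ru")


def strip_telnet_iac(data: bytes) -> Tuple[bytes, bytes]:
    """Remove telnet option negotiation from raw socket data.

    Returns (clean_text, reply): the banner with IAC sequences removed, and
    the negotiation to send back so the daemon proceeds (refuse everything:
    DO -> WONT, WILL -> DONT).  A bare 0xff data byte arrives as IAC IAC.
    """
    out, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                  # truncated IAC at end
        cmd = data[i + 1]
        if cmd == IAC:                             # escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                            # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                      # two-byte command (NOP, GA...)
            i += 2
    return bytes(out), bytes(reply)


def classify_banner(raw: bytes) -> str:
    """'wifatch' if the REINCARNA banner is present, else 'telnet-open' for
    any other text, else 'no-banner'."""
    text, _ = strip_telnet_iac(raw)
    decoded = text.decode("utf-8", errors="replace")
    if any(marker in decoded for marker in WIFATCH_MARKERS):
        return "wifatch"
    return "telnet-open" if decoded.strip() else "no-banner"


def grab_banner(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Live grab: connect, refuse option negotiation, return all bytes read.
    Network call; not exercised by the offline samples below."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        for _ in range(4):                         # a few negotiate/read rounds
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            _, reply = strip_telnet_iac(chunk)
            if reply:
                s.sendall(reply)
    return raw


# Constructed samples: a Wifatch banner preceded by IAC DO ECHO and
# IAC WILL SUPPRESS-GO-AHEAD negotiation, and an ordinary login prompt.
SAMPLE_WIFATCH = (bytes([IAC, DO, 1, IAC, WILL, 3])
                  + b"\r\nREINCARNA / Linux.Wifatch\r\n\r\n"
                  b"Your device has been infected by REINCARNA / Linux.Wifatch.\r\n")
SAMPLE_LOGIN = b"\r\nUbuntu 14.04 LTS\r\nlogin: "

if __name__ == "__main__":
    for name, sample in (("wifatch", SAMPLE_WIFATCH), ("login", SAMPLE_LOGIN)):
        print(name, "->", classify_banner(sample))
```

The IAC handling is the part that trips people up: many telnet daemons send DO/WILL options before the banner, some wait for an answer, and the 0xff bytes would otherwise land inside the text being matched. grab_banner() is the live check for hosts you are allowed to probe; the classifier itself only needs captured bytes.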


What Poor Security Practices Does Your Organization Employ, and What Are the Best Practices?

Even in 2016, poor security practices are ubiquitous and give attackers a path into networks and critical infrastructure.

What are some examples of poor security practices you may be guilty of?

Implementing insecure services:

  • Telnet – one of the worst services you can have open on your network. Telnet provides no encryption, so your login and password cross the network in the clear every time you log in, and once logged in every command you type and every response can be captured as plain text. Even using telnet internally is poor practice, since an insider on the same network segment can capture the traffic. Legacy Unix servers are the hosts that most commonly still run telnet; their banners reveal OS and kernel version information, giving an attacker a head start on finding an exploitable vulnerability for that host. Telnet daemons themselves have a long history of remotely exploitable bugs, with public exploits that try return-address offsets in a loop until they land a root shell; telnetd implementations on Linux, Solaris, IRIX and the BSDs have all been affected at one time or another. Replace telnet with SSH. If a legacy device truly cannot run SSH, reach it through an SSH or VPN tunnel, or at minimum use telnet over TLS (telnets, port 992).

  • FTP – Just like telnet, credentials are sent in clear text, and exploits have existed for virtually every major FTP daemon; wu-ftpd and ProFTPD are prime examples. To transfer files securely use SFTP (file transfer over SSH) with a client such as FileZilla, or FTPS (FTP over TLS) if you must keep FTP-style access.

  • E-mail – Sending over SMTP on port 25 and reading mail over POP3 on port 110 or IMAP4 on port 143 without TLS basically invites others to read your conversations; these protocols carry credentials and message bodies in the clear. Require TLS: STARTTLS on the SMTP submission port (587) or implicit TLS (SMTPS, port 465), POP3S on port 995 and IMAPS on port 993, and disable the plain-text ports. Where the content itself is sensitive, encrypt messages end to end (PGP or S/MIME) before sending them.

  • Network printers – among the most commonly vulnerable devices in an organization. Printers seem harmless and are usually neglected once switched on. The administrator account is frequently left without a password, so anyone with physical access can walk up and enable services or install software directly on the machine, and anyone on the network can do the same through the management interface. By default printers tend to run unnecessary services such as telnet, FTP, SNMP and unencrypted HTTP management pages. High-end printers now carry enough RAM and disk that an attacker can install a small Linux environment or a backdoor service such as a dropbear SSH daemon for persistent remote access. Printers are often left off network scan lists, so their vulnerabilities are not even discovered until it is too late.

  • Lack of proper ACLs on services such as SNMP, DNS, NTP, SSDP, TFTP and chargen, to name a few. These should answer only internal and trusted systems and never respond to requests from the outside. Because UDP has no handshake, an attacker can spoof the source address of a small request so that the much larger response lands on a victim, turning your servers into reflectors in a DrDoS (distributed reflection denial of service) attack. NTP's monlist command is the classic case: a request of a few dozen bytes at most makes the server return its list of up to 600 recently seen clients, spread over many response packets of around 440 bytes each, an amplification of several hundred times, and the list itself is an information leak about who talks to your server. Given that 10,000+ NTP servers on the Internet still answer monlist from anywhere, an attacker issuing the request thousands of times per second across those servers with a spoofed return address can flood a target at many gigabits per second. On ntpd, add "disable monitor" to ntp.conf or upgrade to a release that has removed monlist (4.2.7p26 and later), and put the ACL in front regardless.

  • Screen lock and careless employees – workstations that are not locked or logged out when the user leaves the area are available to an insider threat who can simply walk up, install a backdoor or read sensitive data. Enforce a short automatic lock timeout by policy rather than relying on users to remember.

  • Web servers – in particular ones that accept logins over port 80 and don't force HTTPS. Registration and login data, which may include PII (personally identifiable information) as well as usernames and passwords, crosses the network in clear text. Force TLS for the whole site (redirect plus HSTS), not just the login form, so the session cookie is protected as well. Administration login pages should also be ACL-restricted rather than publicly reachable, which cuts off brute-force and credential-stuffing attacks and keeps authentication-bypass bugs in the admin code away from the Internet.

  • PKI and tokens – Public key infrastructure is crucial in today's world; employees and administrators should take plain logins and passwords out of the picture completely. Users write passwords down, put them on sticky notes, and are vulnerable to shoulder surfing and keyloggers. Smart cards and multi-factor authentication are the best protection: even if someone learns a user's smart card PIN, they still need physical possession of the card to log in. Hardware tokens such as RSA SecurID go a step further, generating a new one-time tokencode every 60 seconds; a code that is observed or keylogged is useless once that window has passed. The token should always be combined with a secret the owner knows, a PIN or password of their own, so that logging in requires both the PIN and the current tokencode and a lost token by itself is not enough.
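The monlist reflection described in the ACL item above, worked through as an added example (not code from the original post). It builds the minimal 8-byte mode-7 monlist request, parses the server's mode-7 response header and the 72-byte client entries it carries, and computes the amplification factor from request and response sizes. The response packet used below is constructed with build_monlist_response(), not captured from a real server; the field layout is the classic ntpd private-mode format, and the client addresses are RFC 5737 documentation addresses.

```python
"""NTP mode-7 monlist probe, response parser and amplification estimate.

Added example for the ACL item above; not code from the original post.
Assumes the classic ntpd private-mode (mode 7) layout.  The sample response
is constructed here, not captured from a live server.
"""
import socket
import struct
from typing import List, Tuple

# Mode-7 header: byte 0 = response(1) more(1) version(3) mode(3), 0x17 for a
# version-2 mode-7 request; byte 1 = auth bit + sequence; byte 2 =
# implementation XNTPD (3); byte 3 = request code REQ_MON_GETLIST_1 (42);
# then 16-bit err/nitems and mbz/item_size words.  8 bytes is a full request.
REQ_MON_GETLIST_1 = 0x2A
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, REQ_MON_GETLIST_1, 0, 0, 0, 0])
MON_ENTRY_SIZE = 72                    # one info_monitor_1 entry
Entry = Tuple[str, int, int]           # (client address, client port, count)


def parse_mode7_header(pkt: bytes) -> dict:
    """Split the 8-byte mode-7 header into its fields."""
    if len(pkt) < 8:
        raise ValueError("short mode-7 packet")
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
            "sequence": b1 & 0x7F, "implementation": impl, "request_code": code,
            "error": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
            "item_size": mbz_size & 0x0FFF}


def parse_monlist_entries(pkt: bytes) -> List[Entry]:
    """Return (addr, port, count) for each client entry in one response packet.

    Entry layout (72 bytes): avg_int, last_int, restr, count, addr, daddr,
    flags (u32 each), port (u16), mode, version (u8 each), v6_flag, unused
    (u32 each), addr6, daddr6 (16 bytes each).  Only the IPv4 fields are read.
    """
    hdr = parse_mode7_header(pkt)
    if hdr["mode"] != 7 or not hdr["response"] or hdr["request_code"] != REQ_MON_GETLIST_1:
        raise ValueError("not a monlist response")
    if hdr["error"]:
        raise ValueError("server returned mode-7 error %d" % hdr["error"])
    size = hdr["item_size"] or MON_ENTRY_SIZE
    body, entries = pkt[8:], []
    for n in range(hdr["nitems"]):
        item = body[n * size:(n + 1) * size]
        if len(item) < 30:
            break                                  # truncated trailing entry
        _avg, _last, _restr, count, addr, _daddr, _flags, port = struct.unpack("!IIIIIIIH", item[:30])
        entries.append((socket.inet_ntoa(struct.pack("!I", addr)), port, count))
    return entries


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


def build_monlist_response(clients: List[Entry], more: bool = False, seq: int = 0) -> bytes:
    """Build a mode-7 monlist response; used here only to create the
    constructed sample, mirroring what ntpd puts on the wire."""
    b0 = 0x80 | (0x40 if more else 0x00) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", b0, seq, 3, REQ_MON_GETLIST_1, len(clients), MON_ENTRY_SIZE)
    body = b""
    for ip, port, count in clients:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        body += struct.pack("!IIIIIIIHBBII", 0, 0, 0, count, addr, 0, 0, port, 3, 4, 0, 0)
        body += b"\x00" * 32                       # addr6 + daddr6, unused here
    return hdr + body


def probe_monlist(host: str, timeout: float = 2.0) -> List[bytes]:
    """Live check against a server you operate (not used by the sample):
    send one request, collect response packets until the 'more' bit clears."""
    responses: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, 123))
        while True:
            try:
                pkt, _ = s.recvfrom(2048)
            except socket.timeout:
                break
            responses.append(pkt)
            if not parse_mode7_header(pkt)["more"]:
                break
    return responses


if __name__ == "__main__":
    # Constructed sample: six clients, the number ntpd fits in one packet.
    clients = [("203.0.113.%d" % i, 123, 10 * i) for i in range(1, 7)]
    sample = build_monlist_response(clients)
    print("request %d B, response %d B, %.0fx per packet" % (
        len(MONLIST_REQUEST), len(sample), amplification_factor(MONLIST_REQUEST, [sample])))
    for addr, port, count in parse_monlist_entries(sample):
        print("client %s:%d seen %d times" % (addr, port, count))
```

probe_monlist() is the check to run against your own servers: any response carrying mode-7 entries means the host is both a reflector and leaking its recent client list, and the fix is "disable monitor" in ntp.conf or an ntpd release that has dropped monlist (4.2.7p26 and later). The factor computed on the sample is for a single 440-byte response packet; a full list arrives as many such packets for one request, which is where the several-hundred-fold figures come from.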

What Is the IEEE? Which Standards Cover Bluetooth, Wireless, Cable and Fiber?

IEEE is the acronym of the Institute of Electrical and Electronics Engineers, a professional association of engineers, scientists and students that is a leading authority in fields such as aerospace, telecommunications, biomedical engineering and electric power. The IEEE has more than 365,000 members around the world.
The IEEE was formed in 1963 by the merger of:
 AIEE – the American Institute of Electrical Engineers, which covered wire communications, light and power systems.
 IRE – the Institute of Radio Engineers, which covered wireless communications.

The IEEE is organized into committees. The 802 committee develops Local Area Network (LAN) and Metropolitan Area Network (MAN) standards; its best-known standards cover Ethernet, Token Ring, wireless LAN, bridging and virtual bridged LANs (VLANs).

The 802 specifications map onto the two lowest OSI layers, the physical layer and the data link layer. 802 splits the data link layer into two sublayers, Logical Link Control (LLC) and Media Access Control (MAC).

 

The following table (taken from Wikipedia) lists the 802 working groups:

Working group    Description
IEEE 802.1       Higher layer LAN protocols
IEEE 802.2       Logical link control
IEEE 802.3       Ethernet
IEEE 802.4       Token bus (disbanded)
IEEE 802.5       Token Ring
IEEE 802.6       Metropolitan Area Networks (disbanded)
IEEE 802.7       Broadband LAN using Coaxial Cable (disbanded)
IEEE 802.8       Fiber Optic TAG (disbanded)
IEEE 802.9       Integrated Services LAN (disbanded)
IEEE 802.10      Interoperable LAN Security (disbanded)
IEEE 802.11      Wireless LAN (Wi-Fi certification)
IEEE 802.12      Demand priority
IEEE 802.13      (not used)
IEEE 802.14      Cable modems (disbanded)
IEEE 802.15      Wireless PAN
IEEE 802.15.1    Bluetooth certification
IEEE 802.15.4    ZigBee certification
IEEE 802.16      Broadband Wireless Access (WiMAX certification)
IEEE 802.16e     (Mobile) Broadband Wireless Access
IEEE 802.17      Resilient packet ring
IEEE 802.18      Radio Regulatory TAG
IEEE 802.19      Coexistence TAG
IEEE 802.20      Mobile Broadband Wireless Access
IEEE 802.21      Media Independent Handoff
IEEE 802.22      Wireless Regional Area Network

In the IEEE 802.11 working group, the following standards and amendments exist:

Amendment    Description
802.11       The original WLAN standard: 1 and 2 Mbit/s, 2.4 GHz RF and infrared
802.11a      54 Mbit/s, 5 GHz
802.11b      Enhancements to 802.11 to support 5.5 and 11 Mbit/s
802.11c      Bridge operation procedures; included in the IEEE 802.1D standard
802.11d      International (country-to-country) roaming extensions
802.11e      Enhancements: QoS, including packet bursting
802.11F      Inter-Access Point Protocol (withdrawn in February 2006)
802.11g      54 Mbit/s, 2.4 GHz (backwards compatible with 802.11b)
802.11h      Spectrum-managed 802.11a (5 GHz) for European compatibility
802.11i      Enhanced security (RSN, the basis of WPA2), replacing WEP
802.11j      Extensions for Japan
802.11k      Radio resource measurement enhancements
802.11l      Reserved and will not be used
802.11m      Maintenance of the standard
802.11n      Higher throughput improvements using MIMO
802.11o      Reserved and will not be used
802.11p      WAVE: Wireless Access for the Vehicular Environment
802.11q      Not used because it can be confused with 802.1Q VLAN trunking
802.11r      Fast roaming (Task Group r)
802.11s      ESS (Extended Service Set) mesh networking
