PenTest Mag - 2013 May

PenTest Magazine teaser - 2013 May.

  • Cyber Security Auditing Software

    www.titania.com

    Improve your Firewall Auditing

    As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

    The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

    Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

  • www.titania.com

    Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

    With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

    You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

    Why not see for yourself, evaluate for free at titania.com

  • Page 4 http://pentestmag.com OPEN 05/2013

    Editor in Chief: Ewa [email protected]

    Managing Editor: Ewa [email protected]

    Zbigniew [email protected]

    Editorial Advisory Board: Larry Karisny, Amit Chugh, Jeff Weaver, Arnoud Tijssen, Varun Nair, Horace Parks, Jr.

    Proofreaders: Ewa Duranc, Patrycja Przybyłowicz, Gavin Inns, Larry Karisny

    Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.

    Senior Consultant/Publisher: Paweł Marciniak

    CEO: Ewa Dudzic [email protected]

    Art Director: Ireneusz Pogroszewski [email protected]

    DTP: Ireneusz Pogroszewski

    Production Director: Andrzej Kuca [email protected]

    Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.pentestmag.com

    Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

    All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

    DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

    Dear PenTest Readers,

    We have entered a new month. Therefore, it is high time we summarized May. As usual, in order to provide you with a detailed summary of what we did and what will be done this month, we have prepared PenTest Open, our regular line of PenTest Magazine which is available for free.

    We have chosen several articles for this issue, the majority of them have not been published yet, so it's a great chance to take a look at our upcoming issues on Smartphone Pentesting, ICS for Pentesters and Starter Kit. Thus, you will learn what your smartphone is capable of!

    What is more, in this month's PenTest Open you have a chance to read two articles selected from the newest ebook on Cybersecurity by William F. Slater, III. Equipped with this knowledge, you will be able to protect not only yourself, but also your company and the whole world from cyber attacks. Cybersecurity, cyberwarfare and cyberdeterrence generate a great deal of heated debate nowadays and that is why we wanted to provide you with this valuable source of information.

    Enjoy your reading!

    Ewa Duranc & PenTest Team

  • CONTENTS

    PENTESTING TRICKS

    06 Social Engineering and Phishing Attacks Using Android Device, by Domagoj Vrataric

    Picture this: you are involved in penetration testing of a serious client, a bank or telecommunication company. Besides the usual testing of the corporate network and Web applications, it is very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks.

    14 Using XSS in a Spear-Phishing Attack, by Carlos A. Lozano

    When a client asks for social engineering tests, most security consultants try to perform phishing. However, there are a lot of other possibilities to get better results without complexity. By reading this article you will learn how to mix simple techniques with malicious ones to evaluate security controls where people are involved.

    20 Wireless Penetration Testing: Beyond the IEEE 802.11 Family of Standards, by Francesco Perna

    Wireless penetration testing covers a large family of wireless protocols. Usually penetration testing companies offer their customers only a WiFi (IEEE 802.11 family of standards) penetration test, leaving out the other widespread wireless technologies.

    CASE STUDIES

    26 Hacking a Bank, by Andrei Bozeanu

    A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of Blackbox penetration tests against their external network, shortly after they acquired a very costly Information Security Management System from a major international audit firm.

    28 Do No Harm, by Jack Jones

    There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company's risk landscape. A pentest, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.

    WAR CAMP

    32 Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks, by William F. Slater, III

    One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networked computer resources connected to the Internet face because they are at risk of cyberattacks.

    46 Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities, by William F. Slater, III

    This paper deals with issues related to the present situation of the lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence in the national CONOPS Plan, which is the national strategic war plan for the United States.

    LET'S TALK ABOUT SECURITY

    59 SECUCON 2013 Conference Summary, by PenTest Team

    SECUCON 2013 is a conference hosted by SECUGENIUS, a unit of HARKSH Technologies Pvt Ltd, at GGNIMT, Ludhiana, with a vision to create awareness of the need for security in social living and to spread a message of generating opportunities in the same field. The article covers a short summary of the event.

    60 Smartphone: a win-win product for both consumers and sellers, by Rajiv Ranjan

    Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to company credentials and to check company-specific mails and data. Thus security remains a big concern at the workplace. So penetration testing needs to be done on every available aspect whenever it is possible.

    INTERVIEW

    64 Interview with Ian Whiting, CEO of Titania Company, by PenTest Team

    PRODUCT REVIEW

    68 Titania's Paws Studio Review, by Jim Halfpenny

  • PENTESTING TRICKS

    Social Engineering and Phishing Attacks Using Android Device

    Picture this: you're involved in a penetration test of a serious client, a bank or a telecommunication company. Besides the usual testing of the corporate network and Web applications, it's very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks. In this article I will show how it is possible to make such attacks with an Android device and a few applications.

    In my opinion, every professional penetration test should have social engineering and phishing attacks as an obligatory part of the penetration testing solution offered to your clients. That is what makes the difference between a good and a better service. Imagine that you are given the assignment by the CSO of Company X to test their employees against the social component of malicious attacks. And now what? The human weakness factor is easier to exploit than network security. You can have the safest firewalls and VPNs, but in the end, if you have security-senseless employees, you have a potential problem. The idea is to make the security assessment using an Android device and applications; to be less suspicious it's a good idea to use a tablet or smartphone, not a laptop. The article describes the tools, techniques, strategy, preparation and the realization of such attacks. The complete Scenario section of the article is fictional and does not reflect a real situation in the wild. The idea is to bring closer the thinking behind performing penetration testing with mobile devices, in this case an Android tablet. It is very hard to perform an attack like the one described in this article, but on the other side, it is not impossible, and in general there is a real threat to companies from attacks using social engineering and weaknesses in human psychology. And remember, the focus of this article is to show penetration testers in which ways they could conduct penetration testing, and not to make a universal way to test any corporation, bigger or smaller.

    Platform and Tools

    In my previous article I wrote about a modified Android OS and a few Android applications for penetration testing, including dSploit, a penetration testing application with plenty of options for Man in the Middle (MITM) attacks. This Android penetration suite can help you while you're performing social engineering tricks. dSploit (see Figure 1) has an option to disconnect clients from a wireless network, thus buying time for further improvisation. It also has the ability to redirect clients to a specific website, so you'll have additional help for a phishing attack. The core of this application consists of features from nmap, iptables, tcpdump, ettercap and hydra. With Android PCAP Capture, which is essentially Kismet for Android, you're able to get more detailed information, such as the list of clients connected to an accessible network, their MAC addresses, and other useful information. The thing is, the application doesn't work without an external wireless card; on their official Web site there is a list of supported Android devices and USB cards which work without problems. For using this application out-of-the-box, you'll need an OTG USB adapter or cable, a wireless USB card with RTL8187 chipset, Android 4.0 or higher and support for USB host mode on your Android device. For phishing attacks, kWS Android Web Server can help you with serving cloned Web sites. Wireless Mac Changer is used to change the MAC address of your wireless adapter, so you could pretend to be a wireless access point from a specific vendor, and thus sniff network traffic. Besides that, there are standard Man in the Middle applications such as DroidSheep (see Figure 2), Droidsniff and Droidsteal, which are essentially the same application with features for capturing accounts (Facebook, Gmail, Twitter and similar Web services) when you're connected to a wireless network. If you have special needs for applications such as Social Engineering Toolkit (SET), Metasploit or Aircrack-ng, you can install Kali Linux on your device with Complete Linux Installer (see Figure 3). For easier control of the distribution, you can enable and configure a VNC or SSH server on the local device. By installing Kali you're getting a full-featured penetration testing distribution on your mobile device. Installation is very simple and is done in a few steps: first you need to download the archive with the image from the official Web site of Complete Linux Installer. After downloading, extract the archive to the /sdcard/kali directory, add the widget to the tablet workspace and choose the image file to load. A great feature of Kali is multi-platform support, which also includes the ARM architecture usually running on Android devices (see Figure 4). The device used in this example is a Nexus 7 GSM with 32 GB of storage, and to use Kali Linux you will need at least 4 GB of free space on the device.

    Figure 1. dSploit MiTM options in suite

    Figure 2. DroidSheep hijacking features

    Strategy

    At the very beginning, you need to develop a strategy for the attack. If you're performing white box penetration testing, you'll probably have access to the internal network. If you're lucky, the organization has a wireless network, and if you want to gain unauthorized access to it, try social engineering. Know your target and inform yourself about it: the more information you possess, the bigger the chance to succeed. Information gathering and target research are crucial steps while performing social engineering. You could introduce yourself as someone who is highly ranked in the target company; that fact will give you some credibility. To gain trust you can tell that you've come for a meeting with the IT manager, or simply that you're someone from another division of the same organization who is in a hurry or needs help to connect to the wireless network. If you are trying to get passwords from employees, play the empathy card and you'll have more chances to succeed; in human psychology there is a deep-seated need to help others in trouble. If a company has vendor-specific equipment you could introduce yourself as a vendor technician, and to look convincing get some t-shirt with the vendor logo and name. If you can't get access to the wireless network as described above, try to make a rogue wireless access point, in other words your own wireless network from where you can start sniffing network traffic, including hijacking sessions and using them with the built-in browser. The attack with a rogue access point is quite an interesting way to obtain the information you need. If the victim uses a wireless network and is located far from the access point, you can get close to the victim with your rogue access point (Android device). Your wireless beacon will have a stronger signal than the actual access point, and the victim's wireless card will probably connect to your device. It's a good idea to change the MAC address of your wireless card on the tablet or smartphone to the address of the nearest access point with the best signal so it looks more convincing: same SSID, same MAC address. There is one important detail with raising a rogue access point. If the company has a wireless network, it is probably encrypted, but remember that when raising the rogue access point, don't set up any encryption, so the victim's laptop will automatically connect to the rogue access point. Every big IT organization has its own information system which probably has some kind of internal Web application with a login page, perhaps a CMS or webmail application. There are several ways to make a phishing Web site; one of them is to use Scrapbook, a Firefox add-on which has many options for saving Web pages (see Figure 5). Unfortunately, this plugin doesn't work on Firefox for Android on my device (Nexus 7), so I cloned the website on a desktop machine and later transferred it to the Android device. Now, when we have the cloned Web page ready for phishing, we have to figure out a way to lure employees into our trap. One more thing you could do is to install a trojan horse or password stealer on a USB stick and leave the stick somewhere on the floor, so it looks like someone dropped it. A curious employee will pick up the stick and connect it to his PC or laptop to see the content. Choose a place where you can be sure that someone will see it: not under a desk, rather a place where people gather at break time or a place where people naturally put things down, such as the space around the coffee machine.

    Figure 3. Complete Linux Installer loading image

    Figure 4. Running Kali on Android

    Figure 5. Scrapbook options overview

    Preparation

    Before you start with social engineering, it is a wise decision to inform yourself about the target company before entering the company area. That is the most important thing in every type of penetration testing. Try to gather as much information as you can about employees: do they use some special phrases in their everyday communication, when is the lunch break (small hint: an empty workspace at lunch time is the ideal time to explore the area in search of valuable information). Small things count as the most important in social engineering; they could make or break the penetration test. Inform yourself which operating system the employees use, and thus you will have a smaller testing scope in later testing. A great tool for information gathering about a specific person is recon-ng (see Figure 6). It is similar to Metasploit and SET (Social Engineering Toolkit), but intended for information gathering, with many modules specially dedicated to finding information about employees, from auxiliary and contacts to the pwnedlist module used to determine if email addresses are associated with leaked credentials. You can stalk people via the Twitter module to get to know them better and find out what things they like, to be able to more easily develop communication and extract the information we want from them. LinkedIn and Jigsaw are also supported by this tool. Another thing you could do is to create stickers with QR codes on them that lead to a malicious URL; SET has an option to generate a QR code and assist with that type of attack. For this type of attack you'll need to be patient for a while, a few days, just to be sure that a sufficient number of employees noticed the QR code and, depending on their curiosity and knowledge about QR codes, did or didn't scan it. A good example would be to create a simple script that records which employees scanned the QR code that redirected them to the script. Remember, you are trying to test employees, not to harm them in any way, and that includes installing malicious applications on their devices. Make good preparation for the attack before you start it.

    Figure 6. Recon-ng list of basic commands

    Figure 7. kWS Web server
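    The rogue access point described in the Strategy section (same SSID as the corporate network, a cloned MAC address, and encryption deliberately switched off) leaves fingerprints in any wireless scan, which is what a blue team or a wireless IDS looks for. The following is an added example, not code from the article or its author: it takes a scan already parsed into records (the field names ssid, bssid, security, channel and signal_dbm are an assumption) and compares it against an inventory of the access points IT actually deployed. Both the inventory and the scan are constructed for illustration.

```python
"""Evil-twin / rogue access point detection over a Wi-Fi scan.

Added example, not part of the article. The record field names and the
inventory format are assumptions; SAMPLE_SCAN and KNOWN_APS are constructed.
"""
from collections import defaultdict

# Constructed inventory of the organisation's own access points:
# SSID -> expected security mode and the BSSIDs IT actually deployed.
KNOWN_APS = {
    "CorpWiFi": {
        "security": "WPA2",
        "bssids": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"},
    },
}

# Constructed scan: two legitimate beacons, a clone of AP :01 that is open and
# on another channel, an unknown radio advertising our SSID, and an unrelated
# network. signal_dbm is carried for the report only.
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:1A:2B:3C:4D:01", "security": "WPA2", "channel": 6, "signal_dbm": -55},
    {"ssid": "CorpWiFi", "bssid": "00:1a:2b:3c:4d:02", "security": "WPA2", "channel": 11, "signal_dbm": -70},
    {"ssid": "CorpWiFi", "bssid": "00:1a:2b:3c:4d:01", "security": "OPEN", "channel": 1, "signal_dbm": -35},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "WPA2", "channel": 6, "signal_dbm": -60},
    {"ssid": "GuestNet", "bssid": "aa:bb:cc:dd:ee:ff", "security": "OPEN", "channel": 1, "signal_dbm": -80},
]


def find_rogue_aps(scan, inventory=KNOWN_APS):
    """Return (bssid, ssid, reason) tuples for beacons that look like an evil twin.

    unknown-bssid        our SSID is advertised by a radio IT never deployed
    security-mismatch    our SSID is advertised without the expected encryption
                         (the article's rogue AP is deliberately left open)
    conflicting-beacons  one BSSID seen with different security/channel in the
                         same scan, i.e. someone is cloning a real AP's MAC
    """
    findings = []
    beacons_by_bssid = defaultdict(list)
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()   # normalise MAC case
        beacons_by_bssid[bssid].append(ap)
        expected = inventory.get(ssid)
        if expected is None:
            continue  # not one of our SSIDs; nothing to compare against
        if bssid not in {b.lower() for b in expected["bssids"]}:
            findings.append((bssid, ssid, "unknown-bssid"))
        if ap["security"] != expected["security"]:
            findings.append((bssid, ssid, "security-mismatch:" + ap["security"]))
    for bssid, beacons in beacons_by_bssid.items():
        if len({(b["security"], b["channel"]) for b in beacons}) > 1:
            findings.append((bssid, beacons[0]["ssid"], "conflicting-beacons"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SAMPLE_SCAN):
        print(f"{ssid:10} {bssid}  {reason}")
```

    On the constructed scan the cloned radio is reported twice (open where WPA2 is expected, and the same BSSID seen on two channels with two security modes), and the unknown radio once; the guest network is ignored because it is not in the inventory. Feeding this the periodic scans from a spare device on each floor is a cheap first step before buying a wireless IDS.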

    Launching the Attack

    So, now that you have both the tools and the strategy, you can start off the other side of penetration testing: social engineering. Enter the organization area with self-confidence, so that no one would ever suspect that you came to test them, and don't be too suspicious in your behavior. There is always someone at the entrance to the working area in an organization. Introduce yourself as the new network technician who received a call about a problem with the wireless network and ask for permission to test the current wireless network. That is pretexting, the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. Raise the rogue access point on the Android device and persuade someone to help you while you're testing network issues by connecting to it and surfing, so you can check if the corporate network and the Internet are both working. In the background, run dSploit and start sniffing traffic and hijacking sessions. Later, you could analyze the .pcap file with Shark Reader or with Wireshark on a laptop or PC. Leave dSploit sniffing in the background and run DroidSheep to capture sessions for Webmail, CMS or something similar which could be useful to a malicious attacker. DroidSheep has a couple of helpful options to help you manage captured user sessions, such as the option to save cookies or export them via email and add a host to the blacklist. Tell the employee you were told that most Web services such as Webmail don't work, so both of you need to check them while you're capturing all network traffic with sessions. The next thing you could do is to clone the targeted Web site to your Android device, run the Web server and lure the employee to visit the phishing site after you fixed the problem with the wireless network. Set up your /etc/hosts file on the Android device; for example, one line should look like this: 127.0.0.1 webmail.companyx.com. So, when the victim opens a specific URL such as the above URL for corporate Webmail, while connected to the software access point on your device, you will redirect them to your cloned version of Webmail. The trick with the phishing attack is that after the victim tries to log in to Webmail, a script will save the credentials into a text file, throw an error about a wrong password, and redirect the victim to the real corporate Webmail. With a little luck, the penetration tester should easily obtain the password (see Figure 7).

    Figure 8. Wireless MAC changer simple interface

    Figure 9. SET generating malicious QR code

    Figure 10. SET running inside Kali on Android

    Figure 11. Running SSHDroid
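    The hosts-file override above is the same mechanism malware uses on a victim's own machine to pull the browser to a cloned login page, so one defensive counterpart is to audit the hosts file of every managed endpoint for entries that override names in the corporate domains. The following is an added example, not code from the article or its author: the monitored domain, the pinned entry and the sample hosts content are constructed (the webmail.companyx.com line mirrors the one the article gives), and the function and parameter names are assumptions.

```python
"""Audit a hosts file for local overrides of names in monitored domains.

Added example, not part of the article. MONITORED_DOMAINS, ALLOWED_PINS and
SAMPLE_HOSTS are constructed; function names are assumptions.
"""
import ipaddress

# Constructed: domains whose names must resolve through DNS, never locally.
MONITORED_DOMAINS = ("companyx.com",)

# Constructed: overrides IT deliberately ships, hostname -> acceptable addresses.
ALLOWED_PINS = {"intranet.companyx.com": {"10.0.0.5"}}

# Constructed hosts file; line 5 is the override the article describes.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# pinned by IT (constructed)
10.0.0.5    intranet.companyx.com
127.0.0.1   webmail.companyx.com   # redirect to a cloned site
192.0.2.10  vpn.companyx.com
"""


def _is_local(addr):
    """Loopback / unspecified addresses point the name at the machine itself."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def _in_monitored(hostname, domains):
    """True when hostname is one of the domains or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]); comments, blanks and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments too
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is not an entry
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        yield n, parts[0], parts[1:]


def audit_hosts(text, domains=MONITORED_DOMAINS, allowed=None):
    """Return (line_no, hostname, address, reason) for every monitored name
    that the hosts file overrides and that is not explicitly allowed."""
    allowed = allowed or {}
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if not _in_monitored(name, domains):
                continue
            if addr in allowed.get(name.lower(), set()):
                continue
            reason = "redirected-to-local-host" if _is_local(addr) else "overridden"
            findings.append((n, name, addr, reason))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, reason in audit_hosts(SAMPLE_HOSTS, allowed=ALLOWED_PINS):
        print(f"line {line_no}: {name} -> {addr} ({reason})")
```

    The loopback case is separated out because it is the signature of the trick on the page: the name is pointed at a web server running on the same device. Run over a fleet, the list of findings minus the pinned entries should be empty; anything else is worth a ticket.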

    Scenario

    Company X is a corporation with more than 300 employees, which gives Peter a big chance to succeed in the attack. Peter is a penetration tester who works in a security company and was commissioned to test Company X's employees against social engineering attacks. With recon-ng he managed to find out who the key people in the company are, so in case he needed cover he would know which person to mention to gain trust. He also discovered which sectors the company has, and sorted the list of people he had previously put together by sector. That gave him good background. Before the attack, he scanned the wireless networks around the company building, and what he saw is that the corporate wireless access points had the first three octets of the MAC address of vendor-specific network equipment. So armed with this information, he decided to change the MAC address and SSID of the wireless network card on his tablet. With Wireless Mac Changer (see Figure 8) that was a piece of cake. At the entrance he met the doorman who was checking documents; employees had ID cards hanging from their necks, so they could enter without the doorman checking them. He introduced himself as network support, wearing a vendor t-shirt which he got on eBay, and mentioned that he had received a call from the company's CTO to fix or replace a broken network device which enables the Internet link. The doorman let Peter inside the office area, knowing that it's necessary for them to have the Internet working. Peter dropped a few different USB sticks around the office: one in the toilet, one next to the coffee machine, and two on random office desks. While he was on the way to the coffee machine, he pasted a QR code on the wall next to the machine, previously generated with Social Engineering Toolkit (SET) (see Figures 9 and 10), so while waiting for coffee, people would surely notice that QR code and, if he's lucky, scan it. Peter left his tablet on one of the office desks and turned on the software wireless access point, connecting it to the charger, which solved two things with one move: the battery would not drain, and it would be less suspicious if somebody saw the tablet connected to the charger, because it's logical that employees charge their devices when they are empty. To lure people into connecting to his tablet he told a few employees that, as network technician, he had made a backup solution for wireless, while he launched a deauthentication attack with aircrack-ng to prove to them that the corporate wireless network was not working as it should. After that, clients started disconnecting from the corporate wireless and connecting to his backup wireless SSID. He ran DroidSheep, a tool for man in the middle attacks, set up the fake phishing corporate Webmail for those who connected to his access point, and also the traffic sniffer for Android, Shark. He turned on kWS Android Web Server and started hosting the phishing sites. Now he would have a spying device inside the company, without a suspicious look from the employees. He installed the SSH server on his device so he could easily have access to Kali Linux from the outside world and run various attacks (see Figure 11). After a few days, Peter managed to collect dozens of accounts through the phishing Web sites he cloned from the original ones and through the Man in the Middle attack with DroidSheep. Also, a few employees became victims of the malicious QR codes and the trojan horse dropper from the USB sticks which infected their devices. After this demonstration of social engineering, managers from Company X realized that educating employees about social engineering attacks is an essential part of IT security education.

    QR codes

    Wireless Mac Changer on Google Play

    Complete Linux Installer on Google Play

    Android PCAP Capture on Google Play

    kWS Android Web Server on Google Play

    Shark for Root on Google Play

    SSHDroid on Google Play

    DroidSheep: http://forum.xda-developers.com/showthread.php?t=1593990

    dSploit: http://cloud.github.com/downloads/evilsocket/dsploit/dSploit-1.0.31b.apk

    Summary

    In this article I have tried to inspire and encourage readers to engage their imagination while they are planning their next penetration test. Today, we're living in an era when managers invest in hardware and software protection, from firewalls to IPS/IDS, but the weakest link in an organization is still security-uneducated employees. It isn't hard to exploit employees who don't know much about such attacks and protection from them. You don't need to have much experience with social engineering to conduct the above-described attacks with mobile devices; for example, tablets are widely used in organizations, so when you see somebody using a tablet or smartphone, it's common and everyday stuff. The thing is that nobody will suspect you're holding a hacking device in your hands. The devices for the above-described attacks are a Nexus 7 tablet and a Nexus S mobile phone. The Nexus 7 isn't expensive and it has sufficient resolution for comfortable work, 1280×800 WXGA pixels and a quad-core ARM Cortex-A9 CPU, and the Nexus S could be a good backup device if something doesn't work as planned.

    On the Web

    http://ctrlaltnarwhal.wordpress.com/2012/10/29/173/ Phishing Using Only an Android Phone

    https://www.os3.nl/_media/2009-2010/students/laurens_bruinsma/ssnproject_android_v1.0.pdf Compromising WiFi Security with Android

    http://www.kismetwireless.net/android-pcap/ Kismet (for Android) documentation

    http://www.social-engineer.org/framework/Pretexting_Defined Pretexting Defined

    https://afreak.ca/blog/social-engineering-using-qr-codes/ Social engineering using QR codes

    http://www.csoonline.com/article/479038/social-engineering-anatomy-of-a-hack Social Engineering: Anatomy of a Hack

    http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/ WiFi jamming via deauthentication packets

    Glossary

    Android, Social engineering, Phishing, dSploit, Kali, Pentest, Recon-ng, Complete Linux Installer, Social engineering toolkit (SET), DroidSheep

    Domagoj Vrataric

    Domagoj Vrataric is IT Security Manager at Aduro Ideja Ltd., a company from Croatia which offers software solutions for the telecom industry, high volume data processing, real-time systems, penetration testing services and mobile application security. He has experience with penetration testing (OWASP methodology), mostly in the telecommunication industry, eCommerce (osCommerce, ZenCart, OpenCart) and the media industry: 10 years of experience with Linux, 8 with IT security, knowledge of hacker culture and way of thinking. He is currently involved in penetration testing and is project manager on several security projects. Additionally he is in charge of security at Aduro Ideja, from monitoring IT infrastructure, administration of Debian servers and security policies on computers and mobile phones, to Android reverse engineering.

  • Cyber attacks are on the rise.

    So, you think your systems and networks are secure?

    Think again: you've already been attacked and compromised. And we should know, because we did it in less than four hours. Here's the good news: we're the good guys. We can tell you what we did and how we did it, so you'll be prepared when the bad guys try it, and they will. We'll show you how.

    Visit www.KnowledgeCG.com to learn how KCG's experienced, certified cybersecurity professionals help our government and commercial customers protect their cybersecurity programs by knowing the threat from the inside out.

    Combat cyber attacks. Ensure resilience. Mitigate risk. Improve operational efficiency.

    Trusted Cyber Advisor

  • PENTESTING TRICKS

    Using XSS in a Spear-Phishing Attack

    When a client asks for social engineering tests, most security consultants try to perform phishing. However, there are a lot of other possibilities to get better results without complexity.

    Nowadays, it is very common for the compa-nies to use security services that include social engineering and physical security evaluations. Sometimes, as a part of an integral analysis or only as unitary tests to accomplish with corporate or government requirements.

    However, the concept of social engineering is very broad. Formally, it refers to the practice of getting confidential information through legitimate user manipulation. Likewise when we think about social engineering the first thing to come into our minds are Kevin Mitnicks stories where hes com-promising information systems leveraging human weaknesses.

From here we can conclude that the real purpose of social engineering evaluations is to analyze the consistency of corporate processes. For example, analyzing a financial information consulting process where no employee is allowed to offer sensitive information without a lot of identity validation controls.

At the same time, at the beginning I mentioned physical security evaluations because I believe that physical security and social engineering are tightly related: by getting sensitive information, mal-intentioned users can perform physical security control violations.

The complexity and the number of company processes, which are directly proportional to the company's size, remind us of the endless possibilities for analyzing the reliability of the security controls implemented. The main idea of this article is to demonstrate some kinds of attacks I conducted on companies as part of security evaluations, showing the vulnerabilities that allowed successful attacks, as well as possible implications and corrections. The latter need to be analyzed by each company, because the security controls to implement will differ according to company size, business focus, resources, internal politics, etc.

Conducting a Phishing Attack

I have found that XSS is common, especially because the majority of penetration testers show in their reports pop-ups from JavaScript such as this one: alert('Hello world!'); Although it is true that this is evidence of the vulnerability, a really mal-intentioned user will not limit his attack to the pop-up; he will exploit the simple vulnerability to get more benefits.

What follows is the most common, easy and very effective scenario for exploiting an XSS.

This test mixes different vulnerabilities and information obtained in the scouting phase to exploit an XSS with great effectiveness.

First, we need to send the XSS to the application users. There are a lot of ways, but the most common is sending e-mails. We can try to send an e-mail in the corporate format from a public address using Gmail, Outlook, etc., but that will reduce the effectiveness to zero. There are also anonymous e-mail senders, but most of these public services are banned by e-mail servers, so our e-mails will be detected by the company.

The best way to send e-mails effectively is using open relays on the company's own servers. It is very common for companies to have a lot of e-mail servers on UNIX platforms which aren't properly configured, merely running with bad or default configurations.

First of all you need to detect the mail servers. To do so you can use the following command:

nmap -vv -sV -P0 -p25 [range of IP]

After that you need to verify the open relay on each mail server, with the purpose of checking whether it is possible to use it for sending our XSS attack payload. You can use Telnet to test each server:

> helo domain.com
> mail from: [email protected]
> rcpt to: [email protected]
> data
> Subject: Test
>
> Hello world!
> .

If we're skilled developers we can write a script to perform this verification automatically for each mail server detected by Nmap.
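The check the author suggests scripting, written here as an added example (not the article's code) from the mail administrator's side, to audit servers you are responsible for: it runs the same EHLO / MAIL FROM / RCPT TO dialogue as the Telnet session above but never issues DATA, so no message is ever relayed. The probe addresses, port, timeout and verdict labels are assumptions chosen for this example.

```python
"""Open-relay audit for SMTP servers you administer.

Added example, not code from the article: it scripts the Telnet check the
author suggests automating, but stops after RCPT TO (no DATA is ever sent),
so the probe never queues or delivers a message. Probe addresses and
verdict labels are assumptions chosen for this example.
"""
import smtplib
from dataclasses import dataclass
from typing import List

# Constructed probe addresses: both are *outside* the audited server's own
# domains, which is exactly the kind of recipient a relay must refuse.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"

OPEN_RELAY = "OPEN_RELAY"      # server accepted an outside recipient
RELAY_DENIED = "RELAY_DENIED"  # permanent refusal (e.g. 554 relay access denied)
UNDECIDED = "UNDECIDED"        # transient refusal or earlier step failed: retry later
UNREACHABLE = "UNREACHABLE"    # no SMTP dialogue could be completed


@dataclass
class RelayResult:
    host: str
    code: int     # last SMTP reply code seen, 0 if none
    reply: str    # text of that reply (or the connection error)
    verdict: str


def verdict_from_rcpt(code: int) -> str:
    """Map the RCPT TO reply code to an audit verdict.

    RFC 5321 reply classes: 2xx success (250 accepted, 251 will forward),
    4xx transient failure, 5xx permanent failure.
    """
    if code in (250, 251):
        return OPEN_RELAY
    if 500 <= code < 600:
        return RELAY_DENIED
    return UNDECIDED


def check_open_relay(host: str, port: int = 25, timeout: float = 10.0) -> RelayResult:
    """Run EHLO/HELO, MAIL FROM and RCPT TO against one server and classify the answer."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, reply = smtp.mail(PROBE_SENDER)
            if code != 250:
                # Sender rejected (e.g. sender verification): relaying stays untested.
                return RelayResult(host, code, reply.decode(errors="replace"), UNDECIDED)
            code, reply = smtp.rcpt(PROBE_RECIPIENT)
            smtp.rset()  # abandon the transaction: no DATA, nothing is relayed
            return RelayResult(host, code, reply.decode(errors="replace"), verdict_from_rcpt(code))
    except (OSError, smtplib.SMTPException) as exc:
        return RelayResult(host, 0, str(exc), UNREACHABLE)


def audit_hosts(hosts: List[str], port: int = 25) -> List[RelayResult]:
    """Audit every host that a port-25 scan reported as running SMTP."""
    return [check_open_relay(h, port) for h in hosts]


if __name__ == "__main__":
    import sys

    for result in audit_hosts(sys.argv[1:]):
        print(f"{result.host}: {result.verdict} ({result.code} {result.reply})")
```

A 4xx answer to RCPT TO (greylisting, a policy daemon that is down) is deliberately reported as UNDECIDED rather than as "closed", so the host is re-checked instead of silently passing the audit.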

Once we have verified that the mail server permits sending anonymous e-mails, we can use it to send our XSS attack with the corporate image to only a reduced number of users.

Why a reduced number of users and not all the employees? Because if we send a lot of e-mails it is more likely that someone calls the security office to validate the information. If you send an e-mail to specific targets it is more effective and generates less noise in the company.

While it is well known that managers and directors are the most vulnerable targets because of their poor knowledge of the IT sector, my recommendation is to abstain from selecting those kinds of people at first, and only do so if it is the only way to perform an attack. This is because usually this group of people has more influence on the internal security processes, and a warning from them has a faster impact than warnings from others.

After that, all warnings will be attended to by the IT or security department, so in this kind of attack speed is very important.

Now we can use a web server installed and configured by us to exploit the XSS vulnerability, or directly inject a frame into the web application. It depends on the attacker's imagination and skills. Remember that this is an authorized evaluation, and for our client it would be important not only to log access credentials in our attack; it is also important to save timestamps for each event, for example when the users read the e-mail, when access to the fake website took place, when information was entered and when the user left our fake website.

Using this information we can evaluate the time taken by users, IT and security areas to manage the incident.

The reason for this kind of attack being successful, in spite of its simplicity, is trusting behavior. In the first instance, the victim reads the corporate domain address of the e-mail sent by the attacker, which can be considered very trusted, and if the user follows the link attached to the e-mail and sees a copy of the corporate website, the trust increases.

As a curious fact, in penetration tests where I performed this kind of attack, the kind of people who detected the attacks were assistants, who are skilled people able to detect differences between previous e-mails and the malicious one. Actually, a lot of attacks were detected because of misspellings (Figure 1).

Figure 1. The most common XSS exploitation

Attacking From a Cafeteria

I declare myself a fan of Hak5, and for me some of their devices are great. One of the most versatile devices is the WiFi Pineapple (http://hakshop.myshopify.com/products/WiFi-pineapple). Using this device it is possible to perform social engineering attacks.

The WiFi Pineapple is a small device modified with an installation of OpenWRT, which is a Linux distribution oriented towards small network devices, and Jasager, an interface that permits interaction with the WiFi Pineapple. In its most simple attack, the Pineapple has an option called Karma which accepts all the requests generated by nearby devices when they are looking for their preferred networks. The WiFi Pineapple always accepts these connections, and we have the option to redirect the traffic intercepted by the Pineapple to other networks, for example the Internet or an intranet, if you're testing an internal network.

With the WiFi Pineapple we have an option to perform DNS spoofing attacks. We can redirect websites visited by the users to fake websites mounted by us. So we can copy the index from any internal or external website and put it into our web server, even into the WiFi Pineapple's web server, modify the HTML code and use the fields to save users and passwords. After saving the important information we can then redirect the user to the real site and start a session so that the attack is transparent to the user.

At the Pineapple's wiki you can get commonly used pages like Facebook, Gmail, Yahoo, etc., which can be used to catch users of these public services, or you can use a personalized page, depending on your requirements.

What follows is a snippet of code, shown in Listing 1, that you can use to catch users, passwords or whatever you want.

This simple code was used in a real example, mixed with the WiFi Pineapple, against an internal application. Using this code we captured more than 100 Windows domain and mainframe accounts. Also, the characteristics of the WiFi Pineapple meant that it wasn't required for the attack to be performed from company facilities; performing it from a cafeteria located next door was enough. This avoids the complicated physical access.

That code doesn't use a DBMS or sophisticated modules; it can even be saved into the WiFi Pineapple's web server and then the attacker can access it by SSH to review the information captured.

I have to say that the complexity of the attack is not the important thing here; on the contrary, the important thing is the ease with which a mal-intentioned user can access sensitive information and resources in a network without complex tasks such as exploit execution, ARP poisoning or any other resource.

Another important feature of the WiFi Pineapple is the use of rechargeable batteries, so an attacker can put a Pineapple inside a company to catch information, leaving it there for some hours. It would be very complicated to locate.

Unauthorized Access

As I said at the beginning, physical security and social engineering tests are closely related. Below I will describe some examples in which social engineering attacks are mixed with getting physical access to facilities, with the purpose of extracting information, laptops and devices, or only to review the security controls implemented by the company.

    Figure 2. WiFi Pineapple

    Figure 3. Basic MITM using a WiFi Pineapple


Usually the first security control is the identification of a person to get access to facilities; it is common to use PVC credentials with the employee's photograph, name, position, etc.

These credentials can be printed at a stationery shop at an approximate cost of $1.5 per credential. We can print the information we want, and show it as a valid credential with our data at the security control as an authorized person.

In my experience, even with this kind of credential, access to unauthorized areas can be complicated, mainly when we want access to the principal facilities; however, small facilities or branches are easier.

For example, during an evaluation a client asked me to determine the level of complexity of accessing a bank's facilities. After studying the bank, I determined that access to the main facilities was very, very complex.

The first security control was a policeman at the door; to access the bank I needed to present a credential and write my personal information and the serial number of my laptop. This control had to be passed by employees and guests; after that I needed to wait for a person who signed my access, writing the visit purpose; the guest needed to be escorted by an employee, even to visit the bathroom. Trying to impersonate an employee would fail because of the biometric access control for opening the doors.

There are techniques to avoid this kind of control, like passing through the doors close behind another person, pretending to be an office boy, etc., but if you have tried to perform these kinds of techniques you know it is not very easy.

After my analysis, I determined that access to the main facilities was impossible; however, during a tour with the CSO I saw a branch office, and in each branch office there are servers to communicate local financial operations to the main servers. The physical security controls at branch offices were poor; the CSO only presented a business card to the manager, said "Hi, I'm the CSO and a member of the board of directors", presented his credential, and the manager offered all kinds of support for his work.

Listing 1. Getting passwords

alert('Ocurrio un error en la transaccion\nIntentelo mas tarde')

After I saw that, I printed a PVC credential with my photograph, name and the position "security auditor". Also, I printed business cards with the same data; next I arrived at a random branch office, dressed in a suit and tie, and asked for the manager; I showed my credential and gave him a business card. I explained I was performing an audit and as part of it I needed access to the server. The manager, very friendly, gave me access to the servers.

During my visit I performed two tests; first I asked an employee for access to the bank system using his user and password, which were domain credentials; he, very friendly again, gave me his credentials on a post-it.

After that I asked for access to the rack where the server and network devices were. Employees at the local branch office never perform any operation on the server, but sometimes the support area calls them for help; to avoid moving from the main facilities to all the local branch offices, the support area creates generic users and asks local employees for easy activities like rebooting the server, turning down devices, etc. I asked the manager for this generic user, and he gave me another post-it.

I started a little scouting on the network using an old Windows Server 2003; I downloaded the Windows hashes and looked at the installed software, where I found a SQL Server 2005. The generic user was in the built-in group and I accessed the database to see the content in detail. I found all the operations performed by this local branch office.

This kind of attack, very focused, did not represent the same risk as entering the main facilities, and basically I accessed more sensitive information than the information I could have accessed at the main facilities. While in the main facilities the security area has implemented biometric controls, NAC, cameras, etc., at the branch offices all the security was broken by the manager's trust in my fake credential and business cards. I got more network details and software details with my approach, even domain users to start a complex attack on their infrastructure.

Figure 4. Samples of printed credentials

At datacenters it is common to perform computer and laptop extractions to evaluate security controls, and after that review information encryption, password policy, BIOS hardening, etc.

At datacenters and companies in general, there are logs about electronic device access for both employees and guests; one of the common ways to control access is using a sticker with a bar code printed on it. So, I went to a stationery shop to print some stickers; the cost was around $200 per 50 stickers.

I accessed the datacenter facilities as any guest would have done, walked to the main conference room and stole a computer there. Quickly I left the datacenter, and at the security control a policeman asked me for the bar code. He scanned my fake sticker and obviously an error was shown by the system; I told him "maybe it's because I'm new here", an excellent answer: the policeman offered me apologies and told me "yes, this error is very common with new employees, please write the serial number, and I will check later".

I reviewed the computer; this computer was used by all the managers and directors to present slides, and I found financial reports, information about new projects, new products, weaknesses, and a big etcetera.

It was very easy to extract a laptop from the datacenter, and actually all the computers there have encryption, but not this one, a public computer to which everyone could transfer their files in order to show them.

Summary

I could spend a lot of time writing about my professional experience related to social engineering tests, and maybe all of you have your own stories, a lot of them very different depending on your country, approach and the maturity level of the security controls implemented by companies, government and organizations.

However, I have some conclusions that you can take regardless of all the differences, and these conclusions are about people's trust and goodwill.

Trust and goodwill in people are good, but authority is better. People feel good helping others, but the reaction will be faster if the order involves someone of higher authority in the hierarchical structure of the company. As I showed in the bank scenario, the manager was very friendly with me because I presented myself as an important employee from the corporate facilities; this generates a feeling of responsibility in the people involved in the attack, and as a result he offered all possible information. However, you need to be very careful and not exaggerate; it is also normal that someone who feels frightened by another tries to identify mistakes in his behavior in order not to offer support. It's a human reaction; you need to be polite but strong, like a boss.

Don't limit your imagination to simple attacks; use all the information gathered to perform complex attacks. Don't only attack random users; take care selecting a sample of users from the information gathered previously, take your time with fake images and corporate formats, take care with spelling and grammar; if possible, don't use scripts to send e-mails, write each e-mail by hand and personalize it for each target; be careful with that.

When you show the test results remember to orient them to the business; the important thing for your clients is not listings of users and passwords, or other kinds of sensitive information, but the impact on their business, the strategy needed to avoid the weaknesses and its total cost.

Collect all the possible information. Just as a penetration test has an active and passive information gathering phase, social engineering tests also have an information gathering phase where you need to obtain a lot of information about the security controls implemented and the processes. You can get information using tools like Maltego and FOCA, which from public information can get private information useful for your tests, such as names, key persons in the company, telephones, addresses, documents, formats, e-mails, etc.

Always orient your results to the business. I'm being very repetitive, but it is important, mainly because companies pay a lot of money for this kind of test to know their weaknesses; but beyond that, to design a strategy to avoid them in the future, it is necessary to be detailed with descriptions of access methods, human errors, security awareness, security controls implemented and nice-to-have recommendations.

CARLOS A. LOZANO

Carlos A. Lozano has been working as Chief Technology Officer at blue Mammut Computer Security Services, a small company focused on application and network security, for the past 6 months; before that he worked as a security advisor in some companies specialized in security fields. He founded the BugCON Security Conference, the largest security conference in Mexico, and he's interested in exploitation techniques, research and reverse engineering.


Wireless Penetration Testing Beyond the IEEE 802.11 Family of Standards

Wireless penetration testing covers a large family of wireless protocols. Usually, penetration testing companies offer their customers only WiFi (IEEE 802.11 family of standards) penetration tests, leaving out the other widespread wireless technologies. Wireless protocols like Bluetooth, ZigBee, RFID, NFC, GPRS/EDGE/HSPA and SAT are often used by companies in mission-critical environments, but the security problems are often upstaged by business needs until a threat agent teaches them how expensive a breach is in terms of money and reputation.

While end users have discovered the joys and sorrows of wireless communications in the last ten years, industry has been using these technologies for at least thirty years. At the beginning their devices were interconnected using very basic proprietary RF technologies meant to transmit a little control data, but over the years systems have evolved, adopting more and more sophisticated technologies used for many different purposes: wireless technologies were initially born from the need to manage devices and sensors regardless of their distance from the control station, and they became almost ubiquitous in companies. Despite the technological evolution, what remains almost the same is the approach to the design of systems using these technologies: the assumption made by engineers who decide to use wireless communications in their systems is that there is no possible hostility in the usage made by users or by the parties joining the wireless communications. We know that it is simply not true; in the Stuxnet era even my mother could be hostile without knowing it. Also, in the rare cases where the engineers designed their systems thinking that the user could be hostile, they fail because too often security is implemented through obscurity instead of using best practices and well-known security protocols and algorithms.

In this article we will present an overview of the security problems and the penetration testing techniques related to non-WiFi (IEEE 802.11 family of standards) wireless technologies. Therefore, the use of the term wireless in the next paragraphs should be understood in this sense.

The Wireless Communications Security Big Deal

The big undeniable problem in wireless communications is represented by the shared communication channel (the air). The sentence may sound trivial, but during the development of systems that will be using wireless technologies, engineers often seem to forget this fundamental fact. I say that because in my work experience, even in the case of systems designed to be equipped with wireless technologies which provide security features, the security features were switched off. The point is not purely technological, but resides in the technical background of the system designers, which has survived unchanged over the years along the technological evolution.


The paradigm adopted in the design of this kind of system is something like "it has to work" rather than "it must work securely", because of the following common belief of the Triassic designers and the companies that rely on their convictions: who do you think would be interested in or able to break into our super-tested proprietary system? The problem becomes more serious considering that such technologies are usually used in costly systems resilient to change.

Imagine a company that has just invested hundreds of thousands of euros to deploy a system. Imagine telling them that their system is intrinsically insecure; how do you think they would react?

They, for sure, will not change anything unless it is practically demonstrated that a threat agent can damage their business. Selling wireless security services in this scenario is difficult, and it is even more difficult to identify practical and cost-effective solutions, but our experience says that once you find the key to let your customers understand how risky it is to keep operating a system relying on insecure wireless technologies, they will promote actions to mitigate the risks, involving the security consultants in the review of the whole system.

The question arises: what is the key to let the customer understand the risks, in terms of security, of poorly designed devices equipped with wireless technologies? In my experience penetration tests in these environments have always been planned and executed following these principles:

Pre-Sales/Sales

The approach to selling the test has been made with specific know-how on the topic. We try to sensitize the customer to the threats affecting this kind of technology without being terrorists. First, in each sales meeting we try to capture the needs of the customer's business and we try to figure out how a threat agent may affect its business model. Our testing idea is then discussed with the customer to identify exactly its needs. From our point of view, it is crucial that the proposition is both technical in the analysis of the attack vectors to test and business oriented, in order to allow the customer to understand what the test is intended for. In general, be consistent in the proposition with an approach inspired by real-life security issues more than by academic concerns.

Penetration Test Plan

The test plan definition is important for every kind of test. In wireless testing it is even more important because, unless your company has its own logistics division equipped with trucks to carry all the devices and the stuff you need to test the wireless infrastructure, you have to define the technologies being tested and the kind of test to perform. It's really important that a highly skilled analyst in the field of wireless communications is involved in this phase. Just to give you a practical example, the wrong antenna choice could compromise your analysis. A different story is a black box test, where you definitely need a truck to carry all the devices needed to analyze unknown wireless signals. I definitely do not recommend planning such a generic wireless test unless you and the customer are really aware of the complexity and the trouble you may have to face.

Penetration Test Execution

Apart from methodologies, which are always important in penetration testing, remember that dealing with wireless technologies is not a kiddie game, so please consider your safety, and the safety of the people around you, while operating wireless devices (especially high-power ones). Usually we try to carry out this kind of penetration test in a laboratory environment where we can take all the necessary protections in terms of safety and security, but if the customer requires the analysis in a production environment, we advise them of the potential security and safety risks. Moreover, before starting the analysis we have a meeting with all the customer staff working in the range of our wireless devices, to inform them about the safety measures to adopt while we're working on the penetration test. In a production environment you also have to keep in mind that your test may affect more devices than those in your target scope, so you have to be very careful in evaluating every possible side effect resulting from the analysis activity. With this in mind and all the needed precautions, your analysis can be done without harming anyone or anything outside your target scope.

Wireless Penetration Testing Domains

Depending on the wireless technology being tested, the testing strategy will verify certain aspects related to information security besides the technology-specific vulnerabilities. In general, during a wireless penetration test you have to verify, if applicable for the technology, at least the following security domains:

Confidentiality of the Information

Due to the shared communication channel, the confidentiality of the information should be verified during a penetration test. The level of confidentiality and the impacts depend on the technology being tested; however, you have to verify that the transmitted information is accessible only to those who are authorized to access it. For example, imagine an HTTP conversation over an asymmetric satellite link (e.g. a DVB satmodem where the upstream channel transits over the Internet and the downstream channel transits over the air): if the channel is not properly protected, a threat agent could be able to access the response from the server containing sensitive information (e.g. cookies, clear-text passwords returned in a later response, company information contained in the response pages, etc.).

Communications Integrity

It is fundamental to ensure that information is not corrupted in transit. In particular, during a test you have to check that it is not possible to inject forged traffic into a communication, or to re-inject part of the captured traffic into the same channel.

Authentication and Authorization

Like any other communication technology, for wireless ones too you have to ensure that the authorization and authentication mechanisms work properly. In wireless communications these controls are shared between the parties, so you have to check that each player involved in the communication is doing its job. For example, in a typical private mobile network (where the customer has its own APN) the telco provides the authorization services and the customer implements the authentication ones. A lack of authorization is represented by the ability to access the private mobile network with a generic (U)SIM, not owned by the customer, because the CUG (closed user group) is missing.

Depending on the technology, the way you perform the test may vary both in the tools used and in the attacked area. In the next paragraphs we will briefly cover the tools, the devices and the techniques used to perform a wireless penetration test.

RFID Penetration Testing

RFID technology was born in the military area and at the beginning was used as an IFF (identification friend or foe, an identification system to determine if a target is a friend or enemy) transponder. Nowadays this technology has many applications such as smart cards, cars, retail stores for inventory tracking, chips for animals, corporate badges and so on. In a corporate environment usually the following hardware components are the parts to be included in the penetration testing process: RFID readers, RFID tags and RFID antennas. Figure 1 shows a typical RFID architecture. RFID is usually used in two ways:

Unique ID (UID) Transponders

A transponder operating in this mode uses the LF band (100 to 150 kHz) for the wireless transmission. The transponder is programmed by the manufacturer and the chip comes with its own identification number written in memory. When the transponder is in range of the reader, the memory content is transmitted to it. In this operating mode there is no communication origin authentication, so the transponders can send data to anybody and the reader can receive data from anybody.

MIFARE

A transponder operating in this mode uses the HF band (13.56 MHz) for the wireless transmission. In this mode you can find basically two kinds of usage: the first one is equivalent to the Unique ID (UID); the second mode provides a cryptographic technology used to mutually authenticate the transponder and the reader.

Unfortunately for those who adopted this technology, both operating modes were totally compromised, leaving several attack scenarios to a threat agent. The following are some of the typical attack scenarios that you can analyze during a penetration test.

Relay Attacks

In this scenario a threat agent is able to perform a man-in-the-middle attack. Using a device placed between a legitimate RFID tag and reader, the threat agent is able to intercept and modify the radio signal.

Figure 1. Typical RFID architecture

Network/Transport Layer

In this scenario are included the attacks based on the way data are exchanged between the entities (tags, readers) of an RFID network. We have to distinguish the attacks against tags, readers and the network protocol. Talking about tags, a threat agent could both clone and spoof the victim's tags. Regarding the readers, we could choose both impersonation and eavesdropping attacks (an unauthorized user uses an antenna in order to record RFID communications). Also consider that RFID systems are often connected to back-end databases and networking devices, so they are susceptible to the same vulnerabilities as general-purpose network devices.

Application Layer

In this scenario a threat agent could take advantage of the aforementioned attacks to exploit back-end software vulnerabilities. The RFID becomes the vector for classic attacks such as BoF, SQL injection and so on, depending on the back-end business application. Depending on your electronics skills you can build your own professional RFID penetration test kit starting from 250 up to 1500. For example, over the Internet you can find a lot of tutorials to start playing with RFID using the Proxmark III [1], a general-purpose RFID device.

    ZigBee Penetration Testing
    ZigBee (built on IEEE 802.15.4, which defines the physical and MAC layers) is a wireless transmission technology that operates in the 868/915 MHz and 2.4 GHz frequency ranges, originally developed in 1998. ZigBee was designed to be a short range protocol to be used in embedded devices thanks to its simplicity. Figure 2 shows the ZigBee protocol stack.

    There are a lot of implementation scenarios, but the built-in protocol supports both mesh and star-based network topologies. In a typical ZigBee network there are two types of devices: the Target and the Controller. The first device type is responsible for the PAN network creation and coordination; the second device type can join the network created by the Target by pairing with it. Although the ZigBee protocol stack has been designed with security in mind, researchers have found vulnerabilities that allow a threat agent to harm a ZigBee PAN. The following are the known ZigBee vulnerabilities you can analyse during a penetration test:

    Physical Attack
    Many ZigBee devices use a hard-coded encryption key to encrypt the network traffic. During the boot process the key is moved from the flash memory to the RAM, which lets a threat agent with physical access to the device retrieve it. Consider planning this kind of test only in a test environment, since you will have to disassemble the device in order to connect the probes needed to access the memory.

    Key Provisioning Attack
    ZigBee uses a protocol known as Over the Air (OTA) for the delivery of the keys used to encrypt the network traffic. ZigBee networks typically use OTA in large networks, because of the ease of updating, in order to guarantee the security of the transmissions. Unfortunately, due to a small flaw in the protocol design (the cryptographic keys are sent unencrypted), this mechanism offers almost no protection against a threat agent: once the keys are obtained, it is able to decrypt the PAN traffic.

    Replay Attack
    ZigBee has only very basic replay protection, so a threat agent able to intercept the network traffic is able to inject any previously observed packet until the next key rotation. Be especially careful while playing with this in a production environment: since you have no idea of what you're injecting, consider that you can cause service disruption or even worse damage.

    Figure 2. Zigbee Protocol Stack, Source Wikipedia

  • PENTESTING TRICKS


    The physical attack on ZigBee devices can be carried out using Bus Pirate [2] or GoodFET [3]. The other attack simulations can be carried out using KillerBee [4] and the suggested ZigBee hardware. Depending on your electronics skills you can build your own professional ZigBee penetration test kit starting from 100 up to 350.

    Bluetooth Penetration Testing
    Bluetooth (802.15.1) is a wireless transmission technology that operates in the 2.4 GHz frequency range. Bluetooth was designed to be a short range protocol with low power consumption. The radio technology used by Bluetooth is known as frequency-hopping spread spectrum, which splits and transmits the data being sent to the other devices over up to 79 frequencies. The Bluetooth protocol stack is anything but simple: it can operate in several different ways and the testing scenarios are as wide as the protocol specifications. While you can find several excellent resources on the Internet regarding Bluetooth security and penetration testing (e.g. [5][6]), I will focus on the analysis of the security testing scenarios related to embedded devices and the industrial automation world. The following are the known Bluetooth vulnerabilities you can analyse during a penetration test:

    Pairing Eavesdropping
    Depending on the Bluetooth version, PIN/Legacy Pairing and LE Pairing are susceptible to eavesdropping attacks. A threat agent able to collect all pairing frames can recover the secret key(s), which allows device impersonation and data decryption.

    PIN Enumeration
    Often, especially with older Bluetooth versions, the PIN used to pair with a device is weak. Since the pairing mechanism has no brute-force prevention, and also considering that the PIN is often a number composed of 4-5 digits, it could be trivial for a threat agent to retrieve the PIN used for the device pairing.

    Secure Simple Pairing Attacks
    SSP is a method used to establish a secure connection between Bluetooth devices. Despite the secure mechanism, a threat agent could abuse some of the protocol flaws to perform a man-in-the-middle attack.

    Application Layer
    In this scenario a threat agent could take advantage of the aforementioned attacks to exploit back-end/device software vulnerabilities. Bluetooth becomes the vector for classic attacks such as BoF and so on, depending on the back-end business application.

    Because of the frequency hopping, the hardware investment needed to intercept Bluetooth communications could be expensive. There are a couple of cheap alternatives that work well with older Bluetooth versions [5], but a professional solution [7] could be the only choice in certain scenarios.

    SAT Penetration Testing
    Satellite link communication is probably one of the oldest wide band technologies adopted by companies. Originally developed for military use, this technology has evolved, becoming more accessible. Nowadays DVB-S2 is the de facto standard (ratified by ETSI EN 302307) for audio, video and data connections via satellite. Data connections using the DVB technology are implemented in the following ways:

    Sat modem
    The client uses only the satellite downstream; it is not able to transmit data over the sky. The requests are made through the Internet, usually using a PSTN or an HSPA connection, and the responses are received through the satellite link.

    Astro modem
    Both the client and the provider exchange information using the satellite link. The requests are sent by the client to the satellite, which forwards them to the provider. The responses follow the same path.

    The following are some of the typical attack scenarios that you can analyse during a penetration test:

    Data Analysis
    Depending on the link scenario the impact of this may vary; in fact, in the case of the sat modem, a threat agent could be able to intercept only the connection responses to its requests. Usually, this kind of connection is not encrypted, thus all the unprotected information can be accessed by everyone with sat coverage.

    TCP/IP Attacks
    Over a sat link a threat agent can try to exploit all the known flaws of the TCP/IP suite. For example, it is possible to try to poison the DNS cache, or to hijack the TCP/IP connections. Moreover, if the scenario allows it, you can try to access applications not directly exposed through the Internet.


    Despite what one might think, the equipment needed, at least for the sat modem scenario, is not expensive: you can set up a basic tool kit starting from 100. All you need is a good parabolic antenna and a SkyStar 2 TV DVB adapter [8].

    Conclusion
    As shown in the article, wireless technologies could harm your customer's business if the data that travel over them are not meant to be delivered across a shared medium and the technologies themselves are not properly protected. Proposing a wide spectrum of security services for wireless technologies is a plus, even if in some cases the initial investment may be significant. Remember that, especially in these kinds of penetration tests, the analysis itself is only the starting point: the real challenge is to help the customer find a practical and cost effective solution to mitigate the identified vulnerabilities.

    FRANCESCO PERNA
    A computer enthusiast since childhood, he has spent more than 15 years researching security issues related to applications and communication protocols, both from the offensive and the defensive point of view. He is a partner and technical director of Quantum Leap s.r.l., a company that offers security services to companies and organizations. http://www.linkedin.com/in/francescoperna [email protected] www.quantumleap.it

    PIETRO MINNITI
    A security professional for over 10 years, he has focused his research mainly on the ERP security field. As an application security specialist at Quantum Leap, he performs security analyses on corporate networks and national critical infrastructure environments. http://www.linkedin.com/in/pietrominniti [email protected] www.quantumleap.it

    References
    [1] proxmark3 https://code.google.com/p/proxmark3/wiki/HomePage
    [2] Bus Pirate http://dangerousprototypes.com/docs/Bus_Pirate_v3.5
    [3] GoodFET http://goodfet.sourceforge.net
    [4] KillerBee https://code.google.com/p/killerbee/
    [5] Bluetooth Penetration Testing Framework http://bluetooth-pentest.narod.ru/
    [6] Martin Karger blog http://www.evilgenius.de/category/bluetooth/
    [7] Bluetooth protocol analyzer http://www.fte.com/products/BPA600.aspx
    [8] SkyStar Adapter https://www.technisat.com/en_XX/

  • CASE STUDIES


    Hacking a Bank
    Putting million dollar locks on Barbie's house

    This story is a real life event that took place while I was doing a blackbox external pentest for a client in the financial industry, but actually, the same scenario could happen in any other sector.

    A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of blackbox penetration tests against their external network, shortly after they had acquired a very expensive Information Security Management System from a major international audit firm. The real reason they contracted my services was in fact to see how their newly employed system would react in a real life scenario, and the scope of my actions was to gain access to their internal network; no one, myself included, thought this was going to be an easy task. Challenge accepted!

    According to the contract terms, I was permitted to perform the attacks at any time, just like a real life attacker. So, at first I thought it would be wise to perform the initial assessment during the day, in order to disguise my probes inside the regular working hour traffic.

    The network scan didn't reveal any interesting open ports; in fact, the only active servers were the two servers running DNS, two different mail servers running on SSL and one server running HTTP and HTTPS. All services were up to date and apparently well enough configured to resist simple attacks, so I decided that I should take a look at their web application in the hope of finding a way inside.

    The web application was built with PHP and JavaScript on a commercial Unix platform. By manually browsing the website, I saw a lot of interesting places that showed a lot of promise for launching further attacks, so, naturally, I decided to start an automatic crawl of the website.

    At first sight the application seemed very complex, with many pages, so I decided to start an aggressive crawl with a few tens of concurrent threads against it. After a few minutes, I noticed my crawler had hung and I realized their IPS was blocking my probe attempts, probably due to a throttling mechanism. So I changed my IP address (remember, it was a blackbox pentest) and started a new, less aggressive crawl. After a few minutes, the same result: my crawler hung because my IP address was blocked again. Getting more and more frustrated, I decided to start a manual crawl of the application, just to see how it reacts, and how I should set things up for a successful automated crawl.

    Indeed, the IPS didn't block my manual crawl. But setting the automated crawler to perform its task at a human pace would have meant an incredible amount of time. I took that bet and let it crawl while I started poking and probing around, playing with different parameters just to see how the application would react to a fuzzing tool. And I managed to make it spill out a few application error messages. Nothing great, I know, but still, it was something.

    Soon, I started fuzzing the parameters I had discovered earlier as being prone to errors, hoping I could make them spill out even more interesting error messages, such as SQL errors or at least some input validation application errors. To my despair, the IPS rules were perfectly set to match my attacks and I was growing way too frustrated to have the patience to discover the limitations they implied. So I decided to leave it for later, and go out for a hot espresso just to clear my mind.

    I returned to the office at around 22:00, eager to work. I decided I should redo everything from step 1, just in case I might have missed something earlier, so I started a new external network scan. I never hoped for anything to be different, but as soon as I started reading the output file, I noticed a new IP address as active, running a service on a very high port, 56635. Grabbing the banner on this port didn't reveal anything, so I decided to run AMAP.

    Protocol on xx.xxx.xxx.xx:56635/tcp matches ssl. Immediately I start a browser and... what do I see? The login page of a phpMyAdmin interface. I find out the version running and start looking around the Web for useful information about it, but the only thing I learned was that this was one of the newest versions, with few if any known vulnerabilities.

    The only place I had left to try was the parameters in the login page itself, so I started fuzzing those in the hope of finding SQL injection or similar.

    But I never expected what happened next. My fuzzing tool warned me that something really weird was happening. Not in terms of error messages: instead, the server replied with HTTP/1.1 200 OK to a request that was specially crafted to be erroneous. Analyzing the messy request, I realized it was a command injection request, one that should never have worked, not since 2003 anyway: I couldn't believe my eyes, but there was an Apache web server running a vulnerable mod_auth_any, an Apache module which allows the use of third-party authentication programs. The problem with the module is a command injection vulnerability, and merely feeding the ; character in either the username or password field granted me access to the phpMyAdmin interface. But that was nothing. By crafting a special request I managed to bind a netcat to a free port, thus granting me access to the operating system: MISSION ACCOMPLISHED!
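    The root cause described above is a module handing user-supplied credentials to an external program through a shell. The following added example (not the bank's software and not mod_auth_any itself) puts the vulnerable pattern beside the hardened one: CHECKER is a hypothetical stand-in for the third-party authentication program, /usr/local/bin/checkpw is a hypothetical path that is never executed, and the credentials are constructed.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for the third-party checker such a module calls. It is
# a tiny Python one-liner so the example runs offline; the only credentials it
# accepts are the constructed pair alice / s3cret.
CHECKER = [sys.executable, "-c",
           "import sys; sys.exit(0 if sys.argv[1:] == ['alice', 's3cret'] else 1)"]

# Characters a POSIX shell interprets rather than passing through as text.
SHELL_METACHARS = set(";|&$`<>()\n'\"\\")


def build_command_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern (the 'before'): credentials pasted into a shell
    command line. Returned as a string and never executed here, so the way a
    shell would cut it up can be inspected safely."""
    return f"/usr/local/bin/checkpw {user} {password}"   # hypothetical path


def shell_commands(cmdline: str):
    """Split a command line the way a POSIX shell would, with ';' ending one
    command and starting the next. Returns one argv list per command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def looks_like_injection(value: str) -> bool:
    """Defence in depth for a login field: flag shell metacharacters so the
    attempt can be logged, whatever the checker does with them."""
    return any(ch in SHELL_METACHARS for ch in value)


def check_credentials_safe(user: str, password: str) -> bool:
    """Hardened pattern: the checker receives user and password as discrete
    argv entries with no shell in between, so ';' is just a byte in an
    argument and cannot start a second command."""
    result = subprocess.run(CHECKER + [user, password], capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    injected = build_command_unsafe("; echo INJECTED", "x")
    print(shell_commands(injected))   # the checker, then a second command: echo
    print(check_credentials_safe("alice", "s3cret"))        # True
    print(check_credentials_safe("; echo INJECTED", "x"))   # False
```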

    From what I learnt later, that server was an internal web portal with file sharing capabilities. Normally, no services were running on the public interface of the server, but because administrators needed remote access to the administration panel, they thought it would be safe to have phpMyAdmin bound to a high port on the Internet-facing interface after work hours. That is why the first audit firm didn't discover the cloaked service, and this is why my initial, working-hours assessment didn't find it either.

    This is how, due to laziness, system administrators can introduce risks even into the most expensive information security management system, making hundreds of thousands of dollars worth as much as an outdated Apache version running a vulnerable and outdated authentication module.

    The contractor was shocked that I was able to circumvent very expensive security mechanisms, especially because, being a hacker, I could easily have gained access to the internal network, thus being able to further expand the compromise. The biggest problem was that the attack went undetected: all they could catch on their IDS was my initial crawl of their main application, as no tools were needed to perform the actual attack; all I did was type ;nc -l -p 31337 -e /bin/bash in the authentication form's username field. The conclusion I might draw is that expensive security can be rendered useless using only tools like nmap, amap and pure intuition.
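    The lesson of the story for the defender is that a service exposed only after hours is invisible to a single daytime scan, so external exposure has to be checked at different times and the results compared. The following added example (not the author's tooling) does that comparison over two constructed scans in nmap's grepable (-oG) output format; the addresses are TEST-NET placeholders, not the bank's, and the high port is the one from the story.

```python
import re

# Constructed sample scans of the same external range, one taken during working
# hours and one in the evening. Hypothetical TEST-NET addresses.
DAY_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 465/open/tcp//smtps///\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.20 ()\tStatus: Up
"""
NIGHT_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 465/open/tcp//smtps///\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.20 ()\tPorts: 56635/open/tcp//unknown///\tIgnored State: closed (999)
"""
SCANS = {"day": DAY_SCAN, "night": NIGHT_SCAN}

# A grepable "Host:" line with a port list: fields are tab separated.
HOST_LINE = re.compile(r"^Host:\s+(?P<host>\S+)\s+\(.*?\)\s+Ports:\s+(?P<ports>[^\t]*)")


def parse_grepable(text: str):
    """Return the set of (host, port, proto, service) reported open in one scan."""
    found = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and hosts that reported no open ports
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")   # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 5 and fields[1] == "open":
                found.add((m.group("host"), int(fields[0]), fields[2], fields[4]))
    return found


def exposure_by_scan(scans):
    """Map every open service to the labels of the scans in which it was seen."""
    seen = {}
    for label, text in scans.items():
        for service in parse_grepable(text):
            seen.setdefault(service, set()).add(label)
    return seen


def intermittent_services(scans):
    """Services open in some scans but not all of them: exactly the ones a
    single working-hours scan, or a single annual audit, will miss."""
    every_label = set(scans)
    return {svc: labels for svc, labels in exposure_by_scan(scans).items()
            if labels != every_label}


def report(scans):
    """One human-readable line per intermittent service."""
    lines = []
    for (host, port, proto, service), labels in sorted(intermittent_services(scans).items()):
        lines.append(f"{host}:{port}/{proto} ({service}) open only in: "
                     + ", ".join(sorted(labels)))
    return lines


if __name__ == "__main__":
    for line in report(SCANS):
        print(line)
```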

    ANDREI BOZEANU
    AB Consultancy Software SRL is a newly merged computer security company located in Bucharest, Romania, whose main area of activity is penetration testing and forensic examination. Our experts have over 20 years of international experience in the field of computer security research, both offensive and defensive, ranging from malware and antimalware research, software audit and exploit development to cryptology. Our customers are government, military or financial industries, both based in Romania and abroad.


    Do no Harm

    A few years ago I engaged a global security consulting practice to perform an attack and penetration exercise on the company I worked for as the CISO. Shortly into the engagement, the consultants approached me with some dire news. They had discovered several High Risk vulnerabilities in one of the most important corporate web applications, and were recommending aggressive remediation measures.

    More recently, I worked with a company that had just completed a security scan of its primary web application and had discovered literally hundreds of High Risk vulnerabilities. I was in the meeting when the CISO presented this information to executives, and you could almost see the blood drain from their faces. Very quickly, the dialog in the room began focusing on aggressive options for attacking the problems.

    Infosec to the rescue, right? Unfortunately, no.

    Misinformation
    These days, everyone is pretty aware of the need to minimize the likelihood of penetration testing activities adversely affecting production data and systems. In most cases, significant care is taken to coordinate activities and get appropriate approvals before work begins. Yet a more subtle but equally critical problem is often overlooked: misinforming the people we serve.

    An executive's plate is filled with aggressive competitors, regulators who seem to want to bury them in paperwork, technology that can fail at just the wrong moment, market forces that seem to change on a whim, human resource issues that would make Gandhi reach for a stick, and, oh yeah, cyber security issues. Improperly managed, any of these issues can ruin an organization. Because there are never enough resources to cover everything, executives must choose which of the many challenges they face will get their limited resources. To make good choices they need good information regarding expected costs and benefits. Relying upon impaired or incomplete information can seriously affect decision quality and company welfare.

    Back to the Scenarios
    In the first scenario at the beginning of the article, I examined the pen test findings and pushed back on the consultants. Yes, they had identified weaknesses, but had they considered the frequency of the kinds of attacks that would leverage those weaknesses? How about the frequency of any sort of attack against that application, and especially the part of the application where the weaknesses existed? How much skill was required to exploit those weaknesses? What kind of access to underlying sensitive data would be gained and/or what level of control over the underlying systems? After talking through these considerations, the consultants backpedaled and changed the High severity of their findings to Medium, and in several instances, to Low. As a result, my organization was able to appropriately prioritize its remediation efforts and avoid unnecessarily impacting key projects and business operations.


    In the second scenario, I intervened with some questions for the CISO before the decision-making went too far:

    Was the application new, or had it been on the Internet for some time? (Answer: It had been in place for years.)

    Were these weaknesses new, or had they likely been there a while? (Answer: Most were believed to have been there for months or years.)

    Was the application subject to threat events with any regularity? (Answer: Yes, it was constantly being attacked.)

    Given the above, how come their company was still in business? (Answer: Blank stare)

    Had the organization regularly engaged outside consultants to attack the application? (Answer: Yes, annually.)

    Were they hiring competent consultants? (Answer: Yes.)

    Had those consultants successfully breached the application at any time? (Answer: No)

    Clearly, something wasn't making sense. Was the application scanning tool to be believed, or the penetration testers? Or perhaps neither? Regardless, everyone recognized that to rationally solve the problem and avoid wasting resources we needed more, and better, information.

    What's Wrong?
    Risk management is a probability issue. You can talk to me all day long about what's possible, but until I understand the probable frequency and magnitude of an event, I have no way to properly gauge its relevance among all of the other issues I face. Only when you apply some critical thinking and a reasonably accurate understanding of risk can you make decent estimates of the probable frequency and magnitude of an event.

    Unfortunately, too often, I've seen testers rely on their tools' risk ratings. Newsflash, folks: I have never seen testing tools get risk right, because they use models and analytic formulas that are broken in a number of important ways. At other times, I've seen pen test results that clearly reflect the tester's technical understanding of what's possible but completely disregard what's probable. For example: "The hackers could take control of this machine, navigate to that machine, and then have access to the organization's crown jewels!" Yes, certainly, that could happen. In some cases, though, the odds of an asteroid striking the organization's data center next year may be higher. If executives had to address everything bad that could happen to their organizations, they would be out of business very quickly.
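    The argument above is that a rating has to come from probable frequency times probable magnitude, not from what is technically possible. The following added example (not the author's method, and not any tool's formula) carries that arithmetic through for three findings a scanner rated High; the factor names are assumptions chosen to mirror the questions put to the consultants earlier (how often the application is attacked, the skill the exploit demands, whether the weakness sits behind authentication, what the controls catch, and what one successful attack costs), and every figure and threshold is constructed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    tool_rating: str         # severity the scanner or tester assigned
    attacks_per_year: float  # focused attempts against this application, from logs/threat intel
    p_capable: float         # share of those attackers with the skill to exploit this weakness
    p_reachable: float       # 1.0 if pre-auth; lower when the weak spot sits behind a login
    p_controls_fail: float   # chance IPS, monitoring and other controls do not stop the attempt
    loss_per_event: float    # probable magnitude of one successful attack, in currency units


def loss_event_frequency(f: Finding) -> float:
    """Probable number of successful exploitations per year: each factor is a
    question from the article, applied as a filter on raw attack frequency."""
    return f.attacks_per_year * f.p_capable * f.p_reachable * f.p_controls_fail


def annualized_loss(f: Finding) -> float:
    """Frequency times magnitude: a number an executive can rank against the
    other issues competing for the same budget."""
    return loss_event_frequency(f) * f.loss_per_event


def probable_rating(ale: float, medium: float, high: float) -> str:
    """Map annualized loss onto the organisation's own (constructed) thresholds."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def reassess(findings, medium: float = 100_000.0, high: float = 1_000_000.0):
    """Return (name, tool rating, probable rating, annualized loss) per finding."""
    rows = []
    for f in findings:
        ale = annualized_loss(f)
        rows.append((f.name, f.tool_rating, probable_rating(ale, medium, high), round(ale, 2)))
    return rows


# Constructed findings: all three came back "High" from the tool. The raw attack
# frequency is the same for all, because it is the same application; what
# differs is who can exploit each weakness, from where, and at what cost.
FINDINGS = [
    Finding("Pre-auth SQL injection in login form", "High",
            attacks_per_year=50, p_capable=0.6, p_reachable=1.0,
            p_controls_fail=0.5, loss_per_event=200_000),
    Finding("Stored XSS in admin-only report page", "High",
            attacks_per_year=50, p_capable=0.2, p_reachable=0.05,
            p_controls_fail=0.5, loss_per_event=20_000),
    Finding("Chained RCE to crown-jewels database", "High",
            attacks_per_year=50, p_capable=0.05, p_reachable=0.1,
            p_controls_fail=0.2, loss_per_event=5_000_000),
]

if __name__ == "__main__":
    for name, tool, probable, ale in reassess(FINDINGS):
        print(f"{name}: tool={tool} probable={probable} ALE={ale:,.0f}")
```

    With these constructed inputs the scanner's three High findings come out High, Low and Medium respectively: the headline "crown jewels" chain carries the largest magnitude but the smallest probable frequency.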

    Getting Risk Right
    A full treatise on risk analysis would require a book. Nonetheless, some basic critical thinking is all that's required in most cases to avoid gross misrepresentation of pen test results. Risk boils down to how often bad things are likely to occur, and how bad they will likely be when they do occur. When we think in these terms from a pen test perspective, some basic considerations and questions will help us more accurately interpret the level of risk our findings represent. Think of these as critical thinking litmus tests for pen test results.

    How long have the weaknesses existed in the system/application? Consider the two dimensions to this question: 1) how long an exploit for the weakness has existed, and 2) how long the system/application being tested has had this weakness. In some cases, the system/application may have had this defective code from its inception, but the discovery of exploitation methods is recent.

    Have there been any known compromises at this organization as a result of these weak-nesses?

    What can/do the logs tell us about how often the system/application comes under attack? (And it is often critical to differentiate casual scanning/probing from focused attacks.)

    Which threat communities would consider the organization to be a target, and what threat intelligence do we have that helps to inform us about the level of attention this organization is getting from the bad guys?

    What is the value proposition of the target or organization to the relevant hacking communities?

    How often is this weakness subject to attack in the wild?

    What kinds of skills are required to leverage this weakness? As the exploit's difficulty rises, the number of capable threat agents falls, which should reduce the frequency of attacks.

    Would an automated attack work for this weakness or would it require a manual effort?

    How noisy would an attack have to be in order for the attacker to discover and then leverage the weakness? In other words, how likely is it that an attack would be noticed (given the detection technologies in place)?

    Where does the weakness reside within the system/application? Do attackers have to authenticate before they even have the ability to discover and leverage the weakness?

    Are there controls in place or inherent difficulties that reduce the likelihood that an attack will be successful?

    How large in volume is the sensitive data at risk? Could it be acquired quickly, or would it require a prolonged effort?

    Criti