
Joomla security, part 8 (docx)


DOCUMENT INFORMATION

Basic information
Pages: 10
Size: 2.27 MB

Content

Chapter 3 [77]

Here is a sample output you receive from JCheck when something has changed:

Additions since the last run
Added:/home/public_html/administrator/ov56__JOBID1_20071128_125600.sql.gz
Type : file
Permissions : -rw-r--r--
Date Modified : Nov 28 2007 12:56:01
Date Changed : Nov 28 2007 12:56:01
Owner : 32401
Group : 902
Size : 70268
MD5 key : ccfe5703a71ab8ccaa6049bf83382a53
Added:/home/ov56/public_html/administrator/components/com_jts

The file that is changed or added to our site is a backup file being generated by our backup tool. It has been given an MD5 hash, and this hash will be compared with the next run to ensure that nothing has changed. JCheck can be configured to run as frequently as hourly, alerting you to alterations. While this won't stop an attack on your site, it will minimize downtime by alerting you to potential changes. Publishing the module gives us another security logo, telling our users we are on top of our game.

JCheck is copyrighted commercial software. The core library is encrypted. The supplied Joomla! or Mambo module is open-source software, and is released under the LGPL license. You can obtain this and other great products at: http://www.ravenswoodit.co.uk.

This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008, 1010 SW High Ave., Topeka, 66604

NMAP—Network Mapping Tool from insecure.org

If you are managing your own hardware, such as your own physical installation, gateways, firewalls, and so on, then you will need Nmap to ensure that you have configured your system hardware properly. Nmap is available from insecure.org under GNU/GPL, and offers a veritable host of features that would cost you a lot if you bought them from a commercial vendor. Here is the description according to insecure.org:

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing.
It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Running this tool against the server shows several open ports. The 3306/tcp port is wide open for MySQL. A quick search for "vulnerability port 3306" turns up quite a bit of interesting information. There are several exploits available to attack this open port. Typically, you would want to put your MySQL server behind a Demilitarized Zone or DMZ. This will protect it and you won't have to open a port to it. By opening a port such as this, we may not be vulnerable, but we will be leaking information, though minimal. This gives a clever hacker research information to enumerate and map our network, whereas in the example that follows we don't give out that information, nor expose our servers. We access them through a client interface, handling the gory details of hand-off in the background. Note that in both screenshots, the critical information such as IP address, server location/name, etc. has been removed.

Here is a scan on a different host. This shows only the fewest open ports necessary and is clearly a much more secure host.

Why concern ourselves with this? First, we do not need to remotely access our databases.
This is best handled through your administration tools, such as phpMyAdmin located on the box (physically), or through your host's interface. Second, in 2005 a Windows-based "bot" attack was using port 3306 (and others) to create zombies on the Internet. If an attacker were interested in testing your server for vulnerability, and discovered that you had this port open, he/she might use information such as this, found on www.sans.org:

MODERATE: MySQL Authentication Bypass Vulnerability
• Affected: MySQL versions 4.1.0, 4.1.1, 4.1.2 and early builds of version 5.0
• Description: MySQL is a widely used, open-source database with a reported five million installations world-wide. The database runs on a number of operating systems, and is typically deployed as a back-end database for web applications. The software contains multiple vulnerabilities in its authentication module, specifically in the "check_scramble_323" function. An attacker can specify a certain value for the "client capability" flag, and obtain unauthorized access to the database via a null password. The attacker can obtain the privileges of any user on the MySQL server, provided the username is correctly guessed. The attacker can also trigger a stack-based buffer overflow by providing an overlong password string. The overflow may be exploitable on a few platforms to execute arbitrary code. Note that the flaws cannot be exploited using the available MySQL clients. The attacker would have to create a custom MySQL client. The technical details required to leverage the flaws and multiple exploits have been publicly posted.

Other tools at an attacker's disposal would allow him or her to learn what version of MySQL you are running and launch an attack on you.
For instance, if the attackers were able to get the versioning information—say through one of the diagnostic tools—and they learned that the server with an open port is running MySQL 4.0.23, then they would know how to launch an attack. To be fair, if we set up our MySQL to speak only to "trusted hosts", then that would lower our attack surface a bit, but why take the chance?

While this chapter was being written, insecure.org released a new graphical version of Nmap. This GUI offers the new user of Nmap the ability to run scans with an easy-to-use point-and-click interface. The following is an image of the GUI interface:

Wireshark

Another useful tool is the packet sniffer. This is a tool that allows you to monitor all inbound and outbound traffic on your network. This can serve two purposes: first, it ensures that your personal network is not doing something that it shouldn't; second, it allows you to monitor your web server for attempted attacks.

I recently used this tool for a customer in an audit. We discovered that their site had been penetrated by a cracker from China, and he/she was attempting to gain further access. Using this tool, the packets going to and from the server were monitored. There were several suspicious packets in the internal IPC$ share (a Windows internal share). They were not sharing this box with anyone. Further analysis led to the examination of the server logs, thus exposing the break-in. This was quickly dealt with, but may have continued if this tool had not been deployed.
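An added example (not from the book) of the check the audit above did by eye: it reads the columns the book goes on to describe (No., Time, Source, Destination, Protocol, Info) from a Wireshark CSV export and flags SMB tree connects to IPC$ that come from hosts outside the list of machines allowed to talk SMB to the server. The allowed-peer list and the packet rows are constructed for the example.

```python
# Added example, not from the book: scan a Wireshark CSV export (File > Export Packet
# Dissections > As CSV) for SMB tree connects to the IPC$ share from hosts that have
# no business talking SMB to the web server. The column names are Wireshark's default
# export columns; the packet rows are constructed for this example.
import csv
import io
from typing import Dict, List

# Hosts allowed to reach the server over SMB (assumption; empty if it shares nothing).
ALLOWED_SMB_PEERS = {"10.0.0.5"}

SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.0.0.5","10.0.0.20","SMB","180","Tree Connect AndX Request, Path: \\\\10.0.0.20\\IPC$"
"2","0.000412","10.0.0.20","10.0.0.5","SMB","120","Tree Connect AndX Response"
"3","1.203311","198.51.100.77","10.0.0.20","TCP","74","49152 > 445 [SYN] Seq=0 Win=8192 Len=0"
"4","1.204890","198.51.100.77","10.0.0.20","SMB","178","Tree Connect AndX Request, Path: \\\\10.0.0.20\\IPC$"
"5","1.310021","198.51.100.77","10.0.0.20","SMB","178","Tree Connect AndX Request, Path: \\\\10.0.0.20\\IPC$"
"6","2.000000","10.0.0.5","10.0.0.20","HTTP","400","GET /administrator/ HTTP/1.1"
'''


def suspicious_ipc_connects(csv_text: str) -> List[Dict[str, str]]:
    """Return the packets that open IPC$ over SMB from a source not on the allowlist."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Protocol"].startswith("SMB"):        # keep SMB and SMB2 rows only
            continue
        if "Tree Connect" not in row["Info"] or "IPC$" not in row["Info"]:
            continue
        if row["Source"] in ALLOWED_SMB_PEERS:
            continue
        hits.append({"no": row["No."], "time": row["Time"], "src": row["Source"],
                     "dst": row["Destination"], "info": row["Info"]})
    return hits


def connects_per_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count IPC$ connects per offending source: the list to take to the server logs."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts
```

The packet numbers returned are the ones to open in Wireshark's detail pane, and the per-source counts give the timestamps and addresses to look for in the server logs.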
The following list of features of this tool is from the website www.wireshark.org:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro and NetXray, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript, CSV, or plain text

This tool was released under the GNU/GPL license, and is considered the de facto and sometimes the de jure network protocol analyzer for IT shops across the world. The following screenshots are broken up into parts for ease in publishing this book. Let's examine them now:

The first column on the left is the packet sequence as it arrived at the network card. The second one is Time. The third and fourth are SOURCE IP and DESTINATION IP.
As we move to the right of our screen, we'll see this data, which includes the Protocol in use and also information about the packet:

Here, we note the protocol on the wire, and other information pertinent to it.

If we select a specific packet, we'll see a lot of information about it. We can drill into each of the above and learn more about the contents of the packet. If an evil cracker is able to insert a sniffer into your network, he or she can learn the passwords very quickly. This tool watches your network for problems, for example configuration issues, and such other things. And lastly, the data that is contained in the packet allows us to see what is being transmitted.

As there are several other things that Wireshark can do, I suggest you download it and learn all you can about this tool. It will enable you to keep a close watch on all your network activities.

Metasploit—The Penetration Tester's Tool Set

Metasploit is a complete set of tools running on the Metasploit Framework that has been developed for security testing by means of penetration testing. The Metasploit Framework or MSF allows for discovery of vulnerabilities, proper disclosure to the vendor or developer of the problem application, analysis of your code or website, and development of new exploits.

When we launch MSF we see the following control panel, which will guide us through the various functions:

As the site administrator, you may wish to run this against your own site to determine if you have any unknown vulnerabilities. To do so, we select Exploits from the MSF menu bar.
After the selection, we get the following screenshot:

The Search box enables the tester to search for exploits by platform, code, or use. For instance, if you were to choose PHP in the search box, it would yield several exploits. As you scroll down, you would find this interesting exploit:

Do you know if your site suffers from this? Once this exploit is successfully run, MSF will offer you a command shell to interact with it, enabling you to put a payload into the website. There are several payloads available and, of course, you could write your own.

To find payloads, click the PAYLOAD button on the console, search out what you want, and then go about generating the code. This time Linux was chosen as the target and the exploit payload of Add User. If the exploit were successful, injecting this payload would add a user to the system without anyone's knowledge. Once all the parameters are added, the code generated by MSF looks as follows:

# linux/x86/adduser - 1024 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# NOP gen: x86/opty2
# USER=JohnDoe, SHELL=/bin/sh, PASS=Password
"\xb2\xba\x86\xe3\x3c\x75\x35\x7b\x0b\xd4\xb9\x32\xf5\x90" +
"\x67\x47\xbb\x97\x74\x48\x1c\x83\xe2\x12\xeb\x76\x4e\x99" +
. . .
"\xfa\xf1\x14\x74\xf8\xa9\x29\x09\x6a\x4b\xea\xc7\xea\x4b" +
"\x0a\xd8"

Most of the code in the example has been removed; however, you can see the power of MSF. You may be running your Joomla! site on a Windows platform, and thus you may think that this excludes you from the exploit. A quick search for other exploits displays the following screenshot:

This, like the Linux payload, will attempt to add a user to the administration group.
This payload can be inserted by exploiting a hole in Windows, and the surrounding NetBIOS and shares that may be present on the target system. If an attacker can gain access to your server, he or she can escalate the account, or add it directly to the admin group through various means, thus taking over your box and your website.

Are You the Administrator or Owner?

If not both, then I strongly discourage the use of this tool. ONLY use this if you have permission, or a test server, or a site you own. DO NOT use this on any server or site for which you do not have express written permission. Any other use may constitute a criminal act.

Nessus Vulnerability Scanner

The next in our suite of tools is a great product from Tenable Network Security, Inc. The tool known as Nessus is released as a free, open-source vulnerability scanner. They offer paid support in addition to the normal (and abundant) documentation. You may visit their website (http://www.nessus.org/nessus/):

Why You Need Nessus

With Nessus, you can test your server for unpatched holes, various vulnerabilities, and exploits. Tenable Network Security releases updates on an extremely regular basis and is considered to be one of the top vulnerability scanning tools in the world.
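Returning to the JCheck report shown at the start of this excerpt, here is an added example (not JCheck's code, which is closed) of the same idea: hash every file under the site root, keep the result as a baseline, and on the next run list what was added, removed or changed. The site root and the files written into it are a constructed scenario.

```python
# Added example, not JCheck's own code: a minimal file-integrity monitor in the
# spirit of the JCheck report quoted above. It MD5-hashes every regular file under
# a root, compares the result with a saved baseline, and lists additions, removals
# and changes (a change is any difference in hash, size, permissions or owner).
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to its permissions, owner, size and MD5."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            st = full.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                      # ignore symlinks, sockets, devices
            h = hashlib.md5()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entries[str(full.relative_to(root))] = {
                "perm": stat.filemode(st.st_mode), "owner": st.st_uid,
                "group": st.st_gid, "size": st.st_size, "md5": h.hexdigest()}
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and changed relative paths."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}


def demo() -> dict:
    """Constructed scenario: take a baseline, then edit a config file and drop a backup."""
    root = tempfile.mkdtemp()
    (Path(root) / "configuration.php").write_text("<?php $secret = 'a';")
    baseline = snapshot(root)            # what an hourly cron run would store
    (Path(root) / "configuration.php").write_text("<?php $secret = 'b';")
    (Path(root) / "backup.sql.gz").write_bytes(b"constructed backup blob")
    return compare(baseline, snapshot(root))
```

Persist the snapshot between runs (for instance as JSON outside the web root) and mail the diff, and you have the hourly alerting JCheck provides; as the book notes, it tells you about a change rather than preventing it.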
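For the Nmap discussion above (the host with 3306/tcp open to the world), an added example that is not from the book: parse the grepable output (-oG) of a scan of your own server and flag every open port that is not on the short list a web host is expected to expose, so an exposed database port stands out before an attacker's scan finds it. The allowlist and the scan lines are constructed assumptions.

```python
# Added example, not from the book: audit Nmap grepable output (-oG) of a scan of
# your own host against the ports a web server is expected to expose. Any other
# open port, such as 3306/tcp for MySQL, is flagged so it can be firewalled off
# or bound to localhost instead of being reachable from the Internet.
import re
from typing import Dict, List, Tuple

# Ports a Joomla! web host legitimately exposes (assumption made for this example).
EXPECTED_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Constructed -oG lines: one tab-separated "Host:" line per address, each port entry
# written as port/state/proto/owner/service/rpc/version and separated by ", ".
SAMPLE_OG = """# Nmap scan initiated (constructed sample, not real output)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 139/filtered/tcp//netbios-ssn///
# Nmap done (constructed sample)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/,]*/([^/,]*)/")

Ports = List[Tuple[int, str, str, str]]


def parse_grepable(text: str) -> Dict[str, Ports]:
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts: Dict[str, Ports] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                         # comment lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]     # drop the "(hostname)" part
        hosts[host] = [(int(m.group(1)), m.group(2), m.group(3), m.group(4))
                       for m in PORT_RE.finditer(fields.get("Ports", ""))]
    return hosts


def unexpected_open(hosts: Dict[str, Ports]) -> Dict[str, List[str]]:
    """Open ports per host that are not on the allowlist, e.g. a reachable MySQL."""
    findings = {}
    for host, ports in hosts.items():
        bad = [f"{port}/{proto} ({service or 'unknown'})"
               for port, state, proto, service in ports
               if state == "open" and (proto, port) not in EXPECTED_PORTS]
        if bad:
            findings[host] = bad
    return findings
```

Run it after every firewall or service change: a finding of 3306/tcp is the cue to bind MySQL to localhost or restrict it to the trusted hosts the book mentions, rather than to leave the port open and hope the version is not vulnerable.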

Posted: 04/07/2014, 15:20
