Security Consultant


Why pen test?

Let’s first separate the differences between a pen test/penetration test and a vulnerability assessment. A pen test is exactly that – testing to see whether the systems can be penetrated by an attacker. Remaining within the agreed scope, a pen test is done with a hacker’s mindset. Different tools and methods may be used, different services may be attacked and combination attacks may be leveraged in order to penetrate the target systems. A vulnerability assessment, on the other hand, involves testing a system or service for known vulnerabilities alone. It is often achieved partially or wholly through an automated software scan using a tool such as Nessus. A vulnerability scan will typically check for enabled software features or specific running versions of software that are known to be vulnerable. Vulnerability assessments can also be used as part of a larger pen test. So a pen test is better, right? Not necessarily – it depends on the aims of the test and the business requirements. Vulnerability assessments are often used as a precursor to a pen test, but also where specific risks need to be assessed. They won’t, however, provide an accurate picture of security posture against an external hacker. Hackers often won’t just run vulnerability assessment tools against a target but will attempt to leverage coding, policy and all manner of trust weaknesses in order to gain access to a target. […]

By | July 9th, 2014|Security Consultant|0 Comments

Nikto – Open Source Web Server Scanner

Nikto is a crucial part of any web penetration test. It sits firmly in both the ‘web application audit’ and ‘web server audit’ camps. Nikto will comprehensively test web servers for a whole range of items. Tests include the presence of dangerous files and CGIs, outdated versions of web server software and specific configuration problems with web servers. So whether you have an open WebDAV setup, outdated Joomla installations or phpinfo test development files lying around – expect Nikto to find them. Nikto publishes regular updates, and so to fetch the latest definitions, just use:

./ -update

Once we have the latest version, we can go ahead and run a scan with:

./nikto -host […]

By | December 12th, 2013|Security Consultant|0 Comments

Blind SQL injection with sqlmap

When an SQL injection vulnerability is attacked, the application will often display error messages from the database. We can retrieve the data we want from the database by constructing a query that ensures it ends up in the error message passed back to us. This is the method we used in the previous SQL injection example, and it is a very quick and efficient way of mining data through SQL injection vulnerabilities. Sometimes, however, code is constructed in a way that, whilst it is vulnerable to injection, makes it impossible to get the data we want returned by the database. Consider the following code –

<?php
$link = mysql_connect("localhost", "twl", "XXXX");
mysql_select_db("twl");
$sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
$res = @mysql_query($sql);
if (@mysql_numrows($res)) {
    echo "We have rows!\n";
} else {
    echo "We have no rows.\n";
}
?>

[…]

By | December 11th, 2013|Security Consultant|0 Comments

SQL injection with sqlmap

sqlmap is a web application and database penetration testing tool that automates detecting and exploiting many types of SQL injection flaws, and then taking over the database server. It’s able to detect a huge range of injection types. Let’s take the following code –

<?php
$link = mysql_connect("localhost", "twl", "XXXX");
mysql_select_db("twl");
echo "This is a page\n";
$sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
$res = mysql_query($sql);
mysql_free_result($res);
echo "This is some text\n";
mysql_close($link);
?>

[…]

By | December 10th, 2013|Security Consultant|0 Comments

wfuzz – Powerful web asset bruteforcer and vulnerability detector

Brute-forcing is a powerful technique for detecting hidden or misconfigured assets on web servers. One of the most common issues I come across when pen testing web services is temporary, old or other development files left lying around. Most pen testers I speak to rely on ‘dirb’ as the standard tool for web application directory brute-forcing. dirb is a great tool, although I’ve always favored wfuzz. I’ve found it to be faster and far more configurable. Using wfuzz, we can specify exactly what part of a URL to fuzz. Here are a couple of examples – wfuzz also allows us to filter matches based on web server response code, as well as number of lines, size of response, and text matched within the response. […]

By | December 9th, 2013|Security Consultant|0 Comments

Location header is optional not mandatory

I thought I’d write a short post about this issue as I’ve seen it come up a couple of times in PHP code audits. The incorrect assumption is that the Location header somehow forces a browser or forces execution to move elsewhere. Take a look at the following code sample –

<?php
$logged_in = 0;
/* Do login verification routine here */
if (!$logged_in) {
    /* User is not logged in and shouldn't be here */
    header("Location: /index.php");
}
/* User is logged in */
echo "Secret Member Content";
?>

[…]

By | September 13th, 2013|PHP, Security Consultant|0 Comments

mysql_real_escape_string won’t magically solve your SQL Injection problems

Edited: 5th Oct 2014 after bug fixing and reader feedback. Edited: 6th Oct 2014 after reader feedback.

I was engaged by an online retailer to test their custom web application CMS and store. I attended their premises and sat down with the tech manager and his lead developer to discuss with them, from both a business management and a technical perspective, some of the vulnerabilities that should be tested for, as well as to gain a solid understanding of the business needs and logic. When I came on to SQL injection, I was assured by the lead developer that owing to their secure coding practices, SQL injection is completely impossible. All expected user entered integers are cast as integers, and all expected user entered strings are run through mysql_real_escape_string before being passed back to the database. Once code is committed by a developer to the development Subversion server, the lead developer then manually reviews it before deciding to push it live. Great, I thought, it’s certainly a good start. I did point out that this might not always work, but he didn’t seem too fazed, and I didn’t want to get too much into a discussion about why or when that might not always work at that stage. […]

By | August 18th, 2013|MySQL, PHP, Security Consultant|13 Comments

SNMP Network Attacks

Neither SNMPv1 nor SNMPv2c has any security beyond a plaintext community string. The default community strings for read and write access are ‘public’ and ‘private’ respectively. Some Cisco devices use ‘ilmi’ as the default community string. We can use the tool ‘onesixtyone’ to attempt to brute force the name of the community string from a dictionary:

root@pwn:/pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt
Scanning 1 hosts, 51 communities
Cant open hosts file, scanning single host:
[public] Linux dev1 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686

The community string was successfully brute forced, and is set to the default, ‘public’. We can now use ‘’ to enumerate the host based on this information (some parts truncated to save space) […]

By | August 17th, 2013|Security Consultant|0 Comments

DNS Zone Transfer (AXFR) Vulnerability

A vulnerability exists when DNS servers are [mis]configured to allow for public zone transfers. A zone transfer is literally that – the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

dig axfr <domain> @<DNS server>

[…]

By | August 16th, 2013|Security Consultant|2 Comments

PHP Local and Remote File Inclusion (LFI, RFI) Attacks

PHP supports the ability to ‘include’ or ‘require’ additional files within a script. If unsanitized data is passed to such functions, an attacker may be able to get remote code execution access to the server. A typical include block might look something like this:

<?php
require("config/");
require("lib/db.lib.php");
require("lib/parser.lib.php");
include("contrib/users/user.contrib.php");
die("This is a test");
?>

Now, it’s also possible to dynamically require or include files based on variables or user input, say for example: […]

By | August 15th, 2013|Linux, PHP, PHP, PHP Articles, Security Consultant|0 Comments

MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux

Once a MySQL database server has been compromised at root level, it’s often possible to escalate this access to full system level access using User Defined Functions (UDFs). We may have MySQL root access but not system root access for a number of reasons, including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often. Firstly, you’ll want to check out a copy of sqlmap. For this attack you’ll want to browse to the ‘udf’ directory and select the appropriate library depending on your target platform:

udf/mysql/linux/32/
udf/mysql/linux/64/
udf/mysql/windows/32/lib_mysqludf_sys.dll
udf/mysql/windows/64/lib_mysqludf_sys.dll

The steps for escalation on both Windows and Linux are the same. First, we need to get a copy of the correct library onto the target machine in a known location – this could be by uploading to a user account we have access to, or uploading via a website image/file upload, or anonymous FTP account. The second step is issuing a SQL query to load this file into a newly created table row. Third, we then want to dump that table row out to a new file in either the ‘/usr/lib’ directory or the ‘c:\windows\system32’ directory depending on whether we are on Linux or Windows respectively. The reason we need to do this is that our regular web application or user account does not have permission to create files in these directories, whereas the MySQL root user does. Next, we want to instruct MySQL to create a new function pointing to the code in our malicious library. Lastly, we execute this new function with arbitrary system commands that we wish to run. […]

By | August 13th, 2013|MySQL, Security Consultant|8 Comments