Security Consultant

/Security Consultant

First Steps in Oracle Penetration Testing

In this article, I’ll discuss a range of basic Oracle 9 testing principles from the SID and account enumeration to query execution and finally, you guessed it, remote code execution. If you’re looking for professional oracle penetration testing, please contact me. Firstly, we’ll check to see that TCP port 1521 which is the Oracle Net Listener is open using nmap: nmap -p 1521 192.168.15.205 Oracle Net Listener Nmap Once done, we can use the ‘status’ and ‘version’ commands to get more information, using ‘tnscmd.pl’ from a tool called ‘oracle_checkpwd’: ./tnscmd.pl version -h 192.168.15.205 ./tnscmd.pl status -h 192.168.15.205 tnscmd Version and Status […]

By | August 12th, 2013|Security Consultant|2 Comments

Accessing and Hacking MSSQL from Backtrack Linux

In this article, we’ll cover connecting to a Microsoft SQL (MSSQL) server from the Backtrack/Linux command line, executing system commands through the ‘sa’ or other administrative account, and finally exploiting the ‘sa’ account through metasploit. To start with, let’s cover a quick HOWTO on getting an MSSQL client working under Backtrack/Linux. We’ll need freetds and sqsh for this: apt-get install sqsh freetds-bin freetds-common freetds-dev Once done, we’ll need to edit /etc/freetds/freetds.conf, and append the following to it: [MyServer] host = 192.168.1.10 port = 1433 tds version = 8.0 And lastly, we’ll edit ~/.sqshrc: \set username=sa \set password=password \set style=vert […]

By | August 10th, 2013|Linux, Security Consultant|1 Comment

Two paid wifi attacks to bypass hotspot payment

Most hotels around the world offer paid wireless internet services. There are various different ways that these operate on a technical level, however in general terms; Your device connects to the paid network The network router puts your ‘MAC address’ into the unpaid pool Any traffic from your device is blocked aside from DNS traffic which is hijacked by the router and resolves any query to the router’s IP, and web traffic which is also hijacked by the router and redirected to a page presenting a signup and payment page The router will only allow traffic to the internal payment system and perhaps allowed IPs such as the hotel web site servers. Once payment is made, the payment system notifies the router and your MAC address is added into the paid list Enjoy surfing the net Basic WiFi Hotspot Network A basic wifi hotspot will contain a wireless access point allowing wireless devices to connect, and a router that performs, you guessed it, routing, hotspot authentication and so on acting as the ‘gatekeeper’. This router will then be connected to the internet. More complex systems may include more access points to span multiple floors or locations, more routers, separate authentication servers and so on, although the basic principle is the same, and the network layout is largely irrelevant to our attack scenario in any case. To the non technical readers, there are a few terms we are interested in – MAC Addresses & IP Addresses: A MAC address is a hardware address assigned to your network device – the ethernet (network) card has one, the wireless card has one, the wireless device in a mobile phone has one. It’s not the same as an IP address. A MAC address is (or should be) unique to your device but most importantly, unique to the current network segment. In this case, the network segment that we are on extends through the wireless network and up to the top connection on the internet router. The secondary connection between the router and the internet provider is a second segment. Routers break up segments and MAC addresses do not pass through the router. To simplify, in this case, every device connected to the wireless network will have a different MAC. IP addresses are ‘routed’ i.e. passed across the internet and translated, MAC addresses are not. This point is important to know in understanding one of the attacks. Of course as with every rule there are exceptions and for more advanced reading, ‘proxy ARP’ is one such exception however this scenario has specifically been kept basic to illustrate a successful attack. DHCP: When you connected to the wireless network, your device sent out a ‘DHCP request’. Basically – “I’m new to this network, please let me have the details”. The DHCP server then responds providing a private IP address, router, DNS server and so on. As all of your traffic is passed through the network router, the network router can mangle it and modify it in any way that it wishes. DNS: DNS is the service that turns addresses such as ‘www.adampalmer.me/iodigitalsec’ into an IP address such as 54.236.191.54 which are what the IP networks on the internet run on. Other protocols also exist that we don’t need to be concerned with here. DNS actually does a lot more than just turning names into IP addresses but that’s all that’s relevant here. As an unpaid user, when you fire up your browser and visit www.adampalmer.me/iodigitalsec your browser will contact the DNS server (router in this case) and ask for the IP address. The router will respond with it’s own address, perhaps 192.168.0.1 rather than the real address. This means that your browser will then attempt to connect to the web server on 192.168.0.1 – the paid hotspot signup page. Attempting to enter 54.236.191.54 in to your browser directly will bypass the DNS query, but the router will nevertheless hijack the request and redirect it to the payment page – if it didn’t that would be a simple method for bypassing the payment system. […]

By | July 4th, 2013|Security Consultant, Wireless|0 Comments

Security Through Obscurity – Fail

I was pen testing a web application last week, when I fired up ‘wfuzz’ using a custom large dictionary for file and directory brute forcing. To the non technical readers, this means that whilst there might be links on the site to say /login, /register, /contact-us and so on, I’m looking for files and directories on the web server (site) that don’t have links to them. Perhaps hidden functionality or testing and debugging files that the developers left behind and so on. I often find ‘phpinfo.php’ or ‘test.php’ type files and I once even remember finding a ‘psd.zip’ which was a zip file containing PSD files for the entire site layout. Another common issue I find, is that while ‘index.php’ will be interpreted on the server side and the resulting data sent to the client as expected, ‘index.php.old’ and ‘index.bak’ will be sent directly to the client. This is down to the server being configured that .php files are interpreted by php, whilst unknown extensions such as .old and .bak are assumed to be plain text assets. The problem with this, is that these files will contain all kinds of goodies such as variable names, paths, business information and possibly database or other credentials. Whilst under development, pages will often undergo editing and revisions, and developers often forget to remove old versions, test and backup files. This inadvertently leaves them available to the public through the web server with just a little poking around. You did WHAT?! Last week was something entirely different when I found ‘/nickreport’. This directory contained scripts allowing me to download a full report of customer signups and sales stats for the past 14 days for, you guessed it, Nick the sales director. The authentication prompt was defeated with credentials of ‘nick/nick’. When I confronted the application developer about this complete fail, his response was that the password authentication wasn’t for security but was just to prevent Google from crawling the site, and that there was no way that anyone would guess the URL anyway. He didn’t seem to understand the link between that statement and the fact that a) I HAD ‘guessed’ it and b) his password authentication was an attempt to prevent Google from indexing it. This alone implies that he was aware that search engines had or may in future have ‘guessed’ it. […]

By | July 3rd, 2013|Security Consultant|0 Comments

Fully Automatic Wireless Hacking Station

This article describes a working all-in-one standalone mobile wireless attack station that can perform MITM type attacks on clients automatically and without any internet access or other external connectivity or influence. In laypersons terms; this portable battery powered device can automatically entice wireless devices to connect to it, be that iPhones/iPads, Androids and other phones or laptops and PCs. Most devices will connect to it automatically without the user even realizing. The device will provide a fake network running fake email and web servers and using some network trickery, will capture the hostname, username and password of any attempted connection and log it, along with the GPS co-ordinates of where the details were captured. This device could be used to hijack corporate and personal email logins, facebook logins, and so on. Messing around with airbase-ng, part of the aircrack-ng suite over the last few months and researching wireless client vulnerabilities has led to an interesting proof of concept project. There are several weaknesses within the current wireless technologies in widespread use. First however, an explanation of the project. The project description was to launch a wireless man in the middle (MITM) attack, without having another end to connect the victim to. We need to create a MITM attack without having any internet access. Such an attack could theoretically be used on the tube, in locked down buildings, on the move, and so on, and without the use of a mobile data card. Built on top of a modified raspberry pwn release, although any Linux distribution would have been suitable, I have set my wireless device with a power output of 30dBm and started the following automated process: Firstly, an airbase instance on my rtl8187 card as follows; /usr/local/sbin/airbase-ng -c 3 wlan0 –essids “/root/pen/code/scripts/essids” -P -C 60 -I 60 -vv|grep –line-buffered  “directed probe request”|tee /run/probes This starts an access point on channel 3, beaconing the SSIDs contained within /root/pen/code/scripts/essids as well as any probe requests that the access point may receive from clients looking to connect to an access point. Now, in a little more detail, regular ‘non-hidden’ access points will broadcast ‘beacons’ which are pieces of data that specify the SSID (wireless network name) as well as the supported encryption types and so on. These beacons are usually sent every 100msec. Wireless clients will send probe packets, containing the SSIDs of all wireless networks that they have stored, and asking if any of them are here. The -P switch to airbase-ng will have airbase respond to all probes saying “yes, that’s me” at which point assuming the encryption or lack thereof matches the stored profile, the client will attempt to associate. Mid way through building this test however, Apple released IOS 6, and one of the changes seems that the iPhone will now only send out broadcast probes rather than directed probes, rendering the -P feature useless against them. The broadcast probe is where the device sends out a “is anyone there?” probe, and waits to see which access points reply. Most iPhones however have connected at some point to a wireless hotspot, and so the SSIDs I chose for the essids file are “Boingo Hotspot”, “BTOpenzone” and “BTWiFi” in the UK. I believe that “attwifi” is a popular one in the US. […]

By | April 26th, 2013|Linux, Perl, Projects, Raspberry Pi, Security Consultant, Wireless|18 Comments

CMS Development

What is a CMS? A CMS is a Content Management System. WordPress, Joomla, Drupal and osCommerce are 4 popular PHP content management systems that we work with. A CMS at minimum provides you with a user friendly means of managing your site and it’s content. CMS Development Depending on the requirements for your CMS development project, there are two directions to consider: Take an existing CMS, and build on it to meet your needs. Taking WordPress as an example, the possibilities and options for modification are infinite. This is achieved through the development of themes and plugins. There is really no limit to the customization that’s achievable with most popular CMSs and so bespoke CMS development is usually reserved for a project where the majority of functionality would need to be manually built irrespective of existing code and modules. If your needs aren’t reasonably met by an existing CMS, then it may be more time and cost effective to build a CMS from the ground up. With this route, you also get to put exactly what features you want, where you want. We have a base framework that we usually build start our CMS development with. It contains the basics for rich page and text creation, article creation and SEO friendly URL management. In reality, the term ‘CMS’ has been stretched to cover frameworks and beyond. Whilst strictly speaking a CMS is any system that allows content to be managed, the term also describes fully fledged online site management and development platforms. […]

SSL increases confidence

If you run a commerce website, you’ve probably heard about SSL certificates. Depending upon the level of certificate that you have, they verify the validity of your domain, up to detailed information about your company. An SSL certificate isn’t handy just for commerce sites, however. It’s a vital website security component for any site that deals with personal information of any sort. These days, attacks on severs are commonplace, and website users are wary, especially when it comes to entering sensitive information. That’s where an SSL certificate comes in handy. It increases consumer confidence, and confidence of visitors in general. It shows that you’re serious about what you’re doing. […]

By | July 9th, 2010|Linux, Security Consultant, Technology|0 Comments

An easy way to reduce attacks

The server hardening process can be a daunting task for someone who’s new to the process, or who’s new to hosting in general. The good news is that there’s one simple way to help reduce attacks on your server, or at least its PHP applications. If you run an e-commerce site, chances are you run a CMS such as WordPress, and a shopping cart application such as WHMCS. Both of these applications, like nearly all others, have a login module for the administrators. Especially in the case of well-known programs, there are plenty of people know how to find your administrative log in panel, and that includes those with less than honourable intentions. […]

By | July 8th, 2010|Security Consultant|0 Comments

Hardening your server

Hardening your server is perhaps the best way to prevent, or at least reduce, attacks on your server. What follows is a basic overview of what you should do to harden your server. If you are not completely comfortable doing this, you should retain the services of someone who is, to avoid data loss. The key service you want to secure is SSH, as that is perhaps the most vulnerable. If someone should have access through this protocol, they would have complete power over your server, and all the sites on it. […]

By | July 7th, 2010|Security Consultant|0 Comments