Why pen test?

By | July 9th, 2014|Security Consultant|

Let’s first separate the differences between a pen test (penetration test) and a vulnerability assessment. A pen test is exactly that: testing to see whether the systems can be penetrated by an attacker. Remaining within the agreed scope, a pen test is done with a hacker’s mindset. Different tools and methods may be used, different services may be attacked, and combination attacks may be leveraged in order to penetrate the target systems. A vulnerability assessment, on the other hand, involves testing systems or services for known vulnerabilities alone. It is often achieved partially or wholly through an automated software scan using a tool such as Nessus. A vulnerability scan will typically check for enabled software features or specific running versions of software that are known to be vulnerable. Vulnerability assessments can also be used as part of a larger pen test. So a pen test is better, right? Not necessarily: it depends on the aims of the test and the business requirements. Vulnerability assessments are often used as a precursor to a pen test, but also where specific risks need to be assessed. They won’t, however, provide an accurate picture of security posture against an external hacker. Hackers often won’t just run vulnerability assessment tools against a target but will attempt to leverage coding, policy and all manner of trust weaknesses in order to gain access to a target. […]

Nikto – Open Source Web Server Scanner

By | December 12th, 2013|Security Consultant|

Nikto is a crucial part of any web penetration test. It sits firmly in both the ‘web application audit’ and ‘web server audit’ camps. Nikto will comprehensively test web servers for a whole range of items. Tests include the presence of dangerous files and CGIs, outdated versions of web server software, and specific configuration problems with web servers. So whether you have an open WebDAV setup, outdated Joomla installations or phpinfo test development files lying around, expect Nikto to find them. Nikto publishes regular updates, so to fetch the latest definitions, just use:

    ./ -update

Once we have the latest version, we can go ahead and run a scan with:

    ./nikto -host […]

Blind SQL injection with sqlmap

By | December 11th, 2013|Security Consultant|

When an SQL injection vulnerability is attacked, the application will often display error messages from the database. We can retrieve the data we want from the database by constructing a query that ensures it ends up in the error message passed back to us. This is the method we used in the previous SQL injection example, and it is a very quick and efficient way of mining data through SQL injection vulnerabilities. Sometimes, however, code is constructed in a way that, whilst it is vulnerable to injection, makes it impossible to get the data we want returned by the database. Consider the following code:

    <?php
    $link = mysql_connect("localhost", "twl", "XXXX");
    mysql_select_db("twl");
    /* user-supplied id is concatenated straight into the query: injectable */
    $sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
    /* errors are suppressed with @, so nothing from the database reaches the user */
    $res = @mysql_query($sql);
    if (@mysql_numrows($res)) {
        /* only a yes/no answer is returned: the classic blind injection case */
        echo "We have rows!\n";
    } else {
        echo "We have no rows.\n";
    }
    ?>

[…]

SQL injection with sqlmap

By | December 10th, 2013|Security Consultant|

sqlmap is a web application and database penetration testing tool that automates detecting and exploiting many types of SQL injection flaws, and then taking over the database server. It’s able to detect a huge range of injection types. Let’s take the following code:

    <?php
    $link = mysql_connect("localhost", "twl", "XXXX");
    mysql_select_db("twl");
    echo "This is a page\n";
    /* user-supplied id is concatenated straight into the query: injectable */
    $sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
    /* errors are not suppressed here, so database error messages may be shown to the user */
    $res = mysql_query($sql);
    mysql_free_result($res);
    echo "This is some text\n";
    mysql_close($link);
    ?>

[…]

wfuzz – Powerful web asset bruteforcer and vulnerability detector

By | December 9th, 2013|Security Consultant|

Brute-forcing is a powerful technique for detecting hidden or misconfigured assets on web servers. One of the most common issues I come across when pen testing web services is temporary, old or other development files left lying around. Most pen testers I speak to rely on ‘dirb’ as the standard tool for web application directory brute-forcing. dirb is a great tool, although I’ve always favored wfuzz; I’ve found it to be faster and far more configurable. Using wfuzz, we can specify exactly which part of a URL to fuzz. Here are a couple of examples:

wfuzz also allows us to filter matches based on web server response code, as well as on number of lines, size of response, and text matched within the response. […]

Enumerating and Hacking NFS

By | December 4th, 2013|Networking|

Network File System (NFS) is used to share files and directories over the network through ‘exports’. When a client wants to gain access to a share on the remote server, the client will first attempt to mount the share. The list of allowed clients per share is located in /etc/exports on the server. The problem with this approach is that the only credential for access is the client’s IP address. If a trusted machine is taken over or otherwise spoofed, the attacker has full access to the share. All versions of NFS prior to version 4 use this same security model. The next issue to take into account is that wildcards (‘*’) are permitted within the exports file. Site administrators often use wildcards to allow a range of hosts access to a share without thinking through the implications. Future changes to the network, or network breaches, may allow a user access to a share that the administrator had not intended. […]

Location header is optional not mandatory

By | September 13th, 2013|PHP, Security Consultant|

I thought I’d write a short post about this issue as I’ve seen it come up a couple of times in PHP code audits. The incorrect assumption is that the Location header somehow forces the browser elsewhere, or forces script execution to stop and move elsewhere. Take a look at the following code sample:

    <?php
    $logged_in = 0;
    /* Do login verification routine here */
    if (!$logged_in) {
        /* User is not logged in and shouldn't be here */
        header("Location: /index.php");
    }
    /* User is logged in */
    echo "Secret Member Content";
    ?>

[…]

mysql_real_escape_string won’t magically solve your SQL Injection problems

By | August 18th, 2013|MySQL, PHP, Security Consultant|

Edited: 5th Oct 2014 after bug fixing and reader feedback
Edited: 6th Oct 2014 after reader feedback

I was engaged by an online retailer to test their custom web application CMS and store. I attended their premises and sat down with the tech manager and his lead developer to discuss with them, from both a business management and a technical perspective, some of the vulnerabilities that should be tested for, as well as to gain a solid understanding of the business needs and logic. When I came on to SQL injection, I was assured by the lead developer that, owing to their secure coding practices, SQL injection is completely impossible. All expected user-entered integers are cast as integers, and all expected user-entered strings are run through mysql_real_escape_string before being passed back to the database. Once code is committed by a developer to the development Subversion server, the lead developer then manually reviews it before deciding to push it live. Great, I thought, it’s certainly a good start. I did point out that this might not always work, but he didn’t seem too fazed, and I didn’t want to get too much into a discussion about why or when that might not always work at that stage. […]

Multithreaded TCP Proxy Tunnel Code

By | August 18th, 2013|C/C++, Development, Technology|

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 13
Author: Adam Palmer <adam [AT] sasdataservices [DOT] com>
URL: […]

SNMP Network Attacks

By | August 17th, 2013|Security Consultant|

Neither SNMPv1 nor SNMPv2c has any security beyond a plaintext community string. The default community strings for read and write access are ‘public’ and ‘private’ respectively. Some Cisco devices use ‘ilmi’ as the default community string. We can use the tool ‘onesixtyone’ to attempt to brute force the community string from a dictionary:

    root@pwn:/pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt
    Scanning 1 hosts, 51 communities
    Cant open hosts file, scanning single host:
    [public] Linux dev1 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686

The community string was successfully brute forced, and is set to the default, ‘public’. We can now use ‘’ to enumerate the host based on this information (some parts truncated to save space) […]

DNS Zone Transfer (AXFR) Vulnerability

By | August 16th, 2013|Security Consultant|

A vulnerability exists when DNS servers are [mis]configured to allow public zone transfers. A zone transfer is literally that: the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

    dig axfr <domain> @<DNS server>

[…]

PHP Local and Remote File Inclusion (LFI, RFI) Attacks

By | August 15th, 2013|Linux, PHP, PHP, PHP Articles, Security Consultant|

PHP supports the ability to ‘include’ or ‘require’ additional files within a script. If unsanitized data is passed to such functions, an attacker may be able to gain remote code execution on the server. A typical include block might look something like this:

    <?php
    require("config/");
    require("lib/db.lib.php");
    require("lib/parser.lib.php");
    include("contrib/users/user.contrib.php");
    die("This is a test");
    ?>

Now, it’s also possible to dynamically require or include files based on variables or user input, say for example: […]