Penetration Testing Part 3 – Scan Me, Baby

Security, Nov 19, 2014

Scanning is a crucial tool in the arsenal of penetration testers as well as hackers out to inflict catastrophic damage on your computer server or web site.

Without scanning, there’s no possibility for exploitation of your system.

Scanning in short provides the raw material for attackers or penetration testers to work on.

When a penetration tester starts scanning a host (computer/server, IP address, web site etc.), he is basically identifying ‘live’ systems and any and all services running on the host.

Note: Again, as I’ve said in the past do not attempt any kind of scanning on computer systems unless you have legal authorization to do so or you’re doing it on systems owned by you for learning purposes.

Ping

In scanning, the first step is to check if a computer or server is ‘live’ by doing a Ping test.

ping xxx.xxx.xxx.xxx

ping example.com

Besides telling you that a host is ‘live,’ a ping also provides the round-trip time taken by an ICMP Echo Request packet to reach the host and for the reply to return.

If you have Kali Linux installed on your PC, you can run fping for a wider suite of ping tests.

With fping, you can check individual IPs, do a sweep of multiple IP addresses, send pings indefinitely, have only ‘alive’ hosts show up in the ping results etc.

Note: But don’t expect to always get a response from a ping request. Some servers are configured not to respond to a ping.

So even if you don’t get a response from ping tests, you must proceed to the next two types of scanning:

* Port Scanning
* Vulnerability Scanning

Let’s examine each of these scanning types in some detail.

Nessus 6 Promises to Reduce Attack Surface

Security, Nov 18, 2014

November 18, 2014 – Tenable Network Security today rolled out version 6.1 of its popular Nessus vulnerability scanning tool featuring a dozen ready-made scanning templates and 100 system hardening guidelines to help organizations identify more vulnerabilities and malware and better implement best security practices.

In an age of frequent and destructive online attacks, Tenable Network’s promise to reduce the attack surface must come as welcome news to beleaguered organizations of all sizes.

Nessus 6.1 Enhancements

* Support for customizable compliance and system hardening policies out of the box (v6 comes with 100 built-in policies for network products, firewalls, storage devices, virtualization and cloud platforms and major operating systems)

Tcpkill – When Only the Nuclear Option Will Do

Security, Nov 15, 2014

Sometimes in life, the conventional options just won’t do.

Unique circumstances force upon us the urgency and necessity of non-routine responses.

For those rare moments and with the responsibility to use it prudently, we have nuclear options like tcpkill for handling attacks on your server.

Tcpkill – Powerful Tool

Let’s face it.

There are far too many whackos out there who think it’s great sport to deface your web site or blog or even crash your network.

As seasoned Linux administrators are aware, hackers have an endless number of IP addresses at their disposal.

So even if you drop one, two, three or a dozen IP addresses via IP Tables, sometimes the ferocity of attacks won’t let up because the criminals quickly resume their attack from a different IP.

When the attack from a particular IP becomes so overwhelming that it threatens to rain havoc on your server or computer, you don’t call the hitman but beckon tcpkill to your aid.

Part of the dsniff network auditing and penetration testing tools suite, tcpkill is a powerful command line tool that can be used to kill/terminate tcp connections on a LAN, WAN or Internet from ports or hosts. You can install dsniff via the Software Manager on Linux Mint or through the Ubuntu Software Center if you’re running Ubuntu.

Alternatively, on Ubuntu systems you can get dsniff by running the below command in the terminal:

$ sudo apt-get install dsniff

On RedHat or CentOS servers, the command would be:

$ yum install dsniff

Tcpkill – Commands

The syntax of tcpkill is: tcpkill [-i interface] [-1…9] expression

* -i – Interface to listen on.
* -1…9 – Degree of brute force you wish to apply to kill a connection. Although the default is 3, I usually go to 9, the most powerful.
* expression – You must specify a tcpdump expression to select the connection to kill.

tcpkill -i eth0 [expression]
* Here’s an example to kill traffic to port 22:

$ tcpkill -i eth0 port 22

* Sometimes you may suspect a single IP address showing up in your netstat results to be malicious. In such circumstances, instead of killing all IPs on a port you can kill only the offending IP with the below command:

$ tcpkill -9 host xxx.xxx.xxx.xxx

* If we wish to kill traffic for port 25 from a suspicious IP, we’d run the following command:

$ tcpkill -9 port 25 host xxx.xxx.xxx.xxx

* You can also kill by domain name like below:

$ tcpkill -9 host example.com

* If you’re a liberal with no sympathy for Republicans, you’d run the below command and prevent your employees from visiting a nasty site: 😉

$ tcpkill -9 host www.foxnews.com

* Another way to handle a malicious IP is by looking at its ID number and then running the below command:

$ tcpkill host 46783

* To kill all IP packets between 192.168.1.2 and any host except 192.168.1.111, use below command:

$ tcpkill ip host 192.168.1.2 and not 192.168.1.111

* The below command is not tcpkill at all: it kills every process holding a socket on port 80, so all traffic to port 80 stops:

$ kill -9 $( lsof -i:80 -t )

To test the above command, I ran it without thinking of the consequences. It killed traffic to all my web sites and I had to restart Apache to restore traffic to the sites.

Related Commands

Closely related to tcpkill is the netstat network monitoring command.

Results from running netstat are what lead you to use the tcpkill command.

A favorite target of hackers is the MySQL database, the backend of WordPress blogs. Recently, a friend running a WordPress blog was the victim of a DoS attack on his MySQL server.

There are a gazillion useful options in netstat, including a few commands that give you the number of connections from a single IP address (useful in detecting DDoS attacks).

For instance, running the below command displays a list of current active connections by IP address. The culprit IP is oftentimes the one with a high number of connections:

$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

By running the following command, we could quickly get a look at the “Established” connection and get the attacking IP:

$ netstat -atnp | grep ESTA
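The counting pipeline and the ESTABLISHED filter above, turned into a small script as an added example (not from the original post). It runs over a constructed netstat-style sample embedded in the script, counts connections per remote IP, and flags the addresses above a threshold so you can review the suspects before reaching for tcpkill.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per remote IP in
# netstat-style output and flag the addresses above a threshold. The sample is
# constructed to resemble `netstat -ntu` on a host serving MySQL (3306) and HTTP.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:3306           203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:3306           203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:3306           203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:3306           203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:44321      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:2222       TIME_WAIT
udp        0      0 10.0.0.5:53             0.0.0.0:*'

# count_by_ip: the post's pipeline, with one change: only tcp/udp rows are
# counted, so the two header lines do not show up as bogus "addresses".
count_by_ip() {
  printf '%s\n' "$SAMPLE_NETSTAT" \
    | awk '$1 ~ /^(tcp|udp)/ { print $5 }' \
    | cut -d: -f1 | sort | uniq -c | sort -n
}

# flag_over THRESHOLD: remote IPs with more than THRESHOLD ESTABLISHED
# connections, one per line. TIME_WAIT and UDP rows are ignored because they
# are not connections a remote peer is holding open right now.
flag_over() {
  printf '%s\n' "$SAMPLE_NETSTAT" \
    | awk -v t="$1" '
        $6 == "ESTABLISHED" { split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) if (n[ip] > t) print ip }' \
    | sort
}

# Review the counts, then the suspects, before deciding whether tcpkill is warranted.
count_by_ip
echo "Remote IPs with more than 2 established connections:"
flag_over 2
```

On a live host, replace the embedded sample with `netstat -ntu` output (for example by piping it into the same awk filters).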

But getting details of the IP and the server under attack was only the first step.

We still needed to stop the attacks that were seemingly immune to IPTables since the malicious hackers already had an “Established” connection to the server.

So the next step was to run the following command:

$ tcpkill -9 host xxx.xxx.xx.xx

[where xxx.xxx.xx.xx is the attacking IP Address]

If the attack is severe, it’ll take some time for the command to complete its work. Be patient.

The attacks stopped on my friend’s server although unfortunately the criminals are resorting to other forms of online harassment.

Here’s another useful netstat command:

$ netstat -ant

Tcpkill Limitations

Tcpkill is not a panacea for all attacks.

But it’s a nuke of a tool for handling small attacks: it gives you a breather while you ponder the next move, get to your tech support guys and devise a suitable long-term response to plug the security dikes.

If you’re confronted with a large-scale DDoS attack, just fold your hands and pray. 😉

Related tcpkill content:
dsniff tools – Information and Download
tcpkill on Wikipedia

WordPress Security Plugins – Staying Alive

Security, Nov 7, 2014

The blog publishing world is fraught with peril.

Write something that someone does not like and soon the wrath of an irate individual or the mob descends upon you.

Your WordPress blog is now under relentless attack from around the world.

Suddenly you start to see ruthless attackers from Romania, Colombia, Mexico, NYC, Mumbai, Buffalo, Kolkata and Russia mount ferocious attacks on your blog, mail server, Apache server etc day in and day out.

And then there are those who attack web blogs for the mere thrill of destroying someone’s labor of love.

Staying alive itself becomes a herculean task and all resistance seems futile, right?

From experience, I can tell you that it’s impossible to prevent determined attackers (be they hired hackers or government agents) from wreaking havoc on your blog.

The best you can hope for is to minimize the damage by following a few security measures.

Some must-dos are updating WordPress software to the latest version, keeping regular backups, changing the admin user name from “admin” to something more complex and hiding the “Powered by WordPress” phrase in the footer of the page.

Security Plugins

You can further secure your WordPress blog by installing security plugins.

Some security plugins are all-encompassing while others address specific parts like bad logins, captchas or passwords.

I have listed a bunch of WordPress security plugins that you might want to consider to secure your blog.

My suggestion is to install each one for a few days, test the performance and then stay with the one that best addresses your needs. Some of these security plugins require a fee for features like country blocks, real-time comment filtering or scan scheduling.

* BulletProof Security is one of those comprehensive security plugins that addresses database backup, .htaccess security filters, performance optimization, login security and monitoring, HTTP error logging and brute force attacks. The latest version is .51.2.

* All In One WP Security & Firewall is true to its name and offers login, database and file system protection, addresses comment spam, brute force logins and firewalls, and enables security scanning, htaccess and wp-config.php file backup and restore. The latest version is 4.0.

Penetration Testing Part 2 – Reconnaissance

Security, Oct 31, 2014

In penetration testing, as in life, there’s no substitute for reconnaissance.

Simply put, the better prepared man has a much better chance of success.

Reconnaissance a.k.a. information gathering or research is a crucial first step in the penetration testing process.

Unlike other phases of penetration testing, there’s no clear, defined structure or path to reconnaissance.

Depending on the complexity of your task, the reconnaissance exercise may take hours, days or in some instances even weeks (well, nobody ever said Rome was built in a day).

Most reconnaissance tasks can be accomplished with any Linux distro but for quick learning purposes I recommend you install Kali Linux (successor to Backtrack Linux) because the necessary tools are already built into this distro and will save you enormous time.

In this post, I have no intention of writing an encyclopedia on reconnaissance techniques for penetration testing. The options are just far too many to be contained in a single blog post.

Instead, I will provide you with enough information to whet your appetite to explore the topic in greater depth on your own.

Chapter 2 of The Basics of Hacking and Penetration Testing by Patrick Engebretson provides a brief overview of the reconnaissance concept.

Without further ado, I suggest you go ahead and install Kali Linux on your computer.

Reconnaissance – Two Kinds

Now all reconnaissance is not the same in penetration testing.

Specifically, there are two types of reconnaissance in penetration testing:

* Active Reconnaissance – Activities that involve interacting directly with the target computer or network
* Passive Reconnaissance – Activities that do not directly touch the target

Both kinds of reconnaissance are indispensable to penetration testing.

As a penetration tester, you must NOT embark on active reconnaissance unless you’re authorized to do so. With active reconnaissance, you are bound to leave digital footprints and your activities will be logged by the target.

Since stealth is not an option in active reconnaissance, you also open yourself to legal jeopardy.

Passive reconnaissance is non-intrusive by nature and carries far less legal risk. Here you will not be sending a single data packet to the target. Instead, you gather information by tapping into publicly available data sources.

During passive reconnaissance, since the target in 99.99% of cases is unaware of your activities, there’s no possibility of your steps being logged or tracked. You operate essentially in stealth mode.

There’s Money in Penetration Testing

Security, Oct 28, 2014

While you’re relaxing at the beach or barbecuing smoky kebabs over the weekend, unbeknownst to you nasty elements in Mumbai, Turkey, Ukraine, China, Azerbaijan, Russia, Iran, New York, Dallas etc are relentlessly plotting to do your business harm by hacking your web site, stealing customer credit card details, filching Social Security Numbers, vandalizing the web pages and ruining your livelihood.

Some hackers do their nefarious deeds for money by selling the stolen information on shady online black markets while others are in it for the thrill.

As Alfred tells Bruce a.k.a. Batman in The Dark Knight:

Some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.

Whether hackers are doing it for money or thrill, the damage is real.

In recent months, hackers have penetrated computer systems of Staples, Morgan Stanley, Target, UPS and countless other American companies and stolen valuable information like customer credit card details, address, social security numbers and other precious private information.

Every day brings worrisome news of a new security breach.

The U.S. Department of Homeland Security recently warned that over 1,000 U.S. retailers could have malware in their cash register computers.

Even employees of the Department of Homeland Security are not immune from the reach of malicious hackers. Media reports in August 2014 said internal records of 25,000 DHS employees containing sensitive information were exposed after a computer attack at a contractor.

Given the numerous security breaches, there’s obviously a good job market for people with solid Linux skills and expertise in penetration testing of computers and networks who can help to prevent the next round of attacks or mitigate their severity.

Understanding Penetration Testing

To understand penetration testing, there’s no better place to start than Professor Patrick Engebretson’s book The Basics of Hacking and Penetration Testing.

Although Professor Engebretson’s book is three years old and the BackTrack Linux OS he describes in its pages has been succeeded by Kali Linux, it’s still a valuable primer on the subject of penetration testing.

Our discussion of penetration testing below draws from his book.

What is Penetration Testing

Simply put, penetration testing refers to legally authorized attempts to exploit computers (including servers, desktops and point of sale systems) and networks in order to make them more secure (see chapter 1 of Prof. Engebretson’s book).