Thursday, April 10, 2014

Web application Penetration Testing concepts


A web application is any application that uses a web browser as a client. This can be a simple message board or a very complex spreadsheet. Web applications are popular based on ease of access to services and centralized management of a system used by multiple parties. Requirements for accessing a web application can follow industry web browser client standards simplifying expectations from both the service providers as well as the hosts accessing the application.

Web applications are the most widely used type of applications within any organization. They are the standard for most Internet-based applications. If you look at smartphones and tablets, you will find that most applications on these devices are also web applications. This has created a new and large target-rich surface for security professionals as well as attackers exploiting those systems.

Penetration Testing web applications can vary in scope since there is a vast number of system types and business use cases for web application services. The core web application tiers, which are the hosting servers, the accessing devices, and the data repository, should be tested along with the communication between the tiers during a web application Penetration Testing exercise.

An example for developing a scope for a web application Penetration Test is testing a Linux server hosting applications for mobile devices.

The scope of work at a minimum should include:

Evaluating the Linux server:

  • operating system
  • network configuration
  • applications hosted from the server
  • how systems and users authenticate
  • client devices accessing the server, and communication between all three tiers

Additional areas of evaluation that could be included in the scope of work:

  • how devices are obtained by employees
  • how devices are used outside of accessing the application
  • the surrounding network(s)
  • maintenance of the systems
  • the users of the systems



Penetration Testing and Setup

Difference between security audit, network or risk assessment, and Penetration Test

Many organizations offer security services and use terms such as security audit, network or risk assessment, and Penetration Test with overlapping meanings.

By definition, an audit is a measurable technical assessment of a system(s) or application(s).

Security assessments are evaluations of risk, meaning services used to identify vulnerabilities in systems, applications, and processes.

Penetration Testing goes beyond an assessment by exercising the identified vulnerabilities to verify whether each one is real or a false positive. For example, an audit or an assessment may utilize scanning tools that report a few hundred possible vulnerabilities on multiple systems. A Penetration Test would attempt to attack those vulnerabilities in the same manner as a malicious hacker to verify which are genuine, reducing the real list of system vulnerabilities to a handful of security weaknesses.

The most effective Penetration Tests are the ones that target a very specific system with a very specific goal. Quality over quantity is the true test of a successful Penetration Test. Enumerating a single system during a targeted attack reveals more about system security and incident response time than a wide-spectrum attack. By carefully choosing valuable targets, a Penetration Tester can determine the entire security infrastructure and associated risk for a valuable asset.


Penetration Testing evaluates the effectiveness of existing security. If a customer does not yet have reasonably strong security, they will receive little value from Penetration Testing services: the test will only confirm weaknesses a basic assessment would have found. As a consultant, it is recommended that Penetration Testing services are offered as a means to verify security for existing systems once a customer believes they have exhausted all efforts to secure those systems and is ready to evaluate whether any gaps remain.

Wednesday, April 2, 2014

Containing the Airwaves


Many companies expose themselves to attack because they don’t attempt to control the radio signals leaking from their organization. In such cases, a cracker could sit in your parking lot or stand across the street and monitor your network.

Signal Strength
A first step to testing your network is to determine the bounds of your network. You can use sophisticated tools like AiroPeek or a spectrum analyzer, but that would really be overkill. All you need are various software programs that supply link-quality information. Several freeware products run on Linux.

Using Linux Wireless Extension and Wireless Tools

  • iwconfig: Changes the basic wireless parameters.
  • iwpriv: Changes the Wireless Extensions specific to a driver (private).
  • iwlist: Lists addresses, frequencies, and bit rates.
  • iwspy: Gets per-node link quality.


Linux Wireless Extensions are powerful additions to your ethical hacking utility belt. Linux Wireless Extensions are available from http://pcmcia-cs.sourceforge.net/ftp/contrib. Look for the entry wireless_tools.27.tar.gz near the bottom of the available documents and programs. Wireless Extensions v.14 is bundled in the 2.4.20 kernel, and v.16 is in the 2.4.21 kernel.


iwlist and the others are great tools. They get their information from the standard kernel interface /proc/net/wireless. But these tools provide only a snapshot in time; they do not provide statistics over time. If you favor the Windows platform, you can use a great tool like NetStumbler.


Network Physical Security Countermeasures

Radio waves travel. This means that crackers don’t need to physically attach to your network. Most likely you have locks on your doors. You might even have an alarm system to protect your physical perimeter. Unfortunately, the radio waves don’t respect your perimeter security measures. Consequently, you need to walk your perimeter whether you’re an individual wanting to protect your access point or a large organization wanting to protect its wired network. While walking the perimeter, monitor the quality of the signal using the tools already discussed. When you find the signal in places where you don’t want it, then turn down the power or move the access point to shape the cell shape.
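The tools above only give you a reading at one instant, and the perimeter walk only helps if you record what you saw where. The script below is an added example (not code from the original article) that parses the kernel's /proc/net/wireless, samples it repeatedly to get min/mean/max signal level, and flags the spots on a walk where a usable signal was still present outside the perimeter. The /proc row, the walk readings and the -80 dBm "still usable" threshold are constructed assumptions.

```python
"""Sample /proc/net/wireless over time and flag where a perimeter walk still
finds a usable signal.

Added example, not code from the original article. It assumes the kernel's
/proc/net/wireless layout (two header lines, then one row per interface); the
sample row and the perimeter-walk readings below are constructed data.
"""
import statistics
import time

# Constructed /proc/net/wireless contents (WE = Wireless Extensions version).
SAMPLE = """\
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
 wlan0: 0000   58.  -52.  -256        0      0      0      0      0        0
"""


def parse_proc_net_wireless(text):
    """Return {iface: (link_quality, level_dbm, noise_dbm)}."""
    result = {}
    for line in text.splitlines()[2:]:           # skip the two header lines
        fields = line.split()
        if len(fields) < 5 or not fields[0].endswith(":"):
            continue
        iface = fields[0].rstrip(":")
        # The kernel appends '.' to a value the driver has updated since last read.
        link, level, noise = (int(f.rstrip(".")) for f in fields[2:5])
        result[iface] = (link, level, noise)
    return result


def sample_interface(iface, count, interval_s=1.0, reader=None):
    """Read the interface `count` times and return [(link, level, noise), ...].

    `reader` returns the text of /proc/net/wireless; it defaults to the real file
    and can be swapped out (as in the test) to replay captured data.
    """
    if reader is None:
        def reader():
            with open("/proc/net/wireless") as fh:
                return fh.read()
    readings = []
    for i in range(count):
        parsed = parse_proc_net_wireless(reader())
        if iface in parsed:
            readings.append(parsed[iface])
        if i < count - 1:
            time.sleep(interval_s)
    return readings


def summarise(readings):
    """Min/mean/max signal level over the readings: the statistics the
    snapshot tools don't give you."""
    levels = [level for _, level, _ in readings]
    return {"samples": len(levels), "min_dbm": min(levels),
            "mean_dbm": statistics.mean(levels), "max_dbm": max(levels)}


# Assumption: a client can usually still associate when the level is above this.
USABLE_THRESHOLD_DBM = -80

# Constructed perimeter walk: (outside_the_perimeter, [level_dbm per reading]).
SURVEY = {
    "server room":        (False, [-35, -38, -36]),
    "lobby":              (False, [-62, -60, -65]),
    "parking lot, row A": (True,  [-74, -78, -71]),
    "across the street":  (True,  [-88, -91, -86]),
}


def find_leaks(survey, threshold_dbm=USABLE_THRESHOLD_DBM):
    """Return {location: best_level_dbm} for spots outside the perimeter where
    the strongest reading is still usable. Those are where to cut power or
    move/re-aim the AP."""
    return {spot: max(levels) for spot, (outside, levels) in survey.items()
            if outside and max(levels) > threshold_dbm}


if __name__ == "__main__":
    print(parse_proc_net_wireless(SAMPLE))
    for spot, level in find_leaks(SURVEY).items():
        print(f"usable signal beyond the perimeter at {spot}: {level} dBm")
```

Run it at each stop on the walk with `sample_interface("wlan0", 10)` and keep the `summarise()` output per location; the `max` value is what matters for leakage, because an attacker only needs the good moments.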


Other than checking for leakage, you can monitor access points for unauthorized clients.

Checking for unauthorized users

Most access points allow you to view either the DHCP clients or the cache of MAC addresses. This is a good feature for a small network. 

You can review the cache from time to time to make sure that only your clients are using the access point. If you have only five clients, but you see six MAC addresses, then it just doesn’t add up. After you figure out the one that doesn’t belong, you can use MAC filtering to block that client.

For a large network, this feature is not very useful. Keeping track of all the MAC addresses in your organization is too difficult. As well, someone running a packet analyzer or sniffer could grab packets and get legitimate MAC addresses. A hacker could then use a MAC address changer like SMAC (www.klcconsulting.net/smac), which allows him to set the hardware or MAC address for any interface, say your wireless adapter or Ethernet network interface card (NIC). Figure 6-1 shows the SMAC interface. All you do is put in the hardware address you want and restart the system (or simply disable and re-enable your NIC). Your interface will have the new hardware address.
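The "five clients but six MAC addresses" check is easy to automate, and automating it also shows its limit. The following added example (not from the original article) normalises MAC notation so that inventory formats don't cause misses, lists cache entries that aren't on your allow-list, and applies one heuristic that can catch a clone: the same MAC holding two leases at once. The allow-list and cache contents are constructed.

```python
"""Check an access point's client or DHCP cache against the MAC addresses you
actually own, and flag the one heuristic sign of a cloned address that the
cache itself can show.

Added example, not code from the original article. ALLOWLIST and CACHE are
constructed; in practice they come from your inventory and the AP's admin page
or DHCP lease table.
"""
import re
from collections import Counter


def normalise_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455
    and return the colon-separated lower-case form, so formats don't cause misses."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_unauthorised(cache, allowlist):
    """cache: [(mac, ip), ...]; allowlist: MACs you own. Returns the (mac, ip)
    entries that don't belong, in normalised form."""
    allowed = {normalise_mac(m) for m in allowlist}
    return [(normalise_mac(mac), ip) for mac, ip in cache
            if normalise_mac(mac) not in allowed]


def find_duplicate_macs(cache):
    """Heuristic: one MAC holding two leases at the same time suggests someone
    cloned a legitimate address (SMAC-style) while the real client was still on.
    A spoofer who waits until the real client is offline passes this check, which
    is why MAC filtering is not a control you can rely on."""
    counts = Counter(normalise_mac(mac) for mac, _ in cache)
    return sorted(mac for mac, n in counts.items() if n > 1)


# Constructed data: five owned clients in assorted notations...
ALLOWLIST = ["00:1A:2B:3C:4D:01", "00-1a-2b-3c-4d-02", "001a.2b3c.4d03",
             "001A2B3C4D04", "00:1a:2b:3c:4d:05"]
# ...and an AP cache showing seven entries where five were expected.
CACHE = [
    ("00:1a:2b:3c:4d:01", "192.168.1.101"),
    ("00:1a:2b:3c:4d:02", "192.168.1.102"),
    ("00:1a:2b:3c:4d:03", "192.168.1.103"),
    ("00:1a:2b:3c:4d:04", "192.168.1.104"),
    ("00:1a:2b:3c:4d:05", "192.168.1.105"),
    ("08:00:27:aa:bb:cc", "192.168.1.150"),   # the sixth MAC that doesn't add up
    ("00:1A:2B:3C:4D:02", "192.168.1.151"),   # an owned MAC with a second lease
]

if __name__ == "__main__":
    for mac, ip in find_unauthorised(CACHE, ALLOWLIST):
        print(f"unknown client {mac} at {ip}: candidate for MAC filtering")
    for mac in find_duplicate_macs(CACHE):
        print(f"{mac} holds two leases at once: possible cloned address")
```

Note that the seventh entry passes the allow-list check: it is a legitimate MAC, just not on the legitimate machine. Only the duplicate-lease heuristic notices it, and only because the real client happened to be on at the same time.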


An organization can do any number of things to limit its exposure from the escaping radio waves. The controls are not really technical but rather common sense. For example, you can change your antenna type.



Antenna type

When placing your access point, you must understand the radiation pattern of the antenna type you choose. The type of antenna you choose directly affects your network’s performance, as well as its security.


Before you purchase your antenna, try to obtain a sample radiation pattern. Most antenna vendors supply the specifications for their equipment. You can see a representative radiation pattern and specification for a SuperPass 8 dBi 2.4 GHz antenna at www.superpass.com/SPDG16O.html. You can use the specification to determine how far a signal may travel from a particular antenna before becoming unusable; it’s just a matter of mathematics.
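Here is that mathematics worked through, as an added example that is not part of the original article. It uses the free-space path loss formula and a simple link budget to estimate how far the signal stays usable, how far transmit power must drop to bring the cell edge back to a chosen distance, and how much of that gain an attacker recovers with a high-gain antenna. The 8 dBi figure is the antenna the text mentions; every other radio parameter (transmit power, receiver sensitivity, client and attacker antenna gains, wall attenuation) is an assumption chosen for illustration.

```python
"""Free-space link budget: how far an AP's signal stays usable, and how far you
must cut transmit power to pull the cell edge back inside your walls.

Added example, not code from the original article. The radio parameters are
assumptions chosen for illustration; the 8 dBi gain matches the antenna the
article mentions. Free space is the optimistic case: walls only shorten range.
"""
import math

FSPL_CONST_DB = -27.55   # 20*log10(4*pi/c) with distance in m and frequency in MHz


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss (dB) between two points distance_m apart."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) + FSPL_CONST_DB


def link_budget_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm):
    """Total path loss the link tolerates before the receiver falls below sensitivity."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz, extra_loss_db=0.0):
    """Distance at which received power just equals rx_sens_dbm.

    extra_loss_db stands in for walls and obstructions (an assumption you supply;
    a few brick walls are tens of dB).
    """
    budget = link_budget_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm) - extra_loss_db
    # invert fspl_db(d, freq_mhz) == budget for d
    return 10 ** ((budget - FSPL_CONST_DB - 20 * math.log10(freq_mhz)) / 20)


def tx_power_for_range(range_m, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz, extra_loss_db=0.0):
    """Transmit power (dBm) that puts the cell edge at range_m for this receiver."""
    return rx_sens_dbm + fspl_db(range_m, freq_mhz) + extra_loss_db - tx_gain_dbi - rx_gain_dbi


# Assumed radio parameters (illustrative, not from the article)
TX_DBM = 20           # 100 mW, a common consumer-AP maximum
AP_GAIN_DBI = 8       # the 8 dBi antenna mentioned in the text
LAPTOP_GAIN_DBI = 2   # typical client adapter
GRID_GAIN_DBI = 24    # a parabolic grid antenna an attacker might bring
RX_SENS_DBM = -90     # decent receiver at the lowest 802.11b rate
CHANNEL_6_MHZ = 2437
WALLS_DB = 30         # assumed attenuation between the AP and the parking lot

if __name__ == "__main__":
    free = max_range_m(TX_DBM, AP_GAIN_DBI, LAPTOP_GAIN_DBI, RX_SENS_DBM, CHANNEL_6_MHZ)
    walls = max_range_m(TX_DBM, AP_GAIN_DBI, LAPTOP_GAIN_DBI, RX_SENS_DBM, CHANNEL_6_MHZ, WALLS_DB)
    print(f"reach at {TX_DBM} dBm: {free:.0f} m in free space, {walls:.0f} m through {WALLS_DB} dB of walls")
    p = tx_power_for_range(50, AP_GAIN_DBI, LAPTOP_GAIN_DBI, RX_SENS_DBM, CHANNEL_6_MHZ, WALLS_DB)
    print(f"power for a 50 m cell edge: {p:.1f} dBm")
    grid = max_range_m(p, AP_GAIN_DBI, GRID_GAIN_DBI, RX_SENS_DBM, CHANNEL_6_MHZ, WALLS_DB)
    print(f"...but a {GRID_GAIN_DBI} dBi grid antenna still hears it at {grid:.0f} m")
```

The last line is the security point: every 6 dB of antenna gain an attacker adds doubles the distance at which the same signal is usable, so turning the power down shrinks the cell for your laptops far more than it does for someone with a grid antenna in the parking lot. Power reduction and antenna shaping limit exposure; they don't replace encryption.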


By understanding the radiation pattern of the antenna you choose, you can do RF signal shaping to “directionalize” the RF signals emitted from your access point. You could switch from an omnidirectional antenna to a semidirectional antenna to control the radiation pattern. Remember, not controlling your signal is equivalent to pulling your UTP cable to the parking lot and letting anyone use it.

Four basic types of antennas are commonly used in 802.11 wireless networks:


  • Parabolic grid
  • Yagi
  • Dipole
  • Omnidirectional

Each antenna has a unique radiation pattern determined by its construction.

Parabolic grid

  • Parabolic grid antennas are primarily used for site-to-site applications. 
  • A parabolic grid antenna may look like a satellite TV dish or like a wire grid without a solid central core. 
  • The parabolic antenna is a unidirectional antenna, meaning that it transmits (and receives) in one specific direction: the direction that you point the antenna. That focus is also why an attacker with a grid antenna can pick up your signal from much farther away than your own clients can.
Yagi

  • A yagi antenna focuses the beam, but not as much as the parabolic antenna.
  • It’s suitable for site-to-site applications in which the distance does not require a parabolic grid. Like the parabolic antenna, a yagi antenna is unidirectional.
Dipole

  • A dipole (two elements, hence the prefix di-) radiates a doughnut-shaped pattern: in the plane of the antenna it is a figure eight with two lobes, which is why it is often called bidirectional, while in the plane perpendicular to the antenna it covers all directions.
  • You generally use a dipole antenna to support client connections rather than site-to-site applications.

Omnidirectional

An omnidirectional antenna is one that radiates in all directions in the horizontal plane, losing power as the distance increases. The stock dipole on most APs behaves this way when mounted vertically, which is why it leaks equally toward your offices and toward the street.

Tuesday, April 1, 2014

Human (In)Security Countermeasures


You can combat the human insecurities your wireless network faces in several ways. These come in the form of policy, education, proactive monitoring, and simple prevention. The solutions are fairly straightforward. The real trick is getting users, and most importantly, upper management to buy into them. Here’s what you can do.

Enforce a wireless security policy

The first step is to create a company policy that no unauthorized wireless systems are to be installed. The following is an example of a wireless policy statement:

Users shall not install or operate any wireless-network system (router, AP, ad hoc client, etc.) within the organization.

If you choose to allow wireless systems inside your organization or allow remote users to have wireless networks at home, your wireless security policy should outline specific minimum requirements. The following is an example of such a policy:

Users shall not install or operate any wireless-network system (router, AP, ad hoc client, etc.) within the organization without written permission from the Information Technology Manager. Additionally, all wireless systems must meet the following minimum requirements:

  • Encryption is enabled. (The original policy says WEP; WEP keys can be recovered in minutes with freely available tools, so require WPA2 wherever the hardware supports it and treat WEP-only equipment as non-compliant.)
  • Default SSIDs are changed to something obscure that doesn't describe who owns it or what it is used for.
  • Broadcasting of SSIDs is disabled. (This is housekeeping, not protection: a hidden SSID is still sent in the clear in client probe and association frames and is trivially recovered with a sniffer.)
  • Default admin passwords are changed to meet the requirements of organizational password policy.
  • APs are placed outside the corporate firewall or in a protected DMZ.
  • Personal firewall software such as Windows Firewall or BlackICE is installed and enabled.

Train and educate

One of the best ways to get users to adhere to your wireless security policy is to make them aware of it — teach them what the policy means, along with the consequences of violating the policy. 

Educate users on what can happen when the policy is not adhered to and try to relate these issues to their everyday job tasks. For example, where a project manager is using a wireless network, describe to her how a hacker could capture detailed information about the project she’s working on, such as user lists, network diagrams, costs, and other confidential information.

If management doesn’t get user sign-off on your policies showing that they understand and agree to the terms of the policies, the policies are as good as nothing. Make sure sign-off takes place.

Also, talk to your users about how a hacker can make it look like the user actually committed the crime by spoofing the user’s address, using the user’s login information, sending e-mails on the user’s behalf, and so on. 


Keep people in the know

If you want to keep security on top of everyone’s minds, the training and awareness has to be ongoing. Keep people aware of security issues by passing out items (such as the following) with security messages on them:

  • Screen savers
  • Mouse pads
  • Pens and pencils
  • Sticky-note pads
  • Posters in the break room



Several organizations specialize in these security awareness products.

Check out

  • www.securityawareness.com
  • www.thesecurityawarenesscompany.com
  • www.greenidea.com
  • www.privacyposters.com


Your best defense is your people, so keep them in the know and make sure you put a positive spin on your security initiatives so you don’t tire them out. 



Scan for unauthorized equipment

A great way to help enforce your wireless security policy is to install a centrally managed wireless gateway or IDS system, such as the products offered from Bluesocket (www.bluesocket.com) and AirDefense (www.airdefense.net). These systems can prevent problems from the get-go through strong authentication or alerts when they detect unauthorized wireless systems, can monitor for malicious wireless behavior, and more. 

Secure your systems from the start

Another great defense against people-related security vulnerabilities on your wireless network is to prevent them in the first place. Set your users and your systems up for success. You should not only make it policy to harden wireless systems but also help users do the hands-on work if possible. Also, ongoing ethical hacks and audits (comparing what is supposed to be done according to policy to what is actually being done) are essential. This can help you make sure that wireless systems haven’t been changed back to include the insecure settings you’re trying so hard to prevent.

Social Engineering

Social engineering is a technique used by attackers to take advantage of the natural trusting nature of most human beings. Criminals often pose as an insider or other trusted person to gain information they otherwise wouldn’t be able to access. Hackers then use the information gained to further penetrate the wireless and quite possibly the wired network and do whatever they please. 

Social engineering shouldn’t be taken lightly. It can allow confidential or sensitive information to be leaked and cause irreparable harm to jobs and reputations. 

Proceed with caution and think before you act.

Social engineering is more common and easier to carry out in larger organizations, but it can happen to anyone. Testing for social-engineering exploits usually requires assuming the role of a social engineer and seeking vulnerabilities by approaching people and subtly probing them for information. If your organization is large enough that most people won't readily recognize you, carrying out the tests yourself should be pretty easy. You can claim to be a

  • Customer
  • Business partner
  • Outside consultant or auditor
  • Service technician
  • Student at a university

If there's any chance of being noticed, or if you simply don't feel comfortable doing this type of testing, you can always hire a third party to perform the tests. Just make sure you hire a trusted third party, preferably someone you've worked with before. Be sure to check references, perform criminal background checks, and have the testing approved by management up front.

Passive tests

The easiest way to start gathering information you can use during your social engineering tests is to simply search the Internet. You can use your favorite search engine to look up public information such as phone lists, organizational charts, network diagrams, and more. You can then see, from an outsider’s perspective, what public information is available that can be used as an inroad for social engineering and ultimate penetration into your network.


One of the best tools for performing this initial reconnaissance is Google.

You can also perform some more advanced Google queries that are specific to your network and hosts. Simply enter the following directly into Google’s search field to look for information that could be used against you:

  • site:<your public host name> <keywords>. Look for keywords such as wireless, address, SSID, password, and file extensions such as .xls (Excel spreadsheets), .doc (Word documents), .ppt (PowerPoint slides), .ns1 (Network Stumbler files), .vsd (Visio drawings), and .pkt (sniffer packet captures). Note that site: matches a domain or host name; searching by bare IP address rarely returns anything.
  • site:<your public host name> filetype:ns1 ns1. This searches for Network Stumbler files, which contain wireless survey data (SSIDs, BSSIDs, channels, signal levels, and encryption flags). You can perform this query with any file type, such as vsd or doc.
  • site:<your public host name> inurl:"h_wireless_11g.html" or inurl:"ShowEvents.shm". This searches for publicly accessible APs (yikes!) such as D-Link and Cisco Aironet, for wireless setup pages and event logs, respectively. You may not think your systems have such a vulnerability, but do this test; you may be surprised.

These are just a few potential Google queries you can perform manually, just to get you started. Be sure to perform these queries against all of your publicly accessible hosts. 

If you’re not sure which of your servers are publicly accessible, you can perform a ping sweep or port scan from outside your firewall to see which systems respond. (This is not foolproof because some systems don’t respond to these queries, but it’s a good place to start.)

For in-depth details on using Google as an ethical-hacking tool, check out Johnny Long’s Web site, http://johnny.ihackstuff.com.

This site has a wealth of information on using Google for advanced queries. It also includes a query database, called the Google Hacking Database (GHDB), where you can run various queries directly from the site. 

You can also use Foundstone's SiteDigger 3.0, which runs the GHDB queries against a domain you specify and reports the hits, so you don't have to type them one by one.

Active tests

You can use various methods to go about gathering information from insiders. Two simple and less in-your-face methods are e-mail and the telephone. Simply pick up the phone, make a call to the help desk or to a random user, and start asking questions. Use a phone on which your caller ID won't give away your identity, such as a phone in the reception area or break room, a pay phone, or perhaps a colleague's office. You can even use your own phone if you think your users are gullible enough or won't recognize your name or number. You can do the same with e-mail. Change your e-mail address in your e-mail client (if possible) or use an obscure Webmail account and pose as an outsider.


A common method of social engineering is to gain direct physical access to wireless clients and APs. However, the good thing (or bad thing, depending on how you look at it) about wireless networks is that physical access is not necessary.


You can also just show up in person, acting as an outsider. Whichever method you choose, your goal is to glean information from employees and other users on your network that would essentially give you the “keys” you need for gaining external access to the wireless network. This includes:

  • SSIDs
  • WEP key(s)
  • Computer and network login passwords
  • Preshared secret passphrases used by authentication systems such as WPA
  • Legitimate MAC or IP addresses used to get onto the network

You could call up your help desk or any random user, pose as a legitimate employee or business partner, and ask for wireless configuration information such as the SSID or WEP key(s). You can ask practically anyone for this information. They may

  • Know it off the top of their head
  • Have it written down and readily available
  • Let you walk them through looking the information up on their computer
  • Refer to someone else who can help

After you gather as much information as you feel comfortable gathering, you should check to see just how far you can penetrate the network as an outsider.



Unauthorized Equipment

A very common problem network administrators and security managers face is the introduction of unauthorized wireless systems onto the network. Some users — especially those who are technically savvy — don’t like to be told they can’t use wireless network technology in their workspace, so they may take the initiative to do it themselves, often in direct defiance of organizational policy.



You can even have a malicious insider or, worse, an outsider on an adjacent floor, who has set up a rogue AP for your users to connect to. This is a very simple setup for the hacker. All he has to do is set up an AP using your SSID and wait for your wireless systems to associate with it. There are also programs that automate the process of creating “fake” APs. If this occurs, hackers can capture virtually all traffic flowing to and from your wireless clients.



A more common problem is the naïve introduction of wireless systems by users who either don’t understand the security issues associated with their actions or aren’t aware of company policies. Either way, you’ve got a potential mess on your hands.



Let’s take a look at an unauthorized AP scenario. When it comes to users installing unauthorized wireless systems, here’s how it usually happens:

1. An employee, Lars, wants to be able to work on his laptop in an adjacent, more plush, cubicle. However, that cubicle doesn’t have an Ethernet network drop.



2. Lars thinks of a solution: ‘Instead of dealing with IT to get a new drop installed or asking them to come up with another solution, I can just install a wireless AP in my main work area and communicate wirelessly from my laptop to the network!’



3. Lars strolls merrily down to the local consumer electronics store during his lunch break and buys a “wireless-network-in-a-box” solution. What a deal — he can get an AP, a wireless PC Card for his laptop, and 5,000 free hours on AOL for the low price of $59.95. Subtracting the $50 in mail-in rebates, Lars has a newfound freedom from network cabling for only $9.95!



4. Lars returns to the office, unpacks his treasure, plugs the AP into the network jack in his original cubicle, and installs the wireless NIC in his laptop.



5. Lars powers up the AP, which, in typical fashion, comes up with an address that works on your network (either a factory default in a private range or one it obtains from your DHCP server). Remember, to make things convenient for the end users, no security settings are enabled out of the box: no WEP, the default SSID is broadcast, the admin password is blank. He thinks to himself, ‘Wow, who would’ve thought it’d be this easy!?’



6. Lars boots his laptop, which grabs an IP address from the AP that is running its own DHCP server, and he’s off! He’s now able to log on to your network and browse the Internet. Again, Lars can’t believe how easy this was to set up and thinks that maybe IT is his calling.



Total elapsed time: 45 minutes. Consequences of Lars’s actions: Complete and unlimited exposure of your network to the outside world.


This is a typical scenario, and it didn’t require a whole lot of know-how on Lars’s part. But some people are savvier. They know that they don’t need an AP to communicate with other wireless users directly. These peer-to-peer or ad hoc systems can be even trickier to track down because no AP is involved. 


We often hear “my users wouldn’t do that” or “I know my network,” but believe it or not, regardless of the size of the organization, this scenario happens very easily and very often.



If you’re on a limited budget and want to get a general view of wireless APs in your building, you can use a wireless laptop running Windows XP. Here’s a quick test you can run to look for unauthorized APs and wireless clients before they get the best of your network:


1. On the Windows XP desktop, right-click My Network Places and select Properties.

     The Network Connections window opens.

2. Double-click your wireless network card.

     The Status window opens.

3. Select View Wireless Networks.

    You can walk around your building to see what comes up. Unfortunately, in order for new APs to show up, you have to click Refresh Network List in the upper-left corner of the window, or simply press F5 on your keyboard. 


In a typical result, one AP shows up with the Lock icon labeled Security-enabled wireless network, and the other two (including Lars’) don’t. The one that has security enabled is using WEP encryption; the other two (including Lars’) are, well, wide open. Shame on Lars! Keep in mind that Windows shows the same lock for WEP and WPA, and WEP itself can be cracked, so the lock only tells you an AP is not wide open, not that it is secure.
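The Windows XP list is fine for a quick look, but on Linux the same walk with `iwlist <iface> scanning` gives you text you can check automatically against an inventory of the APs you actually own. The script below is an added example (not code from the original article) that parses that output and labels each cell: your authorised APs, open or factory-SSID rogues like Lars', ad hoc cells with no AP involved, and the "evil twin" case from earlier in this post, where someone beacons your SSID from a BSSID you don't own. The scan text is constructed in the wireless-tools format with made-up BSSIDs and SSIDs; the default-SSID list and the "key on but no WPA IE means WEP" rule are assumptions stated in the code.

```python
"""Classify the cells from `iwlist <iface> scanning` against your AP inventory:
authorised APs, open or default-SSID rogues, ad hoc cells, and "evil twins"
that beacon your SSID from a BSSID you don't own.

Added example, not code from the original article. SCAN_OUTPUT is constructed
in the wireless-tools text format; every BSSID and SSID in it is made up.
"""
import re

SCAN_OUTPUT = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:1A:2B:3C:4D:5E
                    Channel:6
                    Quality=70/70  Signal level=-38 dBm
                    Encryption key:on
                    ESSID:"corpnet"
                    Mode:Master
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 00:14:BF:11:22:33
                    Channel:11
                    Quality=52/70  Signal level=-58 dBm
                    Encryption key:off
                    ESSID:"linksys"
                    Mode:Master
          Cell 03 - Address: 02:DE:AD:BE:EF:01
                    Channel:6
                    Quality=66/70  Signal level=-44 dBm
                    Encryption key:on
                    ESSID:"corpnet"
                    Mode:Master
          Cell 04 - Address: 00:0C:41:44:55:66
                    Channel:1
                    Quality=30/70  Signal level=-79 dBm
                    Encryption key:on
                    ESSID:"CoffeeShop"
                    Mode:Master
                    IE: WPA Version 1
          Cell 05 - Address: 02:AB:CD:EF:12:34
                    Channel:10
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:off
                    ESSID:"lars-laptop"
                    Mode:Ad-Hoc
"""

# Factory SSIDs commonly left in place (assumed list, lower-cased for matching).
COMMON_DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "tsunami", "wlan"}


def parse_iwlist_scan(text):
    # One dict per cell: bssid, essid, channel, level_dbm, mode, encryption.
    cells = []
    for block in re.split(r"\n\s+Cell \d+ - ", "\n" + text)[1:]:
        addr = re.match(r"Address:\s*([0-9A-Fa-f:]{17})", block)
        essid = re.search(r'ESSID:"(.*)"', block)
        chan = re.search(r"Channel:(\d+)", block)
        level = re.search(r"Signal level[=:](-?\d+)\s*dBm", block)
        mode = re.search(r"Mode:(\S+)", block)
        key_on = re.search(r"Encryption key:on", block) is not None
        # Assumption: key on with no WPA/WPA2 IE printed means WEP.
        enc = ("open" if not key_on else "WPA2" if "WPA2" in block
               else "WPA" if "WPA" in block else "WEP")
        cells.append({
            "bssid": addr.group(1).lower() if addr else None,
            "essid": essid.group(1) if essid else "",
            "channel": int(chan.group(1)) if chan else None,
            "level_dbm": int(level.group(1)) if level else None,
            "mode": mode.group(1) if mode else "",
            "encryption": enc,
        })
    return cells


def classify(cells, authorised_bssids, our_ssids):
    """Label each cell; returns {bssid: label}."""
    authorised = {b.lower() for b in authorised_bssids}
    labels = {}
    for c in cells:
        if c["bssid"] in authorised:
            label = "authorised"
        elif c["mode"] == "Ad-Hoc":
            label = "ad-hoc"           # peer-to-peer cell, no AP involved
        elif c["essid"] in our_ssids:
            label = "evil-twin"        # our SSID from a BSSID we don't own
        elif c["encryption"] == "open" or c["essid"].lower() in COMMON_DEFAULT_SSIDS:
            label = "rogue-candidate"  # open and/or still on its factory SSID
        else:
            label = "neighbour"
        labels[c["bssid"]] = label
    return labels


AUTHORISED_BSSIDS = ["00:1A:2B:3C:4D:5E"]
OUR_SSIDS = {"corpnet"}

if __name__ == "__main__":
    for bssid, label in classify(parse_iwlist_scan(SCAN_OUTPUT), AUTHORISED_BSSIDS, OUR_SSIDS).items():
        print(bssid, label)
```

Pipe a real scan in with `iwlist wlan0 scanning > scan.txt` and feed the file to `parse_iwlist_scan`. Two caveats: a scan only sees APs that are beaconing at that moment and within range of where you stand, and an AP with SSID broadcast disabled shows up with an empty ESSID, so an empty ESSID on an unknown BSSID deserves a second look rather than a "neighbour" label.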

Default Settings

An unbelievable number of APs are deployed with the default settings still intact, including, for example:

  • IP addresses
  • SSIDs
  • Broadcasting of SSIDs
  • Admin passwords
  • Remote management enabled
  • Full power settings
  • Use of omnidirectional antennas that come standard on most APs
  • No MAC-address filtering
  • WEP turned off



Hackers know they can download the documentation for practically any 802.11-based wireless network right off the Internet. This documentation often reveals many of the default settings in use. In addition, several independent Internet sites list default settings, including:

  • www.cirt.net/cgi-bin/passwd.pl
  • www.phenoelit.de/dpl/dpl.html
  • http://new.remote-exploit.org/index.php/Wlan_defaults
  • www.thetechfirm.com/wireless/ssids.htm



If you want to see if your users or any of the systems you’ve set up are using vulnerable default settings, you can perform some basic tests with the information you’ve gathered, including

  • Connecting to APs by using their default SSIDs
  • Remotely connecting to the default admin port
  • Spoofing MAC addresses

Ignoring the Issues

We’re heading toward a wireless world in which we’ll have as much wireless traffic as wired traffic, if not more. The demand for “anywhere all-the-time” wireless network access, from the boardroom to the coffee shop, is continually growing. The bad thing is that many wireless networks are being deployed without concern for the big picture. The long-term consequences of insecurely implementing wireless systems are being ignored from the get-go.


One of the best things IT professionals can do is to consider security at the ground level before installing any type of system. If wireless networks are put in place with security in mind, it’s much easier to make security changes long-term.


Most users, many business executives, and even some administrators ignore warnings that 802.11-based wireless networks are inherently insecure. By now, anyone watching television, reading the paper, or even reading their wireless network user’s guide should know that simply connecting a wireless AP to the network without enabling any of the basic security features can have a negative impact on information privacy and security. However, as we often see, the desire for unlimited wireless connectivity usually outweighs any potential risks.



In the ongoing battle of security versus convenience and usability, what’s secure is often not convenient or very usable for the user, and what’s convenient, feature-rich, and user-friendly is often not secure. This mindset is what leads to many wireless network exploits.


Hotspots are now all the rage. Everyone wants connectivity and ease of use, and security is often pushed aside. What most users don’t realize is just how insecure their computers and data are when they connect to an unsecured wireless network. Many people just connect to whatever AP is available, especially if they’re out of the office, without thinking about the consequences.


Making matters worse, newer, more “user-friendly” operating systems such as Windows XP make wireless network connection even more dangerous because the computer automatically connects to the first wireless network it sees — yours, theirs, or someone else’s.


Not all users make the wireless security mistakes we speak of. However, the general tendency is to get things up and running as quickly as possible, overlooking what really needs to be done to secure 802.11-based networks.


The only way to fix this problem is to change the mindset of general computer users, and that means educating users about security vulnerabilities that they might not even realize.

What Can Happen (If you are not secure)

New wireless vulnerabilities come and go, and securing against unknown threats and vulnerabilities is very difficult. However, one thing’s for sure: When the human element is introduced into information systems (and when is it not?), vulnerabilities start popping up everywhere and often remain indefinitely.

The big picture must not be forgotten. In fact, securing the technical piece is pretty easy — it’s securing the human element that takes more time and effort.

Remember that both types of security must be accounted for. Otherwise, you’re running a partially secured wireless network that can provide only limited information security.

What sorts of things can happen when human vulnerabilities are ignored?

Well, for starters, things like this:

  • Managers and network administrators deploy wireless network connectivity just because it’s the latest and greatest technology, or to appease users who think it would be neat to have, all without considering the security issues or consequences involved with their actions.
  • Social engineers work their way into your building or computer room.
  • Users install APs for the sake of convenience and end up bypassing security controls, extending your network, and letting in unauthorized users without your knowledge.
  • Hackers or malicious insiders exploit physical security weaknesses, leading to theft, reconfiguration of APs, cracking of WEP keys, and more.
  • Network administrators and security managers deploy wireless networks with security requirements that are too stringent, which leads to users ignoring policies and bypassing controls any chance they get.

The possibilities are limitless.