Xtreme Web Hacking with Akash and Riyaz

All set to take you through the journey of one of the best hacking times I have had, with two of the most prestigious hackers. Before I start, everyone must know these two wonders of the cyber world: Akash Mahajan (aka @makash) and Riyaz Walikar (aka @riyazwalikar). As the title of the course suggests, they are “Xtreme Web Hackers”. I will refer to them as “Masters” from here on, as that is what they are. They know how to break web applications in the most efficient manner because they know how to build them. Once you know the fundamentals of building things, you can easily find ways of breaking them. That is their secret, in my view. Sorry, but I have to stop here, otherwise I would need to write another blog to describe these two legends of the cyber world.
Coming back to the course, it was not just a normal two-day workshop with a bunch of slides to go through and forget about. It all started with building a war room to embark on the journey towards Xtreme web hacking. When I say war room, it was not just machines but men as well, and supermen at that 😉, with their strategy to break in.

Training Motto: As they say, “War games are the best way to learn hacking” and “A story can put the whole brain to work”. This was reflected in their two-day workshop.

Lab setup:
1) Target web app Machine
2) Intermediate target for lateral movement
3) Offender’s League setup
4) And of course, most important, the offensive strategy

XWH journey:

Day I: It all started with setting up the lab infrastructure, the most important part of the journey, including installing virtual machines, configuring the virtual network, testing connectivity, and being ready with your observation book to note each and every observation during the journey.
The whole two-day journey went by our Masters’ words, or we can say their strategy, to put our brains on wheels by narrating, executing and involving everyone in the story woven by them.
It all starts with the target given to you for penetration, which is of course a web application. It was our turn to wear the devil’s hat and start breaking into the application, but remember we had two Masters along, directing our force to exactly where we should go. We started by performing DNS recon on our target domain to get an idea of the different web applications it was running. We proceeded to finding a SQL injection vulnerability on our target for hunting sensitive data from the database, but this was done manually and not with any automated tool, particularly to make you understand the basics of hacking along with the application’s behaviour. The next step was to get admin access to the web application and try to execute arbitrary code on the server to achieve our goal. Moving forward, we started on another target which we had found during the initial DNS recon. Through the next course of actions we learned abusing PHP wrappers, using LFI, attacking serialization, using hash functions, bit padding, and executing the final exploit. We reached our final target for Day 1, where we learnt more on XSS, SOP, CORS headers, setting up an XSS payload, hosting your payload, uploading the payload, tricking the admin user into executing the payload, cookie stealing, binary stuffing and finally uploading and executing your payload using LFI. So much offensive security stuff loaded onto our minds at the end of day one. In our Masters’ language, we were drunk with hacking at the end of Day I.

Day II:
We started with our focus on moving laterally within the network to find other hidden servers which were serving internally. We used the previously collected information to hunt the internal target, with the plan of tunneling traffic to the internal network using pivoting. We tried two methods for pivoting, the pwfd script and socat. Then we created a PHP shell using meterpreter and hosted it on a Python HTTP server, followed by uploading the shell to our target using LFI. Our shell reached the target; now it was our turn to ready Metasploit and run the shell on the target. Bingo! We had an active meterpreter connection. Using this connection we started moving further into the network by tunneling traffic using pivoting. Lastly we learnt Server Side Request Forgery (SSRF) / Cross Site Port Attack (XSPA), and also learnt how Riyaz earned a bug bounty using it 😉
We declared an overflow of knowledge, but our Masters were wearing the devil’s hat and decided to take our exam in the form of a CTF where we needed to apply the knowledge of the two days. This CTF helped us in understanding web application security and the methodical sequence to apply while performing any application security assessment.

Key Learnings: As I always say, what matters is strategy rather than tools. You might know hundreds of tools, but if you don’t know when and where to apply them, everything fails.

To conclude, we learnt:
How to identify a vulnerable application
How to identify the exact vulnerability
How to use the identified vulnerabilities to exploit and gain system access
How to escalate privileges and move laterally to other systems


The Nullcon Social Engineering CTF and Team Hackster

Finally the Nullcon fever is over and I am back in the pavilion. Everyone must have settled back into their day-to-day corporate routine. Here I take the chance to write down my first ever experience of a Social Engineering Capture the Flag event, hosted at Nullcon 2016, Goa. This is not just about participating in such an event for the first time, but winning it as well.

Let me start by introducing our “Team Hackster”. We were a two-member team participating in the SECTF (Social Engineering CTF) at the Nullcon Hacker Village: myself, “Avkash Kathiriya”, and my friend “Hemang Soni” (@Galactic_Master, as he loves to call himself). We are definitely not professional penetration testers, nor are we social engineering champions. We are just infosec professionals with a few years of experience.

Coming back to the SECTF, it was all about expecting the unexpected. The contest was well conceptualized to be a realistic con event that makes you think like a conman and brings out every little devil inside you. All kudos to Neelu Tripathy (aka br3ckp0int), the mastermind of the SECTF. Rules were explained, targets were given, and each team was eagerly waiting to hunt their target with their social engineering skills. Each team was given 30 minutes to capture the flags with all possible tools, but without launching any offensive test against the target company. Teams could collect phone numbers for their social engineering target within the given time, but we were not supposed to call them ourselves. Instead, each team had to call the target in the presence of a SECTF volunteer, in a separate soundproof room, using voice internet callers.


Targets:

We were really surprised when handed the target details, as the targets were good choices for the CTF: there were no dummy targets to hunt, and each team was given a unique real company to target.

Flags:

There were 20 flags to be captured. The flags were mainly categorized as below.

  • TECH
  • General
  • Physical pen-test

Each flag had a unique id for reporting. As one can figure out from the type of information we needed to gather, each flag was a valuable information asset for any company. Looking at the flags, I was of the opinion that if one got hold of this information it could fetch a lot of value. In my view the flags were designed to collect information from the target company linked to each phase of the Cyber Kill Chain, information which could be used to launch targeted attacks. Everything from techie stuff like operating system details, PDF reader version details, mail client details, etc. to general details like domain names and email ids was covered.

Here we go hunting!

Ok, here is the time to get our hands dirty.

As a team our strategy was clear: break the flag list into two parts, Man vs Machine. One team member focused on using machine tools to capture technical details, and the other focused on the available social media platforms to target humans with social engineering tactics. We went ahead with DNS dumping to capture all domain details and the public IP range, and then identified company-owned domains. Getting valid company email ids was easy with the help of information-rich social platforms and hunting for employees of the target company. Job postings by the company were the richest source of information in terms of the technologies used by the company and the people structure within it. Our efforts with techie tools to sift through the company’s details helped us capture most of the flags. Now the time had come to use humans to get our remaining flags and to confirm the information we had already gathered online. Our simple hunt was to identify the technical staff of the company and get their contact details to call. Thanks to social networking sites like LinkedIn and Facebook, and to Google, we got the contact details of our target, background research on the target company and background research on our target human. We had planned to target human ambition by offering a more lucrative and ambitious job to the human target we identified, in return for the flags we were hunting for. The call placed to our identified target was live and was relayed to the main room for the whole audience to listen to. Care was taken not to disclose the real targets, to ensure the safety of the person receiving the call and of the company itself. Bang on, social engineering once more proved its mettle. All your technology investment goes for a toss in a matter of time if the people behind it are not security aware. Before securing any technology, one must secure human knowledge.

Tools Used:

  • Google Dorks
  • Social Engineering platforms like Facebook, LinkedIn, Twitter
  • Job portals
  • DNS dumping tools
  • OSINT

The conclusion we were able to draw was that the information we found through passive searching was the actual information the company leaks, building an easy case for an attacker to mount a targeted attack. Finally, we documented all the flags along with all the required evidence collected, attached screenshots wherever required, and submitted in the format shared by the CTF team. Mainly we were able to get details like the operating system, antivirus, security technologies implemented, headquarters landmark, etc. of the target company through the call. Although the targets were real, all rounds were carried out in a controlled environment to ensure safety.

Overall it was fun, along with some scary truths about social engineering. I hope to see many such events happening in India in the near future. Special thanks to Nullcon for encouraging such events.

POODLE Uncovered.

Three researchers from Google published findings about a vulnerability in SSL 3.0, a cryptographic protocol designed to provide secure communication over the internet. Although SSL 3.0 is nearly 15 years old, it is still widely supported, including by browsers, VPNs, and email clients.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is the attack that exploits this vulnerability. An attacker who can alter communications between the SSL client and the server (a man-in-the-middle, or MITM) uses the server’s handling of CBC padding as an oracle and recovers plaintext, typically a session cookie, one byte at a time over many requests. The “Downgraded” in the name matters: even a client that prefers TLS can be pushed down to SSL 3.0 by an attacker who breaks the TLS handshakes, as long as both sides still allow SSL 3.0 as a fallback. Successful exploitation exposes data encrypted between an SSL 3.0 compatible client and an SSL 3.0 compatible server. Overall, the issue is relatively difficult to exploit, but you are going to want to address it quickly.

All implementations of SSL 3.0 are affected, because the weakness is in the protocol itself: SSL 3.0 does not require the receiver to verify the content of CBC padding bytes. The vulnerability does not affect the newer protocol, Transport Layer Security (TLS), which does require that check.

Additional notes on exploitability:

  • If SSL 3.0 is disabled in the web browser (the client), the issue is not exploitable.
  • If SSL 3.0 is disabled on the server, the issue is not exploitable.
  • Either side is enough: the downgrade only works when both ends still agree to speak SSL 3.0. Disabling SSL 2.0 at the same time is good hygiene, but it is not what stops POODLE.


Recommendations:

  • Disable SSL 3.0 on all clients and servers. Where a client must keep a fallback for a legacy peer, support TLS_FALLBACK_SCSV on both sides so that an attacker-induced downgrade is detected and rejected.
  • Keep tabs on traffic logs for SSL 3.0 communication and have an impact analysis done.
  • Track your IPS vendor for POODLE exploit signatures and apply them as soon as they arrive.
  • To track POODLE in the SIEM, create a rule matching the IPS POODLE signature.
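The first recommendation is only done when nothing answers an SSL 3.0 handshake any more, so it is worth verifying from the outside. The probe below is an added example, not part of the original post: it hand-builds an SSL 3.0 ClientHello offering only CBC suites (the ones POODLE needs) and classifies the first record the server sends back. It speaks the record layer directly because current OpenSSL builds, and therefore Python’s `ssl` module, usually have SSL 3.0 compiled out. Suite and alert names are the standard ones; the host name passed on the command line is whatever you are checking.

```python
"""Probe whether a server will still complete an SSL 3.0 handshake.

That is the precondition for POODLE: a connection can only be downgraded to
SSL 3.0 if the server (and client) still accept it.  The probe sends a minimal
SSLv3 ClientHello with no TLS extensions and looks at the first record that
comes back.  A ServerHello carrying version 0x0300 means SSL 3.0 is enabled; an
alert (typically protocol_version or handshake_failure) means it is refused.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"            # ProtocolVersion {3, 0}
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# CBC suites that every SSL 3.0 stack of the era offered.  No RC4 on purpose:
# POODLE is a CBC padding oracle, so a server that only answers with RC4 is not
# exposed to it even though it still speaks SSL 3.0.
CBC_SUITES = {
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(client_random=None):
    """Return one SSLv3 record carrying a minimal ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", suite) for suite in CBC_SUITES)
    body = (
        SSLV3                                          # client_version
        + client_random                                # 32-byte random
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", len(suites)) + suites      # cipher_suites
        + b"\x01\x00"                                  # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sent to ('accepted'|'refused'|'unknown', detail)."""
    if len(data) < 5:
        return "unknown", "no record received"
    content_type = data[0]
    if content_type == CONTENT_ALERT and len(data) >= 7:
        description = data[6]                          # byte 5 is the alert level
        return "refused", "alert %d (%s)" % (description, ALERT_NAMES.get(description, "alert"))
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        server_version = data[9:11]
        if server_version != SSLV3:
            return "refused", "server chose version %02x%02x" % tuple(server_version)
        # record header (5) + handshake header (4) + version (2) + random (32) = 43
        if len(data) < 44:
            return "unknown", "truncated ServerHello"
        session_id_len = data[43]
        suite_offset = 44 + session_id_len
        if len(data) < suite_offset + 2:
            return "unknown", "truncated ServerHello"
        suite = struct.unpack("!H", data[suite_offset:suite_offset + 2])[0]
        return "accepted", "%s (0x%04x)" % (CBC_SUITES.get(suite, "unknown suite"), suite)
    return "unknown", "unexpected record type 0x%02x" % content_type


def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello, and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict, detail = probe(target)
    print("%s: SSLv3 %s, %s" % (target, verdict, detail))
```

A server that simply closes the connection without sending anything is reported as “unknown” rather than “refused”, because a dropped connection can also be a firewall or a timeout; re-run it once before trusting that result. Run the probe against every listener that terminates TLS (load balancers, mail servers, VPN concentrators), not just the main web site.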

I request all members to share their experience and the measures they have taken to tackle POODLE.

Vulnerability Alert: CVE-2014-6271 – Remote Exploitation of Bash

By the time I am writing this, you might have heard about the Linux Bash shell flaw CVE-2014-6271, also known as the “bash bug” or “Shellshock”.
Experts say this 20-year-old vulnerability in the Bash shell, found in Unix-based operating systems including Linux and Mac OS, could lead to a dangerous worm outbreak unlike anything seen in more than a decade. The mechanism is simple: bash imports shell functions from environment variables whose value starts with “() {”, and the vulnerable parser keeps executing whatever follows the function body. Anything that puts attacker-controlled data into the environment of a bash process, such as CGI scripts behind a web server, becomes a remote code execution path.

New packages were released, but further investigation made it clear that the patched version may still be exploitable, and at the very least can be crashed through a null pointer dereference. The incomplete fix is tracked as CVE-2014-7169.

US-CERT has rated the flaw’s severity as a 10, the highest possible score under the Common Vulnerability Scoring System (CVSS), because it is so easily exploited: the bug can be triggered remotely without any form of authentication.

What is the immediate step for me?

The most straightforward answer is to deploy the patches that have been released ASAP. Even though the fix for CVE-2014-6271 is not complete, the patched packages are more complicated to exploit. Expect new packages addressing CVE-2014-7169 in the near future. If you have systems that cannot be patched (for example systems that are End-of-Life), it is critical that they are protected behind a firewall, and you should test that the firewall actually blocks the paths that reach bash, web-exposed CGI being the usual one.

Meanwhile, have your vulnerability management team scan your systems for the available vulnerabilities and pentest them against the exploits available.
Most vulnerability management vendors have already released updates for the vulnerability, so make sure your vulnerability database is up to date.

And of course, the first thing one should not miss is checking your vulnerability management system itself for the Bash shell vulnerability. 😉
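Scanner coverage lags the patches, so the fastest way to know where a host stands is to ask its own bash. The script below is an added example and not part of the original post; it runs the two well-known local checks for CVE-2014-6271 and for the incomplete fix tracked as CVE-2014-7169, each in an otherwise empty environment. The marker strings and the temporary working directory are choices made here for the example.

```python
"""Local checks for CVE-2014-6271 and CVE-2014-7169.

bash imports shell functions from environment variables whose value starts
with "() {".  The original bug (6271) is that the parser kept executing
whatever followed the function body; the incomplete first fix (7169) still let
a malformed definition leak a redirection into the next command.  Both checks
run bash with one crafted variable and read the result; nothing is written
outside a temporary directory.
"""
import os
import shutil
import subprocess
import tempfile


def _run_bash(extra_env, command, cwd=None):
    """Run `bash -c command` with only PATH plus the crafted variable(s) set."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **extra_env}
    return subprocess.run([bash, "-c", command], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def check_cve_2014_6271():
    """A vulnerable bash runs `echo SHELLSHOCK` while importing the variable,
    before it ever reaches the -c command; a patched bash only prints `probe`
    (and warns on stderr that it ignored the function definition)."""
    result = _run_bash({"x": "() { :;}; echo SHELLSHOCK"}, "echo probe")
    if result is None:
        return "bash not found"
    return "vulnerable" if "SHELLSHOCK" in result.stdout else "not vulnerable"


def check_cve_2014_7169():
    """On a bash carrying only the first fix, the trailing `>\\` of the broken
    function definition is carried into the next parse, so `echo date` runs as
    `date` with its output redirected into a file named `echo`.  The presence of
    that file in the scratch directory is the verdict."""
    with tempfile.TemporaryDirectory() as workdir:
        result = _run_bash({"X": "() { (a)=>\\"}, "echo date", cwd=workdir)
        if result is None:
            return "bash not found"
        leaked = os.path.exists(os.path.join(workdir, "echo"))
    return "vulnerable" if leaked else "not vulnerable"


def report():
    """Return both verdicts keyed by CVE id."""
    return {
        "CVE-2014-6271": check_cve_2014_6271(),
        "CVE-2014-7169": check_cve_2014_7169(),
    }


if __name__ == "__main__":
    for cve, verdict in report().items():
        print(cve, verdict)
```

Run it as the user the exposed service runs as, on the exact host in question: a fleet can easily carry one appliance whose bundled bash was never rebuilt, and that is precisely the kind of box the post’s last point is about.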

It’s Facebook Again….

“The more you are Popular, more chances of YOU getting HACKED“…

The same might be the case with Facebook: a significant new security vulnerability has been uncovered in the Facebook SDK which allows an attacker to access a user’s Facebook account through session hijacking, on the strength of the access token being used.

Generally, when we log in to many web apps, we use Facebook as our key source to log in and get access. When we do, the web app never sees the Facebook password; Facebook issues the app an access token that stands in for the login, and that token is passed between the app and a third-party server. This vulnerability allows an attacker to steal a user’s access token and use it to log in to the account, steal information, and post anything on the user’s behalf.


See the image below, where one of the web apps has the option to log in using a Facebook account; this is where the attacker comes into the picture, stealing your token and eventually getting access to your FB account.

FB Login

Security researchers at MetaIntell uncovered this Facebook vulnerability. “MetaIntell discovered the vulnerability in May 2014 and Tamir and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. The vulnerability along with MetaIntell’s research findings was reported to Facebook within two weeks of its initial discovery,” MetaIntell confirmed in its press release.

How to be on safer side:

If you have ever used your FB credentials to log in to web apps, there is a chance that a third party can exploit your token. The safer practice at this time is to revoke those web applications’ access from your Facebook account settings. Another option is to change your Facebook password immediately, which invalidates the access tokens already issued to apps.