Doug Bryant

Tech thoughts and notes

OCON2005 - the Latest and Craftiest Attacks and Penetration Techniques and Tools

by Nitesh Dhanjani

Closed source tools are not good for monitoring your own networks. They often give false positives, and there is no way to verify whether a positive is correct or not.

  • Methodology
  • Finding vulnerabilities using Google.com
  • Using the Nessus framework
  • Web application vulnerabilities
  • Other useful AP tools

Attack and penetration methodology

  • Discovery (whois, traceroute, search engines, etc)
  • Scanning (ping sweeping, port scanning – find the live computers and scan)
  • Enumeration (service identification, banner grabbing)
  • Exploiting known vulnerabilities (research on internet)
  • Installing rootkits/cleaning logs (Adore on Linux)

Googling for Vulnerabilities

  • Find private information that has inadvertently been made public
  • Stealth: find info on google – does not tell site you are looking at them (especially w/ google cache)
  • looking for patterns /*/admin
  • looking for error messages
  • Find VNC desktops: “VNC Desktop” inurl:5800 – no username – only passwords – use password generators to crack
  • Webcams – /view/view.shtml axis /ViewerFrame?Mode=Motion /home/homeJ.html sample/LvAppl/ etc

Go to oreilly.net and search for his name for an article on how to do this.

The Nessus Framework

  • Automated vulnerability scanner
  • Open source
  • Client Server Arch
  • Extend (write plugins) using NASL (Nessus Attack Scripting Language)

Writing a simple NASL Plugin
Web application serves /src/passwd.inc

This file contains usernames and passwords.

The plugin will scan for this vulnerability and report it as a security hole (severe).
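    # Description block: run when the scanner only asks for plugin metadata.
    if (description)
    {
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
      script_copyright(english:"foo bar baz");
      exit(0);
    }

    # Check block: run against the target web server.
    include("http_func.inc");
    port = get_http_port(default:80);
    if (… vulnerability …)
    {
      security_hole(port);   # report it
    }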

SQL Injection

Causes: dynamic SQL and lack of input validation.

The author's preference for SQL injection prevention is stored procedures.

There is also blind SQL injection, which does not rely on verbose SQL error messages to attempt to fetch database data. Check out Absinthe ( http://0x90.org/ )

Cross Site Scripting (XSS)

  • Occurs when a web application does not HTML-encode user-supplied data on output
  • Example: http://example.com/cgi-bin/welcome?cgi?text=<script>alert(document.cookie);</script>
  • Replace the above example with any JS code (steal cookies, hijack user sessions)
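
The failure described above, which is also what the Update at the end of this post ran into, as an added example (not code from the talk or from the blog engine): a handler that echoes the text parameter as-is next to one that output-encodes it, plus a check usable as a regression test. The /cgi-bin/welcome?text= URL, the function names and the page template are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample request, modelled on the example URL in the notes.
PAYLOAD = "<script>alert(document.cookie);</script>"
SAMPLE_URL = "http://example.com/cgi-bin/welcome?text=" + quote(PAYLOAD)

TEMPLATE = "<html><body><h1>Welcome {}</h1></body></html>"
MARKUP_CHARS = "<>&\"'"


def get_text(url):
    """Return the URL-decoded, user-supplied 'text' query parameter."""
    return parse_qs(urlsplit(url).query).get("text", [""])[0]


def render_vulnerable(text):
    # The flaw: user data is placed in the page as-is, so the browser
    # parses it as markup and runs any script it contains.
    return TEMPLATE.format(text)


def render_encoded(text):
    # Output encoding: < > & " ' become entities, so the browser
    # displays the characters instead of interpreting them.
    return TEMPLATE.format(html.escape(text, quote=True))


def reflected_unencoded(body, text):
    """True if input containing markup characters is echoed verbatim."""
    return any(c in text for c in MARKUP_CHARS) and text in body


if __name__ == "__main__":
    text = get_text(SAMPLE_URL)
    for render in (render_vulnerable, render_encoded):
        body = render(text)
        print(render.__name__, "unencoded reflection:",
              reflected_unencoded(body, text))
        print(" ", body)
```

The `reflected_unencoded` check can be pointed at any response body your own application returns for a known probe string.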

Burp Proxy

  • Java based HTTP web proxy
  • Alter http GET and POST requests on the fly
  • get it from http://

Other tools -

  • Metasploit (point, click, root): framework for developing and testing exploit code – http://metasploit.com
  • Wikto: automated Google and web server vulnerability scanning (and much more) – http://sensepost.com/research/wikto/
  • Ettercap Network MITM attacks, content filtering, sniffing, etc http://ettercap.sourceforge.net/
  • Whax – live linux distro – Most AP tools/exploits included – http://iwhax.{com/net/org}?
  • A good book is Network Security Tools – O’Reilly

Update: Doh! Guess what – Typo does not escape the content of a blog post. So when I posted the straight text, I started getting JavaScript popups with my session id and name from the above JavaScript code – updated to escape with lt gt symbols.