Hidden Scans - Using Side Channels to Map Targets

Using idle scanning can reveal sensitive configuration information about targets via a side channel. Not only can this type of scan show services that might otherwise be invisible, it is also completely passive. This means that the target of the scan will never observe traffic from the actual source of the scans. Only the idle host will be aware of any contact with the scanning machine. This can allow attackers to perform reconnaissance to either perform a completely hidden scan, for instance by using an idle zombie in a third party organization making it extremely difficult to trace the origin of the scan, or to map trust relationships in an organization by using a zombie target within the target organization.

Using the Nikto Web Application Vulnerability Scanner

Nikto is an extremely popular web application vulnerability scanner. Web application vulnerability scanners are designed to examine a web server to find security issues. Identifying security problems proactively, and fixing them, is an important step towards ensuring the security of your web servers. Nikto checks for a number of dangerous conditions and vulnerable software. Running Nikto on a regular basis will ensure that you identify common problems in your web server or web applications. Because most web servers host a number of web applications, with new software deployed over time, it is a good idea to run a scanner like Nikto against your servers on a routine basis.

Using Metasploit for Security Defense

Metasploit is a well known penetration testing tool that can be used quite effectively to test new exploits and plan defensive strategies. Using Java run time exploits is a perfect example. Metasploit allows defensive practitioners to test exploits and evaluate mitigations in a controlled environment to make well reasoned and grounded recommendations for mitigation to 0 day vulnerabilities.

Using ClamAV to Prevent Malware and Data Loss

Maximizing the use of existing resources and bundling capabilities is becoming an increasingly common trend in information security. Using the applications and data sources that you have to their fullest capabilities and trying to limit the number of applications deployed in support of an information security program streamlines processes, reduces complexity and overhead, lowers cost, and ensures maximum return on investment for existing solutions. This concept can be extended to many products, from desktop security suites to log management software.

SSHatter 1.0

SSHatter is a Perl based tool for brute force guessing SSH login credentials. Since I last wrote about SSHatter several new versions have been released. The latest version is 1.0 which has several improvements, but which still suffers from a few bugs.

Combating XSS with HTMLPurifier

Cross site scripting (XSS) is a pervasive problem facing web applications these days. In a typical cross site scripting attack an attacker will utilize a portion of a web application to supply data that will result in the rendering of malicious HTML or JavaScript to other users. Many developers ask how to prevent XSS vulnerabilities in their applications quickly and easily. The simplest answer is to never trust user supplied data.

Mallory is More than a Proxy

Raj Umadas and Mike Zusman of Intrepidus Group gave an amazing talk on Mallory last night at the Philadelphia OWASP chapter meeting. At first glance Mallory seems like a simple tool, just a proxy application that sits on the wire. Closer inspection, however, reveals that Mallory offers functionality above and beyond traditional tools for packet inspection. Mallory looks like an exceptional tool that could be a valuable part of any software security assessor's toolkit.

Hydra Brute Force Utility

Hydra is a powerful, multi-protocol brute force attack tool. Brute force attacks involve guessing authentication credentials in an attempt to gain access to a system. Brute force is, over time, the most successful way to break simple authentication. The main disadvantages of brute force attacks are the time required to try username and password combinations, and the fact that these types of attacks are extremely noisy. Noise, in this instance, means that brute force attacks generate a lot of traffic, and potentially quite a bit of evidence of the attack. It is even possible to perform a denial of service attack using brute force tools. By attempting authentication repetitively over periods of time it may be possible to tie up system resources to such an extent that legitimate users cannot access the resource.

Monitoring Drupal with OSSEC

Drupal 6 provides the syslog module by default which allows Drupal to write some log entries directly to the system log. OSSEC open source host based intrusion detection system is a perfect system for monitoring events in a system log. By implementing a custom decoder and a few rules you can easily modify your OSSEC installation to monitor your Drupal site for common attacks, including brute force attacks or other malicious activity.

OSSEC HIDS 1.6 Released

On September 1, OSSEC announced the release of the latest version of the OSSEC-HIDS tool (version 1.6).

OWASP Releases DirBuster 0.11.1

Two days ago OWASP announced the release of a new version of their DirBuster tool. DirBuster is a Java based web application scanner. Basically you give it a host and it scans that host for directories on the host. DirBuster can utilize a list of directories and files or it can brute force them. DirBuster is nice because it can find files directories that might not be directly linked to. This can be used to expose information on the host that you might not find otherwise. DirBuster will also parse the HTML of files that it does discover, allowing it to follow links present in discoverable files as well. You can find more information about DirBuster at the OWASP site at https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.

OSSEC Intrustion Detection System

OSSEC is an open source host based intrusion detection system (IDS). An IDS is one of the most important tools available to a security administrator. As a host based IDS (or HIDS), OSSEC is uniquely advantaged to monitor activity from the server side. Although a network based IDS may be able to spot malicious traffic and identify attacks based on traffic, a HIDS can look directly at log files and system behavior to spot oddities such as successful brute force attacks or evidence of rootkit installation.

botHunter Released

I've been reading about botHunter, which is a recently announced free bot net detection utility. botHunter is a new system designed by researchers at the Georgia Institute of Technology and the Computer Science Laboratory of SRI International. It is an interesting approach to detecting bot infection in local networks. Designed to be deployed at the perimeter of a network, botHunter looks for patterns in dialogues between computers in search of well known sequences that indicate bot activity. Whereas typical bot detection is carried out by virus/worm detection tools like host based virus scanners and network intrusion detection tools using signature analysis, botHunter uses an analysis distributed over time rather than packets or files. The main advantage of botHunter, as I see it, is that it can extremely accurately identify hosts that conform to it's predefined behavior patterns.

PHP Malware C99 Shell

The c99 shell is a somewhat notorious piece of PHP malware. C99 shell is often uploaded to a compromised web application to provide an interface to an attacker. The c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands on the server as the account under which PHP is running.

Using and Extending Kojoney SSH Honeypot

Kojoney (http://kojoney.sourceforge.net/) is a wonderful low interaction SSH honeypot written in Python. Honeypots are systems that are set up in a deliberately vulnerable state in order to capture and observe intruder behaviour. For more information about honeypots see the excellent HoneyNet Project (http://www.honeynet.org/). There are many reasons to run a honeypot, but for the purposes of this discussion we will assume that you want to run a honeypot to observe post compromise behavior in order to fingerprint patterns. This is useful because you can use fingerprints to set up alerting or protective mechanisms that can detect compromise quickly and aid in response. For instance, running a honeypot you might discover that most attackers, after compromising an apache web server, attempt to write a file into the /tmp directory. You can use this information to set up monitoring of the /tmp directory, and alert administrators whenever apache writes new files into /tmp. This can tip off systems administrators to a possible compromise, by alerting them that there is behavior occurring on their system that typically corresponds to post compromise attacker behavior.

Defending Web Applications with PHPIDS

PHPIDS (http://php-ids.org) is a very intriguing project that mimics the functionality of much more involved intrusion detection systems. PHPIDS is written entirely in PHP, so it should be supported by almost any platform that supports PHP applications, although PHP version 5.1.2 or greater is required. PHPIDS also requires SimpleXML support and PDO in order to facilitate database interaction. Because PHPIDS is written in the same language as applications it is designed to defend installation is eased considerably. Chances are that if your PHP application is running you can install PHPIDS.

OSSEC Version 2.0 Released

OSSEC is an open source host based intrusion detection system (IDS). An IDS is one of the most important tools available to a security administrator. As a host based IDS (or HIDS), OSSEC is uniquely advantaged to monitor activity from the server side. Although a network based IDS may be able to spot malicious traffic and identify attacks based on traffic, a HIDS can look directly at log files and system behavior to spot oddities such as successful brute force attacks or evidence of rootkit installation. On February 27th, 2009 OSSEC announced the release of the much anticipated version 2.0. OSSEC fills a critical niche in any Linux security plan. OSSEC provides file integrity checking, so it can spot rootkits, in addition to real time log analysis. OSSEC can alert you to suspicious behavior and can even be configured to actively respond to threats.

Using SQLMap for Automated Vulnerability Assessment

Vulnerability assessors and code auditors are often faced with situations where a large volume of code needs to be audited quickly to enable a deployment. In these situations large web applications need to be reviewed in a fast and efficient manner. Although a code level analysis is often the most effective way to analyse the security of an application it is a time consuming process and not all practical.

Using Paros for Web Application Auditing and Debugging

Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging. Although Paros is well known in the web application security circles, it is less known in general web development circles. In this article I'll go over some of the great uses from Paros that cross over both realms. Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for.

Samurai Web Testing Framework

Live CD's for penetration testing are becoming more prevalent these days, with a wider diversity of offerings. Live CD's allow testers the ability to run pre configured tools from operating systems they might not otherwise have easy access to. A live CD comes with a full operating system and several tools already installed on them. The Samurai Web Testing Framework is a bootable Linux CD that contains numerous tools specifically designed for web application penetration testing and vulnerability assessment.

Free AntiVirus for Windows

ClamWin is one of several free antivirus programs availabe for Windows. What makes ClamWin unique is that it is GPL software. This means that it is free, and open source. ClamWin runs in your system tray, and can perform regularly scheduled system scans in addition to scanning Microsoft Outlook e-mail, and allowing you to right click any file and select 'Scan with ClamWin Free Antivirus'.

Installing Nikto on Windows

Nikto is a fast, extensible, free open source web scanner written in Perl. Nikto is great for running automated scans of web servers and application. Because Nikto relies on OpenSSL it is most easily installed and run on a Linux platform. The following tutorial will show you the many convoluted steps needed to install Nikto on Windows XP.

botHunter Released

I've been reading about botHunter, which is a recently announced free bot net detection utility. botHunter is a new system designed by researchers at the Georgia Institute of Technology and the Computer Science Laboratory of SRI International. It is an interesting approach to detecting bot infection in local networks.

SSHatter SSH Brute Forcer

SSHatter is a simple SSH brute forcer written in Perl. Although it is not a very robust tool, it is still useful when combined with other target enumeration tools such as NMAP.

Linux Security Tools

A list of some common and helpful Linux security tools, including brief reviews and links to the tool source.

NT Security Tools

A few good security tools for Windows, reviews, and links to download them.