OSI Security - Penetration Testing & Web Application Security Consultants
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers

NSA IPSec IKE Vulnerability BENIGNCERTAIN analysis and example

30/8/2017

 
The NSA ShadowBrokers exploit leak included a tool known as “BenignCertain” which triggers an information leak which may result in credential and private key disclosure to unauthenticated parties. Cisco IOS routers, PIX and ASA firewalls with VPN IKE IPSec enabled may be affected.

The NSA toolkit's 
bc-genpkt, bc-id and bc-parser binaries can be used to generate vulnerability triggering packets, send the packet and store the response, and parse the information leak to reveal VPN credentials such as username and password. Alternatively, the Metasploit Framework contains a module to scan for and trigger this vulnerability known as cisco_ike_benigncertain.

Example:

The device appears to leak RAM contents when the fault is triggered:

0000   00 00 00 00 00 00 00 02 00 00 00 00 00 00 2e e0
0010   00 00 2e e0 12 a1 fb 48 00 00 00 00 00 00 00 00
0020   00 00 09 ec 00 00 09 d0 00 00 00 01 01 00 00 0e
0030   00 00 09 c4 00 00 00 01 00 00 00 01 0b 83 d4 d4
... [ snip ] ...
0470   0f ff ff ff 0f ff ff ff 00 00 00 00 00 00 00 00
0480   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0490   00 00 00 00 00 00 00 06 A1 44 93 40 00 00 00 00

When conducting subsequent tests, the memory bytes disclosed appear to change which indicates that this is likely vulnerable. Non-Cisco IPSec devices to not dump excessive bytes when responding to the vulnerability trigger (e.g. 10 bytes vs 2500+ bytes for vulnerable devices device).
However, it is important to note that the usable exploit only affects Cisco PIX devices. This device may be vulnerable but due to slightly different implementation may be leaking less valuable information to an attacker or requires tweaking using the NSA bc-genpkt tool.
Recommendation:
​Ensure the latest patched IOS firmware is installed. If the firmware is confirmed as vulnerable, the preshared VPN keys should also be changed and private keys on the device should be regenerated.
Risk:
High.

Samba SMB remote code execution vulnerability

26/5/2017

 
Please be aware there is a Samba remote code execution vulnerability that has been published today in Metasploit and mass exploitation is likely to follow or be used to self-propagate in the form of a worm.

The vulnerability affects all versions of Samba over the past 7 years, the open source Unix/Linux implementation of the Microsoft File and Print Sharing service, and a patch was released yesterday.

The vulnerability is triggered by connecting to a writeable file share (it can be abused as an anonymous user or with credentials) then uploading a Unix .so shared object file which is then executed on the server.

Many Linux and Unix based operating systems are vulnerable, as are products like NAS (Network Attached Storage) file servers such as Synology, mediacentres and modems etc.

CVE-2017-7494 has been assigned to this issue and reports indicate over 100,000 internet accessible systems are currently vulnerable.
​
If you are unable to patch immediately, the vulnerable feature can be disabled by setting the 'nt pipe support = no' directive within the /etc/samba/smb.conf file and restarting the service.

Test your SSL anti-malware defences!

3/4/2017

 
Many of you would have seen our anti-malware solution test website known as WICAR (think EICAR AV Test File, but for web based attacks).
Picture
This is just a quick email to let you know we now have SSL enabled for our test malware attacks, so not only can you test your firewall, IDS/IPS, proxies, content filtering and desktop antivirus, but you can also check if you are protected against payloads delivered over HTTP/S or verify your SSL-inspection products are working.
​
Simply open the Test Malware page and click the [SSL] hyperlink to conduct the test over SSL to ensure your organisation is adequately protected (most attacks today are delivered over SSL to get around proxy inspection).
Picture

Auditing SonicWALL Firewall Rulesets

10/4/2013

 
Introduction:
At some point you may be required to audit the configuration of a SonicWALL device.
If you have physical/admin access to the management interface, then this is probably the easiest method - drill down every option and check for misconfiguration.

If not, obtain a configuration export file (file name is generally 'sonicwall-name-date.exp') such as sonicwall-SydneyDC-20100607.exp.

You will notice the file is a single line of Base64 encoding.
​
Method:
Either use software such as nipper (a tool to automatically decode multi-vendor firewall, router, switch etc.. configurations then analyse the settings and make recommendations in a pretty report) or Base64 decode it yourself and read the variables.

Linux: 'base64 -d file'
Windows (if you have ActiveState Perl): 'c:\bin\decode-base64.bat file'
​
Recommendation:
Often issues such as SSH v1 and SNMP will be present. Also check the firmware as SonicWALL is notorious for format string bugs.

ZeroAccess / Sirefef Rootkit removal - no internet or DNS connectivity issue

9/4/2013

 
Over the past 6 months, a new rootkit known as Max++, ZeroAccess, Sirefef (and others) has been impacting a significant number of businesses and home users.
​
Recently, OSI Security responded to a client affected by this malware:
  • The infected machine had been cleaned by a third party and the rootkit was no longer present. Despite removal, the machine was in a damaged state: it could detect a phyical network connection (i.e. ethernet link) but no connectivity.
  • If you view the network adapter properties, the state is connected however the details of the connection is blank - no IP address, netmark, gateway, DNS servers etc.
  • ipconfig results in an error:An internal error occurred: The request is not supported.
    Please contact Microsoft Product Support Services for further help.
    Additional information: Unable to query host name.

To fix this issue, the TCP/IP stack needs to be working (check Device Management, Hidden Devices and TCP/IP may have the yellow exclamation mark if the device is not working).

In our situtation, TCP/IP would not start because a group dependency failed. The IPSEC Service wouldn't start, and a check of the system32\drivers directory showed ipsec.sys driver was missing.

To fix, get the ipsec.sy_ (cab) file from the Windows CD-ROM in the i386 directory and extract it to C:\Windows\system32\drivers\ipsec.sys.

For example, go to Start -> Run -> cmd.exe, then in the command prompt type (assuming D:\ is your Windows install CD).
extract d:\i386\ipsec.sy_ c:\Windows\system32\drivers\ipsec.sys

If the above command worked as expected, you should now be able to go to Services (services.msc) and start the IPSEC Service. If it started as hoped, you should now reboot and find that the issue with ipconfig / the network adapter not being able to obtain an IP address is now resolved. If not, consider doing the same extract for tcpip.sy_ and doing a 'netsh ip reset all' and 'netsh winsock reset catalog' then rebooting.

Once we resolved this matter, we encountered another issue:
  • ipconfig works as expected.
  • Internet Explorer, Chrome, Firefox... is unable to browse the Internet (or almost any program for that matter).
  • nslookup is able to correctly resolve DNS records such as www.google.com.
  • ping www.google.com or any other host results in:Ping request could not find host www.google.com. Please check the name and try again.
  • telnet www.google.com 80 also results in a DNS lookup error (making sure your hosts file does not have the trojaned www.google.com entry for 94.63.147.22 or 94.63.147.23 for www.bing.com in our client's infection).
  • if you do a nslookup for www.google.com, then telnet directly to the DNS IP address resolution, telnet works correctly.
  • Internet Explorer's diagnose connectivity problem tool may state that an error occurred of type WSAEINVAL, error code 10022 (0x2726).

This occurs because the Microsoft Windows TCP/IP stack or Winsock API is corrupted. Specifically, the nslookup tool works because it is sending DNS lookup information directly across the wire, whereas everything else uses the Windows host operating system's Winsock gethostbyname() API which is broken.

To fix, firstly reboot into the Microsoft Windows Recovery Console, then (where D:\ is the Windows install CD-ROM);

expand D:\i386\dnsapi.dl_ C:\Windows\system32\dnsapi.dll
expand D:\i386\dnsrslvr.dl_ C:\Windows\system32\dnsrslvr.dll

Reboot and you should find that nslookup, ping, Internet Explorer etc is now functioning as expected.

Note 1: Under normal Windows, the command is 'extract' to extract a CAB file (the .sy_ or .dl_ files). Under the Recovery Console, the command is 'expand'. Using either is fine for ipsec, tcpip, dnsapi, dnsrslvr files however you will likely find using 'extract' is denied as the destination file is in use by Windows and cannot be replaced - thus, you may wish to use the Recovery Console and 'expand' for all 4 files to avoid the file in use / access denied message.

Note 2: We observed other users with similar issues i.e. nslookup works but ping does not. The above dnsapi.dll and dnsrslvr.dll replacement should in theory resolve the issue, irrespective of presence of any malware. Worth trying..

Good luck!

Sender Policy Framework

3/7/2012

 
Introduction
Visit www.openspf.org for more information on this technology.
​
Method
It is held within a TXT record for the domain. You can query this with the host command under Linux/POSIX.
$ host -t txt [victim].com
[victim].com descriptive text "v=spf1 a mx include:[victim].com"
​
Recommendation
Consider adding SPF records to allow MX records to send email.
SPF helps prevent forging of the FROM address on the receiver end.
Customer MTAs which support SPF will reject fraudulent emails because the SPF record will not match the spammers IP source addresses when forging @[victim].com FROM addresses.

Penetration Testing Tools - Maltego (Data mining)

10/5/2012

 
Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format. Coupled with its graphing libraries, Maltego allows you to identify key relationships between information and identify previously unknown relationships between them.

It can be utilised in searching for the following (entities):
* Autonomous System Number
* DNS Name
* Domain
* Email Address
* IP Address
* Location
* MX Record
* NS Record
* Netblock
* Person
* Phone Number
* Phrase
* URL
* Website

It is offered in 2 editions which are Commercial edition and Community edition. Community edition can be downloaded from the following link:
http://www.paterva.com/web4/index.php/client/community-edition
It is also available as a built in tool with the current backtrack editions.
The following link describes in detail the process of finding information about people and organisations using Maltego in 2 parts.
http://www.ethicalhacker.net/content/view/202/24/

Determining BIND DNS version using dig

8/8/2011

 
Introduction
By default BIND DNS reveals the version number when queried for a certain TXT record.

Command
# dig chaos txt version.bind @ns.[target].com

Result
An example is below:

; <<>> DiG 9.7.1-P2 <<>> chaos txt version.bind @ns.[target].com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18628
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.3.6-P1-RedHat-9.3.6-4.P1.el5"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 329 msec
;; SERVER: [ip]#53([ip])
;; WHEN: Sat Aug 21 03:55:28 2010
;; MSG SIZE rcvd: 87

Recommendation
Using the 'version' directive in the 'options' section will block the 'version.bind' query - usually in /etc/named.conf.

Detecting hostname and software vendor using PPTP

13/10/2010

 
Introduction
If a PPTP service has been detected, as part of the protocol the software (and/or hardware) vendor is meant to disclose this information. Generally the server hostname is also revealed, which may aid in an attack.
​
Method
There are many ways to determine this, but a simple scenario would be to create a new "dial-up" connection within Windows with a connection type of VPN -> PPTP and connect whilst running a Wireshark packet capture.
By following the captured stream within Wireshark and looking at the protocol dissector, the vendor and hostname will be disclosed.
    View my profile on LinkedIn

    Archives

    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    December 2015
    August 2015
    April 2014
    May 2013
    April 2013
    July 2012
    May 2012
    November 2011
    August 2011
    July 2011
    February 2011
    January 2011
    October 2010
    August 2010
    June 2010

    Categories

    All
    Apache
    Backdoor
    Best Practice
    Configuration
    Credentials
    Desktop
    DNS
    Encryption
    Exploit
    Firewall
    Hardening
    HTTP
    HTTP/S
    IDS
    Information Disclosure
    Linux
    Malware
    Man-in-the-middle
    Newsletter
    Patch
    Policy
    Samba
    Server
    Service
    SMB
    SMTP
    Unix
    VPN
    Vulnerability
    Web Browser
    Web Server
    Zero Day

    RSS Feed

NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
Picture
External Penetration Testing
Managed Security Services
​Source Code Review
Web Application Security Testing
Firewall Configuration and Rulesets
WiFi Access Point and Client Auditing
Forensics and Data Recovery
System Hardening and Configuration
Metasploit Pro
Tenable Nessus
Acunetix Web Scanner
Nexpose Vulnerability
Secunia Software Inspection
Elcomsoft Password Cracking
PortSwigger BurpSuite
HP Fortify
 
Contact
Clients
Advisories
Privacy policy
​
Ethics Statement
Disclosure Policy
OSI SECURITY ACN 144 579 751 © 2010 - 2025.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.
Join newsletter

Picture

OSI Security is proud to support a number of recognised charities, development projects and industry groups...

The Australian Computer Museum Society Incorporated
Hackers Helping Hackers
sqlmap.org
Metasploit Framework
2600-AU Australia