Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP.
Due to popular demand, in this new version Tunna (v1.1a) can be set up as a local SOCKS proxy that will accept any TCP traffic and send it over to the webserver using HTTP requests. The traffic will be unwrapped at the server and forwarded to the specified address/port. Tunna effectively pivots connections through a webserver, thus bypassing firewall restrictions.
Secondary functionality added in the new version:
Tunna is now able to connect to the local proxy (if one exists) and, through that internal proxy, tunnel the connection to the webserver.
A standalone Tunna webserver has been added for situations where a webserver is not available.
Windows compiled binaries for both “Tunna Client” and “Tunna webserver” have been added.
Ping delay increases (up to 60 sec) whenever data is not received. This minimises network traffic to the webserver with a small hit on waiting time that should be unnoticeable.
Tunna v1.1a Changelog:
Added SOCKS4a support
Support for UpStream Proxy
Removed Ruby version of Client
python proxy.py -u <remoteurl> -l 8000
This will set up Tunna and start a SOCKS4a proxy server on port 8000
SOCKS Operation Details:
Local ports are “mapped” to remote ports. For this, a header is added in every HTTP packet sent to/from the webserver that shows the originating/remote port. Once the packet is received, the header port is read and the rest of the data gets redirected to the correct port on the local side.
The SOCKS server is a simple implementation based on SOCKS protocol version 4 RFC. Currently “SOCKS BIND” method is not supported and protocols such as FTP cannot be used.
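To make the SOCKS4a handshake described above concrete, here is an added example (not Tunna's own code) of a request parser that accepts CONNECT, resolves the SOCKS4a hostname form and rejects BIND. The function names and the sample requests are constructed for illustration.

```python
import socket
import struct

CMD_CONNECT, CMD_BIND = 1, 2
REPLY_GRANTED, REPLY_REJECTED = 90, 91


class Socks4Error(ValueError):
    """Raised for malformed or unsupported SOCKS4/4a requests."""


def _cstring(buf, start):
    """Return (bytes up to NUL, index after NUL); a missing NUL is an error."""
    end = buf.find(b"\x00", start)
    if end == -1:
        raise Socks4Error("unterminated string field")
    return buf[start:end], end + 1


def parse_socks4_request(data):
    """Parse one SOCKS4/SOCKS4a request into (host, port, userid)."""
    if len(data) < 9:  # 8-byte fixed header plus the user id terminator
        raise Socks4Error("request shorter than the fixed header")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise Socks4Error("not a SOCKS4 request")
    if command == CMD_BIND:
        raise Socks4Error("BIND is not supported")
    if command != CMD_CONNECT:
        raise Socks4Error("unknown command %d" % command)
    ip = data[4:8]
    userid, pos = _cstring(data, 8)
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) means a hostname follows the user id.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        name, pos = _cstring(data, pos)
        if not name:
            raise Socks4Error("empty hostname")
        host = name.decode("ascii")  # non-ASCII bytes raise a ValueError too
    else:
        host = socket.inet_ntoa(ip)
    return host, port, userid.decode("latin-1")


def build_reply(granted):
    """8-byte reply: VN=0, CD=90 or 91, then DSTPORT and DSTIP zeroed."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


# Constructed sample requests (not captured from Tunna).
REQ_4A = b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00intranet.example\x00"
REQ_V4 = b"\x04\x01\x01\xbb\xc0\x00\x02\x0a\x00"
REQ_BIND = b"\x04\x02\x00\x15\xc0\x00\x02\x0a\x00"
```

A server built on this would answer a rejected BIND with build_reply(False), which is why protocols such as FTP that depend on it fail through the proxy.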
Bypassing Firewall restrictions:
As in the previous version, if inbound HTTP traffic is allowed, a webshell or Tunna webserver can be used to pivot connections.
For example, an external user can upload a Tunna webshell (or use Tunna webserver) on a remote webserver and request a service on the local host or any other host that will normally be blocked by the firewall. The request will be forwarded to the webserver in the form of an HTTP request (must be allowed by the firewall). The webserver is going to establish the connection for the user and redirect all traffic to that service. Response data will be transferred back to Tunna’s client in the form of HTTP responses.
Tunna can be used in situations where the firewall restricts access to certain hosts or services.
A user controlled Tunna webserver is needed as well as HTTP access to the remote webserver.
For example, an internal user can set Tunna (client) as his system’s proxy and request any website/service that is blocked. The request will be forwarded to the webserver in the form of an HTTP request. The webserver will establish the connection to the requested service and redirect all traffic to that service. Response data will be transferred back to Tunna’s Client in the form of HTTP responses.
In many companies, internal connections to the internet go via an internal proxy that restricts access to certain services or websites. Tunna can be configured to use that proxy for requests to Tunna’s webserver.
Tunna will get the proxy settings from the system (internet) options and use them for all requests. If this is not possible, then the proxy parameters can be set up as an argument (currently DIGEST and BASIC authentication are supported).
This is a python standalone webserver for Tunna. The functionality is the same as a webserver that has a Tunna webshell.
python webserver.py -r 0.0.0.0:8000
Will start a Tunna webserver listening on port 8000
Append --ssl to add SSL support (https)*
* In Windows (webserver.exe) the certificate file (certificate.pem) needs to be present in the same folder as the executable
Tunna SOCKS webshells:
For Tunna to be used as a SOCKS server when webshells are used, an executable that will handle the SOCKS traffic will be uploaded to the remote webserver and executed.
As well as Tunna generating a massive overhead for every TCP packet, the connections are tunnelled through a single channel using HTTP requests. Consequently, large amounts of traffic translate to large amounts of HTTP requests. When a Tunna webshell is used, this can lead to a Denial of Service condition where the webserver will not be able to cope with all the requests. The standalone Tunna webserver is significantly less prone to DoS.
Some functionality is still experimental; therefore it is recommended that Tunna webshells are not to be used as a permanent solution.
Although the mechanisms for clean-up and graceful shutdown are in place, in certain situations, when a Tunna webshell is used and the “SOCKS Server” executable is not properly stopped and/or removed from the disk, it will require a manual clean-up.
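Because every tunnelled connection turns into a stream of HTTP requests to a single URL, that request pattern is visible in the webserver's access log. The following added example (not part of Tunna) flags any client that hits one path unusually often within a sliding window; the log format, the threshold and the sample lines are assumptions constructed for illustration, and lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: client ip, timestamp, request path.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_polling_clients(lines, window_s=60, threshold=30):
    """Return {(ip, path): peak} where one client hit one path at least
    `threshold` times inside any `window_s`-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # (ip, path) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log records
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        # Ignore the query string so varying parameters still group together.
        key = (m.group("ip"), m.group("path").split("?", 1)[0])
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def sample_log():
    """Constructed log lines: one steady poller and one ordinary visitor."""
    start = datetime(2014, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
    row = '%s - - [%s] "%s %s HTTP/1.1" 200 512'
    lines = []
    for i in range(90):           # one request per second to a single URL
        ts = (start + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(row % ("198.51.100.7", ts, "POST", "/files/page.php?n=%d" % i))
    for i, path in enumerate(["/", "/about", "/contact", "/", "/news"]):
        ts = (start + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(row % ("203.0.113.20", ts, "GET", path))
    return lines


if __name__ == "__main__":
    for (ip, path), peak in find_polling_clients(sample_log()).items():
        print("%s -> %s: up to %d requests per 60 s" % (ip, path, peak))
```

Since the ping delay backs off to as much as 60 seconds when no data is received, a rate check like this only surfaces tunnels that are actively carrying traffic.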
We are liaising with UK Trade & Investment and the British Embassy in Brussels to deliver a seminar about “How Exposed are we to the Cyber Threat?” on Thursday 24 April
We will be talking about penetration testing and delivering a demo about the Heartbleed vulnerability. The purpose of the seminar is to inform Professional Service Providers about the potential threats of cyber attacks, providing clear information about the key strategies to minimize the risk of an unauthorised compromise.
It is a known fact that all hackers like terminals but most (good) hackers also like efficiency and automating repetitive tasks. This is where SPARTA comes in.
SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.
Have a look:
What are the goals?
– One of the most important goals of the project is the ability to fully customise what tools/commands you run from SPARTA. Every penetration tester has his/her own methods and toolkit and we do not want to change that. SPARTA tries to simplify the way you run tools and centralises their outputs, displaying them in a meaningful way.
– Automation of repetitive tasks is a must. You will always need to check for default credentials. You will always need to enumerate users. You always run certain tools when you find certain services. You can now perform these actions (on several hosts) in one click.
Any cool features?
– Nmap XML output importer
– Any tool that can be run from a terminal, can be run from SPARTA
– Default credentials check for most common services
– If any usernames/passwords are found by Hydra they are stored in internal wordlists which can then be used on other targets in the same network (breaking news: people reuse passwords)
– Ability to mark hosts that you have already worked on so that you don’t waste time looking at them again
– Screenshot taker so that you don’t waste time on less interesting web servers
What are the requirements?
– A Linux OS preferably Kali Linux as all the tools are already there
– A few extra python libraries
This project is very much a work in progress but hopefully the first release will be out in a few months. So stay tuned!
A couple of months ago SECFORCE set out to create the ultimate webshell. The idea behind it was to include all the tools a pentester needs in one webshell and make our lives easier by, for example, dropping a meterpreter shell on the remote webserver with as little user interaction as possible.
Soon it was apparent that it would be much “cooler” for the webshell to communicate with a meterpreter shell without the need for meterpreter to expose or bind an external port. The benefits of it are obvious – this would effectively bypass any firewall rules in place.
It was realised that this could be a nice tool on its own, so the project was forked and development started. Some time later a set of webshells and the client proxies were created. The task was not as easy as it seems, mostly because it is hard to keep it simple and at the same time make the same code work across different languages. Still, there are some “programming language” quirks that could not be bypassed or made transparent to the end user. Given the different technologies in play (web servers / web languages / client languages) and all the possible combinations, it would be very hard to tackle some of the issues and make it seamless to the end user without losing some of the tool’s flexibility. Having said that, Java proved to be the most problematic language of the whole bunch – this needs to be said. Java was eating bytes in large packets – reasons for this are still not obvious – making both debugging and optimisation a pain. Apart from that, the PHP webshell also works in a somewhat different way where it stalls a thread on the remote server to keep the connection alive. However, the latter is seamless to the user.
What Tunna does is open a TCP connection (socket) between the webserver (webshell) and a socket on the local machine (webserver). It is also possible to open a connection to any other machine, but let’s keep this example simple. The client also opens a local socket and starts listening for connections. When a connection is established on the local client, any communication is sent over to the webshell in an HTTP request. The webshell will extract the data and write it to its local socket (the remote socket for the client). Now the problem with HTTP is that you cannot really have asynchronous responses. The easiest way to tackle this issue was to keep querying the webshell for data. This creates a lag but it is nothing a pentester cannot live with – at this point it must be noted once more that this is a tool “to get a remote meterpreter shell if the firewall is blocking external connections” and not for critical/real-time applications.
After that, we went back to the original idea and created the metasploit module. It is still under development and should be used with extreme caution. It is still recommended to upload a meterpreter shell and use Tunna main module to connect to it. The metasploit module can be summarised as a “half rewrite of the existing code to work with or around metasploit API” (mostly around). This means that “code hacks” were created as needed to make it work. To be architecturally correct with metasploit, the original idea was to create a new metasploit “handler” … however, this proved to be harder than expected and what you get is a bastardisation of handler-exploit … but it works.
Lastly, any comments, bugs or improvement ideas are welcome.
This September the Director General of GCHQ wrote to many business leaders providing them with a top ten list of priorities for achieving and maintaining a strong resilience to cyber attack.
The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.
What state is your business in when it comes to cyber security?
Ask yourself the following questions:
· How effective are my perimeter defences?
· How much business impact can an anonymous attacker cause on my network?
· What is the state of health of my internal systems and networks?
· What level of security awareness is held by my staff?
· How effective are my IT and security teams at identifying and mitigating an attack?
If you are sure you know the answer and you are happy with it then you are doing well.
Many of the security assessments we are asked to undertake, although providing value, miss the point when it comes to identifying key risks. The reason is that an advanced and sophisticated attacker would not play by the rules set out in a typical test engagement. If I wanted to attack your organisation, I would carefully target your people, compromise their browsers, infiltrate their laptops or workstations, and from there begin to slowly gain a foothold and control of your network. In my 10 years working at the cutting edge of penetration testing, we have performed this testing but a handful of times; however the majority of successful extrusion attacks would use this method.
There is a mismatch, therefore – the skills exist to measure an organisation’s resilience to this form of attack method, the majority of successful breaches would use this technique, but penetration tests typically do not cater for this form of scenario.
A realistic attack would take the form of a discrete engagement to identify and quantify key areas of critical risk – we like to call it offensive security; the best form of defence is to know what the enemy are capable of. If you want to know the truth then you need to test combining the following elements:
· Physical – how easy would it be for an individual to gain access to one of your premises/gain access to the network/steal a laptop, PDA device or similar (and attempt to extract the data)? Can a remote access device be planted and will this go unnoticed?
· Technical – can your systems be penetrated? How effective are your perimeter and internal controls?
· Social – can your people be easily compromised, what level of control over your systems, data and networks can be achieved?
So to ask the question again – how well equipped are you for fending off an advanced and persistent cyber attack?
The gas and energy sectors face significant challenges in regard to IT security. An evolving industry where reliance on IT systems has become key, being a potential target of terrorism attacks and where high availability and business continuity is a must, IT security shouldn’t be overlooked.
SECFORCE presented the challenges faced by Gas and Energy corporations in the IGEM annual conference:
Giving fake details to social networking sites is “a very sensible thing to do”
The reason for this is the high volume of websites that ask their users for highly privileged information such as date of birth where this information is not strictly necessary. Because of the vast number of websites involved, the overall challenge of keeping an individual’s information confidential is becoming virtually impossible.
As an individual working for a well respected penetration testing company I see the effects of this on a daily basis when SECFORCE are asked to perform social engineering attacks and client side browser exploitation against unsuspecting company employees. For us, without the rich source of information leakage on organisations’ employees in social media and other websites, our job of either tricking the user, or using their identity to trick others would be much harder.
The trick with a client side attack is to encourage an individual to perform an action of some kind; the chances of this being successful are increased a thousand fold if you use specific information pertaining to that user that puts them at ease, and elevates their misplaced trust in you – ‘the attacker’. This is why social media is so powerful – a message from a friend on Facebook, an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday), and prompting an action to click or download such as – here is a picture of your daughter from the party last weekend, or good luck with the presentation today.
Messages that are backed by some truth and privileged information are likely to result in the desired result (compromise of the user).
Cyber criminals have exactly the same access to this information as legitimate penetration testers and they are putting it to good use. Client side browser attacks are exponentially increasing. The attacker’s goal is often to form a bridgehead into an organisation for further significant impact. This form of attack can be sustained against an organisation and its employees for a period of months, so the odds of success are on the side of the attacker, and the only real countermeasures are the awareness and vigilance of your employees.
So, is Andy Smith from the Cabinet Office correct to give this advice? It is clear that there are a number of challenges to protect an individual’s identity online, however at the same time, websites such as Facebook, Twitter and LinkedIn as well as the hundreds of others that store information on you are here to stay. We are at a point of transition, not fully equipped or aware of the risks our online behaviour exposes us to, but at the same time reliant on the benefits this new technology brings to our lives.
SECFORCE has been accredited to ISO27001:2005 by the British Assessment Bureau.
SECFORCE’s Operations and Commercial Director Sam Temple said:
“This marks an important milestone for us in security management. It is one thing to strive to operate in a secure manner, but fantastic to have it confirmed by a respected external auditing body. Having achieved ISO27001 will not mean that we can relax about our security though, although we can be confident that the systems and procedures put in place are effective now, we will continue to invest effort into this area to ensure that they remain so.”
SECFORCE handles confidential information on a daily basis. This achievement helps to ensure that our clients’ information is kept secure.
SECFORCE Technical Director, Rodrigo Marcos, impressed bankers at an IT Cyber-Security workshop in Germany on Tuesday treating them to a live hacking demonstration. The presentation comes as financial institutions focus more and more on how to foil the dangerous and cutting-edge cyber criminals hiding behind their computer screens around the globe.
During the two day conference Marcos demonstrated how an unsuspecting online banking customer could be targeted and their life-savings stolen without them even noticing that their browser had been compromised.
“It is not common to see competitors in the same industry sharing information security knowledge and organising events like this one. To my mind, it clearly shows the increasing security awareness in the market today.” said Rodrigo Marcos.
The experienced ethical hacker also advised the banks to provide more security tips to their customers such as opening a new browser session when conducting online banking.