Archive for the ‘SECFORCE’ Category
Making Tunna (… or bypassing firewall restrictions with HTTP tunneling)
Friday, August 9th, 2013
A couple of months ago SECFORCE set out to create the ultimate webshell. The idea was to bundle all the tools a pentester needs into one webshell and make our lives easier, for example by dropping a meterpreter shell on the remote web server with as little user interaction as possible.
Soon it was apparent that it would be much “cooler” for the webshell to communicate with a meterpreter shell without meterpreter having to expose or bind an external port. The benefit is obvious: because every exchange rides on the HTTP port the web server already exposes, inbound firewall rules that would block a new listener or a reverse connection no longer matter.
It was soon clear that this could be a useful tool on its own, so the project was forked and development started. Some time later a set of webshells and the client proxies existed. The task was not as easy as it seems, mostly because it is hard to keep the code simple while making the same design work across different languages. Some programming-language quirks could not be worked around or made transparent to the end user. Given the technologies in play (web servers, web languages, client languages) and all their possible combinations, it would be very hard to iron out every issue and make everything seamless without losing some of the tool's flexibility. Having said that, it needs to be said that Java proved to be the most problematic of the bunch: the Java webshell was losing bytes in large packets, for reasons that are still not obvious, which made both debugging and optimisation a pain. The PHP webshell also works somewhat differently, in that it stalls a thread on the remote server to keep the connection alive. The latter, however, is transparent to the user.
Tunna Framework - Penetration Testing
What Tunna does is open a TCP connection (socket) from the webshell to a port on the web server itself (a meterpreter bind listener on 127.0.0.1, say). It is also possible to connect to any other host reachable from the web server, but let's keep this example simple. On the attacker's side, the client opens a local listening socket. Whenever a connection arrives on that local socket, any data received is sent to the webshell inside an HTTP request; the webshell extracts the data and writes it to its own socket (the remote socket, from the client's point of view). The problem with HTTP is that there are no asynchronous responses: the server cannot push data back to the client on its own. The simplest way around this is for the client to keep polling the webshell for data. This adds latency, but it is nothing a pentester cannot live with. It must be noted once more that this is a tool for getting a remote meterpreter shell when the firewall blocks external connections, not for critical or real-time applications.
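The mechanism just described, as an added example in Python that is not Tunna's code: a TCP-over-HTTP tunnel reduced to its essentials. Three parties run on loopback so it works offline: a constructed target service standing in for the bind listener (it upper-cases whatever it receives, so replies can be told apart from what was sent); a webshell emulation that holds one real TCP socket per session and is driven purely by HTTP (POST with X-Cmd: connect opens the socket to 127.0.0.1 on X-Port, X-Cmd: send writes the request body into it, X-Cmd: close tears it down; GET with X-Cmd: recv returns whatever the socket has buffered); and a local client that ships bytes over those requests and polls for replies, since HTTP cannot push data back on its own. The header names, the /shell path and the session scheme are assumptions made for this example, not Tunna's protocol.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def start_target():
    """Constructed stand-in for the remote bind listener; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk.upper())   # reply is recognisably transformed
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


class Webshell(BaseHTTPRequestHandler):
    """Server side: owns the real TCP sockets, speaks nothing but HTTP.
    Header names and the /shell path are assumptions for this example."""
    protocol_version = "HTTP/1.1"
    sessions = {}                     # session id -> socket to the target

    def log_message(self, *args):     # keep the example quiet
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        sid, cmd = self.headers["X-Session"], self.headers["X-Cmd"]
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if cmd == "connect":          # open the socket the client cannot reach directly
            sock = socket.create_connection(("127.0.0.1", int(self.headers["X-Port"])), timeout=5)
            sock.settimeout(0.1)      # recv must return promptly for the polling leg
            self.sessions[sid] = sock
        elif cmd == "send":           # request body -> remote socket
            self.sessions[sid].sendall(body)
        elif cmd == "close":
            sock = self.sessions.pop(sid, None)
            if sock:
                sock.close()
        else:
            return self._reply(400)
        self._reply(200)

    def do_GET(self):
        """Polling leg: drain whatever the target sent since the last poll."""
        sock = self.sessions.get(self.headers["X-Session"])
        if sock is None:
            return self._reply(404)
        buf = b""
        try:
            while chunk := sock.recv(4096):
                buf += chunk
        except socket.timeout:
            pass                      # nothing more waiting right now
        self._reply(200, buf)


class TunnelClient:
    """Local side: one HTTP request per tunnel operation."""

    def __init__(self, webshell_port, session="s1"):
        self.http = http.client.HTTPConnection("127.0.0.1", webshell_port, timeout=5)
        self.session = session

    def _req(self, method, cmd, body=b"", **extra):
        headers = {"X-Session": self.session, "X-Cmd": cmd, **extra}
        self.http.request(method, "/shell", body=body, headers=headers)
        resp = self.http.getresponse()
        return resp.status, resp.read()

    def connect(self, port):
        return self._req("POST", "connect", **{"X-Port": str(port)})[0]

    def send(self, data):
        return self._req("POST", "send", body=data)[0]

    def recv(self):
        return self._req("GET", "recv")[1]

    def close(self):
        self._req("POST", "close")
        self.http.close()


def tunnel_roundtrip(payload, polls=50):
    """Push payload through the tunnel and return what the target answered."""
    target_port = start_target()
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), Webshell)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    client = TunnelClient(httpd.server_address[1])
    try:
        if client.connect(target_port) != 200:
            raise RuntimeError("webshell could not reach the target")
        client.send(payload)
        got = b""
        for _ in range(polls):        # the lag the text mentions lives here
            got += client.recv()
            if len(got) >= len(payload):
                break
            time.sleep(0.05)
        return got
    finally:
        client.close()
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    print(tunnel_roundtrip(b"ping through the webshell"))
```

Running the file sends one message through and prints the upper-cased reply. Every poll in tunnel_roundtrip costs a full HTTP round trip, which is the latency the text refers to; a webshell that blocks longer in recv hands data back sooner at the price of tying up a server thread, which is exactly the trade-off the PHP webshell makes by stalling a thread to keep the connection alive.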
After that we went back to the original idea and created the Metasploit module. It is still under development and should be used with extreme caution; the recommended approach is still to upload a meterpreter shell and use the main Tunna module to connect to it. The Metasploit module can be summarised as a half rewrite of the existing code to work with, or mostly around, the Metasploit API, which means that code hacks were added as needed to make it work. To be architecturally correct, the original plan was to create a new Metasploit handler; this proved harder than expected, and what you get instead is a bastardised handler-exploit hybrid … but it works.
Lastly, any comments, bug reports or improvement ideas are welcome.
For more information, visit our Tunna Framework page.
Download: Tunna v0.1
Is traditional penetration testing effective at identifying risk?
Friday, December 14th, 2012
This September the Director General of GCHQ wrote to many business leaders providing them with a top ten list of priorities for achieving and maintaining a strong resilience to cyber attack.
The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.
What state is your business in when it comes to cyber security?
Ask yourself the following questions:
· How effective are my perimeter defences?
· How much business impact can an anonymous attacker cause on my network?
· What is the state of health of my internal systems and networks?
· What level of security awareness do my staff have?
· How effective are my IT and security teams at identifying and mitigating an attack?
If you are sure you know the answer and you are happy with it then you are doing well.
Many of the security assessments we are asked to undertake, although they provide value, miss the point when it comes to identifying key risks. The reason is that an advanced and sophisticated attacker would not play by the rules set out in a typical test engagement. If I wanted to attack your organisation, I would carefully target your people, compromise their browsers, infiltrate their laptops or workstations, and from there begin slowly to gain a foothold and control of your network. In my 10 years working at the cutting edge of penetration testing, we have performed this kind of testing only a handful of times; however, the majority of successful extrusion attacks would use this method.
There is a mismatch, therefore: the skills exist to measure organisations' resilience to this form of attack, the majority of successful breaches would use this technique, yet penetration tests typically do not cater for this scenario.
A realistic attack would take the form of a discreet engagement to identify and quantify key areas of critical risk. We like to call it offensive security; the best form of defence is to know what the enemy are capable of. If you want to know the truth then you need to test a combination of the following elements:
· Physical – how easy would it be for an individual to gain access to one of your premises, gain access to the network, or steal a laptop, PDA or similar device (and attempt to extract the data)? Can a remote access device be planted, and will it go unnoticed?
· Technical – can your systems be penetrated? How effective are your perimeter and internal controls?
· Social – can your people be easily compromised, and what level of control over your systems, data and networks can be achieved through them?
So, to ask the question again: how well equipped are you to fend off an advanced and persistent cyber attack?
SECFORCE presented at the IGEM conference
Wednesday, November 14th, 2012
The gas and energy sectors face significant IT security challenges: an evolving industry in which reliance on IT systems has become key, a potential target of terrorist attacks, and one where high availability and business continuity are a must. IT security should not be overlooked.
SECFORCE presented the challenges faced by gas and energy corporations at the IGEM annual conference:
The talk provided an overview of the threats to companies in the energy sector, the current threats affecting SCADA systems, attackers' motivations and a roadmap towards improved security.
Should you protect your identity from cybercriminals and would-be penetration testers?
Monday, October 29th, 2012
Andy Smith, an internet security chief at the Cabinet Office, has said people should only give accurate details to trusted sites such as government ones. (http://www.bbc.co.uk/news/uk-politics-20082493)
Giving fake details to social networking sites is “a very sensible thing to do”
The reason is the high volume of websites that ask their users for sensitive personal information, such as date of birth, where this information is not strictly necessary. Because of the vast number of websites involved, keeping an individual's information confidential is becoming virtually impossible.
As an individual working for a well-respected penetration testing company I see the effects of this on a daily basis when SECFORCE is asked to perform social engineering attacks and client-side browser exploitation against unsuspecting company employees. For us, without the rich source of information leakage about organisations' employees in social media and other websites, our job of either tricking the user, or using their identity to trick others, would be much harder.
The trick with a client-side attack is to encourage an individual to perform an action of some kind; the chances of success increase a thousandfold if you use specific information pertaining to that user that puts them at ease and elevates their misplaced trust in you, ‘the attacker’. This is why social media is so powerful: a message from a friend on Facebook, an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday) and prompting an action to click or download, such as ‘here is a picture of your daughter from the party last weekend’ or ‘good luck with the presentation today’.
Messages backed by some truth and by information only a trusted party should know are likely to achieve the desired result: compromise of the user.
Cyber criminals have exactly the same access to this information as legitimate penetration testers, and they are putting it to good use. Client-side browser attacks are increasing rapidly. The attacker's goal is often to establish a bridgehead into an organisation from which to cause further, more significant, impact. This form of attack can be sustained against an organisation and its employees for months, so the odds of success are on the side of the attacker, and the only real countermeasures are the awareness and vigilance of your employees.
So, is Andy Smith from the Cabinet Office correct to give this advice? It is clear that there are a number of challenges to protect an individual's identity online, however at the same time, websites such as Facebook, Twitter and LinkedIn as well as the hundreds of others that store information on you are here to stay. We are at a point of transition, not fully equipped or aware of the risks our online behaviour exposes us to, but at the same time reliant on the benefits this new technology brings to our lives.
SECFORCE achieves ISO27001:2005
Thursday, October 11th, 2012
SECFORCE has been accredited to ISO27001:2005 by the British Assessment Bureau.
SECFORCE's Operations and Commercial Director Sam Temple said:
“This marks an important milestone for us in security management. It is one thing to strive to operate in a secure manner, but fantastic to have it confirmed by a respected external auditing body. Having achieved ISO27001 will not mean that we can relax about our security though; although we can be confident that the systems and procedures put in place are effective now, we will continue to invest effort in this area to ensure that they remain so.”
SECFORCE handles confidential information on a daily basis. This achievement helps ensure that our clients' information is kept secure.
SECFORCE Presents to European Banking Industry in Riederau
Wednesday, October 3rd, 2012
SECFORCE Technical Director, Rodrigo Marcos, impressed bankers at an IT cyber-security workshop in Germany on Tuesday, treating them to a live hacking demonstration. The presentation comes as financial institutions focus more and more on how to foil the dangerous and cutting-edge cyber criminals hiding behind their computer screens around the globe.
During the two day conference Marcos demonstrated how an unsuspecting online banking customer could be targeted and their life-savings stolen without them even noticing that their browser had been compromised.
“It is not common to see competitors in the same industry sharing information security knowledge and organising events like this one. To my mind, it clearly shows the increasing security awareness in the market today.” said Rodrigo Marcos.
The experienced ethical hacker also advised the banks to provide more security tips to their customers such as opening a new browser session when conducting online banking.
Proxyfuzz fuzzer RPM binary
Thursday, September 22nd, 2011
Proxyfuzz is now available in RPM format for Fedora users. Petr Sklenar has created and uploaded the RPM version, available for download here.
Source code and windows binaries can still be found in the security research section of our website.
Proxyfuzz is a protocol-agnostic fuzzer that randomly fuzzes network traffic using a man-in-the-middle approach: it sits between client and server and randomly injects a number of fuzzing signatures into the data that passes through it, without parsing the protocol. It is very easy to set up and can be used to research any TCP or UDP protocol.
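To make the approach concrete, here is an added Python example of a Proxyfuzz-style man-in-the-middle fuzzer for TCP; it is not Proxyfuzz's code, and the signature list, the listen and target addresses and the probability are constructed for this example. It relays each client connection to the real server, mutates client-to-server chunks with some probability by splicing or overwriting random byte ranges with classic fuzzing signatures, and passes replies through untouched. The random generator is seeded so that a crash can be replayed.

```python
import random
import socket
import threading

# Constructed signature set for this example; Proxyfuzz's own list is not reproduced.
SIGNATURES = [
    b"A" * 1024, b"A" * 65535,                    # oversized fields
    b"%s%s%s%s%n", b"%x" * 32,                    # format strings
    b"\x00", b"\xff" * 8, b"\r\n\r\n",            # terminators, high bytes, framing
    b"-1", b"0", b"2147483648", b"4294967295",    # integer boundaries
    b"../../../../etc/passwd", b"' OR 1=1--",     # traversal / injection tokens
]


def mutate(data, rng, max_injections=3):
    """Return a copy of data with 1..max_injections signatures injected.

    Each injection picks a random offset and a random span: span 0 splices the
    signature in (grows the message, exercises length/framing handling), a
    larger span overwrites part of the original (keeps its rough shape,
    exercises field parsing). Nothing is parsed, so any TCP protocol works.
    """
    out = bytearray(data)
    for _ in range(rng.randint(1, max_injections)):
        sig = rng.choice(SIGNATURES)
        pos = rng.randint(0, len(out))
        span = rng.randint(0, len(out) - pos)     # 0 = pure insertion
        out[pos:pos + span] = sig
    return bytes(out)


def seeded_mutate(data, seed, max_injections=3):
    """Deterministic wrapper: same seed, same mutation (for crash replay)."""
    return mutate(data, random.Random(seed), max_injections)


def pump(src, dst, mutator=None):
    """Forward bytes src -> dst until either side closes, mutating if asked."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(mutator(chunk) if mutator else chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def fuzz_proxy(listen_addr, target_addr, seed=None, fuzz_probability=0.5):
    """Accept clients on listen_addr and relay each to target_addr.
    Client->server chunks are mutated with probability fuzz_probability;
    server->client replies pass through unchanged."""
    rng = random.Random(seed)
    lock = threading.Lock()           # one shared rng, several pump threads

    def maybe_mutate(chunk):
        with lock:
            return mutate(chunk, rng) if rng.random() < fuzz_probability else chunk

    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(5)
    while True:
        client, peer = srv.accept()
        upstream = socket.create_connection(target_addr)
        print(f"[+] {peer} <-> {target_addr}")
        threading.Thread(target=pump, args=(client, upstream, maybe_mutate), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()


if __name__ == "__main__":
    # Assumed layout: point the client under test at 127.0.0.1:8080 while the
    # real server listens on 127.0.0.1:8000. Re-run with the same seed to replay.
    fuzz_proxy(("127.0.0.1", 8080), ("127.0.0.1", 8000), seed=1)
```

Because the mutator never inspects the payload, the same proxy fuzzes an HTTP client, an SMTP session or a proprietary binary protocol; the price is that stateful or checksummed protocols will reject many mutated messages early, which is when a protocol-aware fuzzer becomes worth the extra effort.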
SECFORCE is now CREST certified
Monday, July 25th, 2011
As part of the SECFORCE commitment to ensuring the provision of high quality services, SECFORCE has now achieved CREST certification. This further complements SECFORCE's existing methodology and code of ethics.
SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe with the ability to demonstrate expertise and professionalism to ensure clients are totally satisfied.
CREST Penetration Testing
“CREST is a not-for-profit organisation which brings a demonstrable level of expertise and professionalism to the security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST and those that do, like SECFORCE, have had to demonstrate that the processes they utilise for testing are sound, that they have adopted industry best practice in their approach to testing and that they handle sensitive client information in an appropriate manner.”
Ian Glover, President of CREST
The addition of CREST certification will provide further reassurance and confidence to the many clients where SECFORCE has already built a strong working relationship.
“We are really pleased that CREST certification has been achieved and view this as an important step forward in the continued enhancement of our service delivery.”
Rodrigo Marcos, Technical Services Director
For more information about our CREST assessments, and to discover how we can benefit your organisation, please visit our CREST penetration testing page.
SECFORCE invited to present at Athcon
Saturday, June 18th, 2011
SECFORCE was invited to present at Athcon conference, held in Athens during 2nd and 3rd June 2011.
AthCon is an annual IT security conference that takes place in Athens, Greece, designed to give a technical insight into the world of IT security: a realistic, practical view of current and evolving threats and security trends, presented by top international security experts.
SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features.
The Metasploit Framework is mainly used for exploitation during penetration testing engagements.
You can download the slides from the talk from our security research area.
SECFORCE achieves quality management ISO 9001 certification
Wednesday, April 6th, 2011
SECFORCE has achieved recognition for its quality management systems with the award of ISO 9001:2008.
The certification recognises the company’s commitment to quality management systems used in the delivery of IT security services to SECFORCE customers and to continuous improvement processes and procedures.
For customers this achievement provides confidence in the quality of SECFORCE's services and in a more efficient and effective business operation. As quality is constantly measured and procedures ensure corrective actions are taken whenever defects occur, clients benefit from a continually improving service.
Certification was awarded by The British Assessment Bureau, a UKAS-accredited body, following a series of independent audits.