Wednesday, January 26, 2011

[app-security] Scanning VoIP Service for SIP-based Vulnerabilities

(The version details and product specifics belong to 2010.)


Task Detail: 
Assessing the state of the SIP implementation in the VoIP service.

Background:
SIP (Session Initiation Protocol) is a popular protocol for controlling multimedia sessions in VoIP-based services. Our organization also uses it to provide some services, even over a public network, so a security analysis of this service was required.

Execution Method:
Attackers are actively seeking exposed PBX systems to launch phishing scams and route fake calls.
In recent years scams have evolved to include SMS solicitations (smishing) and fake phone calls through VoIP (vishing).
Two common VoIP frauds are:
1. Compromise of the server to allow outbound calls at the owner's expense
2. Use of VoIP in vishing scams (combined with phishing e-mails or an automated attendant)

Many tools supporting SIP exploitation are available to attackers, such as Cain & Abel, Intelligent War Dialer, Sipsak, siVus, Scapy, Vomit, SIPVicious, SIPCrack, Nessus, Protos, Asteroid SIP DoS and many more.
VoIPPack now ships with SIPDigestLeak.py, which lets a user send an INVITE to an IP phone and collect the Digest Authentication response. After collecting enough responses, it can launch a brute-force attack on the challenge-response pairs and guess the password.

Tools/Technology Used:
Cain & Abel : http://www.oxid.it/cain.html
Sipsak : http://sipsak.org/
Scapy : http://www.secdev.org/projects/scapy/
VoIPPack : http://enablesecurity.com/products/voippack/
SIPVicious : http://code.google.com/p/sipvicious/

Inference:
VoIP systems should be configured with the following points in mind:
1. Check for weak Account Credentials
2. Build a Dial-Plan only allowing what is required
3. Limit exposure of your entire Network
4. Be informed of new exploits in the arena
All the VoIP-enabled devices were running the SIP service on its default port, so identifying the IP addresses of the devices to probe for SIP vulnerabilities was already easy. We then had to feed the IPs of those devices to self-sustained SIP fuzzing utilities to check for different kinds of information. This information could range from the extensions of the various VoIP phones and the passwords of the devices to audio recordings of actual conversations taking place on those devices.


New updates to VOIPPack consist of:

* two new tools called “bypassalwaysreject” and “sipopenrelay”
* DoS exploits for Asterisk PBX called “asteriskdiscomfort”, “asterisksscanfdos” and “iax2resourceexhaust”
* Generic DoS exploit “sipinviteflood”
* Optimizations for the SIP Digest leak tool “sipdigestleak” and the SIP digest cracker
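The default-port exposure noted above is also what makes this kind of probing easy to spot from the defender's side. The following is an added example written for this post; it is not a script from the post or from VOIPPACK. It parses the request line and headers of SIP requests seen on UDP/5060, groups them by source, and reports sources that either announce a known scanner User-Agent (SIPVicious sends "friendly-scanner" by default, sipsak sends "sipsak") or address many distinct extensions in a short window, which is what an extension sweep or digest-leak collection run looks like. The sample traffic, addresses, extensions, the "deskphone" and "softphone" agent strings and the sweep threshold are all constructed.

```python
"""Spot SIP scanning and extension sweeps in traffic seen on the default port.

Added example, not a tool from the post or from VOIPPACK. The traffic below is
constructed: the addresses, extensions and the "deskphone"/"softphone"
User-Agent values are made up; "friendly-scanner" is the User-Agent SIPVicious
sends by default and "sipsak" is what sipsak sends.
"""
import re
from collections import Counter, defaultdict

# Substrings of User-Agent values that announce common SIP scanning tools.
SCANNER_UA_MARKERS = ("friendly-scanner", "sipvicious", "sipsak")

# Request-Line per RFC 3261: METHOD Request-URI SIP-Version
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+sips?:(?:(?P<user>[^@;\s]+)@)?(?P<host>[^\s;]+)\s+SIP/2\.0$"
)


def parse_request(raw):
    """Return method, target user and User-Agent of one raw SIP request.

    Returns None when the first line is not a SIP request line (responses,
    truncated datagrams and non-SIP noise are skipped rather than guessed at).
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    match = REQUEST_LINE.match(lines[0].strip())
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": match.group("method"),
        "user": match.group("user") or "",
        "user_agent": headers.get("user-agent", ""),
    }


def analyze(traffic, sweep_threshold=10):
    """Group requests by source and return {source: [reasons]} for suspects.

    A source is reported when it announces a known scanner User-Agent, or when
    it addresses at least sweep_threshold distinct extensions (one phone has
    no business registering as dozens of users).
    """
    per_src = defaultdict(lambda: {"methods": Counter(), "users": set(), "agents": set()})
    for src, raw in traffic:
        req = parse_request(raw)
        if req is None:
            continue
        stats = per_src[src]
        stats["methods"][req["method"]] += 1
        stats["users"].add(req["user"])
        stats["agents"].add(req["user_agent"].lower())

    findings = {}
    for src, stats in per_src.items():
        reasons = []
        if any(marker in ua for ua in stats["agents"] for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        if len(stats["users"]) >= sweep_threshold:
            reasons.append("extension sweep")
        if reasons:
            findings[src] = reasons
    return findings


def _request(method, user, host, user_agent):
    """Build a minimal SIP request for the constructed sample below."""
    return (
        f"{method} sip:{user}@{host} SIP/2.0\r\n"
        f"From: <sip:{user}@{host}>;tag=1\r\n"
        f"To: <sip:{user}@{host}>\r\n"
        f"User-Agent: {user_agent}\r\n"
        "\r\n"
    )


PBX = "10.0.0.5"  # constructed address of the PBX listening on UDP/5060
SAMPLE_TRAFFIC = (
    # a legitimate desk phone re-registering its own extension
    [("10.0.0.21", _request("REGISTER", "1042", PBX, "deskphone/1.0"))] * 3
    # an svmap-style OPTIONS probe that announces itself
    + [("192.0.2.10", _request("OPTIONS", "100", PBX, "friendly-scanner"))]
    # a quieter sweep: one source trying to REGISTER as extensions 200..230
    + [("198.51.100.7", _request("REGISTER", str(ext), PBX, "softphone/2.1"))
       for ext in range(200, 231)]
)

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_TRAFFIC).items():
        print(f"{src}: {', '.join(reasons)}")
```

Run against the constructed sample it reports 192.0.2.10 for the scanner User-Agent and 198.51.100.7 for the extension sweep, while the desk phone at 10.0.0.21 is left alone. The User-Agent check is the cheap one and trivially evaded by a renamed scanner; the distinct-extension count is what catches the quieter enumeration, so tune the threshold to how many users a single endpoint on your PBX legitimately registers.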




[net-security] Security Analysis of WiFi implementation WPA2-AES


Background:
WiFi has several vulnerable protocols still in use for backward compatibility. New updates have been made available for WiFi implementations, but they can all still be exploited in some way.

Execution Method:
[] The best WiFi setup you can have is WPA2-AES; it's the most secure, but not hacker-proof... you still need to be cautious to make it secure enough.
So, go ahead and implement a standardized WPA2-AES WiFi setup, and then be cautious about what I mention ahead...

[] Recent WiFi implementations use WPA2 for network authentication, AES for data encryption and PEAP as the EAP type to provide stronger security than older WiFi implementations. They are still vulnerable to attack if the client side has been configured improperly.
The correct configuration procedure is given below:
1. Open the Properties of your Wireless NIC.
2. From there open the properties of your Network.
3. Click on the 'Wireless Networks' tab and select the properties of the EAP type.
4. Here, if the 'Validate Server Certificate' checkbox is unchecked, or 'Do not prompt users to...' is not checked, it is a privacy flaw that leaves clients vulnerable to a PEAP attack.
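The same two settings that step 4 checks in the dialog are stored in the wireless profile XML that Windows writes when a profile is exported (netsh wlan export profile), so they can be audited in bulk instead of being clicked through on every client. The script below is an added example written for this post, not something from the post itself: it reads a profile, checks that server certificate validation is on and that the user is not prompted to accept unknown servers, and adds two checks a reviewer would also want, a pinned trusted root CA and a restricted server name. The two profiles are constructed and trimmed to the PEAP-relevant elements; the element names follow Microsoft's PEAP connection-properties schema as I know it, so confirm them against a real export before relying on the script. The SSID and thumbprint are placeholders.

```python
"""Audit the server-validation settings in an exported Windows PEAP profile.

Added example for this post; it is not part of the post. The two profiles
below are constructed, trimmed to the PEAP-relevant elements of the XML that
"netsh wlan export profile" writes (element names as in Microsoft's
MsPeapConnectionProperties schema; confirm against a real export). The
SSID and thumbprint are placeholders.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so lookups do not break across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name):
    """Lower-cased text of the first element with this local name, or None."""
    for element in root.iter():
        if _local(element.tag) == name:
            return (element.text or "").strip().lower()
    return None


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the client-side checks pass.

    Mirrors the dialog checks from the post (validate server certificate,
    do not prompt the user to trust new servers) plus two extras a reviewer
    would want: a pinned trusted root CA and a restricted server name.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if _first_text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation is disabled")
    if _first_text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user is prompted to accept unknown RADIUS servers")
    if not _first_text(root, "TrustedRootCA"):
        findings.append("no trusted root CA pinned")
    if not _first_text(root, "ServerNames"):
        findings.append("no server name restriction")
    return findings


def _profile(perform_validation, disable_prompt, trusted_root_ca, server_names):
    """Build a trimmed, constructed profile fragment for the checks above."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WIFI-EXAMPLE</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{disable_prompt}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                <TrustedRootCA>{trusted_root_ca}</TrustedRootCA>
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{perform_validation}</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""


# Weak profile: the flaw described in step 4 of the procedure above.
WEAK_PROFILE = _profile("false", "false", "", "")
# Corrected profile: validation on, no prompt, CA pinned, server name restricted.
HARDENED_PROFILE = _profile("true", "true", "PLACEHOLDER_THUMBPRINT", "radius.example.com")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(profile) or ["ok"])
```

The weak profile produces all four findings and the hardened one none. Matching on local element names rather than full namespaces is deliberate: the V1 and V2 PEAP schemas put these settings in different namespaces and a strict namespace lookup would silently miss one of them, which for an audit script is the worst failure mode.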

[] Using 'WiFish Finder', one can easily figure out the networks a client is using and the encryption type configured for each.
It can then pose as a fake network provider and attack the client by tricking it into sending authentication packets to it, disguised as an original network from the client's trusted network list.

Tools/Technology Used:
WPA2-AES PEAP, Pentoo, Airmon-ng, WiFish Finder

Inference:
Not many practical attacks are available, but a weak implementation could still make a WPA2-AES WiFi network vulnerable.
The attack vector raised by WiFish Finder is an under-rated possibility.

[net-security] Subset Scan for Old Clients At New Networks

WHY? Subset Scan for Old Clients At New Networks

Task Detail:
Suppose you are to perform a vulnerability assessment of a new network for a client you have already worked for.
They might have all newly configured devices that are supposed to be checked for security.
But one thing they mostly can't resist is using similar machine images for the new setup.
HOOOOLAAA... what you need to do is sniff out all the flaws noted in the earlier scan.

Experience:
Several vulnerabilities still persist if the images have been reused, because
[] these machine images are not updated very regularly, as that is the benefit of having images,
so they act like a vulnerability-copying bot.
------




Wednesday, January 19, 2011

[net-security] all need Authentication most need Domain Controllers 'n hackers love it

Background:
Domain Controllers are the devices responsible for maintaining data about all corporate user accounts, software resources and user ACLs, so a specific vulnerability assessment was required for them. We were supposed to assess the Domain Controllers with a more intense vulnerability scan cycle.

Execution Method:
Similar to the previous task, we first scanned using NMap, and then launched NeXpose scans on the domain servers one by one.
The scan result showed that all the machines ran exploitable services, and we tried testing those using Metasploit and tools specific to the identified vulnerability.
Here, we especially checked for user account enumeration and found most of the Domain Controllers to be vulnerable to CIFS vulnerabilities, resulting in enumeration of all user accounts with their details.

Tools/Technology Used:
NMap, Rapid7's NeXpose, Metasploit, SNMP Fuzzer, SNScan, Hunt, SuperScan, User2SID, SID2User

NMap: http://nmap.org/, http://nmap.org/book/man.html
Rapid7's NeXpose: http://www.rapid7.com/products/nexpose-community-edition.jsp
Metasploit: http://www.metasploit.com/
SNMP Fuzzer: http://www.securityfocus.com/tools/3623
SNScan: http://www.mcafee.com/us/downloads/free-tools/snscan.aspx
Hunt: http://packetstormsecurity.org/sniffers/hunt/
SuperScan: http://www.mcafee.com/us/downloads/free-tools/superscan3.aspx
User2SID & SID2User: http://www.securityfocus.com/tools/544

[net-security] Internal Network Scan : major NeXpose work

Background:
Even if a network has strong intrusion detection and prevention mechanisms implemented, it is only as safe as the machines present within it. If any device within the network is infected with a Trojan or virus, or is even just running a vulnerable service, it could lead to the compromise of the entire network.

Execution Method:
Rapid7, the team behind Metasploit, has a network vulnerability assessment tool named 'NeXpose'.
It has a huge, regularly updated database of exploits and vulnerabilities, which its Community Version can test against a limited set of machines.

First, start scanning the subnets with the best network scanner, NMap, which reveals some interesting information about machines, ports and the services running on those ports.

Next, launch NeXpose scans for all machines identified in the first step, in small batches. Here NeXpose will again do some NMap-like testing and a lot of extra self-checking of whether a certain exploit is useful against the machine.
Keep a record of all machines with exploitable services and try hacking those using Metasploit and tools specific to the vulnerabilities.
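The hand-off between the two steps (NMap first, then the second-stage scanner in small batches) is where a little tooling pays off, and the same parse also picks out the hosts exposing SMB/CIFS that the Domain Controller post checked for user account enumeration. The script below is an added example written for these two posts, not a script from either of them: it reads NMap's XML output (the -oX format), keeps hosts that are up and have open ports, splits them into batches for the follow-up scan, and lists the hosts with TCP 139 or 445 open as candidates for the account-enumeration check. The XML, hostnames, addresses and service strings are constructed, and the batch size of five is an assumption.

```python
"""Turn an NMap XML run into batches for the second-stage scanner.

Added example for the two-step procedure above (NMap first, NeXpose on small
batches) and for the SMB/CIFS enumeration check in the Domain Controller post;
it is not a script from either post. The XML below is constructed in NMap's
-oX layout with made-up hosts; the batch size is an assumption.
"""
import xml.etree.ElementTree as ET

# Ports whose exposure warrants the user-account enumeration check
# (NetBIOS session service and SMB over TCP).
CIFS_PORTS = {139, 445}


def parse_nmap_xml(xml_text):
    """Return a list of {addr, hostname, open_ports} for hosts that are up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue          # hosts that never answered carry no ports anyway
        addr = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            parts = () if service is None else (service.get("name"), service.get("product"), service.get("version"))
            open_ports[int(port.get("portid"))] = " ".join(p for p in parts if p)
        hosts.append({"addr": addr,
                      "hostname": name_el.get("name") if name_el is not None else "",
                      "open_ports": open_ports})
    return hosts


def batches(hosts, size=5):
    """Split hosts with at least one open port into lists of `size` for the second-stage scan."""
    live = [h["addr"] for h in hosts if h["open_ports"]]
    return [live[i:i + size] for i in range(0, len(live), size)]


def cifs_exposed(hosts):
    """Addresses exposing SMB/CIFS, i.e. the ones to run the account-enumeration check against."""
    return [h["addr"] for h in hosts if CIFS_PORTS & set(h["open_ports"])]


def _host(addr, name, ports, up=True):
    """Build one constructed <host> element in NMap's XML layout."""
    state = "up" if up else "down"
    port_xml = "".join(
        f'<port protocol="tcp" portid="{pid}"><state state="open" reason="syn-ack"/>'
        f'<service name="{svc}" product="{prod}" method="probed" conf="10"/></port>'
        for pid, svc, prod in ports
    )
    return (f'<host><status state="{state}" reason="echo-reply"/>'
            f'<address addr="{addr}" addrtype="ipv4"/>'
            f'<hostnames><hostname name="{name}" type="PTR"/></hostnames>'
            f'<ports>{port_xml}</ports></host>')


# Constructed scan output: two domain controllers, a file server, a web server,
# a printer, a jump host, one host that is down and one with every port filtered.
SAMPLE_NMAP_XML = (
    '<?xml version="1.0"?>'
    '<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/26">'
    + _host("10.0.0.5", "dc01", [(88, "kerberos-sec", "Windows Kerberos"), (389, "ldap", "Active Directory LDAP"), (445, "microsoft-ds", "Windows SMB")])
    + _host("10.0.0.6", "dc02", [(139, "netbios-ssn", "Windows netbios-ssn"), (445, "microsoft-ds", "Windows SMB")])
    + _host("10.0.0.20", "web01", [(80, "http", "Apache httpd")])
    + _host("10.0.0.21", "fs01", [(445, "microsoft-ds", "Windows SMB")])
    + _host("10.0.0.30", "prn01", [(9100, "jetdirect", "")])
    + _host("10.0.0.31", "", [], up=False)   # never answered
    + _host("10.0.0.32", "ws07", [])         # up, every probed port filtered
    + _host("10.0.0.40", "jump01", [(22, "ssh", "OpenSSH")])
    + "</nmaprun>"
)

if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for number, batch in enumerate(batches(found), 1):
        print(f"batch {number}: {', '.join(batch)}")
    print("CIFS exposed:", ", ".join(cifs_exposed(found)))
```

On the constructed run this yields two batches (five hosts, then one) and flags dc01, dc02 and fs01 for the CIFS check. Feeding the second-stage scanner only hosts with something listening keeps its per-scan limits (the Community Edition's cap is mentioned above) for machines that can actually return a finding.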


Also use tools like SNMPFuzz and Hunt, mainly on server-like machines... say the AD server, etc.; you could get lucky anytime.

Tools/Technology Used:
NMap, Rapid7's NeXpose, Metasploit, SNMP Fuzzer, SNScan, Hunt

Monday, January 17, 2011

[net-security] sometimes dumbest try hits hardest, our lovely 'Port Scan'

even the dumbest tries can hit the opponent real hard... that is the case with port scanning today.

almost every network techie knows its importance and the ways to secure against it,
still everyone leaves a gap, and even if no gap is left... it's too hard to make network services hide their basic instincts and leave no trace...

Normally, you shouldn't hope for any big revelations... but you can always crawl after the probable active services and their versions.

so a general procedure you can follow for some thrill is:

Method:
Perform it externally on the available network resources, and as an internal multi-style scan.
1. Simple Port Scanning
Do a plain 'intensive mode' port scan of all ports from outside the network.
Do it for more specific ports on the internal network; otherwise you could overflow your network routing tables or, say, DDoS your own LAN. Know-More-About-it-Link
2. No-Ping Port Scanning ('n few more scan-modes)
Next, a scan in No-Ping mode makes the port scanner assume the host is already up and scan for the host's open ports. In certain better-protected network scenarios, this is more successful than the earlier style. Know-More-About-it-Link
3. Firewalking (just for fun... but you'll learn a lot)
In the external scanning task, you could also use this old-school trick just to have some fun and try your luck to its limit. Know-More-About-it-Link


Tools/Technology Used: 
NMap, PortBunny, Telnet, Firewalk and NetCat, all present on the BackTrack pen-test distribution.

[security] prying 'ears' at 'get-some-fresh-air-spots' near office

the first task I did in an organization (it was an assigned task) was to PRY around and see if I got caught... though it was easy to roam around the office and connect to the network once I was past the entry checks for the office...

But this made me think about the information coming to me while walking out of those entry checkpoints... at hangout spots near offices, where techies come in a group or alone on a call, and then they can't resist discussing all the headache this-or-that technology is causing them, mostly with intricate details (which they feel is normal data, as everyone in their group already knows it, but what about prying ears?).

I don't pry around, I just go to the tea stall outside my office with my friends... and still get to know some internal details of other organizations, 'cuz they are chattered about by a person standing next to me...

if someone does it with motive and attention, 'a lot can happen over a cup of tea' ;)