Posts Tagged ‘metasploit’
 

Penetration testing, antivirus, firewalls and false sense of security

Sunday, November 9th, 2008

A false sense of security is an ongoing issue, fueled by inaccurate marketing strategies that promise the ultimate security product and convince clients that it will make their systems immune to every single attack.

Security professionals are used to hearing all kinds of comments from clients caught up in a false sense of security; the three most common misconceptions are:

Client - My application must be secure, it is running over SSL.
Penetration tester - That’s good, your IDS will not pick up my attacks.

Client - My web application must be secure, it is protected by my firewall.
Penetration tester - Sure enough, your firewall is not going to filter web traffic to your web server.

Client - My server must be secure, it has an antivirus up to date.
Penetration tester - Your antivirus will only pick up known signatures; it will not pick up my custom-made scripts.

We recently performed a black box web application penetration test for a client who had expressed (before the penetration test) how secure his application was, as he had deployed SSL at the application layer and antivirus on the server, and everything was protected by a firewall.

During the penetration test we managed to find a page which allowed uploading arbitrary files to the web server. When we tried to upload some of the standard web shells we saw the antivirus detecting them and removing them from the server. It is fair to say that an antivirus in this case provides a very thin layer of security: after some modifications to the scripts we easily bypassed the antivirus protection.

In this example achieving command execution required another step, as the user the web server was running as did not have enough privileges. However, it was easy enough to find a high-privilege username/password for the MS SQL database also running on the server. The next steps were:

- Creating a custom script which connected to the MS SQL database using the high-privileged account.
- Enabling the xp_cmdshell stored procedure, which we found disabled.
- Enjoying command execution.

Once we got to this point it was easy to run Metasploit's Meterpreter to bypass the firewall protection, tunneling services over HTTP.

In conclusion, SSL, antivirus and firewalls are essential parts of the security of an infrastructure; however, they need to be properly implemented, and they don't protect from all kinds of attacks.

Penetration testing with IPv6

Tuesday, October 14th, 2008

Issue 10 of the Uninformed magazine was released today. As usual it is a very interesting read, with very nice and technical articles. One of them caught my eye, written by H D Moore: Exploiting Tomorrow's Internet Today, Penetration testing with IPv6.

IPv6 is an Internet layer protocol designed to replace the current IPv4. The article covers the basics of IPv6 such as configuration and addressing standards.

Later in the article the author covers some of the common penetration testing tasks, focusing on the IPv6 protocol:

Network Discovery

Van Hauser's IPv6 Attack Toolkit contains a tool for this. The alive6 tool sends an ICMPv6 packet using the Neighbor Discovery protocol:

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy

Found 2 systems alive

The ip and ping6 tools can also be used for that: ping the all-nodes multicast address ff02::1, then read the neighbour cache that the replies have populated:

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx
fe80::218:8bff:fexx:xxxx dev eth0 lladdr 00:18:8b:xx:xx:xx
[...]
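The same neighbour cache is useful from the defender's side: IPv6 is often enabled on hosts nobody inventories, and the link-local addresses above embed the MAC in EUI-64 form (00:11:43:xx:xx:xx becomes fe80::211:43ff:fexx:xxxx). As an added example, not part of the original post or of the Uninformed article, the following Python parses ip neigh output in the format shown, lists IPv6 neighbours whose MAC is outside a constructed inventory, and flags link-local addresses that do not match the EUI-64 form of their MAC. The sample output, the MACs and the inventory are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the `ip neigh` format shown above, plus a constructed
# inventory of expected MACs; addresses and MACs are placeholders, not real hosts.
SAMPLE_NEIGH = """\
fe80::211:43ff:fe11:1111 dev eth0 lladdr 00:11:43:11:11:11 STALE
fe80::21e:c9ff:fe22:2222 dev eth0 lladdr 00:1e:c9:22:22:22 REACHABLE
fe80::218:8bff:fe33:3333 dev eth0 lladdr 00:18:8b:33:33:33 DELAY
fe80::1 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
fe80::2 dev eth0  FAILED
192.0.2.10 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""
KNOWN_MACS = {"00:11:43:11:11:11", "00:1e:c9:22:22:22", "00:18:8b:33:33:33"}

LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?:\s+(?P<state>[A-Z]+))?$"
)

def parse_neigh(text):
    """Parse `ip neigh` lines into dicts; entries with no resolved MAC are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("mac"):
            entries.append(m.groupdict())
    return entries

def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")

def audit_ipv6_neighbors(text, known_macs):
    """Report IPv6 neighbours whose MAC is outside the inventory, and link-local
    addresses whose interface identifier is not the EUI-64 form of their MAC."""
    report = {"unknown_mac": [], "iid_mismatch": []}
    for e in parse_neigh(text):
        ip = ipaddress.ip_address(e["addr"])
        if ip.version != 6:
            continue  # IPv4 entries are covered by the usual inventory tooling
        if e["mac"].lower() not in known_macs:
            report["unknown_mac"].append(e["addr"])
        if ip.is_link_local and (int(ip) & ((1 << 64) - 1)) != mac_to_eui64_iid(e["mac"]):
            report["iid_mismatch"].append(e["addr"])
    return report
```

A mismatch between the link-local address and the MAC is not proof of anything on its own (privacy extensions and hand-configured addresses cause it too), but on a segment that is supposed to be IPv4-only it is worth following up.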

H D Moore also covers the use of Nmap and Metasploit against IPv6 hosts.

The use of socat to 'translate' from IPv4 to IPv6, so that the common penetration testing tools can be used, is interesting:

$ socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[IPv6%eth0]:80

In the example above socat creates and binds a local IPv4 port (8080) and forwards it to a remote IPv6 service listening on port 80 (IPv6 in the command stands for the target address, and %eth0 is the scope identifier required for link-local addresses). After running the command above, the penetration tester can comfortably use the common web assessment tools such as nikto or web proxies, even if they don't natively support IPv6.

    Copyright (c) 2008 SECFORCE Ltd
All Rights Reserved