Author Archives: Adam - Page 5

IPv6 Security Issues

There’s a lot of talk about IPv6 having a number of security flaws. I thought I’d summarize some of them and address them accordingly. What follows is an enthusiasts’ view of the issues at stake gained by reading up on the issue through various sources.

Security Concerns

1) The argument that federal and state law enforcement will be hard pressed to track criminals over the internet is also a benefit for those preaching anonymity online. Since IPv6 addressing is considerably more complex than its IPv4 counterpart, spanning multiple subnets, some security experts warn users against it entirely.

The popular uTorrent BitTorrent client, which currently favors IPv6, serves as a proponent of it, saying Teredo tunneling enables a more effective means of sharing data between older operating systems (Teredo provides backward compatibility between IPv6 and IPv4).

Could the prospect of anonymity have been a driving force in the adoption of IPv6 for torrent use? Possibly, but not likely, considering there are network tools available for IPv6 (such as SubnetOnline and many others; it makes you wonder why the FBI is so concerned if such tools are available, even if not yet widespread).

Source: IPv6 good for criminals, says FBI and DEA | Digital Trends
Source: Teredo tunneling – Wikipedia, the free encyclopedia
Source: IPv6 – Wikipedia, the free encyclopedia

2) IPv6 may or may not be more susceptible to mass DDoS and MITM attacks, or at least to ones that common routers and/or firewalls do not presently protect against; the debate is still up in the air. If interested, there is a white paper I found that discusses the effects of DDoS with IPv6’s new IPsec protection configured and without it (it covers TCP, UDP and ICMP flooding and Smurf attacks; check it here).

One exploit toolkit known as THC-IPV6 (THC-IPV6 – attacking the IPV6 protocol suite) has been particularly problematic, as it contains ICMP flood tools, network listeners, an ARP poisoning tool that fools the network into believing you are a router, MITM traffic redistribution tools, DoS detection, an IDS, ICMP6/TCP-SYN traceroute, network fuzzers, smurfers and countless other tools. The only protection users have against this is a really strong modern firewall and/or network policy. (Source of note: thc-ipv6 Toolkit – Attacking the IPV6 Protocol | Darknet – The Darkside)

To summarize but counter the concerns, ZDNet said the following on their blog:

True, IPv6 incorporates Internet Protocol Security (IPsec), but by itself that doesn’t buy you any more security. IPv6’s header design also lends itself to better security since it can be used to provide a cleaner division between encryption meta-data and the encrypted payload. In addition IPv6’s huge address space can be deployed to make scanning attacks harder by allocating random addresses within subnets. But, those are all matters on how you deploy IPv6. In and of itself, IPv6 won’t make you any more secure than your childhood blue blanket.

First IPv6 Distributed Denial of Service Attacks Seen, ZDNet

So although attacks can be more widespread if the implementation of IPv6 is handled improperly (across entire subnets), this is a deployment problem, not a problem inherent in the protocol itself. Furthermore, on an individual level, as more firewalls support IPv6, so too will we see a decline in the attacks available against those using IPv6 on their network.

3) Routing Header Security Concerns – a packet’s routing header can be used to specify where and how to strike a particular target. This concern is discussed in the following presentation: http://meetings.ripe.net/ripe-54/presentations/IPv6_Routing_Header.pdf Possible solutions are better packet routing by ISPs as they become more equipped to handle IPv6, as well as more advanced firewalls and security schemes.

Conclusion

So essentially what we see is a growing technology, still very much in its infancy, becoming more predominant by the day. Hopefully, as IPv6 is adopted, so too will public awareness of the security risks increase. It’s also my belief that software vendors and internet service providers alike should work together to better address such issues.

IPv6 may have started slow but it may be here to stay.

Public Wi-Fi? Be Mindful of Session Hijacking

Cache Exploitation & Sidejacking (Session Hijacking)

Tools

* Firesheep Packet Sniffer on PC
* FaceNiff or DroidSheep on Android (rooted)
* Other MITM (man-in-the-middle) software; no packet-injection-capable NIC needed! For more on MITM attacks please click here (Schneier on Security; 7/15/2008).

The risk

The most common type of cache exploit can be seen using Firesheep, which captures unencrypted cookie data passed over a Wi-Fi network and reveals it (it works well against social networks and other sites that do not appropriately handle user data transmission).

Although some data may be handled via SSH (encrypted), on some insecure sites the actual login cookies are not. Some social networks and heavily trafficked websites have sought ways of solving the problem, but not all evolve accordingly. So long as they don’t, this exploit will work, as it has done for many years.

This type of exploit could be known as the “Starbucks Social Network Exploit” for all intents and purposes, since places that offer free wi-fi are at risk.

Naturally ANY wi-fi network is at risk. As we see with Aircrack and WEP/WPA cracking, even a reasonably secure network can run the risk of MITM attacks. Another way of bypassing security measures is ARP poisoning once an attacker has gained access to a network, assuming the identity of another computer on it. This is another reason why you should only join relatively secure networks that allow SSH tunneling.
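The root cause of the Firesheep case above is a session cookie that the browser will send over plain HTTP. As an added example (not code from the original post), here is a small Python audit of Set-Cookie headers for the attributes whose absence makes that possible; the two HTTP responses it checks are constructed samples.

```python
# Added example (not from the original post): audit Set-Cookie headers for the
# attributes whose absence lets a Wi-Fi sniffer read or replay a session cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_response(raw_response, served_over_https):
    """Return [(cookie_name, session_like, [problems])] for each cookie at risk."""
    findings = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, sep, hval = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hval)
        problems = []
        if not served_over_https:
            problems.append("set over plain HTTP: visible on the wire")
        if "secure" not in attrs:
            problems.append("missing Secure: browser will also send it over HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by injected script")
        if problems:
            session_like = any(h in name.lower() for h in SESSION_HINTS)
            findings.append((name, session_like, problems))
    return findings

# Constructed sample: a login response served over plain HTTP, the Firesheep case.
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n<html>welcome</html>"
)
# Constructed sample: the same site after the fix (HTTPS plus Secure and HttpOnly).
SAMPLE_HTTPS = "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc123; Secure; HttpOnly\r\n\r\n"

if __name__ == "__main__":
    for name, session_like, problems in audit_response(SAMPLE_HTTP, False):
        print(name, "(session cookie)" if session_like else "", problems)
```

Run it against the headers of a real login response (captured from your own site) to see whether its session cookie would survive an open-Wi-Fi hop.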

Protecting yourself

* Use SSH tunneling to connect to your VPN/proxy setup after connecting to open wi-fi.
* Always try to use SSL/TLS enabled variations of web pages (if you use Firefox please be sure to download and make use of the HTTPS Anywhere Addon).
* Use encrypted connections, and use only protected wi-fi networks rather than public ones, or at least trusted ones.
* Urge wi-fi network admins to monitor ARP tables and run appropriate IDS and conduct other server-side preventative measures.
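The last item, monitoring ARP tables, is the network-side check for the ARP poisoning described above. As an added example (not code from the original post), this Python script compares two `arp -n` snapshots and flags the two classic signs of poisoning: the gateway's MAC changing, and one MAC claiming several IP addresses. Both snapshots are constructed samples.

```python
# Added example (not from the original post): compare two `arp -n` snapshots and
# flag the classic ARP-poisoning signs, a changed gateway MAC and one MAC claiming
# several IPs. The snapshots below are constructed samples, not real captures.
import re

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)

def parse_arp_table(text):
    """Map IP -> MAC from Linux net-tools `arp -n` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line.strip())
        if match:
            table[match.group(1)] = match.group(2).lower()
    return table

def detect_arp_anomalies(baseline_text, current_text, gateway_ip):
    """Return alert strings; a moved gateway entry is rated CRITICAL, others WARNING."""
    base, cur = parse_arp_table(baseline_text), parse_arp_table(current_text)
    alerts = []
    for ip, mac in cur.items():
        if ip in base and base[ip] != mac:  # a legitimate DHCP churn also lands here
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {base[ip]} to {mac}")
    by_mac = {}
    for ip, mac in cur.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"WARNING: {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts

BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     wlan0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     wlan0
192.168.1.77             ether   de:ad:be:ef:00:42   C                     wlan0
"""
# Same network a minute later: the host at .77 now also answers for the gateway.
POISONED = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:42   C                     wlan0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     wlan0
192.168.1.77             ether   de:ad:be:ef:00:42   C                     wlan0
"""

if __name__ == "__main__":
    for alert in detect_arp_anomalies(BASELINE, POISONED, "192.168.1.1"):
        print(alert)
```

On a live system, feed it the output of `arp -n` taken at two points in time; on Windows the `arp -a` format differs and the regular expression would need adjusting.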

Metasploit 3.5.2 Windows VB-XCACLS Error

I was installing the Windows Metasploit on a Windows XP desktop host today and I encountered an error message. After resolving the error I thought I’d post about it here to inform people of why it occurs and how to fix it.

Problem running post-install step. Installation may not complete correctly
Error running cscript "C:\metasploit\tools\XCALCS.vbs" "C:\metasploit" /G "(Username):f" /G SID#S-1-5-18:f /I REMOVE /T: Program ended with an error exit code

If you get that message and you’re using XP, you’re dating yourself. In Windows versions prior to Windows Vista you’ll need the VB tools located at: Download details: Extended Change Access Control List Tool (Xcacls)

The r00tsec blog describes this as being caused by the fact that Metasploit relies on being able to run without requiring special permissions from the user and, in XP, this feature requires the right tool (the Xcacls extension from MS).

It is my understanding that the tool above allows Metasploit to run with the right privileges without requiring any additional access/permission(s) on the part of the user.

Prior to Vista there was no special group of users (“Authenticated Users” group), so Xcacls.vbs is needed to facilitate this operation in earlier operating systems.

To fix the error(s)

All I did was uninstall Metasploit (may or may not be required), install the VB tool, and reinstall.

When asked where XCacls.vbs should install, you can install to your framework directory. Then from a DOS prompt in the same directory as Xcacls.vbs:

Cscript.exe /h:cscript
Cscript.exe xcacls.vbs
xcacls.vbs (framework directory) /E /R SID#S-1-5-32-545 /T

Note – If your VBS scripts are opening in Notepad, the correct Visual Basic scripts association has been broken (yeah, and you just wanted to open all scripts in your cool new text editing program, right?). You can correct this by altering the appropriate registry string or simply by downloading a .reg fix which will reset it for you.*

A similar problem can also occur in Vista but to read more about it please follow the r00tsec link below.

Keep in mind that Metasploit works best in Linux as there are many bugs that need ironing out in the Windows release.

Source: Computer Security Blog | Learning The Offensive Security: Metasploit Framework 3.5.2 Released!

Source2: http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html

* VBS Association Fix (XP):
http://www.dougknox.com/xp/fileassoc/xp_vbs_file_association.zip

Computer Security Resources

** Thanks for checking out this post! It’ll be revamped shortly to include a better forensics section and, perhaps, a little more order!!! If you think something should go here, just send me a message! In the meantime, feel free to check out some of the great links on the right side menu of the blog. **

Top Sources at Random

Schneier on Security

Honeynet Project Blog

SANS Institute’s Forensics Blog

LinuxSecurity.com

Exploits Database by Offensive Security

LeakDB (search by hash or text string for cracked content)

Ethical Hacking Projects @ Break The Security (contains a nice repository of tools)

16 Systems (awesome free cryptanalysis and penetration tools inc. TrueCrypt volume detection)

Security Tube (the best site for computer security and video instruction; complete with segments from security conferences!)

Nirsoft Tools (great freeware forensics tools and password utilities).

Cryptohaze (interesting encryption penetration tools that rely on your GPU)

Forensics

Cyberspeak’s Podcast (Ovie Carroll’s podcast!)

Forensic 4cast (great podcast and magazine by Lee Whitfield!)

Mandiant (Redline memory analyzer, Web Historian, Highlighter for logs, awesome industry blogs, etc.)

AccessData (FTK/FTKi for acquisitions, Registry Viewer, PRTK/DNA, etc.)

Guidance Software (makers of EnCase which I’ve come to admire greatly despite being a die hard FTK fan. The EnScript scripting element for customized analysis and artifact recovery is outstanding. They also own Tableau!)

DEFT Linux – Computer Forensics live cd (forensics linux distro, pretty good for IR)

Paladin4 (one of the easiest linux distros to use, excellent for imaging!)

F-Response (never used it but I see it used online all the time; this looks like one of the best networking acquisitions tools ever. The fact that I use dc3dd and netcat is probably not healthy, but I’m new to forensics so I have an excuse!)

Malware Analysis

Deep End Research (Leading malware research, Yara, etc.)

VirusShare (Malware Samples)

VirusTotal.com (Identify malware by hash or upload a file to scan)

Some more good reading…

TaoSecurity

Dark Reading | Security | Protect The Business – Enable Access

Darknet – The Darkside | Ethical Hacking, Penetration Testing & Computer Security

Packet Storm ≈ Full Disclosure Information Security

CYBER ARMS – Computer Security

Zimperium – Protecting your empire

Offensive Security Blog

BackTrack Linux – Penetration Testing Distribution **

Insecure.Org (makers of the famous nmap and crackers you can trust)

Seclists Mailing Lists (Insecure.org brings you a quality mailing lists spanning a wide variety of topics!)

Seclists Vulnerability Mailing List (Insecure.org brings you a quality vulnerability/bug-related mailing list)

Lifehacker, tips and downloads for getting things done (occasionally some good security articles on setting up a VPN, Proxy server or safeguarding data, targeted at non-security professionals)

TrueCrypt – Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux (Aside from the “Evil Housemaid” exploit, this is – simply put – the very best open source encryption software out there)

Armitage – Cyber Attack Management for Metasploit (Armitage; that which makes a lot of Metasploit possible)

https://www.grc.com/default.htm (offers on-site quick vulnerability scans and other services)

BugTraq (Security Focus)

SecurityFocus (Symantec owned news)

** Some great Backtrack/Kali-related sites include the Official Wiki & Tutorials Section. SecurityTube has some great tutorial videos as well. Kali Linux is now my go-to distro for Linux forensics and pentesting, you can snag a copy here (or join a great unofficial fan forum here). Additional BT5 instructional videos can be found on the BackTrack Linux Fan Page.

Cracking

Ophcrack Project Homepage

This tool is good for LM and NT hash; quick and easy SAM hive cracking which is ideal if you don’t happen to have a license for PRTK but do for FTK and wish to crack EFS; uses rainbow tables for speed (pre-calculated hashes), for brute force see l0phtcrack below.

l0phtcrack Password Auditor

Offers excellent brute force, support for rainbow tables and dictionary attacks. Some coming from PRTK may note that l0phtcrack seems to be missing PRTK’s biographical dictionary attack… one of my favorite tools. But that’s not necessarily true: you can accomplish this by loading biographical information in by creating your own dictionaries. Also, one of the coolest features of l0phtcrack is the network sniffer which pulls password hashes transmitted across a network… but fair warning: it doesn’t always work; if in doubt, read the documentation.

** Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.

AccessData’s PRTK

One of my all-time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries straight off the bat. Also, nothing beats the simple and straightforward interface. I’m a huge fan of the biographical dictionary attack, in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, things like directory listings, FTK dtIndex’d results, etc. can all be imported to speed up attacks). I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.

Interesting side note regarding EFS cracking if you have a license to FTK but not to PRTK:

If you are running FTK4+, you can first crack the Windows user password in Ophcrack (SAM & SYSTEM hives) and then, after selecting the EFS encrypted file, allow FTK to decrypt it with the password you’ve discovered. FTK also allows you to list multiple passwords if you’re unsure of which it may be. If PRTK is installed on the same system, it’ll use PRTK in the background and decrypt the file. Of course, as an ACE, I advocate getting a license to PRTK if you can, but thankfully PRTK can be used for this at the back-end with little trouble.

Safeguarding Data using Strong Passwords

https://www.grc.com/passwords.htm

Strong Password Generator

How To Create Strong Passwords That You Can Remember Easily

Computer Security Conferences of Note

http://www.defcon.org/

Black Hat | Home

Where The World Talks Security | RSA Conference

ASIS International: Home Page

Computer Forensic Show

Multiple SANS Conferences

NYC 2600

What Kind of Disjointed List is This?

Obviously it would be impossible to list all the great computer security-related sites and tools out there. Hope you find the list somewhat useful.