Putting major security issues on the back burner, many network infrastructures follow a more flexible (sometimes chaotic) setup and operational plan. The main representatives of this approach are academic and educational institutes. Each department, lab or research unit under the campus roof, after a simple checkbox paperwork exercise, can establish its own core services (web, mail, data, authentication, etc.). It is understandable that academic teams should not be bound by strict security policies if they are to conduct their research efficiently, but NOC teams cannot leave things to their fate.
A common scenario in small-scale IT infrastructure involves a single main web server hosting all the web services and applications. In such a scenario the main challenge for the web administrator is to keep the system as safe as possible while offering a high level of usability. The web services are used by a group of people with different IT skills and experience, forcing the webadmin to keep the access procedures as simple as possible. The most striking examples of this approach are universities and educational institutes.
In previous articles I have extensively analyzed the information leakage originating from file metadata fields. In this article I will go one step further and show how an attacker can use common EXIF JPEG metadata fields to hide PHP code (or even a whole backdoor shell) in them. After a PoC demonstrating the effectiveness of the hiding technique, I will present some basic scanning mechanisms that can be applied in order to protect against malicious images with hidden PHP code.
Recently I conducted a network penetration test on behalf of an academic institution. Apart from the security holes I discovered, I noticed many running SNMP services with their community strings publicly accessible. For monitoring purposes, network devices such as routers, switches, printers and VoIP devices have their read-only community strings enabled. Because of the read-only behavior of the public community, many network and system administrators may assume that it is pointless to go to the trouble of securing them with ACLs or firewall rules, leaving them accessible from any source IP. But is it really pointless?
Over the last few days, open-source web admins have been very concerned about a recent Apache HTTPd denial of service. "Apache Killer" (written by Kingcope) is a Perl script that causes a remote DoS through memory exhaustion on an Apache httpd server. The script sends large numbers of HEAD requests with many ranges, which makes the remote side swap memory to the filesystem and renders the remote system unstable.
While the vulnerability has been publicly known since August 19, an official advisory has not been published yet. Still, a temporary workaround must be found in order to avoid regular system crashes. The most efficient and elegant solution I have read about uses the mod_rewrite engine.
Recently I undertook the investigation of a web server hacking incident. It was an up-to-date Debian machine (apache2 + php5 + mysql) that hosted a Joomla CMS for a logistics website. The web admin had installed a Joomla extension plugin which allows users to put custom PHP code in their articles. The attacker had "phished" valid login credentials for the website and published an article in which he placed a simple PHP backdoor shell. The malicious code was not noticed by the moderator who approved the article, so the article went public as usual.
Text dump websites are used by programmers and system administrators to share and store pieces of source code and configuration information. Two of the most popular text dump websites are pastebin and pastie. Day by day, more and more programmers, amateur system administrators and regular users are captivated by the attractive features of these web tools and use them to share large amounts of configuration and source code information. Therefore, as happens on every popular web platform, sensitive information sharing is inevitable. Potential attackers use these platforms to gather information about their targets, while on the other side penetration testers search these sites in order to prevent critical information leakage.
Penetration tests may involve Windows user password auditing. In Windows systems (NT, 2000, XP, Vista, 7), user password hashes (LM and NTLM hashes) are stored in a registry hive file named SAM (Security Accounts Manager). Until recently, whenever I had to extract Windows password hashes I had two alternatives: the manual way, or Windows password auditing suites (Cain & Abel, Ophcrack, L0phtCrack, etc.). But yesterday I came across a very useful Python script on the web named HashGrab2. HashGrab2 automatically mounts Windows drives and extracts username/password hashes from the SAM and SYSTEM files located on those drives using the samdump2 utility. HashGrab2 is ideal in cases where you just want to collect the Windows password hashes in order to import them into your preferred password cracker.
In the third part of the Enumerating Metadata series, we will talk about the Open Document Format (ODF), supported by popular document software suites (OpenOffice, LibreOffice, Microsoft Office 2007 and more). ODF is a family of XML-based file formats used to represent modern electronic documents (spreadsheets, presentations, word processing documents, etc.). A standard ODF file is a ZIP-compressed archive containing the appropriate files and directories. The document metadata is stored in a separate XML file named meta.xml. The types of metadata contained in this file can comprise pre-defined metadata, user-defined metadata, as well as custom metadata (such as ODF version, Title, Description and more).
The first phase (reconnaissance) of a penetration test includes information gathering and network mapping procedures. Automated, intelligent reconnaissance tools have been developed extensively in recent years, offering a reliable and fast starting point for the exploitation phase. In this article, I will focus on information gathering tools used to collect valid login names, email addresses, DNS records and WHOIS database entries. A penetration tester can use the gathered information to profile the target, launch client-side attacks, search social networks for additional knowledge, brute-force authentication mechanisms, etc.