Sunday, June 21, 2009

SANSFIRE pen testing fun

I'm writing these lines from Baltimore, MD, where the SANSFIRE conference has taken place. I was taking the SEC 542 Web App pen testing class with Kevin Johnson from Inguardians.com, the founder of the SAMURAI web application pen testing environment. It's a great class with a lot of experience being transferred from Kevin, who is an excellent, experienced security consultant. Learning the whole methodology and process of pen testing is really worth it. I've been doing pen testing for a while now, but this is like defining a process to follow, a guideline similar to the waterfall model used in software development, for example.
At the end of the class there is a capture-the-flag contest, where all the students compete in teams to hack a list of web servers and capture three flags. It was really fun popping those boxes. My team and I won first place, capturing all three flags in less than 3 hours. Also, one of the bugs exploited was one I found myself that Kevin himself was not aware of; when we told him about it he was like "OMG! I'm gonna kill ya! DID I DO THAT?!".

It was an excellent overall experience, although I was looking forward to more technical information. The transfer of knowledge was excellent, and the exercises were to the point and realistic. And the competition at the end really summed it all up, where we went through a full test with all its phases.

Friday, June 12, 2009

Chinese Cyber Botnet Army

I was shocked to hear that China is planning to deploy a piece of software, Green Dam Youth Escort, which is supposed to filter out pornographic and improper content. Certain parties were concerned about the freedom of the community to express their opinions on political issues. However, I'm more concerned about something else...

Imagine that the whole Chinese population has deployed this government software. We're talking about billions of computers here! What if the government decided to send requests from this software to a certain network? It's like building a "gigantic official botnet"! I'm sure that they thought about that. That can be very handy in case of cyber warfare. It's actually like a secret cyber weapon that utilizes all the computers in China.

Anyway, whether this is going to be used in the way described or not, I think that's a good idea but it should be implemented in a different way. In times of warfare, governments can call for volunteers, like cyber soldiers. These volunteers won't have to do anything except deploy software on their computers that is connected securely to the government via the internet. The government can then control this giant botnet and make it act in an organized, coherent fashion. It's the same idea as a laser: a laser is just light that is highly coherent. Also, having a choice to volunteer gives a good impression, allowing people who are not convinced to simply not participate, as part of the democratic system, while at the same time allowing people who are convinced by the government's political actions to volunteer.

I'm just dropping off some ideas I had. They're not organized yet, so I highly appreciate your opinions.

Thursday, May 28, 2009

Stupidity Can't Be Patched

Evil-intended people can't get what they want most of the time if their victims were aware enough of the risk of what they are doing. Clicking a link is way more dangerous than it looks.

Being a security professional, always talking about security, vulnerabilities, malicious websites and all this stuff, made my family somewhat aware of some of the risks involved with cyberspace. A couple of days ago, my little ten-year-old brother came along and asked me "Did you leave me an offline message with a link?" I was really proud of him! He does nothing on the computer except playing games and chatting. However, he didn't open the link because it had nothing proving that it was from me. Actually, I am the one who sent him this link about the newly announced "Thief 4" game because I thought he'd be interested in the pictures!

Usually when I send a link to someone I add a couple of words that identify me, like "hey Jimmy, remember our talk last night about Thief 4, I found this, check it". James is now confident (to an extent) to click the link because I called him Jimmy (which is what I usually call him) and I told him about something that we did last night (our talk about Thief 4). It depends, of course, on the link as well. If the link says gamespot.com/blablabla then it makes sense. But if it's atyk.123.msnet.com/index.php?james%20hotmail.com, that would definitely raise James' suspicion. But when I sent my brother the pic, I didn't think that he'd think like that. Seems that his security skills are better than I thought! Good for him.

Tuesday, May 12, 2009

Cybercrimes and Law

All that we have been talking about to prevent cybercrimes has nothing to do with the real criminals themselves! All this geeky technical stuff is good, but cyber crimes are really very easy to commit, and very tempting, because the punishment is not imminent. Usually, when cyber criminals are doing their attacks they have this feeling that they are safe, because they are sitting at home or at a cyber café, physically far from the "crime scene". Why are cybercrime numbers raging while physical crimes are coming to a settlement? This question cannot be answered directly. However, one can argue that usually cyber criminals do not have a visualization of what can happen to them if they were caught, and usually they think that they will not get caught at all! We have to have stricter laws that define cyber crimes and their penalties. Some countries have some laws, others have few laws and others do not have laws concerning cybercrime at all! Even countries that have laws do not spend much effort on tracking and hunting down criminals. Also, trials of cyber crimes have to be more publicized. People have to know that playing around in cyberspace is not a game anymore and that there are strict laws that are well applied.

The United States is taking good steps in that direction. We have John Schiefer, a botmaster, sentenced to four years in prison and fined $20,000, and earlier in 2007. Also, Microsoft announced in February 2009 that it is offering a reward of $250,000 to anyone who can provide information that can help arrest the creator of the Conficker worm (i.e. the botmaster of the Conficker botnet). "Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack," a Microsoft statement said. This is actually a good start. However, this is not enough. The cyber world is so small that countries cannot be separated in cyberspace. In order to teach the cyber criminals a lesson, we need this spirit to propagate to the Far East, Middle East and Russia as well, and get well established through national and international laws.

Thursday, April 23, 2009

The New Echelon: NSA Spying Program

Back in the 20th century, the NSA had this program, "Echelon", that aimed basically at "tapping" all communications going into, out of or inside the US. They had some legal issues, but those were ignored as usual and the spying went on. The spying relied mainly on intercepting satellite traffic, because back then there were no fiber optics. Since the introduction of the fiber optic network overseas, eavesdropping did not work very well. Tapping wires, especially optical fibers, wasn't that easy. It needed physical access. The NSA had a research team working on it. They even sent a submarine to try to find a way to eavesdrop on traffic from undersea cables without cutting the cable, but they failed. All the previous facts are documented. You may refer to the RSA Conference 2009 speech of James Bamford, author of "The Shadow Factory". But doesn't this ring a bell? Cutting cables? A series of unclear events happened earlier at the cables joining the Middle and Far East that was very vague. Cables were cut with no clear logical reason. People were telling all sorts of stories about this, like "a ship dropped its anchor on a cable", "fish ate it", "Al Qaeda intentionally severed the cables for their own nefarious purposes", "krakens maybe!" (the latter is mine). However, after Bamford's speech I think this all makes sense. There are communication corporations/countries that agreed to cooperate and put a tap on their nodes. But when countries don't cooperate, what happens? Dozens of cables get cut "accidentally" and fixed right after. That makes perfect sense! :D

Monday, March 30, 2009

Heterogeneity Promotes Security

Consider this scenario. There is only one operating system in the world that everybody uses. Now it's going to be very easy for attackers to write one exploit that runs on every single machine on earth!

On the contrary, if every single machine had its own operating system, then an attacker would have to write malware for every specific user.
The point of this argument is that heterogeneity of platforms makes it statistically harder for the attacker to write malware that spreads well. The problem is that most of the personal computers on earth run Microsoft software. Recently, servers are also migrating to Microsoft. This fact makes the decision pretty easy for the attacker when he is choosing the platform on which his malware is going to work.

It’s very healthy for the whole internet to have some sort of balance between operating systems on both client and server sides to make the job harder for the black hats.

Wednesday, December 10, 2008

How to know someone's IP Address

In many cases, it's desirable to know the IP address of someone in the reconnaissance phase. The first question to ask is: what information do I have about this person? In most cases it's likely that you have the email or IM of the target. First, let's discuss the methods:

Method #0x01

If you have a web server hosted someplace where you can see its logs, then it's very easy to send someone a URL of an image or any webpage hosted on your web server (http://123.123.123.123/veryfunnyimage.jpg). Whenever this page is visited, the web server keeps a log of who visited that page (IP address, time, browser, OS ... and lots more info), which you can check later to collect IP addresses. if

Method #0x02

Sometimes people get freaked out by addresses that have IP addresses in the URL, so having your webserver with a domain name would really help the person you sent the URL to click the link (www.mywebsite.com/veryfunnyimage.jpg).

Method #0x03

Some paranoid people don't open links to unknown sites. So here comes the cool trick: you can embed the image in a post of yours on a known site that allows HTML tags with image sources, like <img src="(your image URL)">. In this case the URL you are going to send to the person is a link to a known website, but the website contains another link to your web server. And whenever someone views this page on the known website, the "img src" link is invoked and voila! You have a log entry on your webserver.

Method #0x04

Some ultra-paranoid people don't open links at all! For these people I use my old trick. I send an email to the target that looks important to him (depending on the target, actually, and what's important to him). This email is in HTML format and contains a tag that links to an image on my webserver (probably a white image so as not to attract attention). Now upon merely opening the email, my webserver is invoked and a log entry is saved with the person's current IP address.

Note that this method only works if the email client allows images to be displayed (Gmail disables that by default).
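The note above (Gmail refusing to load remote images by default) is the general mitigation for Methods #0x03 and #0x04, and the same rule applies to any site that renders user-supplied HTML. The following Python is an added example, not code from the original post: it rewrites an untrusted HTML fragment so that every remote image, stylesheet or CSS background reference is replaced by an empty data URI, keeps inline attachments (cid:) and data: URIs, and returns the list of blocked URLs so the client can show a "display images?" prompt. The sample message, the tracker.example host and the function names are constructed for the example.

```python
"""Block remote image loads in untrusted HTML (mail bodies, forum posts).

Defensive counterpart to the tracking-image trick: every attribute or CSS
reference that would make the renderer contact a remote server is rewritten
to an empty data URI, so the sender's web server never gets a log entry.
The caller receives the list of blocked URLs and can offer a "display images"
choice, as webmail clients do. Example code added here; not from the post.
"""
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose value is fetched as soon as the element is rendered.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "input": ("src",),            # <input type="image">
    "video": ("src", "poster"),
    "audio": ("src",),
    "iframe": ("src",),
    "link": ("href",),            # stylesheets are fetched too
}
PLACEHOLDER = "data:,"            # valid empty data URI: no network access
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def is_remote(url):
    """Anything other than an inline attachment, a data URI or a fragment
    may resolve to a remote host (relative URLs too, via <base>), so block it."""
    u = url.strip().lower()
    return u != "" and not u.startswith(("data:", "cid:", "#"))


class RemoteImageBlocker(HTMLParser):
    """Re-serialises the markup, replacing remote references on the way."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked, self._in_style = [], [], False

    def _scrub_css(self, css):
        def repl(m):
            if is_remote(m.group(1)):
                self.blocked.append(m.group(1).strip())
                return "url(%s)" % PLACEHOLDER
            return m.group(0)
        return CSS_URL.sub(repl, css)

    def _scrub_attrs(self, tag, attrs):
        cleaned = []
        for name, value in attrs:          # parser already lowercases names
            if value is None:
                cleaned.append((name, None))
                continue
            if name in FETCH_ATTRS.get(tag, ()):
                if name == "srcset":
                    urls = [c.split()[0] for c in value.split(",") if c.strip()]
                    remote = [u for u in urls if is_remote(u)]
                    if remote:
                        self.blocked.extend(remote)
                        continue                    # drop the whole candidate list
                elif is_remote(value):
                    self.blocked.append(value.strip())
                    value = PLACEHOLDER
            elif name == "style":
                value = self._scrub_css(value)      # background:url(...) beacons
            cleaned.append((name, value))
        return cleaned

    def _emit(self, tag, attrs, self_closing):
        parts = [tag] + [n if v is None else '%s="%s"' % (n, escape(v, quote=True))
                         for n, v in attrs]
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        self._emit(tag, self._scrub_attrs(tag, attrs), False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, self._scrub_attrs(tag, attrs), True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(self._scrub_css(data) if self._in_style else data)

    # Pass the remaining token kinds through unchanged.
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)
    def handle_comment(self, data): self.out.append("<!--%s-->" % data)
    def handle_decl(self, decl): self.out.append("<!%s>" % decl)


def block_remote_images(html):
    """Return (sanitised_html, blocked_urls) for an untrusted HTML fragment."""
    p = RemoteImageBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked


# Constructed sample message: a genuine inline attachment (cid:), the white
# 1x1 beacon described in Method #0x04, and a CSS background beacon.
SAMPLE = (
    '<p>Hey Jimmy, remember our talk about Thief 4? '
    '<img src="cid:photo1@example" alt="photo"></p>'
    '<img src="http://123.123.123.123/veryfunnyimage.jpg" width="1" height="1">'
    '<div style="background:url(//tracker.example/pixel.png)"></div>'
)

if __name__ == "__main__":
    clean, blocked = block_remote_images(SAMPLE)
    print(clean)
    print("blocked:", blocked)
```

The allow-list approach (keep only data:, cid: and fragments) is deliberate: a relative path such as veryfunnyimage.jpg can still resolve to a remote host through a <base> element or the surrounding page, so only references that cannot cause a fetch are left untouched, and everything else becomes a user decision.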

Method #0x05

A faster approach is IM. If you have the IM of the target, then it's possible to try to send him a file (not malicious, a picture or something). Upon sending the file, a direct connection is established between you and the target. With a simple connection monitoring application (e.g. netstat on Windows), you can find out the IP address.

Method #0x06

Some paranoid people don't accept files! So another trick, in the case of MSN, is background sharing. The default for MSN is to accept backgrounds shared by others. Actually, background sharing performs file sending if the background is not one of the default backgrounds. So the trick is to set your IM background to a cool pic from your computer and share it. If the default setting was not altered on your target's IM, then he will automatically accept it right away and a connection is opened. Here comes again the connection monitoring app, where you can identify the new connection and extract the IP address of the target.

Well, those are the ones that I used... do you have any other methods? Sometimes I only have the username on a forum or website. Any clues?

UPDATE:

Method #0x07

In MSN Messenger, if you don't have the display picture of the person you're talking to, the messenger will try to download it by default. This causes MSN to open a direct connection. Using a sniffing tool like Wireshark will allow you to know the IP of the remote person. So basically, if you don't have his display picture and you opened the chat window, you'll get your log entry. You can either convince the target to change his/her display picture, or you can remove your local directory that caches the display pictures for all contacts (located in the application data folder for MSN) to force the messenger to redownload the picture. [NOTE: thanks to rvdh for the great tip :) and thanks to Borry for letting me take him as a test subject :D]