Exploits and large companies | How nothing has changed since 1998

I am posting something a bit different today: an opinion article on something I feel to be true. It is based on a video of L0pht’s 1998 testimony and a comparison of how little things have changed since then.

Recently in the Washington Post there was an article about the hacker group called L0pht and their plea to the government on how private companies need to be responsible for the software they put online. They were trying to bring to light that if you want a more secure system then don’t put it online. This does not mean that offline systems are impervious to attacks either. The testimony is worth the 1 hour run time and I recommend you listen to it on YouTube. It is very important if your business is accountable for holding data records, login info, and customer info. This is not related to my previous article but rather to all kinds of software I see day in and day out.

I just wanted to touch on a few items in the video that I believe are still prevalent in today’s online culture and in the mentality of corporate security.

“Can the systems be secured? In most cases they can be … they can be remedied by incorporating relatively trivial and inexpensive cryptographically secure authentication.”
Often the insecure items I come across are due to no security at all, whether that is storing data in the database in plain text or not using common and readily available technologies like HTTPS or TLS to transmit over public forms of communication. Having something is always better than having nothing.

“Insecure software is cheaper and easier to sell as there is no liability tied to the manufacturers” … “encourage companies to include this [security] in their products and hold them liable when their products fail.”
Selling software is easy; ensuring it has perfect security is impossible. No product will ever be truly secure. It is not a matter of if but rather when.

“I don’t think it is possible to create a fool proof system, but I don’t think that should be the goal. The goal should be very difficult to get in.”
Putting hurdles in the way of would-be exploiters slows them down and keeps away the script kiddies. This, in combination with monitoring incursion events, would keep organisations aware. Security needs to roll forward with the times. It is not something you can deploy and hope it will work for the lifetime of the product.

“If you have sensitive information then you should not share it with networks that are less secure or less trusted”
As straightforward as this sounds, it could be as simple as allowing VPN users from outside of the office in or, more commonly, BYOD enrollment in the office.

So that leaves us with what can be done about it.
For starters, listen to and be aware of what is going on in both the industry and with your own systems. I am not saying go out now and update your Watchguard and Ironport devices and patch every device on the network. I am simply saying read up on what is going on. Is there a new exploit for TLS downgrading that could affect my S3 instance? Are my offsite backups stored in an encrypted manner? Is there documentation on how well this manner stands up to brute-force techniques? Have I looked at the FTP logs for unusual activity? Maybe I should not have an FTP account that could expose the internal file server. All of these questions lead to new avenues of learning and awareness.

Also, listen to users who are trying to help. It’s much easier and cheaper to ignore a problem. However, when an internal or external user lets you know there is an issue with the current implementation, getting upset will only make the user think twice about letting you know in the future. I see this as one of the biggest roadblocks to reporting issues. It is far easier to sell an exploit online and actually make money than it is to report it and then face pressure from the company. Take a more recent example with Starbucks: imagine if this exploit was sold.
“The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead.”
The selling of zero days and exploits also hurts the company far more than if they were to fix the issue after it was disclosed to them. This comes at a higher cost to both the organization and the clients that had put their faith and, more importantly, their data into the organization.

Gomez Peer Exploit

Introduction:

I decided to take a look at how GomezPeer works from a low level view. During my observations I was surprised how easily someone would be able to grab username and login info from corporate websites in a passive manner while running the application.

What is GomezPeer: (in brief)

For those of you who don’t know, GomezPeer is a public peer application that is run in order for Dynatrace to test website responsiveness. Dynatrace claims it is #1 in application performance management.

GomezPeer pays clients to run the application and instruction sets on their own PC so that vendors can measure end user performance of their sites. Examples could be logging in and ordering plane tickets, or executing database queries against a server to see how long it takes to return the data in different areas of the country or world. This allows them to test a large number of OSs, ISPs and locations without the cost of having the infrastructure in place. Peers are compensated anywhere between $5 and $40 per month and can choose to donate the amount to charity. Over the last few months GomezPeer has been slowly rebranding its application as Dynatrace. Both GomezPeer and Dynatrace are owned by Compuware.

Both GomezPeer and Dynatrace use the same addressing block.

Gomez Advisor PNAP-BSN-GOMEZ-RM-02 (NET-63-251-134-0-1) 63.251.134.0 – 63.251.134.255

How GomezPeer works:
GomezPeer is installed on a client and then activated by entering a username that corresponds to a GomezPeerZone account. You can install as many peers as you like on as many physical hosts as you like in order to increase your earnings.

The Exploit:

The original documentation on it has been pulled at the request of the vendor.

After working with the vendor the exploit has been mitigated and GomezPeer has been hardened in order to be more resilient to such attacks. The Dynatrace team has been very quick to respond to the issue and let the affected clients know.

I also found the project managers at Dynatrace easy to communicate with while working out the specifics and I thank them for that.

SQL Injection Basics | How I learned how point and click attacks are easy.

After watching Troy Hunt’s Yow! Conference I was inspired to try the great SQL injection. This technique is known for getting mass password lists / email addresses from forum sites. This is a two part guide with this being the first part. Part two covers what to do with the data once you have it.

Disclaimer – Tests were conducted internally as far as you need to believe and by reading past this line you remove me from any liability regarding you and the use of the tools with the provided information below. See below for your very vintage reminder that 14 year olds go to jail every year for doing this kind of shit.

Question: Can I use SQL injection to get usernames and passwords?
How can I test for SQL injection?
What is a good app for those who don’t understand what SQL is or how injection works?
What is SQL injection?

Answer: Yes, you can get usernames and passwords in plaintext (if provided and stored in a poor manner), hashed, and salted varieties.
There are many paid services for testing SQL injection that will be better than the one demoed here for free, but you can’t beat free.
We are going to use Havij 1.15 for testing SQL injection.
In brief, SQL injection is when input on an incoming request is not sanitized, allowing someone to insert a question (query) before the data is sent back to the user.

Here is your super basic breakdown of SQL injection. A user goes to a site that they want to attempt to SQL inject. They look for some kind of SQL element on the page (logins, php? forms tied to DBs, forums, comments, etc). Once they find that element they will attempt to pass erroneous data to it and see how it responds. If it shows an error that looks like a SQL error or a table of data, you have likely scored, as SQL is telling you about the problem, which is something it shouldn’t do. So let’s get to this!
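What that erroneous-data test is reacting to, and the fix, as an added example that is not part of the original post. It uses Python's built-in sqlite3 with a constructed comments table standing in for the site's PHP back end; the function names are illustrative assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's comments table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?)",
                   [(4, "first post"), (5, "nice site")])
    return db

def get_comment_vulnerable(db, raw_id):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    sql = "SELECT body FROM comments WHERE id = " + raw_id
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # A stray quote breaks the statement's syntax. Showing this driver
        # error to the visitor is the "SQL warning" that reveals the flaw.
        return ("sql-error", str(exc))

def get_comment_safe(db, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return ("rejected", [])  # generic answer, no database detail leaks
    rows = db.execute("SELECT body FROM comments WHERE id = ?",
                      (int(raw_id),)).fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    db = make_db()
    for value in ("4", "4'"):
        print(repr(value), get_comment_vulnerable(db, value),
              get_comment_safe(db, value))
```

With the bound parameter the value can never change the shape of the statement, and the generic rejection gives a scanner no database error to fingerprint.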

First locate your internal site you are allowed to test, the one I’m sure you’re all here to read and learn about. Here is mine, straight from the 1990’s. I see there is a comments section that has my appropriate string.

www.site.com/comments.php?id=4

Perfect, now we need to test it. Let’s add a simple ' to the end of it and try again.

Perfect, we just got a warning from SQL about the GET request. So let’s take our new string

http://mysite.com/comments.php?id=4'

and throw it into Havij. This app will give us a logical view of the DB including a tree view of the tables and columns. In other words it will show what can be seen publicly. Havij comes in two flavors, Free and Pro, and can be readily found on Google. I will not be linking it from this article as there is no official source repo.

Then click on Analyze and it will attempt to fingerprint the database and interface with it. The log console will show you any information you need. If you see it running iterations then it has probably failed or the query cannot be injected. Check the status field; here we can see my successful injection.

Now you want to click Tables and Get DBs to list all the available DBs on the server.

Ok, so there are 3 types of data fields we can query. Databases are the root folders you see here; these are usually based off a service or used to logically sort data. Think of it like a folder called \music\ . Tables are the first sub folder; these are used to sort the data within the database, much like \music\techno\ , and they usually contain sets of columns like privileges and group settings. Then we have Columns; these are the actual values. These columns would be items like post dates / times, ids, GUIDs, usernames, and passwords, and they would be similar to \music\techno\Gemini – Blue .

When using Havij you need to work from the top down: allow it to find all the Databases first, then pick one database and Get Tables until you see what table you want to Get Columns from.

Here is an example of a few phpBB database tables found using Get Tables.

phpbb_users
phpbb_privmsgs
phpbb_topics

I am going to use phpbb_users as my example table to Get Columns from. Check the box for the single table and choose Get Columns.

New data will be populated and you will see it as another sub category. Select the data you want; it’s best to just choose a few at first. These will be unique to the service, and this example specifically targets phpBB. For the example I chose:

user_id – a number tied to the user, gives us an idea of the size of the userbase
username – the login
user_email – the account registrant address
user_password – their hashed and salted password
user_form_salt – some kind of initial salt for logins or account creation, not sure

There are various other items like user_ip that would have been interesting as well.

But wait, I thought you said I could get some passwords from this! Well there, grasshopper, we need to establish the fact that no one should be storing passwords in cleartext on the server. This is bad practice and phpBB does not do this. I’m going to explain how to reverse this in the next post. But for now let’s go ahead and save this using the Save Data button and make sure it’s an easy to read HTML file.

Congratulations, you are just as badass as those 14 year olds out there running amok on the internet. But you’re one step closer to understanding how this attack works and what could happen in the event you have a leak of your DB.

I would just like to point out this is a very basic representation of how to do this. The software used is doing all the heavy lifting. If you want to look into programming and testing for such a thing, I would recommend taking a course on SQL and reviewing the commands in the console output of Havij, also known as ‘carrot’.

Now that you have learned the basics it’s time to grab a copy of SQLmap and learn how to do it the proper way. Havij is really just an easy way to test out a site.
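From the defender's side, the probing in this walkthrough (a quote appended to id, then a tool iterating on the same parameter) shows up in the web server access log. The following is an added example, not part of the original post: it flags requests whose id value is not a plain number and counts them per client. The log lines are constructed samples using documentation addresses, and the function names and threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2015:10:01:02 +0000] "GET /comments.php?id=4 HTTP/1.1" 200 1532
198.51.100.7 - - [12/May/2015:10:03:40 +0000] "GET /comments.php?id=4%27 HTTP/1.1" 200 412
198.51.100.7 - - [12/May/2015:10:03:41 +0000] "GET /comments.php?id=4' HTTP/1.1" 200 412
198.51.100.7 - - [12/May/2015:10:03:42 +0000] "GET /comments.php?id=4%27%27 HTTP/1.1" 200 412
192.0.2.10 - - [12/May/2015:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_id_requests(log_text, param="id"):
    """Return (client, target, bad_values) for requests with a non-numeric param."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        # parse_qs percent-decodes, so %27 and a raw quote are treated alike.
        query = urlsplit(target).query
        values = parse_qs(query, keep_blank_values=True).get(param, [])
        bad = [v for v in values if not (v.isascii() and v.isdigit())]
        if bad:
            hits.append((client, target, bad))
    return hits

def clients_over_threshold(hits, threshold=3):
    """Clients with repeated anomalous values, the pattern an automated tool leaves."""
    counts = Counter(client for client, _, _ in hits)
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = suspicious_id_requests(SAMPLE_LOG)
    for client, target, bad in found:
        print(client, target, bad)
    print(clients_over_threshold(found))
```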