
December 11, 2017

AWS Elastic Load Balancing



AWS Cloud offers firewalls, load balancers, a WAF and many other interesting services, which can be used easily and for free during the first year, or on a pay-as-you-use basis afterwards. I have worked with load balancers for some time, and AWS Elastic Load Balancing is the Amazon service I'm working on right now. I have already written about the benefits of Layer 7 load balancing, such as making decisions based on application requests and responses, modifying data in transit, redirecting, showing messages, caching, compression and encryption, as well as better availability and performance.

AWS Elastic Load Balancing (ELB) is not like a traditional load balancing appliance; I don't know whether it supports Multipath TCP, SACK, Nagle's algorithm or long fat networks, or whether it prevents web scraping, but AWS ELB is enough for most companies. For instance, we can use the AWS Application Load Balancer (ALB) for HTTP and/or HTTPS load balancing, which also supports WebSockets and HTTP/2, path-based routing, health check customization and SSL offloading, as well as integration with other AWS services like AWS Certificate Manager (ACM), Amazon CloudWatch, AWS WAF, AWS CloudFormation, Amazon CloudFront, etc.


Comparison of Elastic Load Balancing Products

When we configure an AWS ALB, we always have to choose at least two Availability Zones (AZs) to increase the fault tolerance of our applications. Therefore, Amazon recommends having the same number of EC2 instances in each AZ to distribute incoming application traffic across multiple zones. As a result, if one Availability Zone becomes unavailable, the load balancer can continue routing traffic to another Availability Zone.

AWS ELB + Web App + Multi-AZ

What we know as real servers in Radware or nodes in F5 BIG-IP, Amazon calls Targets: EC2 instances with listening ports. In addition, we should configure our own custom health checks so that incoming traffic is routed only to healthy instances; unhealthy instances, whose application is not behaving properly, are not used by AWS ELB until they pass the health check again. What's more, stickiness can also be configured on target groups to bind a client's session to a specific instance within the target group.

Path- and Host-Based Routing
 
On the other hand, what we know as virtual servers in F5 BIG-IP, Amazon calls Listeners: a protocol and port pair plus a default target group to which requests are routed. Furthermore, if we choose the HTTPS protocol for the listener, we can upload our own SSL certificate, or we can use AWS Certificate Manager (ACM) to provision, manage, deploy and renew SSL certificates.

AWS ELB Architecture
 
Eight years ago I read for the first time about AppDirector and vDirect from Radware, which allow virtual machines to be created automatically as services receive more and more connections. As a result, virtual machines are powered on and off automatically as we need more resources, and this is integrated with the load balancing so that traffic is distributed properly. This is what Auto Scaling can also do for us, along with AWS Elastic Load Balancing.

AWS Auto Scaling
 
To sum up, today we have a reliable platform in the AWS Cloud, with lots of services, where we can deploy our applications easily and inexpensively.

Regards my friends and keep studying!!

December 4, 2017

OWASP Top 10 - 2017



I wrote about OWASP at university nearly five years ago and, today, I still don't know whether there is a subject that teaches the main web issues and how to keep them away; we'll keep having many web application vulnerabilities if web engineers don't study, and don't know, how to develop secure web services and WebSockets. Once web applications are developed, with vulnerabilities or not, it should be mandatory to install a Web Application Firewall to protect our organization against new vulnerabilities, DoS attacks, web scraping, etc.

When I was at university, I learnt to develop with Pascal, C/C++ and assembly languages, although I learnt a little bit about PHP, HTML, JavaScript and Java as well. I developed applications without thinking about publishing them on the Internet, just basic web pages, but today web applications sit behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. In addition, microservices written in Node.js and Spring Boot are replacing traditional monolithic applications, which brings security challenges like establishing trust between microservices, containers, secret management, etc. On the other hand, modern web frameworks have been released, such as Bootstrap, Electron, Angular and React, which run functionality on the client side, while traditional frameworks run functionality on the server side.

The difference between the monolithic and microservices architecture

There have been many changes over the last few years and, therefore, the OWASP Top 10 has been updated. For instance, there is a new category called A4 – XML External Entities (XXE), because new issues have been identified in older or poorly configured XML processors that evaluate external entity references within XML documents.

A4 – XML External Entities (XXE)

Insecure Direct Object References and Missing Function Level Access Control have been merged into A5 – Broken Access Control, where restrictions on what authenticated users are allowed to do are often not properly enforced.

A5 – Broken Access Control

A8 – Insecure Deserialization is another new category in the OWASP Top 10 which, at first glance, is difficult to exploit. However, successful exploitation can lead to remote code execution, and deserialization flaws can also be used for replay attacks, injection attacks and privilege escalation attacks.

A8 – Insecure Deserialization

The last change to the OWASP Top 10 has been the addition of the category A10 – Insufficient Logging and Monitoring, because many organizations don't have the security tools and processes to detect malicious activity and data breaches; as a result, they learn about a security breach from external parties, on average more than 200 days after it happened.

A10 – Insufficient Logging and Monitoring

This has been an overview of the changes in the OWASP Top 10 – 2017; other security risks, like Injection or Cross-Site Scripting (XSS), also deserve highlighting because they remain important within the OWASP Top 10.

What changed from 2013 to 2017?

Regards my friends, protect your web servers and keep studying!!

November 27, 2017

Social Engineering Toolkit



As pentesters, social engineering helps us to get confidential information and, along with HUMINT and OSINT, is a good place to start. However, most of the time we also need a social engineering toolkit to deceive people. For instance, there are useful tools which allow us to clone a web page and build our own malicious web page with a built-in exploit to gain access to the victim's computer. These tools are able to capture passwords and insert our own payload, and they are also able to exploit major vulnerabilities in Java, Flash, IE, Mozilla, etc.

The most famous social engineering toolkit is SET, developed by David Kennedy, which is an open source framework with many attack features. For example, we can easily create a spear-phishing attack with the aim of getting the victim's credentials, or we can even send mass mails to an organization. SET is also able to clone web pages easily to launch DNS spoofing or phishing attacks. What's more, it allows us to create malicious files (.exe) quickly, or we can import our own malicious file as a payload. Lately, SET has added new attack features like wireless attacks, which create rogue wireless access points to perform a man-in-the-middle (MITM) attack for sniffing traffic, as well as Arduino-based attacks, a QR code generator attack, a PowerShell attack and an SMS spoofing attack.

SEToolkit
 
When I gave the talk about my own Domain Generation Algorithm (DGA) for the ISACA Challenge, to bypass firewall security features like web filtering, I used SET to add realism to the attack, because with a social engineering toolkit it is easy to demonstrate how people can be deceived into installing malicious files on their computers. In fact, I cloned a web page and performed a MITM attack to redirect the victim to the malicious web page, which hosted Java exploits taking advantage of Java vulnerabilities, and I imported my own DGA payload into the Java exploits to create random domains and bypass web filtering.


These weeks I'm working with the social engineering toolkit to build a lab with PowerShell attack vectors to get into Windows 10 operating systems. As always, it is too easy to create a malicious file with a reverse shell for accessing the victim's computer and stealing whatever we want. However, once we have the malicious file, we have to deceive the victim, because it has to be executed with administrator privileges to inject shellcode into the operating system. How can we deceive the victim into executing the malicious file? Again, SET helps us to clone web pages and deploy malicious files, it helps us to perform spear-phishing attacks, etc. It's just a matter of thinking about social engineering.


Therefore, as pentesters, everything is useful; we can use HUMINT and OSINT as well, but a social engineering toolkit is a powerful tool needed to get confidential and private information from a company. Sadly, this kind of toolkit is used by offenders, and this is the main reason why pentesters should use it as well.

Regards my friends, and keep warning and raising the alarm about social engineering toolkits.

November 20, 2017

Web Application Firewall - WAF


One year ago, I was working with Web Application Firewalls (WAF) to protect web servers against web application vulnerabilities like SQL injection attacks, XSS attacks, CSRF attacks, etc., with the aim of protecting XML and web services as well as WebSockets. This kind of firewall is much more than a network firewall: while an IDS is able to detect and warn about attacks, and an IPS is able to detect, warn about and block attacks, a WAF is able to detect, warn about and block sophisticated attacks like parameter tampering, hidden field manipulation, forceful browsing, etc. Therefore, a WAF works much better at the application layer than a traditional firewall.

I'm going to write about how to configure a basic security policy to protect web servers, which is something I have taught in the Security courses on Networks and Systems. First of all, we have to understand how a common web attack works, such as an SQLi attack, which can be used to steal databases or bypass login pages. For instance, the following SQL statement is used to authenticate users in a web page.

<?php
// Vulnerable: $username is concatenated straight into the SQL text
$query = "select id from users where nick='$username' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

However, this PHP code has a security weakness: if we enter the characters ' or 1=1 # into the username field of the login form, the resulting query bypasses the authentication of the web page.

<?php
// Resulting query when the username is ' or 1=1 # : the # comments out the rest of the statement
$query = "select id from users where nick='' or 1=1 # ' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

SQLi attack
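As an added example (not code from the original post), here is the same login query rebuilt in Python so the bypass and its fix can be run side by side. It assumes SQLite as a stand-in for MySQL (SQLite comments start with `--` rather than `#`, so the constructed payload uses `--`), and the users table and the MD5_PREFIX value are constructed test data.

```python
import hashlib
import sqlite3

MD5_PREFIX = "salt-"  # constructed stand-in for the post's $MD5_PREFIX


def hash_password(password: str) -> str:
    # Same scheme as the post: md5($MD5_PREFIX . $password)
    return hashlib.md5((MD5_PREFIX + password).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample users table: admin is the first row, bob is suspended.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer, nick text, password text, suspended integer)"
    )
    conn.executemany(
        "insert into users values (?, ?, ?, ?)",
        [
            (1, "admin", hash_password("S3cret!"), 0),
            (2, "alice", hash_password("alicepw"), 0),
            (3, "bob", hash_password("bobpw"), 1),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # String concatenation exactly as in the post's PHP: the username becomes
    # part of the SQL text, so a quote inside it changes the statement.
    query = (
        "select id from users where nick='" + username
        + "' and password='" + hash_password(password) + "' and suspended=0"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Parameterized query: the driver binds the values, the SQL text never
    # changes, so the same payload is just a nick that does not exist.
    row = conn.execute(
        "select id from users where nick=? and password=? and suspended=0",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed payload, the SQLite form of the post's  ' or 1=1 #
PAYLOAD = "' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload ->", login_vulnerable(db, PAYLOAD, "x"))
    print("safe login with payload       ->", login_safe(db, PAYLOAD, "x"))
```

With the payload, the vulnerable version returns the first user's id (the admin) because the comment removes the password and suspended checks, while the parameterized version returns nothing.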

Now it's time to protect the web server with a WAF. I'm going to use F5 BIG-IP ASM, but there are other manufacturers like Imperva, Akamai or Citrix.

WAF Architecture

We create the security policy manually, which builds a basic security policy in Transparent mode that we can review and fine-tune. In addition, we select the Rapid Deployment (RDP) template to minimize or eliminate false positives, as well as the complexity and duration of the initial evaluation period.

Rapid Deployment security policy

After the security policy is deployed and applied, we can attack the web page and see the attacks detected under Traffic Learning.

SQLi attack detected in Traffic Learning

Once there are no false positives, we are ready to switch the security policy to the blocking state and disable signature staging to actually block real attacks.

Learning and Blocking Settings

If we attack the web page again, we'll see illegal requests in the application event logs, and the attack traffic will be blocked by the WAF.

SQLi attack detected in Application Event Logs
 
Regards my friends, protect your web servers and keep studying!!

November 13, 2017

Security courses on Networks and Systems



I'm teaching security on networks and systems every afternoon in Cáceres, Spain, where I speak about and show what I know and what I do in my job. I think it's going great, because students are learning a lot about security, they ask everything that goes through their heads, and they even participate to add knowledge to the group. It's fantastic. We have already completed two courses of 32 hours each: the first was called Basic Security Course on Networks and Systems and the second Advanced Security Course on Networks and Systems, and I'm going to write about them today.

The first week was devoted to Information Security Fundamentals and the Information Security Plan, where we started with security awareness, methodologies and tools. There are very different profiles in the class, like IT engineers, building engineers and electrical technicians, so security awareness was an interesting way to advise and warn about security risks with lots of examples, images and videos. On the other hand, we started playing with wireless security tools like WiGLE, Airodump-ng, Wireshark, etc., where we saw that everything is in the air; we also spoke about Bluetooth security, SIEM and event correlation.

Wireless Security Tools slides

In the second week we finished the Basic Security course with Infrastructure Protection and the Contingency Plan, where we spoke about antivirus, application control, web filtering, antispam and IPS/IDS; we also deployed a virtual firewall and configured FortiGate and pfSense firewalls. I think these lessons were useful because we did lots of firewall configurations, where students learnt what a network firewall is and how firewall policies allow and deny traffic in a company. On the other hand, we talked about Business Continuity and Disaster Recovery, where I highlighted ISO 22301 and COBIT 5.

Contingency Plan slides

We started the third week with the Advanced Security course, where I spoke about Information Security Governance Fundamentals, Advanced Access Control Systems, and Design and Development of Secure Applications. Three units in one week, where we spoke about COSO, the balanced scorecard, ISO 38500, ISO 27000, ISO 20000 and ITIL, as well as web application concepts. However, the fun days were when we analysed HTTP headers with a web debugging proxy like Fiddler, to learn how to make our app safer with an HTTP security policy. What's more, they already knew about network firewalls, so it was time to introduce Web Application Firewalls with a basic SQL injection attack and some basic SQL statements on the MySQL engine.

Information Security Governance Fundamentals slides

Last week we finished the Advanced Security course with the last two units, Cryptography Fundamentals and Computer Security Regulations and Laws. The first unit was lively because each student configured a hardware firewall to set up a LAN-to-LAN VPN and a dial-up-to-site VPN, as well as an SSL VPN in tunnel mode and portal mode. Moreover, students learnt about authentication, confidentiality and integrity along with the Diffie-Hellman algorithm, asymmetric cryptography and symmetric cryptography. With regard to regulations and laws, we talked about the LOPD, ISO 27001, the ENS and PCI DSS.

Computer Security Regulations and Laws slides

Regards my friends and keep studying!!

November 6, 2017

Make your app safer with HTTP Security Policy



The World Wide Web is changing; users don't realise it, but web protocols are improving a lot. We are moving the web from TCP to UDP for faster communications, we can use Multipath TCP and HTTP/2 for better performance and security, and we also have increasingly better web services and WebSockets thanks to HTML5. Therefore, I'm going to write about some security mechanisms to protect websites because, although I'm not a developer, I think it's important to know how next-generation protocols work in order to protect our services and the company we work for.

The first and most widely used security mechanism among the main web servers is HSTS, or HTTP Strict Transport Security. This is an HTTP header sent from web servers to clients, for instance browsers, asking them to use HTTPS instead of HTTP for the period of time specified by the "max-age" attribute. Consequently, HTTP can be used for the client's first access to a website, but HTTPS is used thereafter, and the change from HTTP to HTTPS is done natively by the client instead of through redirections by the web server. However, that first HTTP connection can be used by attackers: combined with a MITM attack and an SSL Strip attack, confidentiality can be compromised. As a result, browsers ship a preload list of websites which must be accessed over HTTPS even on the first connection. However, the preload list mechanism is not scalable, because all websites can't fit into a single list, so DNSSEC could be the solution.

HTTP Strict Transport Security
 
Another security mechanism delivered via an HTTP header is HPKP, or HTTP Public Key Pinning. This security feature is used by few sites, and we could even say it's nearly dead, because Chrome has already announced plans to deprecate and remove support for HPKP. It is a mechanism to prevent fraudulently issued TLS certificates from being used to impersonate existing secure websites.

HTTP Public Key Pinning
 
CSP, or Content Security Policy, is another security mechanism, this one to prevent XSS and data injection attacks. This security standard is implemented on web servers, and the policy is delivered to browsers via an HTTP header, like HPKP and HSTS. The aim of the policy is to tell browsers which content sources are trustworthy, so that malicious scripts cannot execute in the victim's browser.

Content Security Policy

There are many tools to help us find out which websites are properly secured. For instance, HSTS Preload List Submission is a website where we can enter a domain to check whether it is preloaded in the main browsers, and we can even submit our own domain for inclusion in the preload list. Another interesting tool is securityheaders.io, where we can analyse HTTP response headers to know whether a web server is protected with security headers like "Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options", etc. On the other hand, if we want to know which websites we have visited with HSTS or HPKP, we can install the Pin Patrol plugin in our browser.

Analyse HTTP response headers
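As an added example (neither the post's code nor securityheaders.io's), the following checker parses the HSTS, CSP, X-Content-Type-Options and HPKP headers discussed above and reports the weaknesses a reviewer would flag. It assumes two constructed header sets and a one-year max-age as the preload-list minimum.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for the preload list


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip()
        if token.lower().startswith("max-age="):
            try:
                out["max_age"] = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age is reported as missing
        elif token.lower() == "includesubdomains":
            out["include_subdomains"] = True
        elif token.lower() == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def analyse_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: visits can be downgraded to HTTP")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age below one year: not preload-eligible")
        if not p["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: subdomains stay strippable")
        if not p["preload"]:
            findings.append("HSTS lacks preload: first connection still starts over HTTP")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: scripts from any origin may run (XSS)")
    else:
        # script-src falls back to default-src when it is not set
        scripts = parse_csp(csp).get("script-src", parse_csp(csp).get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts: injected inline script runs")
        if "*" in scripts:
            findings.append("CSP script sources include '*': any origin may supply script")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not 'nosniff': MIME sniffing allowed")

    if "public-key-pins" in h:
        findings.append("HPKP present: deprecated by Chrome, a wrong pin locks users out")

    return findings


# Constructed response header sets (not captured from any real site)
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Public-Key-Pins": 'pin-sha256="CONSTRUCTED_PIN="; max-age=5184000',
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, "->", analyse_headers(hdrs) or ["no findings"])
```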
 
These are some of the security mechanisms we have to take into account when protecting web servers and users. For example, it's very important to know how HSTS works when configuring SSL inspection in a firewall, so that we can make exceptions and allow websites which are configured with this security feature.

Regards my friends and keep protecting your web servers!!!

October 30, 2017

Digital Forensics Tools



If we want to study and work in computer forensics, we should have deep technical knowledge about file systems and how to recover files. Therefore, we have to know about raw file recovery and how to get metadata, and we should understand how file systems like FAT, Ext4, NTFS, HFS+, etc. work. On the other hand, choosing the right tools to get reliable information and preserve evidence is very important, so I'm going to write about some interesting tools we can use to analyse digital evidence.

Once we have digital evidence, it's important to preserve it; it must not be modified under any circumstances if the evidence is to remain valid. There are many tools for this, but, for instance, we can use AccessData FTK Imager for hash verification and read-only access. In addition, this tool can also be used to find out which files have been deleted, as well as to recover files. Below we can see a deleted file in the root directory of the VOL02 partition, which has a FAT16 file system.

AccessData FTK Imager
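As an added example (not the post's code nor FTK Imager's), this parser walks the 32-byte entries of a FAT16 root directory and shows how a deleted file is recognised: the first byte of its entry is overwritten with 0xE5 while the extension, size and starting cluster remain, which is what a recovery tool uses to carve the file back. The directory bytes are constructed, not taken from a real image.

```python
import struct
from dataclasses import dataclass
from typing import List

ENTRY_SIZE = 32
DELETED = 0xE5          # first byte of a short-name entry after deletion
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F         # long-file-name fragment, not a file on its own


@dataclass
class DirEntry:
    name: str
    deleted: bool
    directory: bool
    first_cluster: int
    size: int


def make_entry(name8_3: bytes, attr: int, cluster: int, size: int) -> bytes:
    """Build one 32-byte entry: 11-byte name, attr, 14 bytes of times/reserved,
    low 16 bits of the first cluster (offset 26), 32-bit size (offset 28)."""
    assert len(name8_3) == 11
    return name8_3 + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)


def parse_root_directory(data: bytes) -> List[DirEntry]:
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        first = raw[0]
        if first == 0x00:
            break  # 0x00 marks the end of the used part of the directory
        attr = raw[11]
        if attr == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue  # skip long-name fragments and the volume label
        deleted = first == DELETED
        # When deleted, only the first character of the name is lost.
        base = raw[1:8] if deleted else raw[0:8]
        stem = base.decode("ascii", "replace").strip()
        ext = raw[8:11].decode("ascii", "replace").strip()
        if deleted:
            stem = "?" + stem
        name = f"{stem}.{ext}" if ext else stem
        cluster, size = struct.unpack("<HI", raw[26:32])
        entries.append(DirEntry(name, deleted, bool(attr & ATTR_DIRECTORY), cluster, size))
    return entries


def deleted_files(data: bytes) -> List[DirEntry]:
    """Deleted regular files: their cluster and size still say where the data was."""
    return [e for e in parse_root_directory(data) if e.deleted and not e.directory]


# Constructed root directory: volume label, a live file, a deleted file,
# a long-name fragment, a subdirectory, then the end-of-directory marker.
SAMPLE_ROOT = b"".join([
    make_entry(b"VOL02      ", ATTR_VOLUME_ID, 0, 0),
    make_entry(b"README  TXT", 0x20, 3, 1200),
    make_entry(b"\xE5ECRET  DOC", 0x20, 7, 48640),   # was e.g. SECRET.DOC
    make_entry(b"A" * 11, ATTR_LFN, 0, 0),          # dummy LFN entry, skipped
    make_entry(b"PHOTOS     ", ATTR_DIRECTORY, 9, 0),
    bytes(ENTRY_SIZE),
])

if __name__ == "__main__":
    for entry in parse_root_directory(SAMPLE_ROOT):
        print(entry)
```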
 
Another interesting tool is Active Disk Editor, a freeware tool available for Windows and Linux to view and edit raw sectors on physical disks, partitions and file contents in hexadecimal form. This is an excellent tool for opening partitions and volumes and searching through the file system, as well as analysing boot records like the MBR (Master Boot Record) and partition tables like the GPT (GUID Partition Table). What's more, there are many templates which are useful to highlight sectors by colour, and they contain hyperlinks for easy navigation.

Active Disk Editor
 
PhotoRec is another file recovery freeware, older than FTK Imager, available for Windows and Linux. We can use this software to recover files like videos, documents and archives from hard disks, CD-ROMs, USB memory sticks, memory cards, etc. Moreover, PhotoRec is able to recover more than 480 file extensions, and it uses read-only access to recover lost data, which is mandatory to preserve digital evidence.

PhotoRec
 
As you can see, there are many file recovery tools, and Recuva is another one. It is an easy-to-use tool, with a free version, to recover lost files from damaged or newly formatted drives. Furthermore, Recuva can be used to delete files securely thanks to industry- and military-standard deletion techniques for overwriting drives.

Recuva
 
Getting metadata is powerful because we can obtain lots of interesting information from hidden data. I already knew FOCA from ElevenPaths, but ExifTool is another excellent free and open-source tool for reading, writing and manipulating image, audio, video and PDF metadata. ExifTool is used by the image hosting site Flickr to parse the metadata from uploaded images, and it supports many types of metadata like Exif, IPTC, etc.

ExifTool

These are just some interesting tools useful for the examination and analysis phase of computer forensics. However, we'll need more tools and lots of technical knowledge when dealing with real evidence, but this is a good starting point for the analysis of digital evidence.

Regards my friends and keep studying!

October 23, 2017

Make your own malicious WhatsApp



We saw how to create a backdoor for Android systems in my last post, but if we want to be more convincing when deploying a trojan on someone's mobile, we'll need to customize the malicious application. For instance, it would be a good idea to change the app name to WhatsApp Messenger, Facebook or some other social network, as well as to customize the permissions and replace the default app icon with something more convincing.

Step 1: The first step is to build the malicious mobile application with the MSFvenom tool from Kali Linux, where we set the IP address and port of the C&C server.

Making the Malicious Apk
 
Step 2: Once the malicious application has been created, we have to decompile it to get the important files, which are going to be modified to make the application more convincing.

Decompiling the Malicious Apk
 
Step 3: It's time to modify the AndroidManifest.xml file to customize the permissions and avoid warnings during installation, as well as to change the highlighted line to add icons.

Modifying App Permissions in the AndroidManifest.xml file
 
On the other hand, we can edit the strings.xml file in the "values" folder, which is inside the "res" folder, to change the application name to something more convincing. For instance, WhatsApp Messenger Plus.

Modifying the App Name in the strings.xml file
 
If we also want to customize the application icons, we'll have to create three new folders inside the "res" folder and copy the icon PNG files into them:
  • A 72x72 pixel file called icon.png in the drawable-hdpi-v4 folder.
  • A 36x36 pixel file called icon.png in the drawable-ldpi-v4 folder.
  • A 48x48 pixel file called icon.png in the drawable-mdpi-v4 folder.

Modifying App Icons in the res folder
 
It's easy to resize images online; there are many services for this. For instance, resizeimage.net.

Step 4: The next step is to build the custom application with the apktool command, producing a new application with all our custom features. Once it has run, we'll see the new application in the "dist" folder.

Compiling the Malicious App
 
Step 5: We're almost done. Android doesn't allow installing unsigned applications, so we have to sign the application manually with jarsigner and our keystore.

Signing the Malicious Apk
 
Step 6: We are ready to deploy the custom application to someone's mobile. As you can see, it's simple and easy, and we just need social engineering to achieve our aim.

Fake WhatsApp Messenger Plus

Once the malicious application is installed on an Android system, we'll have to start the listener with the multi/handler exploit from Metasploit, which will be our C&C system to control Android devices. How to start the listener is explained in my last post (step 3).

I'm not responsible for any illegal activity performed by the reader, because this is for educational purposes only.

Regards my friends and be a good guy!

October 16, 2017

How to create a Backdoor for Android systems



There is lots of documentation, how-tos and videos on the net today for creating our own backdoor for Android devices. Therefore, it's increasingly easy to "develop" a backdoor and trojan to spy on someone, and this is extremely dangerous in the wrong hands. Once again, if we don't want to be the victim, security awareness is very important to detect social engineering attacks and block access to malicious websites or unknown mail.

I'm going to write an easy how-to today for creating a backdoor for Android devices, although there are many tutorials on the net like this one. Of course, I'm not responsible for any illegal activity performed by the reader, because this is for educational purposes only.

Step 1: We are going to create a payload .apk file from Kali Linux with the MSFvenom tool. This tool is a combination of msfpayload and msfencode, which are no longer used.

MSFvenom payload

  • -p = Payload to be used.
  • LHOST = Local host IP to receive the back connection. We used a private IP address for testing in the lab, while if the victims are going to be on the Internet, LHOST should be a public IP address.
  • LPORT = Local port on which the listener waits for the victim's connection.
  • R = Raw format (we select apk).
  • Location = where to save the file.

Step 2: Once the .apk file has been created successfully, we have to sign it, because Android devices don't allow installing apps without an appropriate signing certificate. Therefore, we are going to sign the .apk file manually.

First, if we don't have a valid keystore, we have to create our own.

Keytool making Keystore

Second, we sign the .apk file with our own key.

Signing an apk file with JARsigner

Third, we align the .apk file into a new file with zipalign. It's important to highlight that the zipalign package isn't installed by default in Kali Linux, so we'll have to install it first with apt-get install zipalign.

Aligning the apk into new file using zipalign
 
Step 3: We have finished with the backdoor app, and it's time to start the listener with the multi/handler exploit in Metasploit.

Starting Metasploit
 
We'll also have to set the parameters so that it listens on the right IP address and TCP port with a reverse TCP Meterpreter:

Setting up the exploit

Finally, we run the exploit and wait for victims:

Executing the exploit

Step 4: It's time to share and install the android.apk file on the victim's mobile device. If we configured a public IP address in the apk payload, we can use the android.apk file anywhere, which is what attackers actually do. On the other hand, how to share the android.apk file is up to you, because what attackers actually do is share it via social networks, mail, etc.

Installing the application on an Android device

Step 5: Once the app is installed on the victim's mobile device, we can go back to Kali Linux and see that a Meterpreter session has opened, which means we have access to the mobile device.

Successfully got the meterpreter session

From a Meterpreter session we can dump contacts (dump_contacts) and call logs (dump_calllog), upload/download files, record audio with the microphone (record_mic), and even take pictures or open the webcam.

Webcam Streaming
 
As we can see, it's easy to create a backdoor for Android mobile devices. From my point of view, it's a cyberweapon for spying that, in the wrong hands and with a little bit of creativity, could be harmful to innocent people.

Regards my friends and be a good guy!
