Social Engineering Toolkit

As a pentester, social engineering help us to get confidential information that, along with HUMINT and OSINT, is a good place to start. However, most of the time, we are going to need social engineering toolkit as well to deceive people. For instance, there are useful tools which allow us to clone a webpage to build our own malicious webpage with a built-in exploit for getting access to the victim computer. These tools are able to get passwords as well as inserting our own payload and they are also able to exploit the major vulnerabilities of Java, Flash, IE, Mozilla, etc.

The most famous Social Engineering Toolkit is SET developed by David Kennedy, which is an open source framework with many attacks features. For example, we can create a spear-phishing attack easily with the aim of getting the victim credentials or we can even send mails massively to a organization. SET is also able to clone webpages easily to launch DNS spoofing or phishing attacks. What’s more, it allows to create malicious files (.exe) quickly or we can import our own malicious file into a payload. Lately, SET has added new attack features like wireless attacks which create rogue Wireless Access Points to perform a Man-in-the-middle (MITM) attack for sniffing traffic packets, as well as Arduino-based attacks, QRCode Generator attack, Powershell attack or SMS Spoofing attack.

SEToolkit

 

When I gave the speech about my own Domain Generation Algorithm (DGA) for the ISACA Challenge to bypass firewall security features like web filtering, I used SET to show realism into the attack because with a social engineering toolkit is easy to demonstrate how we can deceive people to install malicious files into their computers. In fact, I cloned a webpage and I performed a MITM attack to redirect the victim to the malicious webpage which hosts Java exploits to take advantages of Java vulnerabilities and I imported my own payload about DGA into the Java exploits to create random domains and bypass web filtering.

These weeks I’m working with social engineering toolkit to create a lab with powershell attack vectors to get into Windows 10 operating systems. It is too easy, as always, to create a malicious file with a reverse shell for accessing into the victim computer and stealing whatever we want. However, once we have the malicious file, we have to deceive the victim because it has to be executed as administrator privileges to inject shellcode into the operating system. How can we deceive the victim to execute the malicious file? Again, SET helps us to clone webpages and deploy malicious files, it helps us to perform spear-phishing attacks, etc. It just thinking about social engineering.

Therefore, as pentesters, everything is useful, we can use HUMINT and OSINT as well but social engineering toolkit is a powerful tool needed to get confidential and private information of a company. Sadly, this kind of toolkit is used by offenders and this is the main reason why pentesters should used it as well.

Regards my friends, keep warning and alarming to social engineering toolkit.

Web Application Firewall - WAF

One year ago, I was working with Web Application Firewalls (WAF) to protect web servers against Web Application Vulnerabilities like SQL injection attacks, XSS attacks, CSRF attacks, etc with the aim of protecting XML and Web Services as well as WebSockets. This kind of firewall is much more than a network firewall because while an IDS is able to detect and warn attacks, an IPS is able to detect, warn and block attacks, a WAF is able to detect, warn and block sophisticated attacks like parameter tampering, hidden field manipulation, forceful browsing, etc. Therefore, WAF works much better at the application layer than a traditional firewall.

I’m going to write about how to configure a basic security policy to protect web servers, which is something I have taught in the Security courses on Networks and Systems. First of all, we have to understand how a common web attack works like SQLi attack, which can be used to steal databases or bypass login pages. For instance, we can see the next SQL sentence used to authenticate users in a web page.

<php

$query = "select id from users where nick='$username' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

However, this PHP code has security weaknesses because if we insert the characters ‘ or 1=1 # into the login form, we are going to bypass the authentication in the web page.

<php

$query = "select id from users where nick='‘ or 1=1 # ' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

SQLi attack

Now, it’s time to protect the web server with a WAF. I’m going to use F5 BIG-IP ASM but there are other manufactures like Imperva, Akamai or Citrix.

WAF Architecture

We have to create a security policy manually, which builds a basic security policy in Transparent mode that we can review and fine-tune. In addition, we have to select the Rapid Deployment (RDP) template to minimize or eliminate the amount of false positives and the complexity and duration of the initial evaluation deployment period.

Rapid Deployment security policy

After the security policy is deployed and applied, we can attack the web page to see attacks detected into the Traffic Learning.

SQLi attack detected into Traffic Learning

Once there are no false positives, we are ready to configure the security policy into the blocking state and disable the signature staging to actually block real attacks.

Learning and Blocking Settings

If we attack the web page again, we are going to see illegal requests into the application event logs as well as traffic attacks will be blocked by WAF.

SQLi attack detected into Application Event Logs

 

Regards my friends, protect your web servers and keep studying!!

Security courses on Networks and Systems

I’m teaching about security networks and systems every afternoon in Cáceres, Spain, where I’m speaking and showing about what I know and what I do in my job. I think, it’s being great because students are learning a lot of things about security, they ask everything that goes through their heads and even they participate to add knowledge to the group. It’s fantastic. We have already done two courses of 32 hours each, the first one was called Basic Security course on Networks and Systems and the second one was called Advanced Security course on Networks and Systems and I’m going to write about them today.

The first week was for Information Security Fundamentals and Information Security Plan where we started with security awareness, methodologies and tools. There are very different profiles on class like IT engineers, building engineers as well as electrical technicians thus security awareness was interesting to advise and warn about security risks with lots of examples, images and videos. On the other hand, we started playing with wireless security tools like Wiggle, Airodump-ng, Wireshark, etc where we see that everything is in the air as we also spoke about Bluetooth Security, SIEM and Event Correlation.

Wireless Security Tools slides

The second week, we finished the Basic Security course with Infrastructure Protection and Contingency Plan where we spoke about Antivirus, Application Control, Web Filtering, Antispam, IPS/IDS and we also deployed a virtual firewall as well as we configured FortiGate firewalls and pfSense firewalls. I think these lessons were useful because we made lots of firewall configurations where students learnt about what’s a network firewall and how firewall policies allow and deny traffic into a company. On the other hand, we were talking about Business Continuity and Disaster Recovery where I highlighted the ISO 22301 and COBIT 5.

Contingency Plan slides

We started the third week with the Advanced Security course where I spoke about Information Security Governance Fundamentals, Advanced Access Control Systems and Design and development of secure applications. Three units for one week where we spoke about COSO, balanced scorecard, ISO 38500, ISO 27000, ISO 20000, ITIL as well as web application concepts. However, the funny days were when we analysed HTTP headers with a web debugging proxy like Fiddler to learn about how to make our app safer with HTTP Security Policy. What’s more, they already knew about network firewalls thus it was time to introduce Web Application Firewalls with a basic SQL Injection attack and some basic SQL sentences over the MySQL engine.

Information Security Governance Fundamentals slides

Last week we finished the Advanced Security course with the last two units about Cryptography Fundamentals and Computer Security Regulations and Laws. The first unit was lively because each student configured a hardware firewall to make a LAN to LAN VPN and Dialup to Site VPN as well as SSL VPN in tunnel mode and portal mode. Moreover, students learnt about Authentication, Confidentiality and Integrity along with Diffie Hellman algorithm, asymmetrical cryptography and symmetric cryptography. With regards to regulations and laws, we were talking about LOPD, ISO 27001, ENS and PCI-DSS.

Computer Security Regulations and Laws slides

Regards my friends and keep studying!!

Make your app safer with HTTP Security Policy

The World Wide Web is changing, users don’t realise but web protocols are improving a lot. We are moving the web from TCP to UDP for faster communications, we can use Multipath TCP and HTTP/2 for better performance and security, and we also have increasingly better Web Services and WebSockets thanks to HTML5. Therefore, I’m going to write about some security mechanisms to protect websites because, although I’m not a developer, I think it’s important to known how next generation protocols work to protect our services and the company we are working for.

The first and most used security mechanism by main webservers is HSTS or HTTP Strict Transport Security. This is an HTTP header sent from web servers to clients, for instance browsers, to ask them to use HTTPS instead of HTTP for a period of time specified by the “max-age” attribute. Consequently, HTTP can be used for the first access from clients to websites but HTTPS is used thereafter and the change from HTTP to HTTPS will be done natively by clients instead of redirections by web servers. However, the first HTTP connection can be used by attackers that along with a MITM attack and SSL Strip attack the confidentiality can be compromised. As a result, browsers have a preload list with websites which should be accessed by HTTPS even in the first connection. However, the preload list mechanism is not scalable because all websites can’t fit into only one list thus DNSSEC could be the solution.

HTTP Strict Transport Security

 

Another security mechanism delivered via an HTTP header is HPKP or HTTP Public Key Pinning. This security feature is used by few sites and even we could say it’s nearly dead because Chrome has already announced their plans to deprecate and remove support for HPKP. This is a security protocol to prevent fraudulently issued TLS certificates from being used to impersonate existing secure websites.

HTTP Public Key Pinning

 

CSP or Content Security Policy is another security mechanism to prevent XSS and data injection attacks. This security standard is implemented in web servers and the security policy is delivered via an HTTP header, like HPKP and HSTS, to browsers. The aim of the security policy is to tell browsers what are the trustworthy source content to prevent code execution by malicious scripts into victim’s browser.

Content Security Policy

There are many tools to help us to know which websites are properly secured. For instance, HSTS Preload List Submission is a website where we can enter a domain to check if that domain is preload into main browsers, and even we can submit our own domain to be inside into the preload list. Another interesting tool is securityheaders.io where we can analyse HTTP response headers to know if the web server is protected with security headers like “Strict-Transport-Security”, “Content-Security-Policy”, “X-Content-Type-Options”, etc. On the other hand, if we want to know which websites we have visited with HSTS or HPKP, we can install the Pin Patrol plugin into our browser.

Analyse HTTP response headers

 

These are some of the security mechanism we have to take into account when we are protecting web servers and users. For example, it’s too important to know how HSTS works when we are configuring SSL inspection in a firewall to make exceptions and allow websites which are configured with this security feature.

Regards my friends and keep protecting your web servers!!!