Happy New Year

This year, I want to tell you “Happy New Year” in a different way. In fact, I recorded a video to tell you all the things I’ve been doing in 2018. It’s difficult to say all the things in a video of 2 minutes but I’ve highlighted, I think, the most important things.

I was working with AWS at the beginning of the year where I deployed Amazon CloudFront, AWS Shield and AWS WAF. I also took several webinars about FortiSIEM and the new version of FortiOS 6.0 which, I think, are interesting for deploying this new year. The second prize I got for the CyberSecurity Challenge in Badajoz is also to remember.

I’ve also been working a lot with F5 Networks. I’ve installed, configured and supported the LTM, ASM and DNS modules. In fact, I’ve uploaded videos to my YouTube channel about how to protect services against Web Scraping and Brute Force attacks, DDoS and DoS, Cookie and HTTP Header Tampering, Parameter Tampering Attacks, Bot Protection, etc. Finally, I ended up for getting the F5 BIG-IP ASM Certified Technology Specialist.

I like languages. Therefore, I keep learning French language. I passed the A2 level in French language and this is my third year learning French. As you can see, I keep writing in English language in this blog and I’m used to reading and watch films in English language.

I’ve been reading books such as Thinking, Fast and Slow by Daniel Kahneman, Factfulness by Hans Rosling and The Art of Intrusion by Kevin Mitnick. I even read the National Cyber Strategy of the U.S. of America, the DoD Cyber Strategy of the U.S. of America and the review of the Cyberdefense Strategy of France which I read in French language.

To finish this year, I’ve been teaching Security on Networks and Systems in Mérida. What’s more, I’m going to teach about Ethical Hacking next year. I hope to see you!

 

That’s all! Keep learning! Keep studying!

Happy New Year!!

F5 BIG-IP ASM - Bot Protection

I’ve already written several posts about load balancers in this blog but, this year, I’ve been also writing about the Web Application Firewall (WAF) of F5 Networks because I’ve had to deploy, configure and support these devices during 2018. This is the main reason I passed the exam for BIG-IP ASM Specialist this summer and I’ve been recording videos about L7 DDoS Mitigation, CSRF Protection or XXE Protection. Today, I want to continue recording this kind of videos because, I think, they are useful for learning and testing attacks and defenses.

This post is about how to configure Bot Protection in F5 BIG-IP ASM because there are increasingly bots out there (Internet) and we should take into account the bots for Layer 7 DoS Mitigation and Web Scraping Mitigation. However, we have to know what bots we want to allow and what bots we want to block. For instance, it’s interesting to allow the Googlebot, which is used by the Google search engine, but it’s also interesting to block all DoS tools such as Apache Bench or slowhttptest, which can be malicious for the web page we are protecting with the WAF.

ab -c 10 -n 10 -r -H "User-Agent: Agilitybot" http://url_to_attack/

Apache Bench

You can watch in the next video how to configure Bot Protection in F5 BIG-IP ASM:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - XXE Protection

I wrote about OWASP Top 10 last year where I described the new categories added in 2017. One of them is Insecure Deserialization, another category is Insufficient Logging and Monitoring, which can be got with Security Information and Event Management (SIEM) systems, and the last category added to OWASP is XML External Entity (XXE), which is the category I'm going to write about it today. These categories and the OWASP project were not into the University curriculum when I was studying. I think, it’s a pity because the OWASP project should be taken into account at University as best practices for secure software development.

XXE attack is an injection attack where the attacker inserts a malicious XML code to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. For instance, we can insert an XML code to list the root directory of the file system or know the server’s hostname. Actually, this issue is not easy to detect by manual testers but SAST and DAST tools can discover and exploit an XXE vulnerability easily. Therefore, if you are working with XML and Web Services, you should also take into account XXE attacks.

XML External Entity (XXE) Attack

 

If you want to know how to test and mitigate a XXE attack, see the next video:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - CSRF Protection

I think, the best way to learn about hacking and security is testing attacks and mitigating them. This is the methodology I follow in the Security courses on Networks and Systems I’m teaching these weeks. In addition, I like testing the laboratories before teaching to students because there are lots of kind of attacks and I think the best way to learn about how to block them is testing, testing and testing. Today, I’m going to write about how to exploit a CSRF vulnerability and how to mitigate it with a Web Application Firewall (WAF).

If you really want to learn about hacking and security, firstly, you have to deploy a laboratory with lots of technologies, such as IDS, HIDS, WIDS, network firewalls, WAFs, SIEMs; vulnerable servers like WebGoat; and hacking tools such as those which come with the Kali Linux operating system. Secondly, you must have lots of time to read and test because most the time you’ll have to learn by yourself. Finally, you should really love security. Today, I’ve used a Kali Linux with WebGoat as vulnerable server and a F5 BIG-IP ASM as WAF.

WebGoat

The Proof of Concept (PoC) that I have been testing today is a CSRF attack which is used when a malicious user wants to execute unauthorized commands from a user that the web application trusts. For instance, firstly, the victim has authenticated into the target website, such as a bank account website or a forum; secondly, the attacker sends a malicious link to fool victim to click; finally, if the victim clicks the malicious link, unauthorized commands are executed, such as transfers in the bank account or replies in the forum, which have happened underground. It’s important to highlight that XSS attacks exploit the trust a user has for a particular site while CSRF attacks exploit the trust a site has in a user’s browser.

CSRF Attack

 

If you want to know how to test and mitigate a CSRF attack, see the next video:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - L7 DDoS Mitigation

This summer I was writing about F5 BIG-IP ASM. In fact, I made several videos where we can watch how we can configure the Web Application Firewall (WAF). For instance, I recorded videos about Session Based Brute Force Mitigation, Web Scraping Mitigation or Cookie Tampering. However, this week, I’ve made a new video about L7 DDoS Mitigation, which is useful for blocking DDoS attacks, but this video is different than Layer 7 DoS Mitigation due to the fact that this video takes into account that lots of computers can be behind the same IP address. Therefore, it’s able to block PCs regardless the IP address.

BIG-IP ASM has three mitigation methods to use on the attacking IP’s. The first mitigation method is Client Side Integrity Defense where PCs has a JavaScript challenge which should be resolved. If it’s not a bot, the browser will be able to resolve the challenge, and the F5 will considerate the PCs as legitimate. However, if the PCs won’t be able to resolve the challenge, requests will be blocked. The second mitigation method is a CAPTCHA challenge, where the user has to resolve the CAPTCHA challenge to access the website. The last mitigation method is Request Blocking where requests are blocked when a threshold is exceed.

Client Side Integrity Defense - Flow

The Client Side Integrity Defense method is useful to know if requests come from users or machines. However, once the DoS L7 attack starts, PCs have to resolve the JavaScript challenge, and this is a little bit computational demanding for PCs. You can notice this in the video. In addition, these mitigation methods can be configured with additional features such as Recording Traffic for automatic recording traffic during DoS attacks, or Trigger iRule for managing DoS events in a customized manner.

JavaScript Challenge

 

If you want to know what I’m writing about, see the next video:

Regards my friend and remember, keep studying!!

Revue Stratégique Cyberdéfense de France (III)

This is the last post I write about “Revue Stratégique Cyberdéfense de France”. I wrote about “Les dangers du monde cyber” in the first part, and about “L’État, responsable de la cyberdéfense de la nation” in the second part. Today, I’m going to write about “L’État, garant de la cybersécurité de la société” where I’m going to explain risks into the European Union but I’m also going to speak about Cloud, Intelligence Artificial, cyberweapons, economy and recruitment. There are many interesting things in the third part and I would like to highlight some of them.

The first interesting thing I would like to highlight is the risk of the EU with regard to technology because most IT companies are managed from the U.S. This, although it could seem a little bit silly, it’s important because countries, businesses and citizens shouldn’t depend on IT foreign companies. At least, countries shouldn’t depend on IT foreign companies. Why? Because if we start a trade war, like the war China and U.S. have currently, it will be devastating for the EU countries. What would happen if we stopped receiving U.S. services? What would happen if we start a war with the U.S.? We couldn’t! We would always lose!

Cloud and Intelligence Artificial (IA) are also subjects of the Cyberdefense Strategy of France. These two new emerging technologies are taken into account in the Strategy because, one of them, the IA, should be useful for improving cybersecurity while, the second one, the Cloud, should be regulated for better protection of critical activities. For instance, we can read in the Strategy how Elon Musk highlighted the importance of cybersecurity for autonomous electric cars in a conference, or how the OVH company is a French Cloud Provider who hosts Microsoft services. This kind of references are interesting!

Les domaines de l’intelligence artificielle

It’s “easy” to detect who sells weapons such as tanks, warships or guns to countries which are in the blacklist of the United Nations but it’s very difficult to know who sells cyberweapons to these countries. This kind of trade should be regulated. In fact, we can read in the Strategy about the Italian Hacking Team company or the German-English Gamma company who were hacked, and their zero-days and customer list were published. Some customers of Hacking Team and Gamma are in the blacklist of the United Nations!!

I like this Strategy. They have realised they must support French companies, and EU companies as well, for getting better protection. The government of French has realised that most companies, which work on the technology field, are small with less than 20 people and less than 1 M€ billing. In addition, they know that lots of IT engineers emigrate abroad to look for better job opportunities. Therefore, they want more companies like Gemalto, Thales or Oberthur.

Structure par taille des entreprises de la Confiance Numerique en France en 2016 (% des entreprises)

This is a great Cybersecurity Strategy. I would like to read a Strategy like this written by the government of Spain. I think, we have the same risks of the French government but it’s required to take actions.

Merci mes amis!

Revue Stratégique Cyberdéfense de France (II)

I wrote about the first part of the Cyberdefense Strategy of France last week. Today, I’m going to write about the second part of the strategy. The second part speaks about the cyberdefense responsibility of France. It tells how the government of France is organised to fight against cybercrime and how they want to improve the protection of critical activities such as military activities, health activities or energy activities. In addition, this second part speaks about the international cooperation of France in cybersecurity. We’ll see with more details in next paragraphs.

France is fighting against cyberthreats since 2011 when the government created the first cyberdefence strategy. However, they knew about cyberthreats years before, because they had already been attacked. Therefore, the government created the first white book about defence and security in 2008. This white book, or livre blanc, was actually the first purpose of fighting against cyberthreaths because it was the beginning of the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), which is responsible for proposing rules for the protection of state information systems and it reports to SGDSN to assist the Primer Minister in exercising his responsibilities for defence and national security. Since then, a new white book has been written in 2013 with a military program for 2014 – 2019 to reinforce cybersecurity with more money and people.

It’s interesting how the government of France has many departments to fight against cyberthreats. Firstly, they have completely separated the cyberdefence to the active cybersecurity. Secondly, they want to create a Centre de Coordination des Crises Cyber (C4) with three levels: Strategic (C4 STRAT), technique (C4 TECH) and operational (C4 TECHOPS). In addition, I would like to highlight the COMCYBER, which is responsible for cyber-protection and cyberdefence in the Ministry of the Armed Forces. Maybe, there are some more departments for cybersecurity, I don’t know, but I think these departments are required for the protection of the country.

The review of the Cyberdefence Strategy of France speaks also about improving the protection of critical activities such as the protection of the information systems of the State, the protection of important agencies, the protection of fundamental activities, the protection of local authorities and the protection of the democracy. What’s more, this Strategy mentions the Security Directives for the European Union where there is something like a threshold with minimum security measures to apply in all countries of the EU. The aim of the NIS Directive is to improve the weakest link in the information security chain.

This Cyberdefence Strategy is too long but I like. Maybe, it is one of the best Cyber Strategy I’ve read because it is accurate, concise and detailed. I can’t write about all things are included in this Strategy because it would be too many post, thus I recommend reading the whole Strategy.

On va continuer avec le dernier article la semaine prochaine!! On y va !!

Revue Stratégique Cyberdéfense de France (I)

The CISA and CISM certifications were my first contact with security strategies and since then I’ve read several cyber strategies such as the Cybersecurity Strategy of the EU, the National Security Strategy of Spain, the National Cybersecurity Strategy of Spain, the Department of Defense (DoD) Cyber Strategy of the United States and the National Cyber Strategy of the United States. Today, I want to write about the last Cybersecurity Strategy I’m reading, the review of the Cyberdefense Strategy of France. In fact, I’m only going to write about the first part of the strategy, “Les dangers du monde cyber”, due to the fact that this strategy is too extend for just one post.

The Cybersecurity Strategy of France starts speaking about how threats are moving quickly to cyber spying, cybercrime, destabilization, and cyber sabotage. For instance, the strategy highlights the Operation Aurora and Mandiant reports where United States organizations were attacked from China. It also highlights the darkweb for cybercrime, and social networks for terrorism and political destabilization. The strategy makes also reference other cyber operations such as Stuxnet, NotPetya, DDoS attacks, etc.

Action de sabotage informatique

 

The main actions and the operation modes of cyber attacks are also discussed into the cyber strategy. In fact, we can read, and see an example, of the four phases of a cyber attack: Reconnaissance, Intrusion, Malware Insertion, and Exploitation. In addition, we can read about the attacker infrastructure needed for a cyber attack such as C&C servers and exploitation toolkit. The threat structure is also commented into the strategy where we can read an overview of lots of cyber attacks (Shamoon, Carbanak, WannaCry, etc)

Exfiltration de données par envoi d'un courriel piégé

 

This Cybersecurity Strategy has also into account the vulnerabilities. It’s said that the National Security is insufficient because there are increasingly more and more digital services, which could have vulnerabilities, and therefore there is more risk for the State. For instance, a vulnerability into an important system, like the Swift System for worldwide payments, can be able to break the reputation of the system.

Resilience for mitigating risks of cyber attacks is also into this strategy. How can we get resiliency? Integrating cybersecurity into organizations, considering security throughout the information system lifecycle, knowing technologies and threats, and considering active defenses.

Cycle de vie de la sécurité d'un systéme d'information

 

There are many other sections in this first part of the Cybersecurity Strategy of France such as international regulation, which is not too good, or cybersecurity models for protection. I think the review of dangers of the cyber world in this strategy is very complete with lots of examples, concepts and references. I like it!!

On va continuer comme ça la semaine prochaine!!

The Art of Intrusion by Kevin Mitnick

I really love reading. It’s the best time of the day. I’m relaxed. I’m quieted. Nobody disturbs me. I’m just reading. I think reading has lots of advantages such as increasing attention capacity, it also helps us to improve the writing skill as well as it helps us to improve the speaking skill. I think it’s a good way to active the mind and, at the same time, we are learning, enjoying and relaxed. This is why I try reading more and more, although it’s increasingly difficult for me to have time for reading. I would like reading more than I read. The last book I’ve been reading these weeks is “The Art of Intrusion” by Kevin D. Mitnick.

Kevin Mitnick is a computer security consultant, author and hacker who was arrested for five years in 1995 because he was charged with wire fraud, possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer. What’s more, according to Mitnick, law enforcement officials convinced a judge that he had the ability to “start a nuclear war by whistling into a pay phone”. Amazing!! Today, he runs a security firm and he is the keynote speaker in many security conferences.

The Art of Intrusion book has more than ten stories about hackers. All of them are anonymous because some crimes still hadn’t prescribed when the book was written. The most interesting story for me has been about social engineering because we don’t need technical skills but social skills to get confidential information from companies. However, we have to be able to deceive people which is not easy. This chapter speaks about psychological behaviour of human beings. Maybe, the previous book, “The Art of Deception” by Mitnick, teaches more tricks for social engineering.

Another story that I like is about intrusion into casinos for one million dollars. In fact, it’s the first chapter on the book. Four guys who worked in high technological firms as consultants went to Las Vegas for visiting a trade fair, where they also played in slot machines. However, they wanted to win more and more money, then they were thinking about hack the slot machines, till they got it. They were able to understand how the slot machines worked, I mean, the algorithm, and they developed a system to know when the slot machines were going to give money. At the end, the avarice did they was caught by guards.

There is another story that I would like to highlight. It is about crackers. I’ve always thought that cracking software was full of malware, where malicious developers inserted codes to break into computers of people who don’t want to pay money for genuine software. However, the book says that some crackers research how to crack software and develop the crack just for pride, attribution or revenge.

Actually, I think the book is interesting for newbies because there are lots of stories with some technical details. Maybe a little bit outdated. For instance, I’ve enjoyed much more with “Countdown to Zero Day” by Kim Zetter than with this one. However, I’ll try reading “The Art of Deception”. I think, it could be interesting for reinforce my knowledge about social engineering.

Regards my friends. Keep reading. Keep learning!!

National Cyber Strategy of the U.S. of America

I read the Department of Defense (DoD) Cyber Strategy of the United States of America last week and this week I’ve been reading the National Cyber Strategy of the United States. Why? I think reading Cyber Strategies is the best way to understand and learn how to write a Cyber Strategy. This is obvious! In addition, reading Cyber Strategies, we can find out what are the security risks of the States or what they are worrying about. For instance, the DoD Cyber Strategy speaks about the competition with China and Russia as well as the malicious cyber activities of North Korea and Iran. Another example is the Cybersecurity Strategy of the EU which highlight the security risk of depending excessively on ICT produced outside the EU.

The first pillar of the National Cyber Strategy of the U.S. is about protecting the American People, the Homeland, and the American Way of Life. How is the government going to do this? Securing Federal Networks and Information, Securing Critical Infrastructure, Combating Cybercrime and Improving Incident Reporting. The government has written many priority actions in the first pillar such as improving federal supply chain risk management which is interesting to exclude risky vendors, products and services.

Promote American Prosperity is the second pillar of the National Cyber Strategy. The government wants to foster a vibrant and resilient digital economy. They also want to foster and protect United States ingenuity. Finally, the government wants to develop a superior cybersecurity workforce, which is aligned with the DoD Cyber Strategy of the U.S. I would like to highlight the priority action of maintaining United States leadership in emerging technologies, which means most ICT are produced in the EEUU and they want to maintain this leadership. Another interesting priority action is about updating mechanism to review foreign investment and operation in the United States where they want to know who and what foreign companies invest in the United States.

The third pillar is about preserving peace through strength. Peace and Strength in the same sentence. Interesting!! The aim is enhancing cyber stability through norms of responsible state behaviour as well as attributing and deterring unacceptable behaviour in cyberspace. The priority actions in the third pillar talk about information campaigns and non-state propaganda and disinformation. Do you remember the Cambridge Analytica consulting firm and the Trump campaign? Yes, this is to fight against online malign influences.

Advance American Influence is the last pillar of the Cyber Strategy. The government will promote an open, interoperable, reliable, and secure Internet as well as they’ll build international cyber capacity. It seems they are interested in protecting and promoting Internet freedom, me too, but I think they are especially interested in market opportunities for technological American firms because why they don’t also promote free trade? why there are a chaotic trade war?

Regards my friends. Keep reading. Keep learning!!

DoD Cyber Strategy of the U.S. of America

I’ve been reading the Department of Defense (DoD) Cyber Strategy of the United States of America this week. This new strategy seems more offensive than the last one because the Trump administration “will employ offensive cyber capabilities and innovative concepts” as well as they “must ensure the U.S. military’s ability to fight and win wars in any domain, including cyberspace”. However, the devil is in the details, of course. And the strategy includes no much details.

The first line of effort is to build a more lethal Joint Force which means accelerating cyber capabilities development and innovating to foster agility. In addition, the Department will use automation and data analysis tools to improve effectiveness with the aim of operating at machine speed and analysing large-scale of data to identify quickly malicious cyber activities. It’s interesting as well how they are also willing to employ commercial-off-the-shelf (COTS) cyber capabilities to optimized cyber operations.

The second line of effort is to compete and deter in cyberspace which means deterring malicious cyber activities and persistently fighting malicious cyber activity in day-to-day competition. The Department will also increase the resilience of U.S. critical infrastructure working with other agencies and the private sector and sharing information with them. It’s important to highlight most critical infrastructure is managed by the private sector thus sharing information is mandatory for protecting the country.

The third line of effort is to strengthen alliances and attract new partnerships for building trusted private sector partnerships and making international partnerships with the goal of getting advanced cyber capabilities. In addition, the Department wants to reinforce norms of responsible State behaviour in cyberspace to improve behaviour in cyberspace such as including prohibitions against damaging civilian critical infrastructure during peacetime.

Another line of effort is to reform the Department for incorporating cyber awareness into DoD institutional culture because leaders and their staffs should know about security risks as well as they should be able to identify opportunities to gain advantages. The Department will also increase cybersecurity accountability into the private sector and personnel so that each person is accountable for their cybersecurity practices and choices. This line of effort also seeks material solutions that are affordable, flexible, and robust which will be got from COTS. What’s more, the Department wants to expand crowd-sourced vulnerability identification with hack-a-thons and bug-bounties to identify and mitigate vulnerabilities.

Finally, the last line of effort is for cultivating talent. The aim of this line is to enhance the Nation’s cyber talent and sustain a ready cyber workforce. This is going to be done with education, training and awareness as well as with the use of the Reserve Components. Moreover, software and hardware expertise will be in the core of DoD competencies as well as establishing a cyber top talent management program will be one of the main objectives of the DoD.

This is a summary of the Department of Defense Cyber Security. Five lines of effort to compete, deter, and win in the cyberspace domain.

Regards my friends. Keep reading. Keep learning!!

Crowd Counting Researches

I’m not a research but I like reading papers to know and learn about new technologies and trends because many papers later on are useful in the future. For instance, I read about Notos, which is a dynamic reputation system; Pleiades, which is a DGA malware detection system, and Phoenix, which is another DGA botnets searching system. These papers helped me to understand how Domain Generation Algorithms work and, therefore, helped me to win the ISACA Challenge in 2015. Today, I want to write about some papers I’ve been reading about Crowd Counting.

I knew a little bit about crowd counting using computer-vision techniques which is useful to know how many people are in the area. However, after reading more about crowd counting, I’ve realised that crowd counting is interesting for many other applications. For instance, crowd counting can be used in smart buildings to optimize the energy consumption based on the number of people in the building or crowd counting can also be used by retailers for better plan their business by assessing which parts of the store get more visitors. In addition, crowd counting is not only investigated from computer-vision but also from environmental science communities and wireless networking.

I didn’t know environmental science communities also studied about crowd counting. They utilize the characteristics of the area of interest such as temperature, concentration of carbon dioxide, lighting, relative humidity, motion, acoustics, etc to identify the number of people in the area. It’s interesting. However, it requires installing specialized sensors such as gas detection sensors, ambient sensors or CO₂ sensors, which are expensive. In addition, it requires access to the area of interest.

Wireless networking is another technique to identify the number of people in the area where radio frequency (RF) signals can penetrate through objects, such as walls, that combined with wireless devices, such as WiFi routers, provide a great potential for imaging, tracking, and occupancy estimation. There are two methods using RF signals, which are the device-based active methods and the device-free passive methods.

The device-based active methods rely on pedestrians to carry smartphones. For instance, device-based active methods can use GPS or Bluetooth to assess crowd density. It’s interesting how some researches are based in the walking speed of pedestrians to know the crowd density. However, the device-free passive methods don’t require people to carry any device. Instead, device-free methods rely on the interaction of the wireless signals with the people in the area of interest. It’s interesting how these methods can count people through walls using WiFi.

Crowd Counting Through Walls Using WiFi

Once I read the first paper “Crowd Counting Through Walls Using WiFi”, I wanted to know and learn more and more. After reading this paper, I also read “Occupancy Detection Through An Extensive Environmental Sensor Network In An Open-Plan Office Building”, “Indoor Occupancy Estimation From Carbon Dioxide Concentration”, “Bluetooth Based Collaborative Crowd Density Estimation with Mobile Phones” and “Probing Crowd Density Through Smartphones In City-Scale Mass Gatherings”. It’s been interesting, it’s been funny reading about Crowd Counting Researches.

Regards my friends. Keep studying. Keep reading!

Linux Privilege Escalation Example

Privilege escalation is when someone exploits an error, design failure or application configuration, into an operating system or application. Privilege escalation is used to get administrative access into operating systems and applications by malicious users. Most systems have two types of user profiles: users which configure the system with administrator privilege and users which use the system without administrator privilege. Therefore, privilege escalation exploits are used by attackers to get superuser privileges into systems.

There are many web pages out there where we can find privilege escalation exploits which can be used to get into operating systems and applications. Most of them take advantage of bugs and vulnerabilities. One of them, which have many exploits and I like it, is the Exploits Database by Offensive Security where we can search exploits and shellcodes by CVE and platforms. In addition, we can even download the vulnerable application and information to learn how to get into the system.

I’ve uploaded to my YouTube channel a new video where we can watch how to get root access in a Linux machine with a local privilege escalation exploit, which I’ve downloaded from www.exploit-db.com. This exploit takes advantage of a vulnerability in Linux Kernel 2.6.39 < 3.2.2. On the other hand, we can also watch how to get remote root access abusing the weak service permission configuration on Linux. As we can watch, privilege escalation is got through bugs and vulnerabilities but also through misconfiguration.

Regards my friends. Keep studying. Keep testing!!

Linux Buffer Overflow Example

I uploaded a video and I wrote about Windows Buffer Overflow Example two weeks ago. I learnt a lot with this example but I wanted to study about Linux Buffer Overflow as well. Therefore, I’ve been testing with the crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow these days. I installed a Kali Linux 32 bits with the crossfire server, which is an online computer game, and thanks to the edb debugger and python scripts, I’ve been able to learn how to exploit a Linux Buffer Overflow vulnerability. You can check in the next video.

Firstly, I’ve started the virtual machine with the NX protection disabled (noexec=off) and I’ve executed the crossfire server, which listens in the 13327 TCP port. I’ve also tested a simple python script to send 4379 ‘A’s to the vulnerable service. We can see how the program crashes and ESP register contains many ‘A’s or ‘41’ in hex. However, we have to find the specific EIP memory location thus I’ve created a unique string which is sent to the vulnerable server through the malicious script. After I’ve controlled the EIP register, I have to know where I’m going to save the shellcode. Following the EIP register, only 7 bytes are left thus shellcode can’t be saved there. As a result, I’ve pointed to the EAX register where the shellcode is going to be located. The next challenge is to locate a JMP ESP instruction into the memory to insert it into the EIP register. Finally, I’ve created a payload with the msfvenom tool to add it into the script, which give us a Linux remote reverse shell.

Regards my friends. This is another amazing demo to know how Buffer Overflow works. I recommend you do it by yourself.

Training on Networks, Systems and Hacking

I want to write about next security courses on Networks, Systems and Hacking which are going to be delivered for free by FEVAL in Extremadura. It will be five training courses where students will learn basic and advanced security techniques to protect and attack networks and systems. In addition, students will learn computer forensic techniques to analyse digital evidences. Last year, I was the teacher. However, this year, I don’t know yet who are going to provide these training. Nevertheless, I think it’s a good opportunity for learning about security information.

 

The first course, which start next month, is about basic security on networks and systems, where students will learn concepts and skills to understand main information security issues on networks and systems. Students will learn methodologies, and they’ll also use security tools, for protecting IT infrastructures and implementing security plans. Besides, students will manage the Risk Management Process and they’ll also read and create Business Continuity and Disaster Recovery Plans. For instance, last year, we spoke about Antivirus, Application Control, Web Filtering, Antispam, IPS/IDS and we even deployed a virtual firewall.

After finishing the basic security course on networks and systems, we can continue learning information security in the advanced security course on networks and systems. Students will get a deep knowledge about security management and operations, access management techniques, security software methodologies, cryptography, and security laws and regulations. For example, last year, we introduced Web Application Firewalls with SQLi and XSS attacks.

If you like hacking, you can also take the ethical hacking fundamental course where students will learn concepts and technical skills to discover vulnerabilities and attack services with the aim of auditing information systems. For instance, last year, we spoke about vulnerabilities such as Heartbleed, Apache Struts and Shellshock as well as we tested with vulnerabilities assessment systems like Greenbone and OpenVAS into Kali Linux and OSSIM.

If you really love hacking, the ethical hacking fundamental course is not enough because you’ll want more and more hacking techniques. Therefore, the advanced ethical hacking course will be interesting for those students who want to learn advanced techniques to get unauthorized access by targeting systems. For example, last year, we were talking about Social-Engineering Toolkit (SET), Windows Powershell attack, OWASP - Top 10, Web Application Vulnerabilities, DoS Attacks, etc.

This year, there is a new course about Digital Forensics, which sounds fascinating, where students will learn methodologies, procedures and techniques to look for electronic evidences. Computer forensics activities are increasingly requested by organizations because there are lots of security incidents which have to be analysed to determine the scope of attacks.

Regards my friends. I hope this will be interesting for you. Keep studying.

Windows Buffer Overflow Example

I’m learning these days how to exploit Buffer Overflow Vulnerabilities and how to find this kind of vulnerabilities. I think the best way to learn about Buffer Overflow is exploiting these vulnerabilities in a laboratory by ourself. Therefore, I’ve installed a vulnerable server in a Windows machine along with Immunity Debugger and Mona tools. I’ve also installed a Kali Linux machine, which has been the attacker machine. This is the laboratory I’ve deployed to test a simple buffer overflow vulnerability that you can check in the next video.

Firstly, I've scanned the vulnerable server with the Nmap tool to know whether POP3 service is open. I’ve also tested a simple script to send 3000 ‘A’s to the vulnerable server. We can see the program crashes and ESP registry contains many ‘A’s or ‘41’ in hex. However, we have to find the specific EIP memory location thus I’ve created a unique string which is sent to the vulnerable server through the malicious script. Once I’ve controlled the EIP registry, we have to know which bytes cause problems within the vulnerable server such as truncation with bad characters \x00\x0a\x0d. The next challenge is to locate a JMP ESP instruction into the memory to insert it into the EIP register. Finally, I’ve created a payload with the msfvenom tool to add it into the script, which give us a Windows reverse shell.

Regards my friends. This has been an amazing demo to know how Buffer Overflow works. I recommend you do it by yourself.

Buffer Overflow Attack

I remember when I was at University and I studied the “Computer Introduction” and “Operating Systems” subjects. I learnt about registers and how computers use them. I learnt about assembly language. I learnt about Little-Endian and Big-Endian. When I was studying these subjects, I just wanted to pass my exams. However, I realise this knowledge is useful to discover vulnerabilities. It’s also useful to understand attacks such as Buffer Overflow attacks. These knowledge which I learnt 14 years ago is still useful and it’s the basis of new vulnerabilities and attacks.

If we want to understand how Buffer Overflow attacks work, firstly, we have to understand how the memory is segmented and organized, secondly, why the registers are used and what they are used for, lastly, how attackers take advantages of Buffer Overflow vulnerabilities to take control of computers. If we have these knowledge, we will be ready to discover this kind of vulnerabilities and we will also be ready to develop exploits. However, this is not easy because there are different CPU architectures to take into account and there are increasingly security protections such as ASLR or DEP.

The memory model for an x86 Processor is segmented and organised from higher address to the lower address where the stack is at the top of the memory and the program code is at the bottom of the memory. On the x86-32bit architecture there are 8 general purpose registers that are used to store data and address that point to other positions in memory. The most important registers for Buffer Overflow attacks are ESP, EBP and EIP. The first one, ESP, tells us where on the stack we are, thus, the ESP register always mark the top of the stack. The second one, EBP, points to the base address of the stack. Finally, the EIP register contains the address of the next instruction to read on the program, thus, points always to the “Program Code” memory segment.

When we are developing applications, we can use functions like strcpy, gets, scanf, and others. If we call these functions without previously limiting the buffer, we can allow the program writes out of the buffer. For instance, if the parameter value is higher than the memory buffer space, the EIP register could be overwritten by the parameter value. Obviously, the program will crash and it will stop because the CPU doesn’t know where is the next instruction to read on the program.

What an attacker does to exploit a Buffer Overflow vulnerability? Actually, the attacker writes the address of a malicious code in the EIP section. In other words, the attacker overflows the buffer to write into the EIP section the address which points to the exploit.

 

However, a Buffer Overflow attack is not so simple. There are some problems. First, we don’t really know where the address of the EIP register is located. Second, we have to capture the ESP value when the buffer overflow exception occur. Third, there are some values that could cause a problem if the address of ESP contains one of this bad characters. Of course, these problems can be resolved. The first one can be resolved sending a unique pattern of characters to find the offset position in the original string. The second one can be resolved using any Disassembler/Debugger. The last problem can be resolved sending all the characters (from 0x00 to 0xFF) and monitor manually with a Disassembler/Debugger thus when a bad character is sent, the string sent is truncated just before the bad character revealing one of the bad characters

Regards my friends. Maybe, this is a very technical post. I've obviated many things. I’ll try making a video.