ClearNet Security: Tag Tate Hansen

True penetration testing?

tate@ClearNetSec.com (Tate Hansen) — Sun, 04 May 2008 22:45:00 -0600

This from the new PCI information supplement: (regarding the required annual penetration testing for compliance)

The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications

Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear too; this is not about a vulnerability sweep, they want you to bust in.

Penetration testing [..] should occur from both outside the network trying to come in (external testing) and from inside the network.

Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?

PCI states:

“resources must be experienced penetration testers”

What does that mean?

I’m sure the PCI council is of compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test there way out of a paper bag even if they were handed a loaded metasploit gun, right?

With the huge number of companies bemoaning PCI compliance, I just don’t see most getting a true penetration test. I guess I could be reading too much into this. Maybe the skills bar level I consider for experienced penetration testers is way higher than what the PCI council considers experienced or what others consider experienced or good?

Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?

Predictive markets & betting on when apps or companies get owned

tate@ClearNetSec.com (Tate Hansen) — Wed, 30 Apr 2008 23:30:00 -0600

A recent WSJ article titled “Trading on the Wisdom of Crowds” sparked my interest as it may relate to security. Are there ways to build a business around helping organizations understand the risk to their data assets by using predictive market models? Or maybe building it around betting on commercial applications?

“Betting odds are generally taken as the best indicator of probable results in presidential campaigns," this newspaper explained in 1924.

I’m placing a bet that retail store XYZ gets owned and reveals grandma’s credit card details in ‘08. I’m placing another bet that application ABC will have a remote admin level vulnerability by October ’08.

Alas, we must have more transparency and trust in the publicly disclosed information to play. Participation is key as well:

Predicting markets seem to work so long as there are enough traders whose aggregate information is fully reflected in bets.

Would enough people find it worthwhile to become active traders? Maybe. There was an active predictive market created around the following question:

What will the government's 2007 computer security grade be?

It’s probably a big stretch to build a successful predictive market business around the types of security bets which would benefit organizations. By that I mean if I was responsible for a commercial application in which 75% of the traders were betting on my application being owned within the year, I’d probably work hard to change the odds (i.e. allocate resources to improving the security of my app).

When virtual servers play havoc

tate@ClearNetSec.com (Tate Hansen) — Mon, 14 Apr 2008 15:19:00 -0600

I recorded a tidbit which came from a comment spoken at one of this year's RSA panel tracks. I hadn't thought of this issue on a big scale. It was a comment on how disruptive an environment which frequently "resets" virtual servers as part of normal business is to security.

It's obvious such an environment can have a significant impact on security tools, especially those which strive to learn patterns or look at history or both.

I was just imagining if I was a security admin responsible for a large block of EC2 virtual servers. As part of that, maybe the use of these blocks of servers is similar to a class lab whereby students get to install and do anything they want on the servers. When they're done, the instructor runs around and resets all the servers. Extrapolate this and it can lead to a hard problem, security speaking, for general cases.

I haven't meditated on this issue, but I'm guessing it'll become more visible in short time.

Test commercial web app scanners for free and without restrictions?

tate@ClearNetSec.com (Tate Hansen) — Mon, 24 Mar 2008 11:54:00 -0600

If your software licensing ethics tend to contort a tad here and there, then you may find the below tricks helpful when you want to evaluate commercial web app scanners. Partaking in these tricks is slippery, and you may fall into ethical perdition, so prepare yourself!

Super simple trick #1: Request search and replace proxy

Fire up a proxy that supports request search and replace.

Let’s say an app restricts you to scan only their target site (e.g. demo.testsite.net), but you want to point the scanner to a different target.

No problema.

As shown above, I typed in demo.testsite.net for Search, and blog.clearnetsec.com for Replace. Every HTTP request passing through this proxy with a Request-URI matching the string demo.testsite.net will get replaced with blog.clearnetsec.com. The result? The app scans my blog.

Note: Super simple trick #1 only works for apps which restrict via the hostname. If the app is smarter and adds IP validation, then move along to Sort of simple trick #2.

Sort of simple trick #2: IPTables magic

This trick can add license evading umpf to your smokin’ renegade style. :)

Let’s say the app tries to validate you are only scanning the sites you're licensed for by checking the target IP addresses (regardless of how the hostnames are resolved). For example, maybe the demo version of the app allows you to only scan IP address 55.55.55.55.

No problema.

One line explanation: Setup a linux box to do routing, configure a VIP, and add two IPTable NAT rules.

The long answer.

Setup a linux box. A linux VMware image works too. Configure the network as normal – give it a standard IP, gateway, list of name servers, etc., as you would when configuring any other box on your local subnet.

Once you got that, then check out the script below.

Follow? If not, I’ll explain in more detail.

Again, the first thing you need is a normal networked working linux box.
There are 4 steps to facilitate a destination IP switch-a-roo:

Configure a Virtual IP. Pick an IP located on a different subnet, don’t pick an IP on the same subnet as the primary IP.
Enable IP forwarding.
Setup a DNAT (Destination NAT) rule to replace the destination IP on the fly. The first IP (e.g. 55.55.55.55) is the licensed locked IP. The second IP is (e.g. 216.241.191.205) is the IP you want to scan.
Setup a SNAT (Source NAT) rule to replace the source IP on the fly. The first IP (e.g. 192.168.1.101) is your workstation IP. The second IP is the primary IP address of the linux box.

The last step there, #4, is overloaded. Once you go through the steps above on the linux box, then you need to change the IP address of your workstation with the app scanner installed. You want to pick a new IP for your workstation which is on the same subnet as the VIP you configured on the linux box. You also want to change your workstation to use the linux box as your gateway to the Internet, so change the default route address to match the IP of the VIP on the linux box.

That should do it. Replace the IPs in the IPTable rules above with the IPs that work for you and scan away.

Note: You can’t always do the IPTables trick by itself; one reason is due to virtual hosting. If only one website is being hosted on the IP, then you probably can do this. If the target IP is hosting lots of domains, then you need to chain the request and replace proxy with the IPTables magic to ensure each Request-URI is for the correct host and domain.

For example, GET http://216.241.191.205/... HTTP/1.1 may not be the same as GET http://blog.clearnetsec.com/... HTTP/1.1

Super Simple trick #3: VMware snapshots

Most everyone is likely familiar with this trick. If you have a web app installed in a VMware image and you have a working license (e.g. trial license), but it expires at a certain time and date, the trick is to create a snapshot of the VMware image with the app in a working state.

Anytime you want to scan, change your host OS clock back to a time that is within the licensing window (or ensure your VMware guest image doesn’t sync the clock with the host OS when you restore the snapshot), and restore the snapshot.

Note: Some apps may call home when first launched, so it helps to create the VM snapshot when you have the app open and ready to scan.

Trick addendum:

For those web app scanners which restrict you from scanning SSL enabled sites, have no hesistation, you can work around that too.

One way is via stunnel. From www.stunnel.org.

Encrypted version with STUNNEL

+---------+      | |     +--------+    +---------+
| non-SSL | -ST- | | --- | Apache | -- | non-SSL |
| enabled |      | |     | WITH   |    | enabled |
| client  |      | |     | SSL    |    | server  |
+---------+      | |     +--------+    +---------+
   CLIENT        NET     WEB SERVER      SERVICE

Note the position of STUNNEL : the "-ST-" in the diagram above. Below is an example stunnel configuration:

client=yes
verify=0
[psuedo-https]
accept = 8080
connect = blog.clearnetsec.com:443
TIMEOUTclose=0

Configure your app or browser to use the stunnel proxy listening on port 8080 and you'll be able to hit the site using HTTPS (via the proxy), but your local app or browser will be only speaking HTTP.

Quick alternate to #1 for Apache fan boys and girls:

Via Apache 2.2.x, with mod proxy and mod rewrite enabled, setup a proxy like so:

ProxyRequests On
<Proxy *>
RewriteEngine on
RewriteRule ^(.+) http://blog.clearnetsec.com/$1 [P] (or something close to this)
Order deny,allow
Deny from all
Allow from all
</Proxy>

Configure your browser or app scanner to use this Apache proxy server and all Request-URIs passed through will be re- written to target http://blog.clearnetsec.com/.

YMMV. Have fun.

Rogue modems are still plentiful?

tate@ClearNetSec.com (Tate Hansen) — Fri, 15 Feb 2008 22:18:00 -0700

I was doing a scope call for a large grocery chain recently when they mentioned they discover around 20 rogue modems per quarter per division (and they have more than 12 divisions). That number is way higher than I would've guessed, though maybe lots of the modems are legitimate but not on their official roster.

Whatever the case may be, wardialing is not a moribund activity, or as close to it as I thought.

The booming exploit market and bye bye to swaths of products

tate@ClearNetSec.com (Tate Hansen) — Thu, 31 Jan 2008 23:50:00 -0700

There are lots of articles mentioning the Digital Armaments bounty for exploits. I wrote a snippet on the commercial exploit market about a month ago, whereby I was simply listing the prices for subscribing to the different exploit houses.

I guess I forgot to consider another complexity of all this and that is from the influence the organizations who compete to purchase exploits are having (e.g. iDefense, 3COM/TippingPoint, Governments, people and groups w/lots of money).

I wonder how extensive this really goes – I mean, it seems this market is in a boom of sorts which implies there are lots of private exploits trading hands. Exactly how many would be interesting to know. Hell, any numbers would be nice.

One thing is apparent though, if this market continues to grow then how can any security products based on “knowing attacks” succeed? They won't. An IDS vendor is not going to be able to afford to purchase all; no company will have a monopoly.

“Big money! Big prizes! I love it!”

tate@ClearNetSec.com (Tate Hansen) — Fri, 28 Dec 2007 08:57:00 -0700

Smash TV quotes. Love ‘em.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

product	to start	quarterly	total
d2	$1,950	$850	$5,350
gleg	$1,400	$700	$4,200
argeniss	$1,000	$500	$3,000
canvas	$1,450	$730	$4,370

And the crème of the crop:
Immunity Sec’s Vulnerability Sharing Club $50,000 - $100,000 per year

Attacking with anything less in hand tends toward negligence, especially if you do so without disclosing what you’re missing. Pay to have all and you’ve likely priced yourself out of competitive bids.

The winners here, again, are the attackers.

“Good Luck… you’ll need it!”

Follow-up on using unicornscan for a big scan (400,000+ public IPs)

tate@ClearNetSec.com (Tate Hansen) — Thu, 27 Dec 2007 12:36:00 -0700

I’m happy to report our growing experience using unicornscan for large discovery sweeps is a positive one. Our confidence in using this tool has increased and it is now our preferred weapon of choice for scanning large IP swaths.

To recap: We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Tech note: We avoided problems with table overflows and other like issues by placing the systems directly on the internet and with iptables turned off.

Another tidbit on PCI

tate@ClearNetSec.com (Tate Hansen) — Tue, 06 Nov 2007 18:31:00 -0700

Today I was talking with a colleague from a partner company about the PCI certification - I think he's up for recertification.

The interesting thing is he was talking to a Qualys representative recently whom, affably speaking, offered tips on how to tune the Qualys scans based on new modifications made at Mastercard's test lab. The representative also said he could review the report Qualys automatically builds. My colleague exclaimed to me "It sounded like they already have the answers".

Of course they do. Qualys pays PCI to verify their ability to discover what PCI wants them to discover. People pay and use Qualys so they can become PCI certified. Anybody willing to click "start scan" has the ability to be an Approved Scanning Vendor.

What's my problem with all this? For one, the certification process is rotten:

http://blog.clearnetsec.com/articles/2007/05/16/pci-not-our-problem.
http://blog.clearnetsec.com/articles/2007/05/04/pci-misleading-racket

On top of that, it's costly and does little to vet engineers claiming competency. Its design is to weed out small security firms, which is probably why it fires me up in the first place and turns me into a cynical punk all day.

Trying out unicornscan

tate@ClearNetSec.com (Tate Hansen) — Sun, 14 Oct 2007 22:10:00 -0600

We’ve hit a new high. We’ve soaked ourselves in a bandwidth bath on behalf of a client whom would like us to discover active services across a range of six public /16 blocks plus some scattered /17s, /24s, etc. The range is close to a total of 400,000 IPs.

We started out with five dual Xeon systems running 20 to 40 instances of nmap, each tuned, and each instance targeting 64 IPs. This client wants the job completed in weeks, so we decided it was a good time to get more experience with unicornscan.

By luck, we tapped into a Danish provider that is allowing us to push 55Mbits/s. I have no idea how much that amount of bandwidth would normally cost, especially if sustaining it 24x7 for a few weeks, but I’m guessing it is way over $10,000. Our client would allow us to go up to 100Mbits/s, alas, our luck doesn’t go that far.

Anyway, we now have faster dual-core systems each pushing ~25 Mbits/s via unicornscan like so:

sudo nohup /usr/local/bin/unicornscan -mT -p –r25000 -vv xxx.zz.0.0/16:a -w unicorn.output.for.xxx.zz..0.0.fullTCP > unicorn.output.fullTCP &

We have lots of results from nmap; so far unicornscan is matching the nmap results. Having the ability to specify packets per second with unicornscan is super nice.

We’ll create a follow up post on how all our scanning worked out on this gig when we’re finished (sometime in late November).