Wednesday, September 1, 2010

Tuesday, July 20, 2010

Hacking Server Through Apache Manager Console

While testing many times we come across tomcat servers and various vulnerabilities related with the old version. The most common one is open Tomcat Managers Console on port 8080 Or 8081.

I have seen most of the people just try to brutforce the credentials and show the screenshot without going further and actually exploiting and taking over the base operating system. so lets discuss in detail,

1) Brutforce the appache tomcat managers console. You can manually tomcat / tomcat Or even use auxiliary scanner module from metasploit - Tomcat_mgr_login It will test for common username and passwords for Apache.

2) You have found credentials for login













3) now fire up tomcat_mgr_deploy from metasploit and choose the applicable payload and target. in my case It was Linux and Payload was Linux Shell.












4) Target Comprised :) ....... Best thing is to show this in External PT.









































Next Topic would be Hacking Server Through JBoss Console............

Wednesday, June 9, 2010

LIGATT Security International XSS Vulnerability



LIGATT Security International Protecting One CPU at a time............maybe they forgot to protect their own CPU .......... And only one CPU at a time?




Wednesday, May 19, 2010

Virtual Security

Virtualization Security

Abstract

Virtualization Security is the need for rapidly growing Virtualized environment. This paper try to explain various factors affecting virtual security, assessment tools and various products to deal with it.

1) What is Virtualization?

Virtualization is anything that directly segregates any software resource from underlying hardware or system resource. It is done via using Hypervisor, also known as VMM (Virtual Machine Moniter). Multiple operating systems, including multiple instances of the same operating system, can share hardware resources. Unlike multitasking, which also allows applications to share hardware resources, the virtual machine approach using a hypervisor isolates failures in one operating system from other operating systems sharing the hardware.

2) Virtualization Standard

DMTF Open Standard for System Virtualization Management (http://www.dmtf.org/newsroom/pr/view?item_key=70d5d3ba78d39488626f838397a3d1e9812e5d40)

DMTF OVF Rel. 1 (www.dmtf.org/standards/published_documents/DSP0243_1.0.0.pdf) The Open Virtualization Format (OVF) Specification describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines.

3) What is Virtualization Environment

The virtualization environment is anything that directly or indirectly touches the virtualization host or virtual machines.


4) Change in Datacenter

Virtualization is changing datacenter into Green DataCenter (Green IT) and becoming cost effective solution for enterprises.

More and more companies are adopting Virtual environment and cloud for better operational functionality,


5) Famous Virtualization, Cloud Implementations,

5.1) The Rackspace Cloud

5.2) Amazon Elastic Compute Cloud

5.3) VMWare Technologies

5.4) Windows Azure

5.5) Google App Engine

5.6) SalesForce

5.7) Go Grid

5.8) Oracle VM Virtual Box

5.9) Red Hat Enterprise Virtualization Manager

6) Virtualization for Better Security

Industries are adopting Virtualization because of its better security functionality over traditional network components.

i) Cleaner and easier Disaster Recovery and Business Continuity Planning.

ii) Faster Recovery after attacks,

a. Compromised VM’s can be reverted to Last known Good Snapshot OR Backup.

b. No need to rebuild from scratch.

c. Better forensics capabilities,

i. Take entire VM as opposed to just one image.

ii. Contents of memory can be more easily captured.

iii) Patching is safer and more effective,

a. Actually test patches on identical images of critical machine as opposed to the mocked up lab environment.

b. Failed patches can be easily recovered through snapshots or clones.

c. Patch offline virtual machines.

iv) No need of multiple images for every different piece of hardware in the environment.

v) More “Cost Effective” Solution,

a. Security devices can also be virtualized, so internal security becomes a real option because of low cost of software solution versus hardware.

7) Traditional Security Approach

8) Security Risks in Virtualization

8.1) Misconfiguration

As per Gartner security survey biggest security risk for virtual environment is Misconfiguration and mismanagement.

Following attacks are possible in misconfigured environment,

i) MITM attack against Virtualization Admin.

It is possible if virtualization admin in organization lives in same broadcast domain as other users. Not careful about SSL Certificate implementation in VM. Main problem in VM is VM CLI Tools do NOT warn about invalid certificates. Which makes MITM easier (example: vCLI, VIMA, VMWare Perl SDK).

ii) Web Attack against Virtualization admin.

It is possible if admin uses same workstation to browse web which they use to administrate virtual environment. It is possible through phishing and other good old web attack techniques.

8.2) Dormant VM

8.3) Resource Contention

Resource contention can be problem with AV Full system scan on Virtual Environment as existing AV Solutions are not VM Aware. Simulation full AV Scans on the same host causes severe performance degradation. In Physical Environment all machines have independent hardware resource to distribute the load but in Virtual Environment resource are shared across multiple machines thus making it serious problem.

8.4) VM Sprawl

It is very easy to create virtual environment and most of the system administrators are following the VM Technology for ease of use. But by doing VM Sprawl they are compromising security as Security weaknesses replicate quickly in VM and there is lack of visibility into, or integration with, virtualization console increases management complexity.

8.5) Inter-VM Traffic

The major problem in Inter-VM Traffic, The network IDS/IPS cannot see the Inter-VM Traffic, It is invisible for network IDS/IPS. Because the VM operates the traffic in its own little network and not allowing it to come to Network IDS/IPS

8.6) VM Mobility / vMotion

When one VM Machine moves from one ESX Server to another Server on live environment It can cause an issue as the current solutions are not capable of handling the new location and auto configure Themselves to move the data or traffic through respective VM’s. Live migration capability is major issue.

8.7) Malware / Rootkits

Virtualization environment is prone to various malware and root kits attacks which are specially developed for it. One example is Operation Blue Pill by Joanna Rutkowska. This Root kit has Common HVM layer architecture to support SVM and VT-x, On the fly loading and unloading, Support for nested hypervisors on AMD NBP inside NBP inside NBP, Virtual PC inside NBP, etc...


9) Virtualization Security Assessment Tool

9.1) VASTO Virtualization Assessment Toolkit

The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload. Hundreds of exploits and dozens of payload options are available.

There are a number of open source modules that perform a number of different attacks from hijacking a connection to the virtual infrastructures web-based management consoles against VMware VI/vSphere, Server 1.x, Converter and even Citrix XenCenter to password bruteforcing against VMware and Xen platforms, up to a path traversal attack against VMware ESX, ESXi and Server web interfaces. VASTO even includes an attack against VMware Studio.

9.2) VMInformer Assessment Toolkit

10)Best Practices for Virtualization

I. Hypervisor security

The hypervisor is a piece of software, in many cases, unless integrated directly with the host platform (see the next section). The major virtualization vendors release patches for their products like any other software providers, and the key to mitigating the risk of hypervisor vulnerabilities is a sound patch management process.

Examples of sound patch management practices include maintaining the latest service packs for both guests and hosts, alleviating any unnecessary applications that have a history of vulnerabilities, and applying the latest security rollup patches if and when they are supplied by the virtual software vendor.

II. Host/Platform Security

The host platform, which connects the VMM and virtual guests to the physical network, can vary widely in the type of configuration options available. This is largely dependent on system architecture; for example, VMware’s ESX Server platform has a number of similarities to Red Hat Linux. Given that many of these systems are able to be hardened considerably, a number of “best practice” configuration guidelines can be applied, including setting file permissions, controlling users and groups, and setting up logging and time synchronization. There are many freely available configuration guides from the virtualization platform vendors, the Center for Internet Security (CIS), NSA, and DISA.

III. Securing Communications

Securing communications between the host system and desktops or a management infrastructure component such as VMware’s vCenter is essential in order to prevent eavesdropping, data leakage, and Man-in-the-Middle attacks. Most of the well-known platforms today support SSH, SSL and IPSec for any communications that are required, and one or more of these should be enabled.

IV. Security between guests

One of the biggest security issues facing the virtualized enterprise revolves around the lack of visibility into traffic between guests. Inside a host platform is a virtual switch that each guest connects to – in essence, the host’s physical NICs are abstracted into a switching fabric. In many organizations, network monitoring and intrusion detection solutions have long been established to gain visibility and security alerting on critical network segments. With the advent of the virtual switch, all inter-VM traffic on a host is contained entirely within the host’s virtual switching components, so visibility and security is severely compromised. Fortunately, most enterprise-class virtualization solutions have traditional Layer-2 switching controls built in, so it’s possible to create Mirror ports on the virtual switch to monitor traffic.

V. Security between host/guests

it is required to Avoid “VM Escape”, where malicious code could “break out” of the VM Guest and execute on the underlying Host. The safest method for protecting against VM escape and other attacks that relate to guest-host interaction is to turn off services you don’t need.


11) Products for Virtual Environment,

11.1)VMSafe API By VMWare

11.2)Cisco Nexus 1000V Virtual Switches

11.3)Backup Storage and Protection for Virtualized Environment

NetApp BEX – Using Data Deduplication

11.4)Open vSwitch – Citrix

11.5)VMWare vNetwork Distributed Switch Architecture

11.6)Citrix XenServer 5.6 – Free & Open source Hypervisor

11.7) EMC Ionix ControlCenter

11.8) EMC Rainfinity File Virtualization Appliance


To Be Continue ................

Friday, May 14, 2010

Fraud Emails


Indian Version :P







One more example of freaud emails,

Sunday, January 10, 2010

M.In.Com XSS Vulnerability

Dear All,

Today I decided to do time pass on mobile version of In.com.

Now I just really can't understand how can someone be that stupid Or Careless in designing all the web applications, All websites in that domain.

I think In.com is better option for replacing web goat :P .

have a look,


Tuesday, November 10, 2009

In.com XSS Vulnerabilty Disclosure

Dear All,

One Of the most famous website now days, In.com but most careless about Web Application Security.

So no falatu gyan this time Directly ScreenShots,

Now I tried to contact them but there was no reply, and my ip was Blocked :( ..........

1)



2)

3)

4)
Sorry for the delay in uploading last screenshot, they have updated the website and I was hoping that they might fix it but it is still vulnerable. I was waiting for the update to break it :P ........