Saturday, October 24, 2009

Rapid7 snaps up the Metasploit Project - Source SecurityFocus

Vulnerability management firm Rapid7 announced on Wednesday that the company had purchased the Metasploit Project, a popular software tool among penetration testers to exploit software flaws.

The founder of the project, security researcher HD Moore, will join Rapid7 as chief architect of Metasploit and chief security officer of Rapid7, the company said in a statement. The company plans to fund Moore and other developers to focus their work on the Metasploit project.

"Successful security requires equal understanding and capabilities of both offensive and defensive security best practices," the company said in a statement. "Metasploit gives Rapid7 access and collaboration with one of the largest, most sophisticated security researcher communities in the world."

The Metasploit Framework was created by Moore in 2003 and, until the acquisition, was maintained by a team of volunteers. The software can be used by security professionals and system administrators to perform penetration tests and verify the patch level of computers. While the software can be controlled by an interactive command line, a point-and-click AJAX-based Web interface is also available. The group released a major upgrade to the framework, version 3.0, in 2007. In November, the Metasploit Project plans to release its next major upgrade, version 3.3.

Moore and other members of the Metasploit team will now be able to work full time on the project's code, according to Rapid7.

"HD and the team will now have more dedicated resources and support to invest in exploit research and to create a broader penetration testing platform," the firm said.

Sunday, October 18, 2009

Doing SQL Hardening

Many times I have noticed that people are totally clueless about how to do SQL database hardening, so I am writing a small guide for that. Now I am not an expert in SQL hardening, but people say that I do good SQL hardening, so here is the guide.

If you want to try then try, otherwise don't try, as simple as that...........

Now first, there are two options:

1) Understand how SQL works, what the software and hardware requirements are, its functionality, etc.

2) Directly do SQL hardening

So we will do SQL hardening directly, because if you are at the level of doing hardening it means that you already know how SQL works, so why waste time??

So, starting with SQL database hardening,

We are taking SQL Server 2005 as the example.

Rule 1:

DO NOT JUST GO TO THE INTERNET AND DOWNLOAD ANY RANDOM CHECKLIST. THERE ARE SOME RULES FOR HARDENING, AND THEY GO FOR EVERYTHING: WINDOWS, ROUTERS, DATABASES....................

SO TO START WITH,

Divide all the rules into groups. To create groups, just think. It's simple.

Think......................


so for SQL It will be,

1) Access Controls
2) Account & Passwords
3) Auditing & Monitoring
4) Backup & Restore
5) Capacity Planning
6) Documentation
7) Encryption
8) Fault Tolerance
9) File Permissions
10) Local and Remote Settings
11) Updates and Patches
12) User Privileges

Now evaluate your settings against the best practices described for each and every group in the security configuration baselines available for SQL Server.

For example, as per best practices:

1) Access Controls

SQL Server 2005 should be configured to use the Windows Authentication method to authenticate users.
A firewall or other access control mechanism should be installed to control access to MS SQL Server 2005.
SQL Server should be installed on a server which is not a Domain Controller.
MS SQL Server 2005 should be configured to use the Windows Authentication method to authenticate replication agents.

2) Account & Passwords

The MS SQL Server 2005 administration login ("sa") should have a hard-to-guess password.
Granting of administrative privileges to MS SQL Server 2005 through database roles should follow the "least privilege principle".
Granting of administrative privileges on MS SQL Server 2005 through server roles should follow the "least privilege principle".

3) Auditing & Monitoring

MS SQL Server's auditing feature should be enabled.
SQL Server audit logs should be checked regularly.
A retention period should be defined for MS SQL Server 2005 audit log files.

and so on........
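The three groups above are written as rules; the following T-SQL script, which is an added example and not part of the original post or of any vendor checklist, turns them into read-only checks you can run against a SQL Server 2005 instance before and after hardening. The PASS/FAIL/REVIEW labels, the set of configuration options it looks at, and the build-number check at the end (which belongs to group 11, Updates and Patches, rather than to the three groups shown) are my choices, not from the post. Run it as a sysadmin from SSMS or sqlcmd; a REVIEW row is something to justify with the administrator, not an automatic failure.

```sql
-- Added example (not from the original post): read-only checks for the
-- groups Access Controls, Account & Passwords, Auditing & Monitoring, plus
-- the patch level, on SQL Server 2005. Nothing here changes any setting.
SET NOCOUNT ON;

-- 1) Access Controls: authentication mode.
--    1 = Windows Authentication only, 0 = Mixed mode (SQL logins usable).
SELECT 'Auth mode' AS check_name,
       CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'PASS - Windows Authentication only'
            ELSE        'FAIL - Mixed mode enabled' END AS result;

-- 1) Access Controls: surface-area options. 'remote access' is the legacy
--    remote stored-procedure option, not TCP connectivity; the list of
--    options to review is my choice, not the post's.
SELECT 'Config: ' + name AS check_name,
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'PASS - disabled'
            ELSE 'REVIEW - enabled' END AS result
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries',
                'remote access', 'remote admin connections');

-- 2) Account & Passwords: "sa" is found by its fixed SID 0x01, so the check
--    still works if the login has been renamed. PWDCOMPARE against the
--    stored hash detects a blank password without revealing anything.
SELECT 'sa login (' + name + ')' AS check_name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'FAIL - blank password'
            WHEN is_disabled = 0 THEN 'REVIEW - enabled; hard-to-guess password?'
            ELSE 'PASS - disabled' END AS result
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 2) Account & Passwords: other SQL logins should inherit the Windows
--    password policy and expiration.
SELECT 'SQL login: ' + name AS check_name,
       CASE WHEN is_policy_checked = 0 OR is_expiration_checked = 0
            THEN 'REVIEW - policy/expiration not enforced'
            ELSE 'PASS' END AS result
FROM   sys.sql_logins
WHERE  sid <> 0x01;   -- sa handled above

-- 2) Account & Passwords: least privilege on server roles. Every member of
--    sysadmin effectively owns the instance; justify each name.
SELECT 'sysadmin member: ' + p.name AS check_name,
       'REVIEW - justify membership' AS result
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- 3) Auditing & Monitoring: login audit level (none/success/failure/all).
--    xp_loginconfig returns a result set, so capture it in a temp table.
CREATE TABLE #audit (name sysname, config_value sysname);
INSERT INTO #audit EXEC master.dbo.xp_loginconfig 'audit level';
SELECT 'Login audit level' AS check_name,
       CASE config_value WHEN 'none' THEN 'FAIL - no login auditing'
                         WHEN 'all'  THEN 'PASS - success and failure logged'
                         ELSE 'REVIEW - ' + config_value END AS result
FROM   #audit;
DROP TABLE #audit;

-- 3) Auditing & Monitoring: instance-level audit switches. The default
--    trace is cheap and normally on; C2 audit mode is heavy and usually a
--    deliberate decision, hence REVIEW rather than FAIL when off.
SELECT 'Config: ' + name AS check_name,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'PASS - enabled'
            ELSE 'REVIEW - disabled' END AS result
FROM   sys.configurations
WHERE  name IN ('default trace enabled', 'c2 audit mode');

-- 11) Updates and Patches: compare this build against the vendor's current
--     service pack / cumulative update list for SQL Server 2005.
SELECT 'Build' AS check_name,
       CAST(SERVERPROPERTY('ProductVersion') AS sysname) + ' ('
       + CAST(SERVERPROPERTY('ProductLevel') AS sysname) + ')' AS result;
```

Each SELECT returns the same two columns (check_name, result), so the output can be pasted straight into the hardening document as the "before" state for the groups it covers.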

Obviously I am not going to give the entire checklist for free.......... I have given the important steps; now you just need to find out the security controls which will fit in those groups.

Word of caution: "Many times SQL Server is loaded with lots of data and is used by many clients, so before doing SQL hardening take a backup, sit with the administrator, take downtime and verify that hardening is not affecting any of the connected clients, and write down each and every step so you can undo it if required."
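The caution above is the part most checklists skip. The following T-SQL is an added example, not from the original post, of one way to do the "take a backup and write down each step" part before the first change: back up the system databases that hold logins and configuration, then snapshot the settings the checklist touches into tables so that a later diff shows exactly what changed. The database name HardeningBaseline, the table names, and the backup path C:\Backup are my assumptions; adjust them to the server.

```sql
-- Added example (not from the original post): capture a baseline before the
-- first hardening change so every step can be undone. Assumes C:\Backup
-- exists and is writable by the SQL Server service account (assumption).
SET NOCOUNT ON;

-- master holds logins, server roles and sp_configure values; msdb holds
-- jobs and operators. Back up both in addition to the application databases.
BACKUP DATABASE master TO DISK = 'C:\Backup\master_pre_hardening.bak' WITH INIT;
BACKUP DATABASE msdb   TO DISK = 'C:\Backup\msdb_pre_hardening.bak'   WITH INIT;

-- A small database for the snapshot tables (name is an assumption).
IF DB_ID('HardeningBaseline') IS NULL CREATE DATABASE HardeningBaseline;
GO
USE HardeningBaseline;
GO
IF OBJECT_ID('dbo.config_before')       IS NOT NULL DROP TABLE dbo.config_before;
IF OBJECT_ID('dbo.logins_before')       IS NOT NULL DROP TABLE dbo.logins_before;
IF OBJECT_ID('dbo.role_members_before') IS NOT NULL DROP TABLE dbo.role_members_before;

-- Instance options (sp_configure values) as they are right now.
SELECT GETDATE() AS captured_at, name, value, value_in_use
INTO   dbo.config_before
FROM   sys.configurations;

-- Every server-level principal and whether it is disabled.
SELECT GETDATE() AS captured_at, p.name, p.type_desc, p.is_disabled
INTO   dbo.logins_before
FROM   sys.server_principals p;

-- Fixed server role membership (sysadmin, securityadmin, ...).
SELECT GETDATE() AS captured_at, r.name AS role_name, m.name AS member_name
INTO   dbo.role_members_before
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id;

-- Run this after the hardening steps: it lists each option whose value
-- changed, with the old value, which is the undo record the post asks for.
SELECT b.name, b.value_in_use AS before_value, c.value_in_use AS after_value
FROM   dbo.config_before b
JOIN   sys.configurations c ON c.name = b.name
WHERE  b.value_in_use <> c.value_in_use;
```

The same before/after comparison works for the login and role-member tables by joining them against sys.server_principals and sys.server_role_members; the configuration diff is shown because sp_configure changes are the ones most often made without a note of the previous value.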

Bad Social Engineering Attempt......Something about Social Engineering

Dear All,

Early morning, around 11 AM, sleeping in a deep sleep,

suddenly my phone started crying,

I answered the phone,

There was one stupid fellow,

Now see the conversation,

Stupid Fellow " Sir, I am calling from Hutch"

Me "Ya"

Stupid Fellow "Sir, as per the Diwali Dhamaka Offer, we are extending your credit limit from 500 to 1000 on your monthly mobile bills"

Me "Ok" (This time I got alert because my credit limit is already 3000)

Stupid Fellow " Sir Now Can I have your date of Birth and email address"

Me " Why"

Stupid Fellow "Sir, as a security requirement we need to ask this of the customer before giving them any new information about our special products"

Me "Dear, you already gave me all the information" (I was laughing really hard)

Stupid Fellow "haa.........hummm.......... ........................." (got confused and hung up the phone)

ON TOP OF THAT HE WAS CALLING FROM HIS MOBILE.............

NOW I DIDN'T CALL HIM BACK, BUT I SAVED HIS NO...... SO I CAN CALL HIM IN FUTURE IF I NEED SOME MONEY :P...........

BUT REALLY BAD ATTEMPT...................because come on, why would anyone entertain you for a mobile bill credit limit? He should have at least used a credit card or savings bank account, something which is valuable. Who cares about a mobile bill credit limit?

If I needed to call I would call about a credit card or a savings bank account. And it's very easy. Just think: the entire day you get calls from marketing companies. Do you ever wonder how they get your details?? They know your name, they know your number, they also have your address; how do they?? Do you ever bother to ask them how they got all the details?? No, you just put the phone down, but on the other hand we should ask them, "Boss, how did you get my number, how do you know my name?" We should ask.

now just to try, go to any banks website, you will get account opening forms, credit card forms and other things, download it, take printout, wear white shirt, tie, black pant, take one file in your hand. on some forms fill any random information and keep others blank. stand in-front of any ATM, Shopping Complex or theater and talk to people, give them any stupid offer ask them to fill the forms and you will see that people will fill all the details and Next step will be......to call them using that information.....as simple as that...........and while feeling the form If someone ask you about Identity card, you can always say "Sir we are freelancers we are doing this as part time job. we work on commission basis so we don't get I-Cards but If you have doubt you can see the other forms, and anyway If you are not interested in the offer It is ok... We are not forcing you to fill this" ........and If someone from bank catches you....no probs.......you are working as freelancers...you just tell that guy, Sir we selling your credit cards only now just to attract people we are telling about offers and sir dont worry no one will make any complaint.....

Just try it.....it works..........

and don't worry no one is going to check back and you will be doing this for 3-4 hours only ..........so be cool be confident, change the place if you feel that something is wrong.........

Now above is good if you are in public place........

Now What If you are in Corp. Office, What Will you do.....

Again Very Simple,

If you need to get in Any Office ( I do this a lot while doing assignments and It works very well In India )

Before Beginning Of Assignment Just do some Sniffing Around.....like how is the company, do they have diff. Gates for Visitors and for Employees. The most Imp. thing is How is Corp. Culture like all people wear suit Or they wear t-shirt in Office, Just Remember U Need to be Part Of The Group, If you look Diff. People Will ask you questions......If they have Bus which drops all employees to office, Make some frnds and try to get in the Bus, do anything to get it in, When Security see you getting down from Office Bus there is very little Chance that he will ask you something, also When you get in the office keep talking to somebody who is working there and walk in with that person only........

The best time enter is between 8.30 To 10.30 When most of the employees enters in the office - Reason - You just have to be the part of Crowd, get in there group before entering in gate, ignore security guard and just walk in.... behave like you are working there for years, even If you dont know where you are heading dont worry just follow the crowd...........

Now If Security Guard calls you from behind just wave your hand and keep walking in..........and also keep something in your upper pocket which will resembles to ID Card, just wave and keep walking............ If he runs behind you then Dont Run........... Be Cool.............Stay Calm, Stop if he runs............. Greet Him, Say Good Morning, Be nice, Dont get scared and act like you are Boss....Dont Allow Him To Take Your Control.. and take any random name of any top management guy or say that you are going in HR Dept. (HR Dept. is most common becoz of interviews, If he asks you HR name, just act like you forgot it, and then allow him to say the name, and node your head yes yes same one.........) now there are 90% chances that he will let you leave becoz Its morning time and there will be too much rush to handle........It is very rare that he will try to call that person in morning, Max to Max he will just tell you to write your name in Reg. Fill any Random name and again walk in.

If you face any access control in Office, just wait people are friendly someone will open it will for you, just give nice smile Or act like you are talking on the phone and stand near access control as soon as some one walks in you also follow him ( Tailgating......Piggybacking)

inside the office,

Just walk here and there...........see how they work, what they are doing.............. If anyone asks you what are you doing here........... tell them, " I am looking for Washroom" Or " I am looking for Accounts Dept. (before saying dept. name make sure that you are not standing in the same dept....) Or " I am looking for Xerox Machine" Say anything................... and No one will bother to ask you ............. people are busy, so no one is going to ask............and common people always get visitors in office.........so its common to see visitors.........

and rest of the thing........................common i wont tell you each and everything.................

Learn something no your own, Just think about all Naughty Things You can do in Office.................

hey But I can tell you one thing, It is good for having lunch at less price Or in most of the companies for free, just walk in canteen and stand in line, most of the companies offer free lunch now days Or ask for your employee no if you dont have money to pay, simple give any employee no and walk out as soon as possible :P .....



Shaadi.Com XSS Vulnerability

So I am a bachelor,

Want to search for my soul mate,


I am from India,
So I visited Shaadi.com,

I was searching for my bride and I noticed something in the URL,
have a look,



Oops, you can not see it. There are some stupid rules about vulnerability disclosure on the net...........

Now as I saw that ** in the URL parameter my hands started working (can't help it.......) and whoop, it worked, have a look,



Nice one, na?

Then I decided to look at what they say about Safety, Security & Privacy on their website,


I have nothing to say...............

But now you will say, is it right that I published this on my blog?

So the answer is yes,

Because I informed them and I got the following reply from them after 3 days. Now as per them it is patched, but I can still exploit it... God knows what they did.........

hmm.......... I think they might have deleted my email to claim that they never got it............... so no need to react....right....hehe, it is the same as our government: they just put all the reports in the dustbin and claim that they never got them, so no need to take any action......... :P

See what I got from customer care on the first day,



Ok, and this is what I got after 3 days,




Update = Tested on 5th Nov. Test was Negative :)