ITS Blog

IT Security blog – about up to date topics on IT security

Browsing Posts in Hacking

Openwall has just released the 1.7.7 Jumbo 5 patch for John the Ripper for download

From Openwall: “This patch integrates lots of contributed patches adding support for over 40 additional hash and cipher types (including popular ones such as NTLM, raw MD5, etc.), as well as some optimizations and features. Most likely, this is the only patch you may need to apply. Requires OpenSSL 0.9.7+.”

John the Ripper (JTR) is one of the most popular password cracking tools. If you are going to break passwords, this software is the reference against which you should compare your software.


Currently I am focusing on the topic of password security and password guessing. For this work I started to analyse the famous rockyou password list. This list was leaked in December 2009 [wikipedia]. The list can be found at various sources, for example at SkullSecurity, where a lot more lists are available as well.

Taking a closer look at the passwords gives the following results:

  • 12.2% are 6-letter lower-case passwords
  • 8.4% are 7-letter lower-case passwords
  • 7.5% are 8-letter lower-case passwords
  • 7% are passwords consisting of 6 digits

As a little performance test I took a list of raw-MD5 hashes and asked John the Ripper to brute-force all lower-case words of up to 8 letters, i.e. from a to zzzzzzzz. It took around 5 hours until John had finished its work, at roughly 2.4 million words hashed per second. The work was performed on a Compaq nx9420 running Gentoo Linux. Testing the digits from 0 to 99999999 took an additional 42 seconds.

These numbers bring us to the point:

  • use long passwords (10+ characters)
  • use lower-case and capital letters
  • use digits
  • use special characters!

All of these measures increase the security of your password and help to protect your data.
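As an added example (not code from the post), a small Python script that buckets passwords by character class and length, the way the rockyou figures above are bucketed, and estimates how long exhausting each bucket would take at the 2.4 million hashes per second quoted above; the password list is a constructed sample, not the rockyou data.

```python
import string
from collections import Counter

# Hash rate quoted in the post for raw-MD5 on the Compaq nx9420.
HASHES_PER_SECOND = 2_400_000

# Constructed sample standing in for the rockyou dump (not real leaked data).
SAMPLE_PASSWORDS = [
    "monkey", "letmein", "iloveyou", "123456", "password", "abc123",
    "Tr0ub4dor&3", "qwerty", "sunshine", "654321", "princess", "P@ssw0rd!",
]

# Character classes in the order they appear in a bucket label.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("special", set(string.punctuation)),
]

def classify(password):
    """Return (class-pattern, length), e.g. ("lower", 6) or ("lower+digit", 6)."""
    used = [name for name, chars in CLASSES if any(c in chars for c in password)]
    return ("+".join(used) or "other", len(password))

def distribution(passwords):
    """Percentage of passwords per (class-pattern, length) bucket, rounded to
    one decimal, like the rockyou percentages quoted in the post."""
    counts = Counter(classify(p) for p in passwords)
    total = len(passwords)
    return {bucket: round(100.0 * n / total, 1) for bucket, n in counts.items()}

def keyspace(pattern, length):
    """Number of candidates needed to exhaust every string of exactly `length`
    characters drawn from the classes named in `pattern`."""
    wanted = pattern.split("+")
    alphabet = sum(len(chars) for name, chars in CLASSES if name in wanted)
    return alphabet ** length

def seconds_to_exhaust(pattern, length, rate=HASHES_PER_SECOND):
    """Worst-case time to try the whole bucket at the given hash rate."""
    return keyspace(pattern, length) / rate

if __name__ == "__main__":
    for bucket, pct in sorted(distribution(SAMPLE_PASSWORDS).items()):
        pattern, length = bucket
        print(f"{pct:5.1f}%  {length:2d} chars {pattern:26s} "
              f"exhaust in {seconds_to_exhaust(pattern, length):12.0f} s")
```

The 6-digit and 8-digit buckets fall in seconds at this rate, while a 10-character password mixing all four classes pushes the worst case into the millions of years.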


On Thursday at hack.lu I attended a workshop on Red Team Testing. The term comes from military jargon and means trying to break into a facility, not only electronically or over the network but also, if needed, physically. At the very beginning a video was shown of a show called Tiger Team breaking into a jewelry store. This was done on behalf of the owner. If you would like to get an impression of such things, take a look at trutv.com. They produced a show where the team broke into a car dealership.

Talking about red team testing, the testing team always needs the permission of the owner or their representatives. Without this written permission all actions are illegal and must not be performed. After obtaining the permission, the next step is to gather information on the target. This step will most likely take about 60% of the overall time of the test.

The target

Together with the customer, the business is first evaluated with respect to the three aspects of security: confidentiality, integrity, availability. For this task, a list of all parts of the business is created first. An example for a hospital could be:

  • billing
  • health care
  • credit card handling
  • client data
  • etc.

The next step is to evaluate the criticality of each aspect for each part of the business.

Looking at a hospital, it is important that patient data is kept confidential, intact and always available, simply because people can die if it is not. Dying people in a hospital will destroy this business, especially if it is the hospital's responsibility. On the other hand, looking at credit card data, confidentiality has to be high, but if the credit card information is not available for an hour it is not critical for the business; the money can be taken from the account later. After finishing the matrix, the targets for the attack are the highest-rated parts of the business.

Scope

After defining the target, the scope has to be clarified. Scope means what is allowed and what is forbidden. If the goal is to break into a facility, it has to be clarified whether you are allowed to use brute force, like driving a truck through the front door, or whether softer approaches have to be chosen. In general a good team should always be able to work without damaging the systems by force. If during the test the team encounters opportunities which are beyond the scope or which had not been discussed, a call to the customer can clarify whether the scope can or should be changed.

Information gathering

As mentioned in the beginning, 60% of the time needed is used for information gathering. During information gathering it is important to stay off the radar of the customer's security team. Therefore you cannot use port scanners or similar tools, since the customer's security team would go on red alert and raise the alert level of the target. Your victim would immediately know that it is being attacked and take countermeasures. A better way is to use Google or other sources to get information about your victim. Their website is also a good information source: looking at the job opportunities, you can learn which kind of software they use just by looking at the required skill set. For information gathering, have a look at

Maltego or Foca

Foca allows you to search for files published by the victim and extract the metadata from them. Maltego gathers information from various sources and puts everything together. Mind-mapping tools will also help to organize the collected data.

The plan

Having gathered all the information, it is time to make a plan. In the planning phase the team should not concentrate on one plan only, but also think about plans B, C, D and so on. It is always good to have a lot of options in reserve in case something unexpected happens. This can range from a security guard catching the team to the team not being able to open a lock.

The second-to-last step is then the attack itself. This step relies a lot on experience. During the attack the team should document each target which is successfully taken. This can be a picture of the team holding some documents or something similar. Whichever documentation is chosen, the customer should in the end be convinced that the goal was reached.

Debriefing

After the attack it is time to debrief the customer. The customer should get a full report covering the parts of his business together with the security aspects which have been broken. Every step performed during the attack needs to be added to the report, together with the weaknesses found and suggestions on how to improve the overall security. In this step the customer can be reminded that security is not only about performing tests, but that security is a process, a process to which the customer needs to commit himself. It is then up to the client to make the needed changes to his habits, his facility and his processes to improve security.

In this article I could only cover a very small part of the content of the workshop. I would like to thank Chris Nickerson and Ryan Jones for holding this workshop.


This is the next article in our hacking-a-website series. To hack a website we need to know the different ways to perform an attack. These ways are also called attack vectors. Our first vector is Cross-Site Scripting. Cross-Site Scripting is an attack against the user of a website: an attacker tries to insert JavaScript code into a website through the URL.

Most websites want to interact with their users. To achieve this goal, the website asks for user input. As an example, a website asks in a form for the name of the user. After entering the user name and pressing the submit button, a new page is presented which simply says “Hello xxx”, where xxx is the data the user entered in the form before. If the website does not filter the input and takes the input via the GET method (a common way to transfer data between browser and server), an attacker can create a URL which executes JavaScript code in the browser of the user. Such a URL could look like:

http://www.example.com/greet.php?name=<script>alert(1);</script>

If this page were opened, an alert window would pop up showing “1”. So, why is this causing harm?

Well, since the attacker can add any JavaScript code there, he can control the whole page. JavaScript offers methods to manipulate the content of a website: complete areas can be made invisible and new text can be added, as the attacker prefers. Besides the website itself, the attacker can also read out cookies, those small pieces of information stored in your browser which contain information about your web session. He can read out passwords which are entered into fields of the website. If the attacker adds the login form of the website, the browser fills out these fields automatically, since most users use their browser's function to store the password.

If the vulnerable website is a bank, for example, the attacker could at least steal the login credentials and have a look at the bank accounts of his victims.

A real nightmare.
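As an added example (not code from the article or from the test site), a Python model of the greet.php page above in its unfiltered and its fixed form, using the article's URL as input, plus a check that scans constructed web-server log lines for the same reflected payload so a site operator can spot such requests.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# The URL from the article, used as the test input.
ATTACK_URL = "http://www.example.com/greet.php?name=<script>alert(1);</script>"

# Constructed Apache-style access-log lines (not real traffic) for the detection check.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Nov/2009:10:00:01 +0100] "GET /greet.php?name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2009:10:00:07 +0100] '
    '"GET /greet.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1" 200 560',
]

def name_from_url(url):
    """Extract the `name` GET parameter the way the server sees it (percent-decoded)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "name":
            return unquote_plus(value)
    return ""

def greet_vulnerable(name):
    """Unfiltered version of the page: the parameter is copied straight into the
    HTML, so a <script> in the URL becomes a live <script> element in the page."""
    return f"<html><body><p>Hello {name}</p></body></html>"

def greet_hardened(name):
    """Fixed version: HTML-escape the untrusted value at the point of output.
    The browser then shows the text '<script>...' instead of executing it."""
    return f"<html><body><p>Hello {html.escape(name, quote=True)}</p></body></html>"

def contains_script_tag(page):
    """True if the response still carries a real <script> element."""
    return "<script" in page.lower()

def suspicious_requests(log_lines):
    """Return the request paths whose decoded query carries a <script> tag."""
    hits = []
    for line in log_lines:
        request = line.split('"')[1]          # 'GET /path?query HTTP/1.1'
        path = request.split(" ")[1]
        if "<script" in unquote_plus(path).lower():
            hits.append(path)
    return hits

if __name__ == "__main__":
    name = name_from_url(ATTACK_URL)
    print("vulnerable:", greet_vulnerable(name))
    print("hardened:  ", greet_hardened(name))
    print("flagged:   ", suspicious_requests(ACCESS_LOG))
```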


Following the announcement that we are going to hack a website, further preparation is needed. By now you should have installed VirtualBox to be able to run the website in a virtual environment.

What is missing are the images of our test site:

Please download the images and either install them in your virtual environment or burn them to a CD to run them on a spare system.

For your own comfort I recommend having Firefox installed on the machine you use to hack the website.

Additionally, you should have the following add-ons installed:

  • HackBar
  • Live HTTP headers
  • Firebug

These add-ons will make our life a lot easier.


In the next weeks I would like to hack a website together with you in order to have a deep look into the area of web security.

It will be shown how hackers try to execute code on a website and which typical problems can occur when a programmer writes code for a highly dynamic website. Additionally, cross-site scripting will be explained with a real-life example.

Isn’t it illegal?

Well, in general it would be. But in our case we will hack a website on our own machine.

Therefore, in the first article I will introduce you to a web application which is vulnerable. This application can be downloaded as a kind of disk image from the Internet. It is legal and free to use. But please be aware not to put this application on a computer which is accessible from the Internet. The application is so vulnerable that an attacker on the Internet could easily get full access to your computer.

This application has been developed for training purposes in order to teach developers how a hacker thinks and how easy it can be for an attacker to do harmful things.

To prepare yourself in advance, I recommend installing VirtualBox, which is a free-to-use virtualization system that can boot ISO images (a file representing the content of a CD/DVD) and runs on Windows, Linux, OS X or Solaris.

As an alternative you can burn the images to a CD/DVD and boot them on a spare system.
