
Friday, January 18, 2013

Nipper Studio Licensing Protection Bypass

Greetings all,

Ever heard of Titania's Nipper Studio (previously known as Nipper One)? It's a security audit tool which takes in configuration files such as your Cisco running-configs or your SonicWall Enhanced OS configuration files and generates a very nice and comprehensive report on the device's current security posture. Especially when you don't have time to go through files and files of configuration, Nipper Studio will do the audit job for you. Unfortunately, it's NOT open-source (it was, but no longer) so you'll need to purchase it. For more information, visit: https://www.titania-security.com/nipperstudio

I was just evaluating the usefulness of the tool and when I decided to move my eval license (or what's left of it) over to another computer, I couldn't. The license codes won't authenticate on the new machine. So I was just looking around the directory in the hope of 'transferring' my license over, but couldn't find the license file. Guess what, it's in the registry, and after some analysis I managed to get it over. Unfortunately, I also discovered a flaw in the licensing protection. This flaw allows you to repeatedly audit devices with only 1 single working license. Hint: Work the registry ;) Such awesome software yet with poor licensing protection - what a shame! =D

*Sorry guys, I will not be sharing the step-by-step cracking as you know, lawsuit, -$, jail-term, blah.

** If you happen to be Titania, and wish to find out more on the license exploitation, please contact me: breaktoprotect@gmail.com and I'll gladly work with you to resolve this. And of course, I'd expect you to at least buy me a cup of coffee. :)

Break to protect,
J.S.


Wednesday, January 16, 2013

Kioptrix Noob-ing #1

As usual, I'll be reading PDF books on my tablet on my way to work. Train rides can get really boring. Anyhow, I'm currently reading "Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide". I'm 100+ pages into it and I must say it has been informative. Get yours at http://www.amazon.com/Advanced-Penetration-Testing-Highly-Secured-Environments/dp/1849517746 or from your *ahem* friends who might have it.

So while I'm perusing the pages, it recommended a Virtual Machine (VM) called Kioptrix, to be downloaded at http://www.kioptrix.com/blog/ for security testing purposes. The main objective is to obtain ROOT privileges through whatever ways you can think of: dictionary/bruteforce password, exploit, etc. (but since you can't do client-side attacks, you probably can't social engineer, drive-by, mitm/sniff, etc). Although port 80 (and 443) is open, you might not be able to do much via web attacks (but I might be wrong, so drop a comment if you manage to do it =P ).

Metasploit on Debian Raspberry (Soft-float) - Bad idea
Still obsessed with my little ARM friend, I tried to install Metasploit on it. BUT, big BUT, it is SLOW. I don't mean "ah, takes 15 seconds" but "WTF, it's been 5 minutes and I can't even bring up msfconsole" slow. Annoying as hell, I decided to rm -r msf3. I'll go back to BackTrack when I decide to proceed with an exploit. Yes, with several sweet ports open I would like to toss in some ready-made attacks to gain a shell. However, I shall reserve that for later.


*SPOILER ALERT*: Although I'm not pasting the results of the Kioptrix, I might reveal a few things that you may wish to discover yourself while playing around with Kioptrix. If you want to do Kioptrix all on your own without any influence/advice/help, please do not view the content below. You have been warned!

Recon & Next step against Kioptrix 
You can't do much except to see this very nice screen via VMware workstation (or vmplayer):

This VM will sit in your subnet. So if you're on 192.168.0.0/24, it might be a 192.168.0.5.
Remember, you'll need a DHCP (in this case my home router) in order for Kioptrix to get its IP.

So what I did so far:
1. Fping - sweep the whole friggin' subnet and identify the sore thumb.
2. Nmap - your fundamental reconnaissance, preferably with OS detection and NSE scripts.
* I won't be pasting the spoiler results.
3. Bruteforce - even as I speak, my good ol' Rasp pal is bruteforcing the crap out of Kioptrix.

Python SSH Bruteforce
It's the standard garden-variety bruteforcing in an attempt to log in by "guessing" the password on the SSH server listening on port 22. Either you do a dictionary attack (commonly used words, phrases, etc.) or a literal bruteforce (every combination of a character set) and then pray that you get in. Not very elegant, but heck, if it works, why not?
Btw, I'm using Christian Martorella's python program. More instructions at:
http://zeldor.biz/2011/01/how-to-bruteforce-ssh/ 
with the password list:
wget http://dazzlepod.com/site_media/txt/passwords.txt
I've been wanting to install Nessus 5 on it, but it seems to only support the i386/x86-64 architectures (the RPi is ARM). Meanwhile, I'll keep searching for decent vulnerability scanners that can be installed and used on the RPi.
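The flip side of the bruteforcing described above is what it looks like on the target. Below is an added example (not the page's or Christian Martorella's code) of the detection logic a defender would run over Kioptrix's /var/log/auth.log: it counts sshd "Failed password" lines per source IP inside a sliding time window and notes whether a login from that IP was accepted afterwards. The log lines, hostname, IPs, PIDs and the LOG_YEAR value are all constructed for the example; syslog lines carry no year, so one has to be assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the lines OpenSSH writes to /var/log/auth.log on Debian.
# Hostname, IPs, PIDs and times are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan 16 21:03:11 kioptrix sshd[2210]: Failed password for root from 192.168.0.7 port 50112 ssh2
Jan 16 21:03:12 kioptrix sshd[2210]: Failed password for root from 192.168.0.7 port 50113 ssh2
Jan 16 21:03:12 kioptrix sshd[2211]: Failed password for invalid user admin from 192.168.0.7 port 50114 ssh2
Jan 16 21:03:13 kioptrix sshd[2212]: Failed password for root from 192.168.0.7 port 50115 ssh2
Jan 16 21:03:14 kioptrix sshd[2213]: Failed password for root from 192.168.0.7 port 50116 ssh2
Jan 16 21:03:15 kioptrix sshd[2214]: Failed password for root from 192.168.0.7 port 50117 ssh2
Jan 16 21:03:40 kioptrix sshd[2215]: Accepted password for root from 192.168.0.7 port 50118 ssh2
Jan 16 21:10:02 kioptrix sshd[2290]: Failed password for john from 192.168.0.12 port 41000 ssh2
Jan 16 21:12:30 kioptrix sshd[2300]: Accepted publickey for john from 192.168.0.12 port 41001 ssh2
"""

LOG_YEAR = 2013  # assumption: syslog timestamps have no year, so we supply one

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+"
)


def parse_ts(stamp):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """One alert per source IP with >= threshold failures inside window_seconds.

    Each alert also records whether sshd accepted a login from that IP after the
    burst started, which is the case an admin cares about most (the guessing worked).
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    accepts = []                  # (timestamp, method, username, ip)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepts.append((parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        best = None   # densest qualifying window: (count, first_ts, last_ts, start, end)
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, events[start][0], events[end][0], start, end)
        if best is None:
            continue
        count, first, last, s, e = best
        success = next(
            ((user, method) for ts, method, user, aip in accepts if aip == ip and ts >= first),
            None,
        )
        alerts.append({
            "ip": ip,
            "failures": count,
            "users": sorted({u for _, u in events[s:e + 1]}),
            "first": first.isoformat(),
            "last": last.isoformat(),
            "success_after": success,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, 192.168.0.7 trips the rule with six failures in four seconds against two usernames, followed by an accepted password login for root; the single failure from 192.168.0.12 stays below the threshold. The window matters: a slow guesser spreading attempts over hours is invisible to a short window, which is why tools like fail2ban also let you raise the window or lower the threshold per service.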

Happy fun times~

Break To Protect,
J.S.

Monday, January 14, 2013

Basics FIM-ing

What's FIM?
FIM stands for 'File Integrity Monitoring'. It's a host-based IDS that detects any changes to files, especially those which sit in critical directories such as /etc/, /boot/, /lib/modules, /root/ or, on Windows, your System or System32 folder. You get to pick and choose ;)

How does it work?
The FIM computes a hash (MD5, SHA-1, etc.) of each target file or directory it is configured to protect, and securely stores these hashes as a BASELINE. Periodically, the FIM repeats the same hashing task and compares the result against the BASELINE hashes generated previously.
e.g. I want to monitor /folderX/ and its contents.
The FIM can be set to trigger warning if:
#1 Attackers add/remove files within /folderX/
or
#2 Attackers EDIT one of my existing files within /folderX/

This means that if any attacker attempts to upload foreign objects, be it malware or a netcat program into the monitored system, the FIM will trip and the administrators will start their prowl. 
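To make the baseline-and-compare idea concrete, here is an added example of a minimal FIM written for this post (it is not Tripwire's code and does not use Tripwire's policy or database formats). It hashes every regular file under a directory into a baseline, then re-hashes and reports the /folderX/ cases above: files added, files removed, and existing files edited. The demo() scenario, its file names and contents are constructed in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=65536):
    """Stream the file through the hash so large files don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its hash, size and permission bits."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def check(root, baseline):
    """Compare the live tree against the stored baseline (the 'tripwire --check' step)."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if current[k] != baseline[k]),
    }


def demo():
    """Constructed scenario: baseline a /folderX/, play attacker, then re-check."""
    tmp = Path(tempfile.mkdtemp())
    try:
        folder = tmp / "folderX"
        (folder / "bin").mkdir(parents=True)
        (folder / "config.ini").write_text("debug=0\n")
        (folder / "notes.txt").write_text("hello\n")
        (folder / "bin" / "tool").write_bytes(b"\x7fELF fake binary")
        baseline = build_baseline(folder)

        clean = check(folder, baseline)  # nothing changed yet -> empty report

        # Simulated intrusion: drop a tool (#1), edit a file without changing its
        # size so only the hash gives it away (#2), delete a file (#1).
        (folder / "nc").write_bytes(b"fake netcat")
        (folder / "config.ini").write_text("debug=1\n")
        (folder / "notes.txt").unlink()
        return clean, check(folder, baseline)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Two practical points the toy makes visible: the edit to config.ini keeps the file's size, so a size-or-mtime check alone would miss it while the hash does not; and the baseline dictionary is only worth anything if it lives where an intruder with write access to /folderX/ cannot also rewrite it (read-only media or a separate host, which is what Tripwire's signed database is for).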

So, what's cooking?
To avoid such an IDS, the first step is to play around with one in your own lab environment. So I've downloaded Tripwire (www.tripwire.org) onto my Debian Raspberry Pi to experiment a little. If you're using Debian, you can get it by:
sudo apt-get install tripwire

* If you get some funky error messages, do this first: 
sudo apt-get update

Setting up isn't hard. To trigger the Tripwire for testing purposes, just add a random txt file in your /root/: 
sudo touch /root/intrusion_vector.txt
And it should trip when you do a:
sudo tripwire --check 
But of course, these are NOT the full instructions. There are config and policy files to talk about. The steps from "compiling" the policy file, through generating the baseline database, to the cron job that periodically runs the --check command, I'm not really inclined to explain, as I've found one site which is extremely helpful. So I'll recommend Meryll Larkin's Tripwire tutorial:
http://www.alwanza.com/howTo/linux/tripwire.html
She's a lifesaver for setting this FIM up! :) Thanks, Larkin.

If you need some help, feel free to drop your comments below and I'll see what I can do.

Peace out,
J.S.

Tuesday, January 8, 2013

Hello World, and what is this?

This is an online journal to pen down my personal experience gained from performing security testing. What is to be achieved through writing this blog:
1. A Journal - a record of my findings, experience, discovery, etc. So basically a platform for my own recollection needs and at the same time share the information. Information should be free.
2. A Guide - may not be as useful for the veterans but will attempt to provide security 101 to non-security folks
3. A Challenge - for myself to consistently grow in knowledge and skills. I'm thinking of doing 'a hack a week' to bring my lazy ass to learn. Hmm...

Lastly, I'm nowhere near a pro. But I'm working towards becoming better and attempting to bring value to the community. And at times, I may be presenting the work of past giants and today's experts for educational purposes. If I've forgotten to credit you, please know that I have no intention to plagiarize nor claim credit for work I have not done, and DO email me and I'll make the wrong right. ;)

Thanks for reading!

Disclaimer: Use this site at your own risk. This site is meant for educational purposes only. And if you decide to use it for crimes and you're caught, you can be sure that you and your ass will be thrown in federal prison before you can even attempt to utter an excuse. So, be a responsible hacker who contributes to the security space, not a criminal nutcase. When in doubt about a certain tool and its potential impact, don't use it on production systems.

Break To Protect,
J.S.