17 Sep

Does Your DLP/IRM Implementation Keep You Awake At Night?

Posted by Wasim Halani in Case Study, General. Tagged: , , , .

With the fragmented manner of work culture in the 21st century, organizations have started to wake up to a fact that they cannot withhold information within the confines of their heavily guarded data-centers. Clients, employees and vendors need the information to continue smooth functioning of their businesses.

Information usually falls into anyone of the below categories:

Classification Legitimate Users Examples
Public  Visible to everyone in the world Tender documents
Internal Only for employees Memos, newsletters
Restricted Only for certain people/teams Contracts, Invoices, PO, Network Diagrams
Confidential Sensitive information – for very specific people Financial proposal
Private personal information of people Salaries, Employee HR Information

Continue reading

30 Mar

How-to: Modify Apache-Coyote/1.1 Banner

Posted by Wasim Halani in How-to, PenTest, Vulnerability. Tagged: , , , .

If you’ve ever done a penetration test or got one done, you may have come across the following scenario:

HTTP Service running on port 8080, revealing the version information of the product in it banner.
The banner  revealed is Apache-Coyote/1.1.
This is the banner of the Apache Tomcat Web Server which runs on port 8080 by default.

Apache-Coyote/1.1 Version Disclosure

Now, as per good security practice, the banner should be removed or modified, so that it no longer reveals the version number.
This can be achieved by editing your server.xml configuration file found at the below location:

CATALINA_HOME/conf/server.xml

Original server.xml reveals version information

Modified server.xml

You may need to restart your server for the changes to reflect.
Once the Tomcat server is up, test the server to see if it shows the custom header.

 

> telnet localhost 8080
HEAD / HTTP/1.0
<CRLF>
<CRLF>

Web Server with Custom HTTP Banner

 

Hope this helps others who are looking for a solution to the banner version disclosure

Check out OWASP’s article on Securing Tomcat for more details.

Wasim

22 Mar

Vulnerable Web Applications for learning

Posted by Wasim Halani in PenTest, Resource, Web Application. Tagged: , , .

Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected  all vulnerable web applications and listed them below for reference:

Continue reading

18 Mar

[Tool] Unique Pattern Generator for Exploit Development

Posted by Wasim Halani in Programming, Research, Tool. Tagged: , , .

CAUTION: I have realised, that this script gives wrong results after a certain length of characters. It’s not recommended for use. The intention for this script was for me to learn some coding – which I have. But I haven’ got the time at the moment to fix the errors. Hopefully, sometime in the future, I’ll be able to re-write the code. You can use corelanc0d3r’s pvefindaddr.py, which is an excellent script for Immunity Debugger.

Update: Thanks to corelanc0d3r for pointing out that my script does not generate an output same as the metasploit and pvefindaddr scripts. This is useful, as pointed by him, to anyone wishing to mix the outputs/offsets between the tools. I have made relevant changes to the code and also fixed another bug which prevented all offsets from being calculated.

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:
1) to generate the string pattern (tools/pattern_create.rb)
2) to find the offset of the required pattern (tools/pattern_offset.rb)
Continue reading

2 Feb

Rediffmail XSS vulnerability disclosed

Posted by Wasim Halani in Security News, Vulnerability. Tagged: , , , , , .

A member of the ‘NULL’ mailing-list today announced a ‘Persistent XSS’ vulnerability in the ‘subject’ parameter of RediffMail’s email application.
This Vulnerability was discovered and reported by w4rl0ck.d0wn and Rockey Killer of h4ck3r crew
Check out their PoC video at:
Rediffmail PoC
Continue reading

24 Dec

Windows (Trusted) Authentication Vs SQL (Mixed-Mode) Authentication

Posted by Wasim Halani in Attack Vectors, PenTest. Tagged: , , .

Just a quick post for my future reference on the differences between Trusted authentication and Mixed-mode Authentication used by SQL Server

Windows Authentication

  • When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. This means that the user identity is confirmed by Windows.
  • SQL Server does not ask for the password, and does not perform the identity validation.
  • Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication.
  • Windows Authentication
    • uses Kerberos security protocol,
    • provides password policy enforcement with regard to complexity validation for strong passwords,
    • provides support for account lockout,
    • and supports password expiration.
  • A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

SQL Authentication

  • When using SQL Server Authentication, logins are created in SQL Server that are not based on Windows user accounts.
  • Both the user name and the password are created by using SQL Server and stored in SQL Server.
  • Users connecting using SQL Server Authentication must provide their credentials (login and password) every time that they connect.
  • When using SQL Server Authentication, you must set strong passwords for all SQL Server accounts.
  • Three optional password policies are available for SQL Server logins.
    • User must change password at next login
    • Enforce password expiration
    • Enforce password policy
  • SQL Server Authentication cannot use Kerberos security protocol.
  • Supports environments with mixed operating systems, where all users are not authenticated by a Windows domain.

Source: http://msdn.microsoft.com/en-us/library/ms144284.aspx

9 Nov

Exploiting ActiveX

Posted by Wasim Halani in Attack Vectors, Research. Tagged: , .

I’ve been reading a very interesting paper over the weekend. It’s about exploiting ActiveX controls implemented in the Microsoft Windows OS (mostly IE).
The article is very lucid and easy to understand even for beginners. The paper is titled “ActiveX – Active Exploitation” and it’s written by ‘warlord’

Highly recommended. You can find the article here. I’m also adding it to my Reading Room for future reference.

« Older Entries
Follow

Get every new post delivered to your Inbox.

Join 295 other followers