Wednesday, March 14, 2012

Set up your environment for security testing

If you do not have an old Windows XP CD, you can download the Federal Desktop Core Configuration (FDCC) image from NIST.

For Windows XP, here are the download links:

http://nvd.nist.gov/download/FDCC-Q4-2009/FDCC_IMAGES/XP-Q4-2009/XP_NIST_FDCC_Q4_2009.zip

http://nvd.nist.gov/download/FDCC-Q4-2009/FDCC_IMAGES/XP-Q4-2009/XP_NIST_FDCC_Q4_2009.z01

http://nvd.nist.gov/download/FDCC-Q4-2009/FDCC_IMAGES/XP-Q4-2009/XP_NIST_FDCC_Q4_2009.z02

http://nvd.nist.gov/download/FDCC-Q4-2009/FDCC_IMAGES/XP-Q4-2009/XP_NIST_FDCC_Q4_2009.z03

The username / password for the image is:

Renamed_Admin / P@ssw0rd123456

http://www.offensive-security.com/metasploit-unleashed/Metasploitable

Metasploitable is a VMware based virtual machine running Ubuntu 8.04 server. A number of vulnerable services have been included, some of which are an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older version of MySQL server.

http://think-security.com/metasploitable-your-first-training-ground/

Here are some of the credentials you can use to log in to it:

msfadmin:msfadmin

user:user

service:service

postgres:postgres

klog:123456789

Wednesday, March 7, 2012

Penetration Testing Execution Standard

The Penetration Testing Execution Standard (PTES) is a welcome effort to standardize the penetration testing process.

It defines seven phases:

  • Pre-engagement Interactions
Agree on goals, scope, rules of engagement, timing and terms with the customer before any testing starts.
  • Intelligence Gathering
Collect everything available about the target, from open sources and from active probing, to map its attack surface.
  • Threat Modeling
Work out which assets matter most to the business and which attackers and attack paths realistically threaten them, so the test concentrates effort where a real adversary would.
  • Vulnerability Analysis
Combine the gathered intelligence with scanning and manual analysis to discover weaknesses and decide which attacks are actually viable.
  • Exploitation
Gain access by exploiting the identified weaknesses, within the limits the rules of engagement allow.
  • Post Exploitation
Establish what the compromised systems do, what data and user roles they hold, and how far access could be extended, while staying inside scope.
  • Reporting
Deliver the findings to the client with risk ratings and remediation advice.

CISSP

Today I received an email notification that I have become a CISSP. Cheers!

Tuesday, March 6, 2012

Some links for log4net

Here are some good links for learning log4net:

http://www.beefycode.com/post/Log4Net-Tutorial-pt-1-Getting-Started.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-2-Basic-XML-Configuration.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-3-Appenders.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-4-Layouts-and-Patterns.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-5-Using-Logger-Objects.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-6-Log-Event-Context.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-7-Filters.aspx

http://www.beefycode.com/post/Log4Net-Tutorial-pt-8-Lossy-Logging.aspx

http://www.beefycode.com/post/Log4Net-Recommended-Practices-pt-1-Your-Code.aspx

http://www.beefycode.com/post/Death-By-Logging-1-Logs-Consume-Space.aspx

http://actcode.com/2009/11/net-application-logging-with-log4net-in-console-file-database/

Year of Security for Java by John Melton

John Melton wrote some wonderful posts on Java web security:

Year of Security for Java – Week 1 - Session Fixation Prevention

Year of Security for Java – Week 2 – Error Handling in web.xml

Year of Security for Java – Week 3 – Session Cookie Secure Flag

Year of Security for Java – Week 4 – Session Cookie HttpOnly Flag

Year of Security for Java – Week 5 – Clickjacking Prevention

Year of Security for Java – Week 6 – CSRF Prevention in Java

Year of Security for Java – Week 7 – Content Security Policy

Year of Security for Java – Week 8 – HTTP Strict Transport Security

Year of Security for Java – Week 9 – X-Frame-Options

OWASP Top 10

The OWASP Top 10 identifies the most serious security risks for web applications.

https://www.owasp.org/index.php/Top_10_2010-Main

Troy Hunt wrote an excellent series, “OWASP Top 10 for .NET developers”, walking through each item:

1. Injection

2. Cross-Site Scripting (XSS)

3. Broken Authentication and Session Management

4. Insecure Direct Object References

5. Cross-Site Request Forgery (CSRF)

6. Security Misconfiguration

7. Insecure Cryptographic Storage

8. Failure to Restrict URL Access

9. Insufficient Transport Layer Protection

10. Unvalidated Redirects and Forwards

Here are some other interesting links related to the OWASP Top 10:

http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

http://resources.infosecinstitute.com/owasp-csrf/

http://resources.infosecinstitute.com/owasp-url-access/

Friday, March 2, 2012

Hide some server response headers

Troy Hunt’s post “Don’t let your response headers talk too loudly” covers this.

Four headers can leak information about the server stack:

  • Server: The web server software being run by the site. Typical examples include “Microsoft-IIS/7.5”, “nginx/1.0.11” and “Apache”.

Solution: The easiest way is to install UrlScan and set RemoveServerHeader=1 in its configuration file, UrlScan.ini.


  • X-Powered-By: The collection (there can be multiple) of application frameworks being run by the site. Typical examples include: “ASP.NET”, “PHP/5.2.17” and “UrlRewriter.NET 2.0.0”.

Solution: Go to the IIS configuration of the website, locate the “HTTP Response Headers” item and remove “X-Powered-By”.

  • X-AspNet-Version: Obviously an ASP.NET only header, typical examples include “2.0.50727”, “4.0.30319” and “1.1.4322”.

Solution: Modify web.config:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>


  • X-AspNetMvc-Version: Again, you’ll only see this in the ASP.NET stack and typical examples include “3.0”, “2.0” and “1.0”.

Solution: In Global.asax, add this line to the Application_Start event handler:

MvcHandler.DisableMvcResponseHeader = true;

Troy’s ASafaWeb scanner (http://asafaweb.com/) also checks a site for these headers. Hiding them is hygiene rather than a control: it makes fingerprinting harder but fixes nothing in the stack it hides, so patching still comes first.
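A quick way to check a site for the four headers above is to parse the response and flag whichever of them is present, taking care to collect repeated headers rather than overwrite them, since X-Powered-By is often sent more than once. The script below is an added example written for this post; it is not Troy Hunt’s code or ASafaWeb’s. The two sample responses are constructed for the demo: one as a chatty ASP.NET MVC site sends it before the four fixes, one as the same site should look afterwards. Only audit_url talks to the network and it is not used by the offline demo.

```python
"""Flag HTTP response headers that disclose the server stack.

Added example (not Troy Hunt's or ASafaWeb's code). Parses a raw HTTP
response and reports the four disclosing headers discussed above; the
sample responses are constructed for this demo.
"""
import http.client
from collections import defaultdict

# Headers that reveal the web server, framework or version.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into
    {lowercased-name: [values...]}. Repeated headers (common for
    X-Powered-By) are collected, not overwritten."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:     # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit_headers(headers: dict) -> dict:
    """Return only the disclosing headers that are present, with their values."""
    return {name: headers[name] for name in LEAKY_HEADERS if name in headers}


def audit_url(host: str, path: str = "/", port: int = 80) -> dict:
    """Live check: send a HEAD request and audit the response headers.
    Needs network access; not used by the offline demo below."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        headers = defaultdict(list)
        for name, value in resp.getheaders():
            headers[name.lower()].append(value)
        return audit_headers(dict(headers))
    finally:
        conn.close()


# Constructed sample: a chatty ASP.NET MVC response before the four fixes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-AspNetMvc-Version: 3.0\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-Powered-By: UrlRewriter.NET 2.0.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same response after the fixes; nothing should be reported.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        findings = audit_headers(parse_headers(raw))
        print(f"{label}: {findings or 'no disclosing headers'}")
```

Run it against a real host with audit_url("www.example.com") once the four changes are deployed; an empty result means the headers are gone, but remember that the stack behind them is unchanged.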

Thursday, March 1, 2012

Agile and security

Here are two different views:

What's your take?

RSA 2012 #sophospuzzle

Came across this puzzle today at

http://nakedsecurity.sophos.com/2012/02/27/take-on-the-rsa-2012-sophospuzzle-and-win-a-nerf-gun/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+nakedsecurity+(Naked+Security+-+Sophos)

It looks like an interesting problem. The first step is to copy and paste the C program into a text editor:

#include~!int~putchar(int~c);char~*m="noncen.cmh/alu/puyxs.hrhb\xd\xa";void~main(int~argc,char~**argv){if(argc>1&&strlen(argv[1])==8){int~i=0;while(*m){putchar(*m+(*m<0x41?0:argv[1][(++i>8?i=1:i)-1]-0x61));m++;};};}

After some minor twisting (replace each "~" with a space and turn the broken "#include" line into a real "#include <string.h>" so that strlen is declared), it compiles. It accepts a single argument of exactly eight characters. Trying abcdefgh gives the output nppfis.ith/bnx/tzs.itkf. The real output is two bytes longer: the y and x in the constant string are shifted by 6 and 7 to 0x7F (DEL), which does not print.

Reading the source, the program is a simple shift cipher between the command-line argument and the constant string "noncen.cmh/alu/puyxs.hrhb\xd\xa". Each byte with an ASCII value of 0x41 or more is shifted up by (key character - 'a'); the key index cycles through the eight argument characters and advances only on shifted bytes; anything below 0x41 (here '.', '/', CR and LF) passes through unchanged. Since the puzzle comes from sophos.com, the obvious guess is that "noncen.cmh" should decode to "sophos.com". With that known plaintext each key character falls out directly as (plaintext byte - ciphertext byte + 'a'), and the eight letters of the guess cover all eight key positions. A couple of trials confirm that this is the right path. Here is the so-called password:

./test2 facfkfac

sophos.com/anz/zzyzx.html
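The same stage, worked in Python, as an added example written for this post (it is neither the puzzle's code nor the original post's script). encode is a line-for-line port of the C loop, with the constant string M and the eight-character key length taken from the C source; recover_key goes one step beyond the trial-and-error in the text and derives the whole password from the single guess that "noncen.cmh" reads "sophos.com".

```python
"""Python port of the puzzle's C program and a known-plaintext key recovery.

Added example, not code from Sophos or from the original post. encode()
reproduces the C program's output byte for byte; recover_key() derives the
eight-character password from one known plaintext instead of by trial.
"""

# The constant string m from the C source (\xd\xa is CR LF).
M = b"noncen.cmh/alu/puyxs.hrhb\r\n"
KEY_LEN = 8


def encode(key: str, m: bytes = M) -> bytes:
    """Mirror of the C loop. Bytes below 0x41 ('.', '/', CR, LF) pass through
    unchanged and do not consume a key position; every other byte is shifted
    by (key[i] - 'a'), with i cycling through the key's eight characters."""
    if len(key) != KEY_LEN:
        raise ValueError("the program only accepts an 8-character argument")
    out = bytearray()
    i = 0                      # key index, advanced only on shifted bytes
    for c in m:
        if c < 0x41:
            out.append(c)
        else:
            # putchar() writes the low byte of the int it is given.
            out.append((c + ord(key[i]) - ord("a")) & 0xFF)
            i = (i + 1) % KEY_LEN
    return bytes(out)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> str:
    """Known-plaintext attack: each shifted position gives key[i] = p - c + 'a'.
    Returns the key once all eight positions are fixed; raises if the known
    text is too short, or contradicts itself (a wrong guess)."""
    key = [None] * KEY_LEN
    i = 0
    for c, p in zip(ciphertext, known_plaintext):
        if c < 0x41:
            if c != p:
                raise ValueError("pass-through byte does not match the guess")
            continue
        k = chr(p - c + ord("a"))
        if key[i] is not None and key[i] != k:
            raise ValueError(f"contradiction at key position {i}")
        key[i] = k
        i = (i + 1) % KEY_LEN
    if None in key:
        raise ValueError("known plaintext too short to fix every key position")
    return "".join(key)


if __name__ == "__main__":
    # "abcdefgh" gives the output quoted in the post; its two 0x7F (DEL)
    # bytes are invisible when printed, which is why the post shows 23 characters.
    print(encode("abcdefgh"))
    password = recover_key(b"noncen.cmh", b"sophos.com")
    print(password, encode(password).decode())
```

The contradiction check in recover_key is what makes the guess falsifiable: "noncen.cmh" is ten letters against an eight-character key, so the ninth shifted byte (h → m) lands on key position 0 again and must agree with the first.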

The instructions for the second step come from http://www.sophos.com/anz/zzyzx.html

The DECODEME fashion test

Take the text of an RFC - call it RFC x. Append the eight-character password from the previous stage of the puzzle. Append the text of some other RFC - call it RFC y. (For what it's worth, x and y are different.)

The data lump you've just created will have this MD5:

01b9e8adf4dd660c7e4cb6dd8a304691

Now, compute the product of x and y, and find the smallest integer greater than xy which has exactly two prime factors.

Email the larger of these prime factors to:

duck@sophos.com

before 3pm San Francisco time on Thursday 01 March 2012. (That's 2012-03-01T15:00-5.)

You will be entered in a draw to win a NERF N-STRIKE Vulcan EBF-25.

If you are at the RSA 2012 conference, you have extra chances to win! Wear the puzzle shirt and be on the Sophos booth (#1817) at 2.10pm on Tuesday, Wednesday and Thursday. For further details, check out Naked Security.

You can follow Paul Ducklin and the puzzle on Twitter. Look for the hashtag #sophospuzzle.

Of course, you can also stop by the Sophos Booth (#1817) whenever you like to ask for advice. You never know – you might catch one of us in an unguarded moment.

The problem is to find two RFCs whose contents, combined with the password (facfkfac), produce the MD5 hash 01b9e8adf4dd660c7e4cb6dd8a304691. How many RFCs are there? According to http://www.rfc-editor.org/rfc-index2.html, there are 6557. Let's download them to the local machine with curl:

curl -o "rfc#1.txt" http://www.ietf.org/rfc/rfc[1-6557].txt

Next, a Python script is written to compute the MD5 of rfcx.txt + password + rfcy.txt for every pair and stop at the first match. This approach did not work: no matching MD5 was found. The only explanation is that these RFC texts are not byte-for-byte identical to the ones the puzzle creator used. As another approach, all RFC texts can be downloaded from ftp://ftp.rfc-editor.org/in-notes/tar/RFC-all.zip

A quick comparison of rfc1.txt from the two sources shows the difference: the curl copy is 21088 bytes with MD5 99c9bdf9b63044f27de4fa8ac8ccba38, while the copy from the FTP archive is 21707 bytes with MD5 ee350c347a17f0b46564c113667be323. A 619-byte difference in an otherwise identical text file is most likely the line endings (CRLF in the archive versus LF), one extra byte per line.

The same Python script, run against the new text files, finds a match:

6533
6532
6531
6530
6529
6528
*****Matched***** (6528, 6533) => 01b9e8adf4dd660c7e4cb6dd8a304691

Bingo! We now have two numbers, 6528 and 6533, whose product is 42647424. The last hurdle is to find the smallest number above it that has exactly two prime factors.

A Google search found a decent divisor routine at http://stackoverflow.com/questions/171765/what-is-the-best-way-to-get-all-the-divisors-of-a-number

A simple modification of it gives the magic number:

42647426

[1, 2, 21323713, 42647426]

The larger prime factor is 21323713. Puzzle solved. Now it is time for a NERF gun, although I do not think I have any chance.
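The second stage end to end, as an added example written for this post rather than the original script: find_pair does the pairwise MD5 search and smallest_semiprime_above the number-theory step. Two details are worth the code. First, the MD5 state of "RFC x + password" is computed once per x and copied for each y, so every candidate pair costs a single update with the text of RFC y instead of hashing the prefix again. Second, the factorization stops as soon as a third factor appears, since that candidate can no longer qualify. The corpus here is a small constructed stand-in for the rfc<n>.txt files and the demo target is derived from it, so the block runs offline; with the real archive, load_rfc_corpus reads the files in binary mode and the puzzle's own target hash goes in place of DEMO_TARGET. The real numbers appear only in the final assertion on the semiprime, which does not need the RFC texts.

```python
"""Second stage of the puzzle: MD5 pair search, then smallest semiprime above x*y.

Added example, not the original post's script. DEMO_CORPUS and DEMO_TARGET are
constructed so the search runs offline; the semiprime step uses the real
numbers 6528 and 6533 from the post.
"""
import hashlib
import os

PASSWORD = b"facfkfac"


def load_rfc_corpus(directory: str, first: int, last: int) -> dict:
    """Read rfc<n>.txt for n in [first, last] as raw bytes. 'rb' matters:
    text mode would translate line endings and change every hash."""
    corpus = {}
    for n in range(first, last + 1):
        path = os.path.join(directory, f"rfc{n}.txt")
        if os.path.exists(path):
            with open(path, "rb") as fh:
                corpus[n] = fh.read()
    return corpus


def find_pair(corpus: dict, target_hex: str, password: bytes = PASSWORD):
    """Return (x, y), x != y, with md5(corpus[x] + password + corpus[y]) == target,
    or None. The prefix state md5(x + password) is built once per x and
    copied for every y, so each pair costs one update with RFC y."""
    numbers = sorted(corpus, reverse=True)      # the post's search counted down
    for x in numbers:
        prefix = hashlib.md5(corpus[x] + password)
        for y in numbers:
            if y == x:                          # the rules say x and y differ
                continue
            h = prefix.copy()
            h.update(corpus[y])
            if h.hexdigest() == target_hex:
                return (x, y)
    return None


def prime_factors(n: int, limit: int = None) -> list:
    """Trial-division factorization with multiplicity. With limit set, return
    early once more than `limit` factors are found: the remainder is then
    left unfactored, but the count is already too high to matter."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
            if limit is not None and len(factors) > limit:
                return factors
        d += 1 if d == 2 else 2                 # 2, then odd numbers only
    if n > 1:
        factors.append(n)
    return factors


def smallest_semiprime_above(n: int) -> tuple:
    """Smallest integer > n with exactly two prime factors counted with
    multiplicity. Returns (number, [p, q]) with p <= q."""
    candidate = n + 1
    while True:
        f = prime_factors(candidate, limit=2)
        if len(f) == 2:
            return candidate, f
        candidate += 1


# Constructed stand-in for the rfc<n>.txt files (not real RFC text).
DEMO_CORPUS = {
    6528: b"Network Working Group\r\nRequest for Comments: 6528\r\n...\r\n",
    6529: b"Network Working Group\r\nRequest for Comments: 6529\r\n...\r\n",
    6533: b"Network Working Group\r\nRequest for Comments: 6533\r\n...\r\n",
}
# Derived from the constructed corpus so the demo is self-checking offline.
DEMO_TARGET = hashlib.md5(DEMO_CORPUS[6528] + PASSWORD + DEMO_CORPUS[6533]).hexdigest()

if __name__ == "__main__":
    x, y = find_pair(DEMO_CORPUS, DEMO_TARGET)
    number, (p, q) = smallest_semiprime_above(x * y)
    print(f"matched ({x}, {y}); {x}*{y} = {x * y}; answer {number} = {p} * {q}; send {q}")
```

With 6557 RFCs the search is about 43 million candidate pairs, each costing one MD5 update over the tens of kilobytes of RFC y, so even with the prefix trick it is a long single-threaded run; splitting the outer loop over x across processes is the easy way to cut it down.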

Lesson learned:

Always open files in binary mode ('rb') when computing an MD5 (or any other) hash. In text mode the runtime translates line endings (for example CRLF to LF), so the bytes you hash are not the bytes on disk, and the digest will not match one computed on the original file.
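The failure mode in that lesson, demonstrated as an added example written for this post (not the original script): the same file is hashed once through a text-mode read and once through a binary-mode read. The file content is constructed with CRLF line endings, as the archive copies of the RFCs appear to have; in text mode Python's universal newlines turn each CRLF into LF before the bytes ever reach the hash.

```python
"""Text mode versus binary mode when hashing a file.

Added example, not the original post's script. The CRLF sample content is
constructed; the temporary file is created and removed by demo().
"""
import hashlib
import os
import tempfile

# Constructed file content with Windows-style line endings.
CRLF_SAMPLE = b"Network Working Group\r\nRequest for Comments: 1\r\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_both_ways(path: str) -> dict:
    """Hash one file opened in text mode (universal newlines: CRLF -> LF)
    and in binary mode. Returns {'text': (digest, nbytes), 'binary': (...)}."""
    with open(path, "r") as fh:             # text mode: each '\r\n' arrives as '\n'
        text_bytes = fh.read().encode()
    with open(path, "rb") as fh:            # binary mode: exactly the bytes on disk
        raw = fh.read()
    return {
        "text": (md5_hex(text_bytes), len(text_bytes)),
        "binary": (md5_hex(raw), len(raw)),
    }


def demo() -> dict:
    """Write the CRLF sample to a temporary file and hash it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "rfc1.txt")
        with open(path, "wb") as fh:
            fh.write(CRLF_SAMPLE)
        return hash_both_ways(path)


if __name__ == "__main__":
    result = demo()
    print("text mode  :", result["text"])
    print("binary mode:", result["binary"])
```

The byte count drops by exactly one per line in text mode, the same one-byte-per-line gap seen between the curl and FTP copies of rfc1.txt above, and the two digests differ; only the binary-mode digest can ever match a hash someone computed on the file itself.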