OSCP Certified
28 Feb 2011
Security, Programming, Pentesting
I just found out that I passed my OSCP certification challenge. If you have not considered taking the OSCP challenge from Offensive Security, I would highly recommend it.
Ivil is an XML schema used to exchange vulnerability information. You can read about it here. You can download it here. I like the project but I don't like Perl. So I wrote a small python module to handle ivil files.
Here's the docstring...
This module defines an ivil class and allows you to create and populate an ivil object. In addition, an ivil object can be loaded from an xml file or can be written to an xml file. The ivil class is based on ivil version 0.2
You can download the ivil module here.
I would appreciate any comments or feedback.
Unfortunately, I have lost this script. When I find it or rewrite it, I will post it here.
I saw this on Twitter, so I made this. It uses the TTL on the ping packet to represent a '.', '-', or ' '. Don't know if this works, but here it is.
```python
import random
import os

# Morse code table. The original table mapped both '(' and ')' to '-.--.-';
# '(' is '-.--.' in standard Morse, so that entry is corrected here.
code = {'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
        'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
        'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
        'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
        'Y': '-.--', 'Z': '--..',
        '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
        '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
        ',': '--..--', '.': '.-.-.-', ' ': ' ', '_': '..--.-', '?': '..--..',
        ';': '-.-.-.', ':': '---...', "'": '.----.', '-': '-....-', '/': '-..-.',
        '(': '-.--.', ')': '-.--.-'}


def encode(s):
    """Convert a string to its Morse representation ('.', '-', ' ').
    Note that letters are concatenated with no separator between them."""
    mstr = ''
    for c in s:
        mstr += code[c]
    return mstr


def mstr2packets(d, mstr):
    """Send one ICMP packet per Morse symbol, with the TTL chosen from a
    range that represents a '.', '-', or ' ':
    ttl < 80 = '.', 80 < ttl < 160 = '-', 160 < ttl = ' '
    'ping -n 1 -i <ttl>' is the Windows ping syntax (-n count, -i TTL);
    on Linux -i is the interval and -t sets the TTL."""
    for c in mstr:
        if c == '.':
            t = random.randrange(24, 80)
        elif c == '-':
            t = random.randrange(104, 160)
        elif c == ' ':
            t = random.randrange(184, 254)
        else:
            continue  # skip anything that is not a Morse symbol
        ping = 'ping -n 1 -i ' + str(t) + ' ' + d
        print(ping)
        os.system(ping)


word = "a"
mstr = encode(word.upper())
dest = '192.168.170.1'
mstr2packets(dest, mstr)
```
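The detection-side counterpart, added here as an example and not part of the original post: hosts normally send ICMP echo requests with a fixed initial TTL (64, 128 or 255 minus a few hops), so a source whose echo-request TTLs jump between packets stands out. The records, the `INITIAL_TTLS`/`MAX_HOPS` thresholds and the function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample of (src, dst, ttl) observed on ICMP echo requests; not
# real traffic. 10.0.0.5 behaves normally, 10.0.0.9 varies its TTL per packet.
SAMPLE = [
    ("10.0.0.5", "192.168.170.1", 64), ("10.0.0.5", "192.168.170.1", 64),
    ("10.0.0.5", "192.168.170.1", 64), ("10.0.0.5", "192.168.170.1", 64),
    ("10.0.0.9", "192.168.170.1", 33), ("10.0.0.9", "192.168.170.1", 120),
    ("10.0.0.9", "192.168.170.1", 201), ("10.0.0.9", "192.168.170.1", 45),
    ("10.0.0.9", "192.168.170.1", 150),
]

# Common OS initial TTLs (assumed set). An observed TTL is the initial value
# minus the hop count, so anything within MAX_HOPS below one of these looks normal.
INITIAL_TTLS = (32, 64, 128, 255)
MAX_HOPS = 30


def plausible_ttl(ttl):
    """True if ttl is at most MAX_HOPS below a common initial TTL."""
    return any(0 <= init - ttl <= MAX_HOPS for init in INITIAL_TTLS)


def ttl_to_symbol(ttl):
    """Map a TTL back to a Morse symbol using the ranges from the post."""
    if ttl < 80:
        return '.'
    if ttl < 160:
        return '-'
    return ' '


def find_ttl_channels(records, min_packets=4, min_distinct=3):
    """Return {src: morse} for sources that sent at least min_packets echo
    requests with either an implausible TTL or >= min_distinct distinct TTLs."""
    by_src = defaultdict(list)
    for src, _dst, ttl in records:
        by_src[src].append(ttl)
    flagged = {}
    for src, ttls in by_src.items():
        if len(ttls) < min_packets:
            continue
        implausible = any(not plausible_ttl(t) for t in ttls)
        if implausible or len(set(ttls)) >= min_distinct:
            flagged[src] = ''.join(ttl_to_symbol(t) for t in ttls)
    return flagged
```

A real sensor would read the tuples from a packet capture or flow logs; the thresholds are a starting point, not a tuned rule.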
The answer to this question depends heavily on the maturity of your information security program. Let me explain.
No, an internal penetration test would be like shooting fish in a barrel. You need to start by doing a risk assessment, which should include a list of all your assets, potential risks to those assets, and controls to mitigate the risks. Then, you need to implement the identified controls, which will include written policies and technical controls. The risk assessment should be updated regularly. You may also consider hiring an information security consultant to assist you in the process.
No, an internal penetration test would find a number of vulnerabilities, but without an effective vulnerability management program you will not see much value in the penetration test. Instead, you should have an outside review of your implemented controls to confirm they are sufficient to mitigate the identified risks. You should also implement a vulnerability management program to identify potential hardware and software vulnerabilities. Your risk assessment, policies, and procedures should be updated based on the results of the controls review and vulnerability assessment.
Yes, an internal penetration test would serve as a valuable method of auditing your vulnerability management program and will also help you identify potential weaknesses in your change management and update management policies and procedures.
I realize this is an oversimplification, but the point is that an internal penetration test will not provide significant value unless you have a mature information security program in place. Instead, consider either a vulnerability assessment or getting outside help developing an information security program, depending on your maturity level.
There are two primary methods for cracking passwords: dictionary attacks and brute force attacks. With both methods, a candidate password is generated, hashed, and compared to the hash of the unknown password. If the hashes match, then we have found our password; otherwise, we move to the next candidate. In a dictionary attack the candidate passwords are generated from a word list. In some cases the words are modified to add capital letters, numbers, or symbols. Dictionary attacks run much faster than a brute force attack because the number of candidate passwords is much smaller, but there is no guarantee you will find the password. A brute force attack can guarantee you will find the password but can take a very long time to run.
What I want to do is attempt to get the efficiency of a dictionary attack with the effectiveness of a brute force attack by looking at the frequency analysis of previously cracked passwords. Skull Security maintains lists of previously cracked passwords, including passwords for phpbb, hotmail, and rockyou. I used a script to identify and count each character in each of the files. I then calculated the percent of total characters each character represents and then a cumulative percentage. Using these numbers I was able to find the character set that represented approximately 90% of all the characters in the file.
Filename | # of Chars in File | # of Chars in 90% Set | 90% Character Set |
---|---|---|---|
Hotmail | 91 | 29 | aeoi1r0ln2st9m8c3756u4dbphgyv |
phpbb | 119 | 29 | aeoir1nstl02md3chpbu94k8576gy |
rockyou | 211 | 29 | ae10i2onrls938t45m67cdyhubkgp |
I was surprised to see how many characters overlapped in each of the 90% sets. Next, I used a script to determine how many passwords in each file could be found using only the characters in the 90% set. Then I combined each of the 90% sets and determined how many passwords in each file could be found using the combined set.
Filename | % Passwords in 90% Set | % Passwords in Combined Set |
---|---|---|
Hotmail | 64 | 77 |
phpbb | 59 | 74 |
rockyou | 58 | 73 |
In all three files the combined set found over 70% of the passwords. It looks like the frequency analysis could be useful in improving brute force password attacks. In another post I will put this theory to the test by attacking a different set of passwords.
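The analysis described above (count every character, take the most frequent ones until they cover 90% of all characters, then measure how many passwords use only that set, and again for the union of several sets), as an added example that is not the author's script. The password list is constructed for illustration, and ties between equally frequent characters are broken alphabetically so the result is deterministic.

```python
from collections import Counter

SAMPLE_PASSWORDS = [  # constructed sample, not taken from any real leak
    "password", "letmein", "abc123", "iloveyou", "sunshine", "qwerty",
    "monkey", "dragon", "123456", "baseball", "princess", "p@ssw0rd!",
]


def coverage_set(passwords, fraction=0.90):
    """Return the characters, most frequent first, that together account for
    at least `fraction` of all characters across `passwords`."""
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    # sort by descending count, then by character so ties are deterministic
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, running = [], 0
    for ch, n in ranked:
        chosen.append(ch)
        running += n
        if running / total >= fraction:
            break
    return "".join(chosen)


def share_covered(passwords, charset):
    """Fraction of passwords made up entirely of characters in `charset`."""
    allowed = set(charset)
    hits = sum(1 for p in passwords if set(p) <= allowed)
    return hits / len(passwords)


def combined_set(*charsets):
    """Union of several coverage sets, e.g. the 90% sets of different files."""
    return "".join(sorted(set("".join(charsets))))


if __name__ == "__main__":
    s90 = coverage_set(SAMPLE_PASSWORDS)
    print(len(s90), s90)
    print(round(100 * share_covered(SAMPLE_PASSWORDS, s90)))
```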
If you want an in depth study of character frequency analysis of password files then check out Matt Weir's work at reusablesec.blogspot.com.