Category Archives: Info Security

Burp Suite installation and features

The other day I came across a social media post that was about utilizing Burp Suite to identify vulnerabilities in web applications. I had heard of Burp before but never really had the chance to play around with it – until now.

Just like a lot of other security tools, Burp has a community version along with its commercial product. I decided to download the free edition from here in my home lab.  The installation process is straightforward and in no time you have Burp up and running. Here is how the initial interface looks like:

Burp

Right when I finished my installation of  Burp, I realized that I did not have a web application running in my lab that I could use to test Burp against. Bummer! Now I had to decide between setting up a web server myself or finding a commercial distribution that came pre-built with one. This was a no-brainer – and within minutes I found a few distributions that were designed for testing and learning web application security; such as SamuraiWTF, WebGoat and Kali Web Application Metapackages. I decided to go with SamuraiWTF.

SamuraiWTF gives you the option to run from a live disk or install it in a VM. I decided to install the VM. Here is a good guide to the installation process. I give my VM instance 4GB RAM and 3 cores; more than enough horsepower.

This distribution comes pre-installed with Mutillidae, which is a “free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts”. This was perfect for what I was looking for. Setting up the Mutillidae in pretty simple – all I had to do was change my network configurations to NAT and that was it. However, if you need more information on configuration here are some great video guides on Mutillidae; in fact, I used some of these myself while configuring Burp to work with Mutilliade.

After finishing all of the above prep work, I was ready to run Burp!

For those who are not familiar with Burp, it’s an interception proxy which sits between your browser and the web server and by doing so it is able to intercept requests/responses and provides you the ability to manipulate the content. To do so you have to configure Burp as your proxy. On your VM, this would be your localhost (Proxy Tab > Options):

Proxy

Likewise, you would have to configure your browser to that same proxy. Here is my proxy configuration on Firefox:

Firefox Proxy Configuration

Now as you navigate through your Mutilliadae webpage, all your requests should go through Burp. One thing you have to do is turn on the Intercept option in Burp. It’s under Proxy > Intercept.

What this allows you to do is see the request as its made but gives you the control to either forward it to the web server or simply drop the request (like a typical MiTM). For example, on the login page of Mutilliade i used admin name and admin123 password. And as soon as I hit “Login” I saw the request being made from my browser to the web server in Burp:

Burp Intercept

In the screenshot above, you can see the two options: Forward and Drop. If you hit forward, the web server will receive this request from your browser and will respond as it would normally. In this case, the account I used to log in did not exist:

Web Server Respose

Burp has the capability to also capture the responses. It is an option that you can turn on by going to Proxy > Options and towards the middle of the page you will see “Intercept Server Responses”. By turning this on you will be able to see and control both sides of the requests:

Request and Response

If you look at Target > Site Map; on the left pane you will see a list of all the sites that you have visited with the Burp proxy on:

History Map

One advantage of the above feature is that it allows you to go back and revisit requests and responses. The sites that are in grey color are those that are available on the target web page but you have not visited them.

Another neat feature is that if you do not want to visit each page individually you can run the “Spider” feature which will map the whole target page for you.

Spider

If you go under Spider > Control you are able to see the status of the Spider as it runs:

Spider Status

When you intercept request or response, you have the ability to send that to other features of Burp. You are able to view these additional options by right-clicking on the intercept:

Intercept Additional Options

Towards the bottom of the official Burp Suite guide page here you can see a brief description of most of the options shown in the screenshot above. The one I found really neat is the “Repeater” option which allows you to modify and re-transmit requests repeatedly without having the need to perform new intercepts each time.

This concludes my brief journey of getting started with Burp using SamuraiWTF. There is a whole lot more than I had the chance to explore but here is a great reference for advanced topics.

Below  is a quick blurb on some of Burps features:

Spider: crawls the target and saves the numerous web pages that are on the target.

Intruder: automated attack feature which tries to automagically determine which parameters can be targeted i.e. fuzzing.

Fuzzing options: Sniper (fuzz each position one-by-one), Battering Ram (all positions on the target receive one payload), Pitchfork (each target position is fuzzed in parallel) Cluster Bomb (repeats through payloads for multiple positions at once).

Proxy: used to capture requests & responses to either just monitor or manipulate and replay.

Scope: controls what (pages, sites) is in/out of the test “scope”.

Repeater: manually resubmit requests/responses; allows modification.

Sequencer: used to detect predictability of session tokens using various built-in tests i.e. FIPS 140-2.

Decoder: allows encoding/decoding of the target data i.e. BASE64, Hex, Gzip, ASCII, etc.

Comparer: allows side-by-side analysis between two requests/responses.

Cheers!

Tagged , , ,

How do botnets work?

How does it feel to know that your personal computer can be remotely controlled by someone without your knowledge for ill purposes? Or worse, instead of a single individual having this unauthorized access to your system it can be a group of people over the internet that controls what your computer does and how it does it. In the field of Information Security, if your system is involved in such control it is considered a bot: a computer system being controlled by an automated malicious program. In addition, your computer system can be part of a larger group of infected computer systems and these collections of infected computers create botnets. Casually, these bots are also referred to as zombies and the remote controller is called the botmaster. So how are these bots born and grow into botnets?

According to Damballa, an independent security firm’s annual threat report, “at its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of 8 percent per week ”. Originally, these bots are developed by tech-savvy criminals who develop the malicious bot code and then usually release on the open internet. While on the internet, the bot can perform numerous malicious functions based on its code design but it most cases it spreads itself across the internet by searching for vulnerable, unprotected computers to infect. After compromising victims’ computers, these bots quickly hide their presence in difficult to find locations, such as computer operating system files. The botmaster’s goal here is to maintain the compromised system behavior as normal as possible so the victim does not become suspicious. Common activities that bots perform at this stage involve registering themselves as the trusted program in any anti-virus program that might be on the victim’s computer. Moreover, to maintain persistence, bots add their operations in systems startup functions which results in bots automatically reactivating even after shutdown/restart. Throughout this process, bots continue to report back to the botmaster and wait for further instructions.

Below lists some of the common operations that bots can perform on behalf of its botmaster:

Sending
Stealing
DoS (Denial of Service)
Clickfraud
They send
– spam
– viruses
– spyware
They steal personal and private information and communicate it back to the malicious user:
– credit card numbers
– bank credentials
– other sensitive personal information
Launching denial of service (DoS) attacks against a specified target. Cybercriminals extort money from Web site owners, in exchange for regaining control of the compromised sites.
Fraudsters use bots to boost Web advertising billings by automatically clicking on Internet ad

As the chart above states, there are numerous functions that bots can perform. However, recently bots have mainly been used to conduct Distributed Denial of Service (DDoS) attacks: utilizing hundreds or thousands of bots from around the whole world against a single target.  Botmaster’s goal with DDoS is to use thousands of bots with numerous botnets to attempt to access the same resource simultaneously. This overwhelms the resource with thousands of requests per second thus making the resource unreachable. This inaccessibility of the resource has severe effects on legitimate users and requests. According to FBI, “botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major U.S. businesses. They’ve also affected universities, hospitals, defense contractors, law enforcement, and all levels of government”.

A misconception exists that if your system does not hold any valuable information or if you do not use your system to conduct online financial transactions than an adversary is less likely to target your system. Unfortunately, as much as we would like this to be true, it is not the case. For botnets, the most valuable element is your system’s storage and your internet speed. Our personal computers are now capable of storing and processing terabytes of information seamlessly and are able to use our high-speed internet to transfer this information.  As stated by a malware researcher team from Dell SecureWorks, botnets “allows a single person or a group to leverage the power of lots of computers and lots of bandwidth that they wouldn’t be able to afford on their own”.

——————————————————————-

http://www.fbi.gov/news/news_blog/botnets-101

https://www.damballa.com/press/2011_02_15PR.php

http://news.discovery.com/tech/what-are-botnets-110304.htm

http://us.norton.com/botnet/

Tagged , , , , , ,

Nexpose Install Guide and Review with Nessus

My last blog post was related to setting up Nessus home edition scanner for your lab to do testing. Nessus is properly what I am most familiar with and I like it. I also have some experience using Qualys scanner but it has been couple years since I have used it. However, the scanning technology that I have only heard of but never actually used is Nexpose. So for that reason, I figured I give it a try.

Similar to other commercial scanning technologies, there is a community edition of Nexpose that you can download in your home lab for testing from here.

They have a pretty straightforward user/installation guide here, which I followed in my installation. But just in-case, here is the high-level overview of how I did my setup.

  • Selected the VMWare Virtual Appliance option of the Community Edition
    • Completed the online forum and received the activation code in the email
    • The download contains 1.02GB of .ova file called NexposeVA.ova
  • I opened that file using VMWare Workstation
    • Please note that by default, it allocates 8GB of memory, 2 processors and 160GB of disk space. So, please modify these settings if you do not have those resources available before you power-on the VM.
  • After the VM completely boots, you will login using the following credentials: login: nexpose password: nexpose (please change this)
    • If you just want to complete the most basic setup and want to get up and running immediately without messing with any of the advanced configurations or upgrades, the only configuration you need to do is networking. The virtual appliance is set up in bridge mode by default and should be able to get you an IP automatically. But if you need to give it static IP then you will have to do that manually.
  • At this point, you are pretty much done with the setup. You will be able to complete the rest of the setup by accessing your Nexpose instance by typing following in your browser: https[:]//[VM-IP-Address]:3780
    • The default username for the web interface is: nxadmin and the password is: nxpassword
    • After your first login, the initialization process will take some time. For me, it was about 5-7 minutes.

Continue reading

Tagged , , ,

nessus installation guide linux

Unfortunately, after my last CDR post  – for some unrelated reason, I had my main lab system crash and now I have to rebuild most of the different lab machines that I had before. Obviously, this is a little frustrating because I had everything set up the way I wanted it and now I have to pretty much start from scratch. But to make this rebuilding process more pleasant and productive, I think I am going to document and share some of the labs that I am going to build. Most of these are going to be pretty simple to set up without much difficulty using VMware Workstation. I am not going to go over setting up VMware Workstation since there are already a ton of YouTube videos on it.

First, we are going to select the platform that we are going to use for most of these machines – our choice: Ubuntu 13 Desktop.

The first tool that we are going to install is the Nessus vulnerability scanner. In the first CDR project, we used Nessus as one of our reconnaissances tools along with Nmap. However, this tool can be used in just your lab or home network for identifying vulnerabilities in your systems.

We are going to be installing the latest version of Nessus v6 Home – as of this post. For the operating system, we will choose Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 AMD64 and download the .deb package.

Here are the sequence of commands after you have downloaded the package and opened the appropriate download directory in the terminal.

Nessus_installationWe are pretty much done. The only thing you need to check is if the Nessus service is running. Usually, it starts automatically but you can verify by running: service nessusd status. If the output shows stopped then simply run the following to start it: service nessusd start.

After above, open your browser and type your IP and port 8834. You can find your IP address by running ifconfig in your terminal. My IP address on this machine is 192.168.244.178.

LocalIP

You should get a similar page as above. Follow through the prompt and in a couple of screens you will have the option to create an initial account for your Nessus scanner. After that, you will need to provide Plugin Feed Registration. For home use, you can request the activation code by completing the following: http://www.tenable.com/products/nessus-home

After completing all the steps thus far – you are done with installing your Nessus scanner. Now you need to configure your scans. Following are the basic steps to configure a scan:

New Scan > Basic Network Scan > [Complete General Page with the Name of the Scan and the target IPs]. On the left side, you have additional scan options that you can play around with. After you are done with making your selections, simply hit save and your scan will automatically start. The scan duration depends on the number of IPs that you are scanning and if they are credentialed or non-credentialed.

After your scan completes you will be able to see the scan results and drill down on each host to see the details on the findings.  Later you can also run just reports against previously completed scans.

This is pretty much all you need to do for the basic setup. Feel free to run more scans and try to run a credentialed scan as they will provide the most comprehensive vulnerability information and its also least intrusive on your target systems.

Until next time!

Tagged , , ,
Advertisements