Gauntlet: A CloudPassage® Report, 12.04.2013


Table of Contents

Introduction
Background
How The Gauntlet Was Won
Recommendations
Closing Thoughts
About CloudPassage
About Bugcrowd
Appendix A - Tool Information

Introduction

In September 2013, CloudPassage Inc. ran a live server exploitation exercise to see how long an unpatched and minimally configured cloud server instance could survive against financially motivated attackers when connected directly to the Internet. The exercise, referred to as "The Gauntlet" throughout this report, was a capture-the-flag-style contest that ran for 23 days across a collection of Microsoft Windows and Linux-based servers with varying combinations of applications and application frameworks installed.

The Gauntlet saw the capture of a total of 35 flags across the pool of targets, and the successful capture of two flags in only four hours, which allowed that attacker to claim the five-digit financial incentive designed to motivate the attackers.

Highlights

• Server fully compromised by a single individual in four hours
• Six servers provisioned, each with a different Microsoft Windows Server or Linux-based operating system (detailed in "Target Information")
• 367 participants from 41 different countries
• 102 total security issues reported (90 successfully validated)
• 35 flags submitted over 23 days

Background

In August 2013, CloudPassage started planning a live exercise that involved several popular Linux distributions and the two most recent Microsoft Windows Server versions, along with differing combinations of application stacks and databases. These systems, installed from the default images of a popular Cloud Service Provider (CSP), were installed and configured only to the point of being "operational". No security hardening of the operating systems, applications or application stacks was performed. Also, no additional controls were deployed besides those provided by the CSP.

To facilitate the exercise, we contracted Bugcrowd to manage the logistics of running the bug bounty. Bugcrowd runs managed bug bounties in which members of its curated crowd of 4,100+ security researchers (referred to in this document as 'attackers') compete to be the first to report security flaws for cash and kudos.

The targets, whose configuration is detailed in the Target Information section, each held two unique image files that served as the flags for the attackers to capture. These flags had differing levels of permissions: the 'unprivileged' flag was owned and accessible by a different system-level user, and the 'privileged' flag was owned and accessible only by the administrative (or root) user.

In order to capture a flag, an attacker would need to either elevate his or her privileges to be equal to or greater than the flag owner's, or exploit a previously unreported or unpatched vulnerability that would facilitate the flag's capture. The Gauntlet went live on September 11, 2013 and ran until October 4.

Target Information

In an effort to provide a wide and diverse pool of targets, several servers of varying types were provisioned. The operating systems used included Red Hat Enterprise Linux 6.4, CentOS 6.4, Debian 7, Ubuntu 12.04.03 LTS, Microsoft Windows 2008 R2 and Microsoft Windows 2012. These servers were provisioned and installed with different combinations of databases, FTP servers and application frameworks. Table 1 shows the operating system, application and application framework combinations that were deployed.

With the exception of configuring the bare minimum settings needed to get the applications and application frameworks operational, no additional hardening or obfuscation was performed. For example, an attacker that successfully footprinted one of the Linux-based targets would have discovered several active listening services, including FTP (tcp/21), SSH (tcp/22), Nginx (tcp/80) and the rpcbind service (tcp/111).

Note: External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization.[1]

Table 1 - System configuration matrix

                       Debian 7   Ubuntu 12.04.03 LTS   CentOS 6.4   RHEL 6.4     Windows 2008 R2   Windows 2012
Web                    Nginx      Nginx                 Apache       Apache       IIS               IIS
Database               MySQL      PostgreSQL            MySQL        PostgreSQL   MS SQL            MS SQL
FTP Server             Vsftpd     Proftpd               Proftpd      Vsftpd       IIS               IIS
Application Framework  PHP        PHP                   PHP          PHP          ASP.NET           ASP.NET

[1] Intelligence Gathering • (REF: http://www.pentest-standard.org/index.php/Intelligence_Gathering#Footprinting)


All application and operating system logs were forwarded to a CloudPassage-managed log management application. Standard syslog configurations facilitated this requirement on the Linux-based targets, but the Windows-based targets required the installation of software to forward the operating system and application event logs to The Gauntlet's centralized log server.

This application (see Figure 1), which runs on TCP port 8000, also provides a web-based administrative interface. With minimal effort, an attacker scanning one of the Microsoft Windows servers could have quickly discovered that the CherryPy httpd 3.1.2 server was available and that an application's web user interface was exposed along with it.

At this point, an attacker would need only to open a web browser, point it at the server's IP address and port (8000), and be greeted with the login prompt for the application's web user interface.

Figure 1 - Nmap scan of one of the Windows targets

Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 19:29 PDT
Interesting ports on REDACTED:
Not shown: 986 filtered ports
PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS Webserver 7.5
|_ html-title: aspinfo()
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
1984/tcp  open  remoting       MS .NET Remoting services
3389/tcp  open  microsoft-rdp  Microsoft Terminal Services
8000/tcp  open  http           CherryPy httpd 3.1.2
| html-title: Site doesn't have a title (text/html;charset=utf-8).
|_ Requested resource was http://REDACTED
8089/tcp  open  ssl/unknown
|_ sslv2: server still supports SSLv2
8090/tcp  open  ssl/unknown
|_ sslv2: server still supports SSLv2
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
49175/tcp open  msrpc          Microsoft Windows RPC
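The scan in Figure 1 is the view an outsider gets of a default install. A defender can run the same scan against their own hosts and turn the result into a pass/fail check. The Python script below is an added example, not code from the CloudPassage report or from any tool it names: it parses the port table of Nmap's normal output and flags every open port that is not on an explicit allowlist. The allowlist (only tcp/80 for a public web server) and the sample scan text (a constructed excerpt modelled on Figure 1) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Matches one row of Nmap's "PORT STATE SERVICE VERSION" table, e.g.
#   8000/tcp  open  http  CherryPy httpd 3.1.2
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered|unfiltered)"
    r"\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_ports(text: str) -> List[PortEntry]:
    """Extract port rows from Nmap normal output; script result lines (|_ ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], m["version"].strip()))
    return entries


def unexpected_exposure(entries: List[PortEntry], allowed: Set[int]) -> List[PortEntry]:
    """Open ports the host's allowlist does not cover; each one is a finding to fix or justify."""
    return [e for e in entries if e.state == "open" and e.port not in allowed]


# Constructed sample modelled on Figure 1 (hostname redacted, subset of rows).
SAMPLE_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 19:29 PDT
Interesting ports on REDACTED:
Not shown: 986 filtered ports
PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS Webserver 7.5
|_ html-title: aspinfo()
135/tcp   open  msrpc          Microsoft Windows RPC
3389/tcp  open  microsoft-rdp  Microsoft Terminal Services
8000/tcp  open  http           CherryPy httpd 3.1.2
8089/tcp  open  ssl/unknown
|_ sslv2: server still supports SSLv2
8090/tcp  open  ssl/unknown
"""

# Assumption: a public web server should expose nothing but tcp/80 to the Internet.
PUBLIC_WEB_ALLOWLIST = {80}


def report(scan_text: str = SAMPLE_SCAN, allowed: Set[int] = PUBLIC_WEB_ALLOWLIST) -> List[int]:
    """Print each finding and return the offending port numbers, sorted."""
    findings = unexpected_exposure(parse_nmap_ports(scan_text), allowed)
    for f in findings:
        print(f"exposed: {f.port}/{f.proto} {f.service} {f.version}".rstrip())
    return sorted(f.port for f in findings)


if __name__ == "__main__":
    report()
```

Run against the sample, the check reports 135, 3389, 8000, 8089 and 8090: the RPC endpoint, RDP, the log application's web interface and its two SSLv2-capable listeners. Everything on that list is an administrative surface that recommendation 4 later in this report says should be closed until an authorized user needs it.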


When this particular application is installed on a system, it is set up with a very weak password for the administrator user account. The credentials for the account are easily guessable and not unique to this particular application or vendor.

The application provides a modular framework that allows authorized users to upload custom application extensions. The intent of the framework is to allow users to create their own custom interfaces, dashboards and custom scripts for the collection of non-standard data. An attacker with sufficient privileges could take advantage of this by uploading a script that, upon execution, has consequences the application's creators never intended.

How The Gauntlet Was Won

Upon reviewing both application and operating system logs, it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the systems and gain information about the exposed attack surface.

Several attackers submitted flags for consideration, but only one attacker (who we'll call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server, effectively ending the race for the bounty.

Exploitation of default administrative credentials

Terrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system. Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves; however, he was unable to actually retrieve the flags at this point.

To explore the options provided by the application, Terrence first created a new account on the vendor's website and downloaded a popular app extension for monitoring Windows systems. The app downloaded as a tar and gzipped (tar.gz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored. The package also contained a folder for binaries that included, among other things, a Windows batch file (.bat) and a number of Python (.py) scripts.

Note: Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy. If there is zero knowledge of the systems, a fast ping scan can be used to identify systems. In addition, a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available. You can find more information on the use of Nmap for this purpose in the PTES Technical Guidelines.[2]

[2] More information on the use of Nmap for this purpose • (REF: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Nmap_.28Windows.2FLinux.29)


Exploiting the app code

The first modification Terrence tried was to insert the following code into one of the Python scripts:

    import win32netcon, win32net

    # Describe a new local account for the pywin32 NetUserAdd wrapper
    # (the password is masked in this report).
    d = {}
    d['name'] = 'TestingTesing'
    d['password'] = 'XXXXXXXX'
    d['comment'] = 'A user'
    d['flags'] = win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
    d['priv'] = win32netcon.USER_PRIV_USER
    # Level-1 USER_INFO structure, created on the local machine (None)
    win32net.NetUserAdd(None, 1, d)

Terrence then uploaded the modified version of the app, which he had renamed "notwindows", likely so as not to confuse his malicious app with the standard Windows app. After uploading, Terrence tried to RDP to the server with the credentials he had inserted into the script, but was greeted with the error message in Figure 2.

Figure 2 - Failed remote login attempt

    To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

    [OK]

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password, but that Terrence's newly created account did not have sufficient remote login privileges.

At this point, Terrence realized that the scripts uploaded through the application could affect the system in ways that its creators had not intended. Terrence also became certain that this script upload vector would almost certainly be his way into the system.


Next, Terrence had to gain remote access and escalate the privileges of his new account. He tried unsuccessfully to add additional user privileges through the Python scripts, but he finally backtracked and looked at the batch script provided by the Windows app, notwindows/bin/exploit.bat. On Terrence's local machine, he modified the exploit.bat script and inserted the following line at the top:

    win32net.NetGroupAddUser(None, 'Remote Desktop Users', 'TestingTesting')

Gaining remote access

Terrence uploaded the app again and made sure the script was set to run. He attempted to RDP again and was able to successfully log into the desktop of the target server. Inspecting his permissions, Terrence saw that his account was a Guest account, and as such he was not able to access the Administrator home folder where the privileged flag resided.

Logging out, Terrence made one final modification to the batch script and replaced his previous modification with the following:

    win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')

This time, when Terrence connected via his RDP session, he was logged in and presented with the server administrator interface.
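Every step of the path just described ran through the extension-upload feature: a script bundled in a tar.gz took a privileged action on the host. A defender who cannot remove the feature can at least inspect what gets uploaded before it is deployed. The Python script below is an added example, not code from the report or from the application vendor: it unpacks an extension archive in memory and reports script members that call the Windows account-management APIs used in the attack, or that spawn commands. The pattern list, the inspected file suffixes and the constructed sample archive (which mirrors the notwindows layout above) are assumptions; in practice the check would sit as a gate on the upload path, alongside the firewall and credential controls recommended later in this report.

```python
import io
import re
import tarfile
from typing import Dict, List, Tuple

# Calls a monitoring extension has no legitimate reason to make (assumption: illustrative list).
SUSPICIOUS_PATTERNS = {
    "local account creation": re.compile(r"\bNetUserAdd\b"),
    "group membership change": re.compile(r"\bNet(?:Local)?Group(?:AddUser|AddMembers)\b"),
    "command execution": re.compile(r"\b(?:subprocess\.|os\.system|os\.popen)"),
}
# Member names that get inspected; dashboards and input configuration are left alone.
SCRIPT_SUFFIXES = (".py", ".bat", ".cmd", ".ps1", ".sh")
MAX_MEMBER_BYTES = 1_000_000  # refuse to read absurdly large members into memory


def scan_extension_archive(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, finding) pairs for every script in the tar.gz that matches a pattern."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            if member.size > MAX_MEMBER_BYTES:
                findings.append((member.name, "oversized script"))
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    findings.append((member.name, label))
    return findings


def build_archive(files: Dict[str, str]) -> bytes:
    """Build an in-memory tar.gz from {name: text}; used here only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a benign collector plus scripts that do what the report describes.
SAMPLE_EXTENSION = build_archive({
    "notwindows/README.txt": "NetUserAdd is mentioned here only in prose, so it is not scanned.\n",
    "notwindows/bin/collect_uptime.py": "import time\nprint(time.time())\n",
    "notwindows/bin/exploit.bat":
        "python -c \"import win32net; win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')\"\n",
    "notwindows/bin/add_user.py": "import win32net, win32netcon\nwin32net.NetUserAdd(None, 1, {})\n",
})


def scan_sample() -> List[Tuple[str, str]]:
    return scan_extension_archive(SAMPLE_EXTENSION)


if __name__ == "__main__":
    for name, label in scan_sample():
        print(f"BLOCK {name}: {label}")
```

The scan is a coarse filter, not a sandbox: it catches the literal API names from this incident and the common ways a script shells out, and a determined uploader can obfuscate around it. Its value is as a cheap first gate that makes the upload reviewable, and as a source of an alert when a package named like a vendor app suddenly contains account-management calls.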

Obtaining the flags

To grab the privileged flag and, by way of his new administrative access, the unprivileged flag, Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server. Terrence logged back into his admin account and copied the flags to his local machine, as shown in Figure 3.

Bugcrowd verified the methodology employed by Terrence, validated the integrity of the flags captured and awarded Terrence the win. "Until this particular test, I had never considered that this particular application could be abused in this way," said Terrence. "The application's framework for customization is, I think, one of the things that gives it so much potential."

Terrence also stated that he hoped he had "shown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its application."

Note: Removing this particular threat vector would have completely nullified this attack. Restricting administrative ports using a host-based firewall and providing dynamic access for authorized administrators would have responsibly limited application access.


Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application, find the flags and submit them to win the bounty. "What I did could be boiled down to a single batch script," explains Terrence. "Once access is gained to an administrator account on the application interface, it would take only a minute or two to gain full access to a similarly configured system."

Other attack data

Although the above analysis details the winning capture methodology and timeline, a number of other bugs were reported and flags captured using different vectors.


Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who submitted bugs by country

Figure 6 - Bug submissions throughout Project Gauntlet (chart; horizontal axis: 9/8/13 through 10/8/13 in five-day steps, vertical axis: time of day)

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services, to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A - Tool Information.

Table 3 - Tools used

Tool                          Count
Acunetix                      4
Backtrack                     1
Burp Suite                    4
FileZilla                     2
Firefox                       2
FTP (manual)                  1
Iceweasel browser             1
Manual                        3
Metasploit                    1
NetSparker                    2
Nmap                          5
None                          4
SSH client                    2
und3ath injector              1
Visual Studio 2010 Express    1
WinSCP                        1

Figure 7 - Types of bug submissions by percent

Flag                    38%
Info Disclosure         34%
Anon FTP                12%
XSS                      6%
Web Server Conf          3%
Directory Permissions    2%
No Anti-Automation       2%
Banner Disclosure        1%
Default Credentials      1%
No SSL                   1%


The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected, while following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default credentials and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted clear text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect but is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites:[3]
• http://www.phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com
• http://www.passwordsdatabase.com
• http://www.isdpodcast.com/resources/62k-common-passwords

[3] Source of the websites listed • (REF: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common.2Fdefault_passwords)
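The paragraph above distinguishes three cases for a stored credential: clear text, reversible obfuscation such as ROT13, and real encryption. The Python check below is an added example, not code from the report, showing how a configuration audit handles the first two. It reads an INI-style application configuration, compares each stored username/password pair against a list of known defaults, and also tries the ROT13 decoding of the stored value so that obfuscated defaults are caught as well. The INI layout, the key names, the short default list and the sample configuration are all constructed assumptions; an encrypted value would simply not match, which is the third case the paragraph describes.

```python
import codecs
import configparser
from typing import Iterator, List, Tuple

# Constructed, deliberately short list; the websites cited in the note publish far longer ones.
KNOWN_DEFAULTS = {
    ("admin", "changeme"),
    ("admin", "admin"),
    ("root", "password"),
}


def candidate_plaintexts(stored: str) -> Iterator[Tuple[str, str]]:
    """Yield (encoding label, plaintext) for each reversible form we know how to undo.

    ROT13 is its own inverse, so decoding once recovers a ROT13-obfuscated value.
    """
    yield "cleartext", stored
    yield "rot13", codecs.decode(stored, "rot_13")


def find_default_credentials(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, username, encoding) for every stored credential that is a known default."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    hits = []
    for section in cp.sections():
        user = cp.get(section, "username", fallback=None)
        stored = cp.get(section, "password", fallback=None)
        if user is None or stored is None:
            continue
        for encoding, plaintext in candidate_plaintexts(stored):
            if (user.lower(), plaintext) in KNOWN_DEFAULTS:
                hits.append((section, user, encoding))
                break
    return hits


# Constructed sample: one clear-text default, one ROT13-obfuscated default, one strong password.
SAMPLE_CONFIG = """\
[web_ui]
username = admin
password = changeme

[collector]
username = admin
password = punatrzr

[db]
username = app
password = Xk9!q2-Vz7#mL
"""


def audit_sample() -> List[Tuple[str, str, str]]:
    return find_default_credentials(SAMPLE_CONFIG)


if __name__ == "__main__":
    for section, user, encoding in audit_sample():
        print(f"[{section}] account '{user}' still uses a default password ({encoding})")
```

The check is only as good as its default list, and it can only ever prove that a credential is bad, never that it is good; a password that is absent from the list still needs the complexity policy of the next recommendation.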


2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which is determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. Usernames or a person's name, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03011970"), dictionary words, and names of people and places should not be used.
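The policy just described is concrete enough to implement. The Python function below is an added example, not code from the report or from NIST: it applies the three-of-four character class rule and rejects the banned content the paragraph lists (username, person's name, organization name, "password", keyboard patterns, dates and dictionary words). The minimum length of 12, the keyboard-pattern and dictionary lists, and the example inputs are constructed assumptions; a deployment would substitute a real wordlist.

```python
import re
from datetime import datetime
from typing import List

# Constructed, deliberately short lists; a real deployment would load a large wordlist.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
DICTIONARY_WORDS = ("welcome", "summer", "dragon", "monkey", "letmein")
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")


def character_classes(password: str) -> int:
    """Count how many of the four groups (lower, upper, digit, symbol) appear in the password."""
    groups = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for g in groups if re.search(g, password))


def looks_like_date(password: str) -> bool:
    """True if the digits in the password form a plausible date such as 03011970."""
    digits = re.sub(r"\D", "", password)
    if len(digits) not in (6, 8):
        return False
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def check_password(password: str, username: str, org_name: str,
                   person_name: str = "", min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lower = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    banned = (("username", username), ("person's name", person_name),
              ("organization name", org_name), ("the word 'password'", "password"))
    for label, value in banned:
        if value and value.lower() in lower:
            problems.append(f"contains {label}")
    if any(p in lower for p in KEYBOARD_PATTERNS):
        problems.append("contains keyboard pattern")
    if looks_like_date(password):
        problems.append("looks like a date")
    if any(w in lower for w in DICTIONARY_WORDS):
        problems.append("contains dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("03011970", "Acme2013Qwerty!", "Correct-Horse-9-Battery"):
        print(pw, "->", check_password(pw, username="alice", org_name="Acme") or "OK")
```

Note that a password can satisfy the three-of-four rule and still fail: "Acme2013Qwerty!" has all four classes yet contains both the organization name and a keyboard pattern, which is exactly why the paragraph lists banned content separately from the complexity requirement.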

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of the authentication system. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regards to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks, and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4. Block access to administrative ports until needed

Do your administrators need to access your administrative ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers. To limit the attack surface of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Figure 8 - Example display of a software authentication token


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network's perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Each monitors and controls the incoming and outgoing network traffic for a single host, and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security tenets, dating from the dawn of computing.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files, like the flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server, and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations

Source: CloudPassage Halo Configuration Security Monitoring module
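Figure 9 shows the alert a monitoring product raises; the underlying check is small enough to show in full. The Python script below is an added example, not CloudPassage Halo code: it compares a set of sensitive files against an expected owner, group and maximum permission mode, treating any extra permission bit, a wrong owner, a missing file or a symlink planted in the file's place as a violation. The expected values, the file names (modelled on the two flags of the exercise) and the use of a temporary directory are constructed assumptions; it runs on POSIX systems since it relies on uid/gid and mode bits.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Expected:
    uid: int
    gid: int
    mode: int  # maximum permission bits allowed, e.g. 0o600


Violation = Tuple[str, str, Optional[str], Optional[str]]  # (path, reason, expected, actual)


def audit_permissions(baseline: Dict[str, Expected]) -> List[Violation]:
    """Compare each file against its expected owner, group and mode; return every deviation."""
    violations: List[Violation] = []
    for path, exp in baseline.items():
        try:
            st = os.lstat(path)  # lstat so a symlink planted in place of the file is not followed
        except FileNotFoundError:
            violations.append((path, "missing", None, None))
            continue
        if stat.S_ISLNK(st.st_mode):
            violations.append((path, "symlink", "regular file", "symlink"))
            continue
        if st.st_uid != exp.uid:
            violations.append((path, "owner", str(exp.uid), str(st.st_uid)))
        if st.st_gid != exp.gid:
            violations.append((path, "group", str(exp.gid), str(st.st_gid)))
        actual_mode = stat.S_IMODE(st.st_mode)
        if actual_mode & ~exp.mode:  # any permission bit set beyond the allowed set
            violations.append((path, "mode", oct(exp.mode), oct(actual_mode)))
    return violations


def demo() -> List[Violation]:
    """Constructed sample: two 'flag' files, one locked down and one world-readable, plus a missing log."""
    root = tempfile.mkdtemp()
    priv = os.path.join(root, "privileged_flag.png")
    unpriv = os.path.join(root, "unprivileged_flag.png")
    for p in (priv, unpriv):
        with open(p, "wb") as f:
            f.write(b"\x89PNG")
    os.chmod(priv, 0o600)
    os.chmod(unpriv, 0o644)  # the administrator's mistake: readable by every user on the host
    me, grp = os.getuid(), os.getgid()
    baseline = {
        priv: Expected(me, grp, 0o600),
        unpriv: Expected(me, grp, 0o640),
        os.path.join(root, "audit.log"): Expected(me, grp, 0o600),
    }
    return audit_permissions(baseline)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The mode comparison is deliberately "no bits beyond the allowed set" rather than exact equality, so a file that is more restrictive than the baseline does not raise a false alarm, while a single extra read bit for "other" does.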


6. Monitor for vulnerabilities and apply patches

Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your systems, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date.

Source: CloudPassage Halo Software Vulnerability Assessment module


7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories that should never have files uploaded to them, unless by an authorized individual, for newly created files, as seen in Figure 11.

Figure 11 - Example of the detection of a newly added file

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."

Source: CloudPassage Halo File Integrity Monitoring module


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
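Recommendations 7 and 8 are two views of one mechanism: a baseline of what is on disk, and a periodic comparison against it. The Python script below is an added example, not CloudPassage Halo code, and serves both recommendations: it records a SHA-256 digest for every regular file under a root, then classifies a later snapshot into added files (an unexpected upload into an application directory, as in recommendation 7), modified files (an edited configuration file, as in recommendation 8) and removed files. The directory layout, file names and the two simulated events are constructed assumptions that mirror what the report describes.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def file_sha256(path: str) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (as a relative, slash-separated path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # symlinks are not content; a swapped link shows up as a removal
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_sha256(full)
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed sample: take a baseline, then replay the two kinds of event the report describes."""
    root = tempfile.mkdtemp()
    _write(root, "etc/apps/windows/bin/collect.py", "print('collect')\n")
    _write(root, "etc/web.conf", "listen 8000\n")
    baseline = snapshot(root)
    # Event 1: a new extension directory appears under the apps folder (recommendation 7).
    _write(root, "etc/apps/notwindows/bin/exploit.bat", "rem placeholder content\n")
    # Event 2: a configuration file is edited in place (recommendation 8).
    _write(root, "etc/web.conf", "listen 8000\nallow_uploads true\n")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The baseline itself must be stored where the monitored host cannot rewrite it (the comparison is worthless if an intruder can refresh the snapshot after making changes), which is why products of this kind keep it off the host.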

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Source: CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments
• Direct cloud stack integration so that security transparently grows and changes with your cloud
• Cloud-agnostic architecture so that one solution is deployed, integrated and managed for all cloud environments
• Continuous security monitoring and control
• Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet
• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management


(Figure 13 diagram labels: Enterprise Cloud, SaaS Hosting, Big Data, Test-Dev, Data Center)


Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers are capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.


Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is the secure transfer of files between a local and a remote computer.

Page 2: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg

Table of Contents 1 Introduction

1 Background

4 How The Gauntlet Was Won

11 Recommendations

17 Closing Thoughts

17 About CloudPassage

17 About Bugcrowd

18 Appendix A ndash Tool Information

reg 1

IntroductionIn September 2013 CloudPassage Inc ran a live server exploitation exercise to see how long an unpatched and minimally configured cloud server instance could survive against financially motivated attackers when connected directly to the Internet The exercise referred to as The Gauntlet throughout the capture-the-flag-style contest ran for 23 days across a collection of Microsoft Windows and Linux-based servers with varying combinations of applications and application frameworks installed

The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful capture of two flags in only four hours ndash allowing the attacker to claim the five-digit financial incentive designed to motivate the attackers

Highlightsbull Server fully compromised by a single individual in four hoursbull Six servers provisioned with a different Microsoft Windows Server or Linux-based operating system (detailed in ldquoTarget Informationrdquo)bull Included 367 participants from 41 different countriesbull 102 total security issues reported (90 successfully validated)bull 35 flags submitted over 23 days

BackgroundIn August 2013 CloudPassage started planning a live exercise that involved several popular Linux distributions and the two most recent Microsoft Windows Server versions along with differing combinations of application stacks and databases These systems installed using the default images of a popular Cloud Service Provider (CSP) were installed and configured to the point of being ldquooperationalrdquo No security hardening of the operating systems applications or application stacks was performed Also no additional controls were deployed besides those provided by the CSP

To facilitate the exercise we contracted Bugcrowd to manage the logistics of running the bug bounty Bugcrowd runs managed bug bounties in which members of its curated 4100+ crowd of security researchers (referred to in this document as lsquoattackersrsquo) compete to be the first to report security flaws for cash and kudos

The targets whose configuration is detailed in the Target Information section each held two unique image files that served as the flags for the attackers to capture These flags had differing levels of permissions with the lsquounprivilegedrsquo flag owned and accessible by a different

reg 2

system-level user and a lsquoprivilegedrsquo flag owned and accessible only by the administrative (or root) user

In order to capture the flag an attacker would need to either elevate his or her privileges to be equal to or greater than the flag owners or exploit a previously unreported or unpatched vulnerability that would facilitate the flagrsquos capture The Gauntlet went live on September 11 2013 and ran until October 4

Target information In an effort to provide a wide and diverse pool of targets several servers of varying types were provisioned The operating systems used included Red Hat Enterprise Linux 64 CentOS 64 Debian 7 Ubuntu 120403 LTS Microsoft Windows 2008 R2 and Microsoft Windows 2012 These servers were provisioned and installed with a different combination of databases FTP servers and application frameworks Table 1 shows the operating system application and application framework combinations that were deployed

With the exception of configuring the bare minimum settings to get the applications and application frameworks operational no additional hardening or obfuscation was performed For example an attacker that successfully footprinted one of the Linux-based targets would have discovered several active listening services including FTP (tcp21) SSH (tcp22) Nginx (tcp80) and the rpcbind service (tcp111)

Note External information gathering also known as footprinting is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization1

Table 1 ndash System configuration matrix

Operating System Debian 7

Ubuntu 120403 LTS CentOS 64 RHEL 64

Windows 2008 R2

Windows 2012

Web Nginx Nginx Apache Apache IIS IISDatabase MySQL PostgreSQL MySQL PostgreSQL MS SQL MS SQLFTP Server Vsftpd Proftpd Proftpd Vsftpd IIS IISApplication PHP PHP PHP PHP ASPNET ASPNETFramework

1 Intelligence Gathering bull (REFhttpwwwpentest-standardorgindexphpIntelligence_GatheringFootprinting)

reg 3

All application and operating system logs were forwarded to a CloudPassage-managed log management application Standard syslog configurations facilitated this requirement on the Linux-based targets but the Windows-based targets required the installation of software to forward the operating system and application event logs to The Gauntlet centralized log server

This application (see Figure 1) which runs on tcp port 8000 also provides a web-based administrative interface With minimal effort an attacker scanning one of the Microsoft Windows servers could have quickly discovered that the CherryPy httpd 312 server was available and that an applicationrsquos web user interface was exposed along with it

Figure 1 - Nmap scan of one of the Windows targets

At this point an attacker would need only to open a web browser point it at the server IP address and port (8000) and be greeted with the login prompt for the applicationrsquos web user interface

Starting Nmap 500 ( httpnmaporg ) at 2013-09-17 1929 PDT Interesting ports on REDACTED Not shown 986 filtered ports PORT STATE SERVICE VERSION 80tcp open http Microsoft IIS Webserver 75 |_ html-title aspinfo() 135tcp open msrpc Microsoft Windows RPC 139tcp open netbios-ssn 445tcp open netbios-ssn 1984tcp open remoting MS NET Remoting services 3389tcp open microsoft-rdp Microsoft Terminal services 8000tcp open http CherryPy httpd 312 | html-title Site doeswnt have a title (texthtmlcharset=vtf-8) |_ Requested resource was http REDACTED 8089tcp open sslunknown |_sslv2 server still supports SSLv2 8090tcp open sslunknown |_sslv2 server still supports SSLv2 49152tcp open msrpc Microsoft Windows RPC 49153tcp open msrpc Microsoft Windows RPC 49154tcp open msrpc Microsoft Windows RPC 49157tcp open msrpc Microsoft Windows RPC 49175tcp open msrpc Microsoft Windows RPC

reg 4

When this particular application is installed on a system it is set up with a very weak password for the administrator user account The credentials for the account are easily guessable and not unique to this particular application or vendor

The application provides a modular framework that allows for the uploading of custom application extensions by authorized users An attacker with sufficient privileges could take advantage of the application by uploading a script that could allow for unintended consequences upon execution The intent of the framework is to allow users to create their own custom interfaces dashboards and custom scripts for the collection of non-standard data

How The Gauntlet Was WonUpon reviewing both application and operating system logs it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the system and gain information about the exposed attack surface area

Several attackers submitted flags for consideration but only one attacker (who well call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server ndash effectively ending the race for the bounty

Exploitation of default administrative credentialsTerrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves however he was unable to actually retrieve the flags at this point

To explore the options provided by the application Terrence first created a new account on the vendorrsquos website and downloaded a popular app extension for monitoring Windows systems The app downloaded as a tar and gzipped (targz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored The package also contained a folder for binaries that included among other things a Windows batch file (bat) and a number of python (py) scripts

2 more information on the use of Nmap for this purpose bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidlinesNmap_28Windows2FLinux29)

Note Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy If there is zero knowledge of the systems a fast ping scan can be used to identify systems In addition a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available You can find more information on the use of Nmap for this purpose in the PTES Technical Guideline2

reg 5

Exploiting the app codeThe first modification Terrence tried was to insert the following code into one of the python scripts import win32netcon win32net

d=

d[name] = TestingTesing

d[password] = XXXXXXXX

d[comment] = A user

d[flags] = win32netconUF_NORMAL_ACCOUNT | win32netconUF_SCRIPT

d[priv] = win32netconUSER_PRIV_USER

win32netNetUserAdd(None 1 d)

Terrence then uploaded the modified version of the app which he had renamed notwindows likely so as not to confuse his malicious app with the standard Windows app After uploading Terrence tried to RDP to the server with the credentials he had inserted into the script but was greeted with the error message in Figure 2

Figure 2 - Failed remote login attempt

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password but that Terrencersquos newly created account did not have sufficient remote login privileges

At this point Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended Terrence also became certain that this script upload vector would almost certainly be his way into the system

To log on to this remote computer you must be granted the Allow log through Terminal Ser-vices right By default members of the Remote Desktop Users group have this right If you are not a member of the Remote Desktop Users group that has this right or id the Remote Desktop Users group does not have this right you must be granted this right manually

OK

reg 6

Next Terrence had to gain remote access and escalate the privileges of his new account He tried unsuccessfully to add additional user privileges through the python scripts but he finally backtracked and looked at the batch script provided by the Windows App - notwindowsbinexploitbat On Terrencersquos local machine he modified the exploitbat script and inserted the following line at the top

win32netNetGroupAddUser(None Remote Desktop Users TestingTesting)

Gaining remote accessTerrence uploaded the app again and made sure the script was set to run He attempted to RDP again and was able to successfully log into the desktop of the target server Inspecting his permissions Terrence saw that his account was a Guest account and as such he was not able to access the Administrator home folder where the privileged flag resided

Logging out Terrence made one final modification to the batch script and replaced his previous modification with the following

win32netNetGroupAddUser(None Administrators TestingTesting)

This time when Terrence connected via his RDP session he was logged in and presented with the server administrator interface

Obtaining the flagsTo grab the privileged flag and by way of his new administrative access the unprivileged flag Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server Terrence logged back into his admin account and copied the flags to his local machine as shown in Figure 3

Bugcrowd verified the methodology employed by Terrence validated the integrity of the flags captured and awarded Terrence the win ldquoUntil this particular test I had never considered that this particular application could be abused in this wayrdquo said Terrence ldquoThe applicationrsquos framework for customization is I think one of the things that gives it so much potentialrdquo

Terrence also stated that he hoped he had ldquoshown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its applicationrdquo

Note Removing this particular threat vector would have completely nullified this attack Restricting administrative ports using a host-based firewall and providing dynamic assess for authorized administrators would have responsibly limited application access

reg 7

Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application find the flags and submit them to win the bounty ldquoWhat I did could be boiled down to a single batch scriptrdquo explains Terrance ldquoOnce access is gained to an administrator account on the application interface it would take only a minute or two to gain full access to a similarly configured systemrdquo

Other attack dataAlthough the above analysis details the winning capture methodology and timeline a number of other bugs were reported and flags captured using different vectors

reg 8

Upon commencement of Project Gauntlet 367 participants from 41 different countries viewed the bounty as illustrated in Figure 4 Of those that viewed the bounty only a small subset actively participated and submitted bugs as shown in Figure 5 The majority of attackers and submissions originated from Europe with small pockets of interest and submissions in other parts of the world

In September 96 bugs were submitted against the exercise The rate of submissions dropped off considerably after September 23 but six bugs were submitted from October 2 through October 4 bringing the total number of submitted bugs for this exercise to 102 Of the 102 total submissions only 90 were considered valid and within scope Submissions pertaining to possible Denial of Service (DoS) attacks web server information disclosure or service banner disclosure among others were eliminated and not considered Figure 6 illustrates the Project Gauntlet bug submissions over time

Figure 6 - Bug submissions throughout Project Gauntlet

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who summited bugs by country

448 AM

1200 AM

712 AM

224 AM

936 AM

448 AM

1200 AM

9813 91313 91813 92313 92813 10313 10813

The types of security submissions varied but included everything from the ability to anonymously log into the FTP server typical information disclosure about applications or services to actual flag submissions

As shown in Figure 7 the majority of submissions were in fact flag submissions (38) information disclosures (34) and anonymous FTP access (12)

When submitting a bug each attacker was asked which tools if any were used to achieve the resultant bug conditions Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing web application tools exploit frameworks and hostservice discovery tools Information about the disclosed tools can be found in Appendix A ndash Tool Information

Table 3 - Tools used

reg 9

Figure 7 Types of bug submissions by Percent

1 Banner Disclosure

38 Flag

2 Directory Permissions

34 Info Disclosure

2 No Anti-Automation

1 Default Credentials

12 Anon FTP

6 XSS

3 Web Server Conf

1 No SSL

Acunetix 4Backtrack 1Burp Suite 4FileZilla 2Firefox 2FTP (manual) 1Iceweasel browser 1Manual 3

Metasploit 1NetSparker 2Nmap 5None 4SSH client 2und3ath injector 1Visual Studio 2010 Express 1WinSCP 1

38

34

12

reg 10

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise At the time of this writing CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules

RecommendationsThe Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny The following recommendations may be considered as ldquolessons learnedrdquo guidance for current and future cloud server instance deployments

1 Change default and use strong credentials for system and application accountsEnsure that passwords are sufficiently complex so that attackers cannot readily guess them According to section 321 of the NIST Special Publication 800-118 Guide to Enterprise Password Management it is particularly important to change all default OS and application passwords lists of default accounts and passwords are widely available to attackers

According to the Penetration Testing Execution Standard (PTES) identifying whether a device application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords

Many applications store their credentials in system configuration files Windows Registry Keys or application databases Often these credentials are stored in unencrypted clear text format in which case validating that the credentials have changed from the default is trivial If the password is obfuscated using something as commonly implemented as ROT13 character substitution it is not as trivial to inspect but easily reversible If the password is encrypted it may be impossible to validate that it has been changed from the default

3 Source of the websites listed bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCommon2Fdefault_passwords)

Note Defaulft passwords can be obtained from the following websites3 bull httpwwwphenoelit-usorgdpldplhtml bull httpwwwcirtnetpasswords bull httpwwwdefaultpasswordcom bull httpwwwapsswordsdatabasecom bull httpwwwisdpodcastcomrecources62k-common-passwords

reg 11

2 Use non-trivial passwordsOrganizations should ensure that other trivial passwords cannot be set According to section 323 of the NIST Special Publication 800-118 Guide to Enterprise Password Management having strong passwords helps mitigate guessing and cracking Password strength is determined by a passwordrsquos length and complexity which is determined by the unpredictability of its characters

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password lowercase letters uppercase letters digits and symbols Username or personrsquos name ldquopasswordrdquo the organizationrsquos name simple keyboard patterns (eg ldquoqwertyrdquo ldquo1234$rdquo) dates (eg ldquo03011970rdquo) dictionary words and names of people and places should not be used

3 Employ multiple factors of authenticationMulti-factor authentication refers to the use of more than one authentication factor in place of a single factor The three types of authentication factors are something you know something you have and something you are The number of factors incorporated by the system largely determines the strength of authentication systems According to NIST Special Publication 800-63-2 Electronic Authentication Guideline implementations that use two factors are considered to be stronger than those that use only one factor and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors

With regards to application and operating system authentication many tools exist to facilitate additional authentication factors With randomly generated hardware

or software authentication tokens (as seen in Figure 8) integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances

Whichever methodology or tool you use know that multi-factor authentication can only help to add additional access control to your servers and applications

4 Block access to administrative ports until neededDo your administrators need to access your administrative access ports 247 What about the rest of the world Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers To limit the attack surface area of your servers and applications we advise blocking access to sensitive ports until an authorized user requires access

Figure 8 - Example display of a software authentication token

reg 12

Using a firewall to dynamically facilitate access is the preferred method especially in cloud environments Though many CSPs provide rudimentary firewall capability at its networkrsquos perimeter in many cases additional network protection is required According to NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy network firewalls are not able to recognize all instances and forms of attack allowing some attacks to penetrate and reach internal hosts - and attacks sent from one internal host to another may not even pass through a network firewall

As such host-based firewalls for servers provide an additional layer of security against network-based attacks These firewalls are software-based residing on the hosts they are protecting Also each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts

5 Validate user and group ownership and permissions of sensitive filesValidating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets since the dawn of computers

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files like flags in a capture-the-flag exercise and incorrectly exposing them to the rest of the world

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so If the permissions and ownership deviate from the expected state organizations should be alerted to the fact as depicted in Figure 9

Figure 9 - Example of file permission and ownership violations

Source CloudPassage Halo Configuration Security Monitoring module

13reg

6 Monitor for vulnerabilities and apply patchesKeeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs According to NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system Vulnerabilities can be exploited by a malicious entity to violate policies - for example to gain greater access or permission than is authorized on a server or within an application

When a new vulnerability is found you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system as shown in Figure 10

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date

Source CloudPassage Halo Software Vulnerability Assessment module

14reg

7 Monitor directories used by applications for uploads (and those not)If your application or server allows files to be uploaded by employees partners or customers the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers

Perhaps even more important is the monitoring of application and server directories for newly created files as seen in Figure 11 that should never have files uploaded to them ndash unless by an authorized individual

Figure 11 - Example of the detection of a newly added file

As recently as October 25 2013 the creators of the PHP application framework had their website compromised (httpwwwphpnet) According to their official report their team found that ldquotwo servers were compromised the server which hosted the wwwphpnet staticphpnet and gitphpnet domains and was previously suspected based on the JavaScript malware and the server hosting bugsphpnetrdquo

The method by which these servers were compromised was not known at the time this report was written but the PHP team was only alerted to the issue after it was flagged by Googlersquos Safe Browsing initiative as a malicious website According to Steve Ragan Staff Writer at CSO

Long before the admission of a breach security experts were certain that Googles flag was no false positive Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded Later in the evening Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit and it was attempting to drop an information-stealing Trojan called Tepfer

Source CloudPassage Halo File Integrity Monitoring module

15reg

ldquoIts unknown how many users may have been infected by the rogue JavaScript but PHPnet says the malicious code was active from October 22 until it was discovered and removed on October 24rdquo said Ragan ldquoThe attack window is small but PHPnet is in the top 250 domains on the Internet according to Alexa rankings so the pool of potential victims is massiverdquo

8 Monitor configuration files and application code for changesSimilar to monitoring for newly created files organizations should continuously monitor that production configuration files and application code do not change during normal operation

Should the company websitersquos HTML PHP or JavaScript code change or the configuration files of web database file or other application servers change without your knowledge detecting the change early could be the difference between quick mitigation and having your companyrsquos name strewn across the front page of every major news publication Figure 12

9 Automate your securityThe above recommendations may sound like an insurmountable task especially given the rate your organization is looking to deploy servers in cloud environments Though cloud environments have a multitude of benefits getting a handle on security in such a dynamic and elastic environment is a challenge

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale security automation must be directly integrated into any cloud platform (eg VMware Citrix OpenStack) or cloud service provider (eg Amazon Web Services Rackspace Savvis) you are using as illustrated in Figure 13

Figure 13 - Security automation

Such an automation strategy should be able to facilitate

bull Automated provisioning to ensure critical security controls are ubiquitous across environments

bull Direct cloud stack integration so that security transparently grows and changes with your cloud

bull Cloud-agnostic architecture so that one solution is deployed integrated and managed for all cloud environments

bull Continuous security monitoring and control

bull Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

bull Integration with other automation tools (eg vCloud Puppet Chef) and security systems (eg Splunk HPArcSight Sumo Logic) for complete enterprise visibility and configuration management

16reg

ENTERPRISE CLOUD

Saas Hosting

Big Data

Test-Dev Data Center

17reg

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.


Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer.

Page 3: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg 1

IntroductionIn September 2013 CloudPassage Inc ran a live server exploitation exercise to see how long an unpatched and minimally configured cloud server instance could survive against financially motivated attackers when connected directly to the Internet The exercise referred to as The Gauntlet throughout the capture-the-flag-style contest ran for 23 days across a collection of Microsoft Windows and Linux-based servers with varying combinations of applications and application frameworks installed

The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful capture of two flags in only four hours ndash allowing the attacker to claim the five-digit financial incentive designed to motivate the attackers

Highlightsbull Server fully compromised by a single individual in four hoursbull Six servers provisioned with a different Microsoft Windows Server or Linux-based operating system (detailed in ldquoTarget Informationrdquo)bull Included 367 participants from 41 different countriesbull 102 total security issues reported (90 successfully validated)bull 35 flags submitted over 23 days

BackgroundIn August 2013 CloudPassage started planning a live exercise that involved several popular Linux distributions and the two most recent Microsoft Windows Server versions along with differing combinations of application stacks and databases These systems installed using the default images of a popular Cloud Service Provider (CSP) were installed and configured to the point of being ldquooperationalrdquo No security hardening of the operating systems applications or application stacks was performed Also no additional controls were deployed besides those provided by the CSP

To facilitate the exercise we contracted Bugcrowd to manage the logistics of running the bug bounty Bugcrowd runs managed bug bounties in which members of its curated 4100+ crowd of security researchers (referred to in this document as lsquoattackersrsquo) compete to be the first to report security flaws for cash and kudos

The targets whose configuration is detailed in the Target Information section each held two unique image files that served as the flags for the attackers to capture These flags had differing levels of permissions with the lsquounprivilegedrsquo flag owned and accessible by a different

reg 2

system-level user and a lsquoprivilegedrsquo flag owned and accessible only by the administrative (or root) user

In order to capture the flag an attacker would need to either elevate his or her privileges to be equal to or greater than the flag owners or exploit a previously unreported or unpatched vulnerability that would facilitate the flagrsquos capture The Gauntlet went live on September 11 2013 and ran until October 4

Target information In an effort to provide a wide and diverse pool of targets several servers of varying types were provisioned The operating systems used included Red Hat Enterprise Linux 64 CentOS 64 Debian 7 Ubuntu 120403 LTS Microsoft Windows 2008 R2 and Microsoft Windows 2012 These servers were provisioned and installed with a different combination of databases FTP servers and application frameworks Table 1 shows the operating system application and application framework combinations that were deployed

With the exception of configuring the bare minimum settings to get the applications and application frameworks operational no additional hardening or obfuscation was performed For example an attacker that successfully footprinted one of the Linux-based targets would have discovered several active listening services including FTP (tcp21) SSH (tcp22) Nginx (tcp80) and the rpcbind service (tcp111)

Note External information gathering also known as footprinting is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization1

Table 1 ndash System configuration matrix

Operating System Debian 7

Ubuntu 120403 LTS CentOS 64 RHEL 64

Windows 2008 R2

Windows 2012

Web Nginx Nginx Apache Apache IIS IISDatabase MySQL PostgreSQL MySQL PostgreSQL MS SQL MS SQLFTP Server Vsftpd Proftpd Proftpd Vsftpd IIS IISApplication PHP PHP PHP PHP ASPNET ASPNETFramework

1 Intelligence Gathering bull (REFhttpwwwpentest-standardorgindexphpIntelligence_GatheringFootprinting)

reg 3

All application and operating system logs were forwarded to a CloudPassage-managed log management application Standard syslog configurations facilitated this requirement on the Linux-based targets but the Windows-based targets required the installation of software to forward the operating system and application event logs to The Gauntlet centralized log server

This application (see Figure 1) which runs on tcp port 8000 also provides a web-based administrative interface With minimal effort an attacker scanning one of the Microsoft Windows servers could have quickly discovered that the CherryPy httpd 312 server was available and that an applicationrsquos web user interface was exposed along with it

Figure 1 - Nmap scan of one of the Windows targets

At this point an attacker would need only to open a web browser point it at the server IP address and port (8000) and be greeted with the login prompt for the applicationrsquos web user interface

Starting Nmap 500 ( httpnmaporg ) at 2013-09-17 1929 PDT Interesting ports on REDACTED Not shown 986 filtered ports PORT STATE SERVICE VERSION 80tcp open http Microsoft IIS Webserver 75 |_ html-title aspinfo() 135tcp open msrpc Microsoft Windows RPC 139tcp open netbios-ssn 445tcp open netbios-ssn 1984tcp open remoting MS NET Remoting services 3389tcp open microsoft-rdp Microsoft Terminal services 8000tcp open http CherryPy httpd 312 | html-title Site doeswnt have a title (texthtmlcharset=vtf-8) |_ Requested resource was http REDACTED 8089tcp open sslunknown |_sslv2 server still supports SSLv2 8090tcp open sslunknown |_sslv2 server still supports SSLv2 49152tcp open msrpc Microsoft Windows RPC 49153tcp open msrpc Microsoft Windows RPC 49154tcp open msrpc Microsoft Windows RPC 49157tcp open msrpc Microsoft Windows RPC 49175tcp open msrpc Microsoft Windows RPC

reg 4

When this particular application is installed on a system it is set up with a very weak password for the administrator user account The credentials for the account are easily guessable and not unique to this particular application or vendor

The application provides a modular framework that allows for the uploading of custom application extensions by authorized users An attacker with sufficient privileges could take advantage of the application by uploading a script that could allow for unintended consequences upon execution The intent of the framework is to allow users to create their own custom interfaces dashboards and custom scripts for the collection of non-standard data

How The Gauntlet Was WonUpon reviewing both application and operating system logs it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the system and gain information about the exposed attack surface area

Several attackers submitted flags for consideration but only one attacker (who well call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server ndash effectively ending the race for the bounty

Exploitation of default administrative credentialsTerrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves however he was unable to actually retrieve the flags at this point

To explore the options provided by the application Terrence first created a new account on the vendorrsquos website and downloaded a popular app extension for monitoring Windows systems The app downloaded as a tar and gzipped (targz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored The package also contained a folder for binaries that included among other things a Windows batch file (bat) and a number of python (py) scripts

2 more information on the use of Nmap for this purpose bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidlinesNmap_28Windows2FLinux29)

Note Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy If there is zero knowledge of the systems a fast ping scan can be used to identify systems In addition a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available You can find more information on the use of Nmap for this purpose in the PTES Technical Guideline2

reg 5

Exploiting the app codeThe first modification Terrence tried was to insert the following code into one of the python scripts import win32netcon win32net

d=

d[name] = TestingTesing

d[password] = XXXXXXXX

d[comment] = A user

d[flags] = win32netconUF_NORMAL_ACCOUNT | win32netconUF_SCRIPT

d[priv] = win32netconUSER_PRIV_USER

win32netNetUserAdd(None 1 d)

Terrence then uploaded the modified version of the app which he had renamed notwindows likely so as not to confuse his malicious app with the standard Windows app After uploading Terrence tried to RDP to the server with the credentials he had inserted into the script but was greeted with the error message in Figure 2

Figure 2 - Failed remote login attempt

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password but that Terrencersquos newly created account did not have sufficient remote login privileges

At this point Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended Terrence also became certain that this script upload vector would almost certainly be his way into the system

To log on to this remote computer you must be granted the Allow log through Terminal Ser-vices right By default members of the Remote Desktop Users group have this right If you are not a member of the Remote Desktop Users group that has this right or id the Remote Desktop Users group does not have this right you must be granted this right manually

OK

reg 6

Next Terrence had to gain remote access and escalate the privileges of his new account He tried unsuccessfully to add additional user privileges through the python scripts but he finally backtracked and looked at the batch script provided by the Windows App - notwindowsbinexploitbat On Terrencersquos local machine he modified the exploitbat script and inserted the following line at the top

win32netNetGroupAddUser(None Remote Desktop Users TestingTesting)

Gaining remote accessTerrence uploaded the app again and made sure the script was set to run He attempted to RDP again and was able to successfully log into the desktop of the target server Inspecting his permissions Terrence saw that his account was a Guest account and as such he was not able to access the Administrator home folder where the privileged flag resided

Logging out Terrence made one final modification to the batch script and replaced his previous modification with the following

win32netNetGroupAddUser(None Administrators TestingTesting)

This time when Terrence connected via his RDP session he was logged in and presented with the server administrator interface

Obtaining the flagsTo grab the privileged flag and by way of his new administrative access the unprivileged flag Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server Terrence logged back into his admin account and copied the flags to his local machine as shown in Figure 3

Bugcrowd verified the methodology employed by Terrence validated the integrity of the flags captured and awarded Terrence the win ldquoUntil this particular test I had never considered that this particular application could be abused in this wayrdquo said Terrence ldquoThe applicationrsquos framework for customization is I think one of the things that gives it so much potentialrdquo

Terrence also stated that he hoped he had ldquoshown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its applicationrdquo

Note Removing this particular threat vector would have completely nullified this attack Restricting administrative ports using a host-based firewall and providing dynamic assess for authorized administrators would have responsibly limited application access

reg 7

Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application find the flags and submit them to win the bounty ldquoWhat I did could be boiled down to a single batch scriptrdquo explains Terrance ldquoOnce access is gained to an administrator account on the application interface it would take only a minute or two to gain full access to a similarly configured systemrdquo

Other attack dataAlthough the above analysis details the winning capture methodology and timeline a number of other bugs were reported and flags captured using different vectors

reg 8

Upon commencement of Project Gauntlet 367 participants from 41 different countries viewed the bounty as illustrated in Figure 4 Of those that viewed the bounty only a small subset actively participated and submitted bugs as shown in Figure 5 The majority of attackers and submissions originated from Europe with small pockets of interest and submissions in other parts of the world

In September 96 bugs were submitted against the exercise The rate of submissions dropped off considerably after September 23 but six bugs were submitted from October 2 through October 4 bringing the total number of submitted bugs for this exercise to 102 Of the 102 total submissions only 90 were considered valid and within scope Submissions pertaining to possible Denial of Service (DoS) attacks web server information disclosure or service banner disclosure among others were eliminated and not considered Figure 6 illustrates the Project Gauntlet bug submissions over time

Figure 6 - Bug submissions throughout Project Gauntlet

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who summited bugs by country

448 AM

1200 AM

712 AM

224 AM

936 AM

448 AM

1200 AM

9813 91313 91813 92313 92813 10313 10813

The types of security submissions varied but included everything from the ability to anonymously log into the FTP server typical information disclosure about applications or services to actual flag submissions

As shown in Figure 7 the majority of submissions were in fact flag submissions (38) information disclosures (34) and anonymous FTP access (12)

When submitting a bug each attacker was asked which tools if any were used to achieve the resultant bug conditions Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing web application tools exploit frameworks and hostservice discovery tools Information about the disclosed tools can be found in Appendix A ndash Tool Information

Table 3 - Tools used

reg 9

Figure 7 Types of bug submissions by Percent

1 Banner Disclosure

38 Flag

2 Directory Permissions

34 Info Disclosure

2 No Anti-Automation

1 Default Credentials

12 Anon FTP

6 XSS

3 Web Server Conf

1 No SSL

Acunetix 4Backtrack 1Burp Suite 4FileZilla 2Firefox 2FTP (manual) 1Iceweasel browser 1Manual 3

Metasploit 1NetSparker 2Nmap 5None 4SSH client 2und3ath injector 1Visual Studio 2010 Express 1WinSCP 1

38

34

12

reg 10

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise At the time of this writing CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules

RecommendationsThe Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny The following recommendations may be considered as ldquolessons learnedrdquo guidance for current and future cloud server instance deployments

1 Change default and use strong credentials for system and application accountsEnsure that passwords are sufficiently complex so that attackers cannot readily guess them According to section 321 of the NIST Special Publication 800-118 Guide to Enterprise Password Management it is particularly important to change all default OS and application passwords lists of default accounts and passwords are widely available to attackers

According to the Penetration Testing Execution Standard (PTES) identifying whether a device application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords

Many applications store their credentials in system configuration files Windows Registry Keys or application databases Often these credentials are stored in unencrypted clear text format in which case validating that the credentials have changed from the default is trivial If the password is obfuscated using something as commonly implemented as ROT13 character substitution it is not as trivial to inspect but easily reversible If the password is encrypted it may be impossible to validate that it has been changed from the default

3 Source of the websites listed bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCommon2Fdefault_passwords)

Note Defaulft passwords can be obtained from the following websites3 bull httpwwwphenoelit-usorgdpldplhtml bull httpwwwcirtnetpasswords bull httpwwwdefaultpasswordcom bull httpwwwapsswordsdatabasecom bull httpwwwisdpodcastcomrecources62k-common-passwords

reg 11

2 Use non-trivial passwordsOrganizations should ensure that other trivial passwords cannot be set According to section 323 of the NIST Special Publication 800-118 Guide to Enterprise Password Management having strong passwords helps mitigate guessing and cracking Password strength is determined by a passwordrsquos length and complexity which is determined by the unpredictability of its characters

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password lowercase letters uppercase letters digits and symbols Username or personrsquos name ldquopasswordrdquo the organizationrsquos name simple keyboard patterns (eg ldquoqwertyrdquo ldquo1234$rdquo) dates (eg ldquo03011970rdquo) dictionary words and names of people and places should not be used

3 Employ multiple factors of authenticationMulti-factor authentication refers to the use of more than one authentication factor in place of a single factor The three types of authentication factors are something you know something you have and something you are The number of factors incorporated by the system largely determines the strength of authentication systems According to NIST Special Publication 800-63-2 Electronic Authentication Guideline implementations that use two factors are considered to be stronger than those that use only one factor and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors

With regards to application and operating system authentication many tools exist to facilitate additional authentication factors With randomly generated hardware

or software authentication tokens (as seen in Figure 8) integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances

Whichever methodology or tool you use know that multi-factor authentication can only help to add additional access control to your servers and applications

4 Block access to administrative ports until neededDo your administrators need to access your administrative access ports 247 What about the rest of the world Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers To limit the attack surface area of your servers and applications we advise blocking access to sensitive ports until an authorized user requires access

Figure 8 - Example display of a software authentication token

reg 12

Using a firewall to dynamically facilitate access is the preferred method especially in cloud environments Though many CSPs provide rudimentary firewall capability at its networkrsquos perimeter in many cases additional network protection is required According to NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy network firewalls are not able to recognize all instances and forms of attack allowing some attacks to penetrate and reach internal hosts - and attacks sent from one internal host to another may not even pass through a network firewall

As such host-based firewalls for servers provide an additional layer of security against network-based attacks These firewalls are software-based residing on the hosts they are protecting Also each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts

5 Validate user and group ownership and permissions of sensitive filesValidating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets since the dawn of computers

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files like flags in a capture-the-flag exercise and incorrectly exposing them to the rest of the world

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so If the permissions and ownership deviate from the expected state organizations should be alerted to the fact as depicted in Figure 9

Figure 9 - Example of file permission and ownership violations

Source CloudPassage Halo Configuration Security Monitoring module

13reg

6 Monitor for vulnerabilities and apply patchesKeeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs According to NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system Vulnerabilities can be exploited by a malicious entity to violate policies - for example to gain greater access or permission than is authorized on a server or within an application

When a new vulnerability is found you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system as shown in Figure 10

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date

Source CloudPassage Halo Software Vulnerability Assessment module

14reg

7 Monitor directories used by applications for uploads (and those not)If your application or server allows files to be uploaded by employees partners or customers the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers

Perhaps even more important is the monitoring of application and server directories for newly created files as seen in Figure 11 that should never have files uploaded to them ndash unless by an authorized individual

Figure 11 - Example of the detection of a newly added file

As recently as October 25 2013 the creators of the PHP application framework had their website compromised (httpwwwphpnet) According to their official report their team found that ldquotwo servers were compromised the server which hosted the wwwphpnet staticphpnet and gitphpnet domains and was previously suspected based on the JavaScript malware and the server hosting bugsphpnetrdquo

The method by which these servers were compromised was not known at the time this report was written but the PHP team was only alerted to the issue after it was flagged by Googlersquos Safe Browsing initiative as a malicious website According to Steve Ragan Staff Writer at CSO

Long before the admission of a breach security experts were certain that Googles flag was no false positive Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded Later in the evening Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit and it was attempting to drop an information-stealing Trojan called Tepfer

Source CloudPassage Halo File Integrity Monitoring module

15reg

ldquoIts unknown how many users may have been infected by the rogue JavaScript but PHPnet says the malicious code was active from October 22 until it was discovered and removed on October 24rdquo said Ragan ldquoThe attack window is small but PHPnet is in the top 250 domains on the Internet according to Alexa rankings so the pool of potential victims is massiverdquo

8 Monitor configuration files and application code for changesSimilar to monitoring for newly created files organizations should continuously monitor that production configuration files and application code do not change during normal operation

Should the company websitersquos HTML PHP or JavaScript code change or the configuration files of web database file or other application servers change without your knowledge detecting the change early could be the difference between quick mitigation and having your companyrsquos name strewn across the front page of every major news publication Figure 12

9 Automate your securityThe above recommendations may sound like an insurmountable task especially given the rate your organization is looking to deploy servers in cloud environments Though cloud environments have a multitude of benefits getting a handle on security in such a dynamic and elastic environment is a challenge

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale security automation must be directly integrated into any cloud platform (eg VMware Citrix OpenStack) or cloud service provider (eg Amazon Web Services Rackspace Savvis) you are using as illustrated in Figure 13

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning, to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration, so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture, so that one solution is deployed, integrated and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems, and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

(Figure 13 diagram; labels shown in the illustration: Enterprise Cloud, SaaS Hosting, Big Data, Test-Dev Data Center)

Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry’s only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash ‘bounties’ as well as community status. For more information, please visit http://www.bugcrowd.com.

Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner/
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: Debian project rebranded Mozilla Firefox browser.

Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only “false-positive-free web application security scanner” that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code; in short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is the secure file transfer between local and remote computers.


system-level user, and a ‘privileged’ flag owned and accessible only by the administrative (or root) user.

In order to capture the flag, an attacker would need to either elevate his or her privileges to be equal to or greater than the flag owner's, or exploit a previously unreported or unpatched vulnerability that would facilitate the flag’s capture. The Gauntlet went live on September 11, 2013 and ran until October 4.

Target information

In an effort to provide a wide and diverse pool of targets, several servers of varying types were provisioned. The operating systems used included Red Hat Enterprise Linux 6.4, CentOS 6.4, Debian 7, Ubuntu 12.04.03 LTS, Microsoft Windows 2008 R2 and Microsoft Windows 2012. These servers were provisioned and installed with a different combination of databases, FTP servers and application frameworks. Table 1 shows the operating system, application and application framework combinations that were deployed.

With the exception of configuring the bare minimum settings to get the applications and application frameworks operational, no additional hardening or obfuscation was performed. For example, an attacker that successfully footprinted one of the Linux-based targets would have discovered several active listening services, including FTP (tcp/21), SSH (tcp/22), Nginx (tcp/80) and the rpcbind service (tcp/111).

Note: External information gathering, also known as footprinting, is a phase of information gathering that consists of interaction with the target in order to gain information from a perspective external to the organization.[1]

Table 1 – System configuration matrix

    Operating System      | Debian 7 | Ubuntu 12.04.03 LTS | CentOS 6.4 | RHEL 6.4   | Windows 2008 R2 | Windows 2012
    Web                   | Nginx    | Nginx               | Apache     | Apache     | IIS             | IIS
    Database              | MySQL    | PostgreSQL          | MySQL      | PostgreSQL | MS SQL          | MS SQL
    FTP Server            | Vsftpd   | Proftpd             | Proftpd    | Vsftpd     | IIS             | IIS
    Application Framework | PHP      | PHP                 | PHP        | PHP        | ASP.NET         | ASP.NET

[1] Intelligence Gathering: http://www.pentest-standard.org/index.php/Intelligence_Gathering#Footprinting

All application and operating system logs were forwarded to a CloudPassage-managed log management application. Standard syslog configurations facilitated this requirement on the Linux-based targets, but the Windows-based targets required the installation of software to forward the operating system and application event logs to The Gauntlet centralized log server.

This application (see Figure 1), which runs on TCP port 8000, also provides a web-based administrative interface. With minimal effort, an attacker scanning one of the Microsoft Windows servers could have quickly discovered that the CherryPy httpd 3.1.2 server was available and that an application’s web user interface was exposed along with it.

At this point, an attacker would need only to open a web browser, point it at the server IP address and port (8000), and be greeted with the login prompt for the application’s web user interface.

Figure 1 - Nmap scan of one of the Windows targets

    Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 19:29 PDT
    Interesting ports on REDACTED:
    Not shown: 986 filtered ports
    PORT      STATE SERVICE        VERSION
    80/tcp    open  http           Microsoft IIS Webserver 7.5
    |_ html-title: aspinfo()
    135/tcp   open  msrpc          Microsoft Windows RPC
    139/tcp   open  netbios-ssn
    445/tcp   open  netbios-ssn
    1984/tcp  open  remoting       MS .NET Remoting services
    3389/tcp  open  microsoft-rdp  Microsoft Terminal services
    8000/tcp  open  http           CherryPy httpd 3.1.2
    |  html-title: Site doesn't have a title (text/html;charset=utf-8).
    |_ Requested resource was http://REDACTED
    8089/tcp  open  ssl/unknown
    |_ sslv2: server still supports SSLv2
    8090/tcp  open  ssl/unknown
    |_ sslv2: server still supports SSLv2
    49152/tcp open  msrpc          Microsoft Windows RPC
    49153/tcp open  msrpc          Microsoft Windows RPC
    49154/tcp open  msrpc          Microsoft Windows RPC
    49157/tcp open  msrpc          Microsoft Windows RPC
    49175/tcp open  msrpc          Microsoft Windows RPC

When this particular application is installed on a system, it is set up with a very weak password for the administrator user account. The credentials for the account are easily guessable and not unique to this particular application or vendor.

The application provides a modular framework that allows for the uploading of custom application extensions by authorized users. An attacker with sufficient privileges could take advantage of the application by uploading a script that could allow for unintended consequences upon execution. The intent of the framework is to allow users to create their own custom interfaces, dashboards and custom scripts for the collection of non-standard data.

How The Gauntlet Was Won

Upon reviewing both application and operating system logs, it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the system and gain information about the exposed attack surface area.
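As an added example (not code from the report or from CloudPassage), here is the kind of log-review logic that surfaces Nmap-style footprinting in forwarded host firewall logs: group events by source address and alert when one source touches many distinct destination ports within a short window, calling out probes against the administrative ports the targets exposed (SSH, RDP and the log application's web UI on 8000). The iptables-style syslog lines, the addresses (RFC 5737 documentation ranges) and the timestamps are constructed for the example; the line format is an assumption, and real log forwarders will differ.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of host firewall log lines in the iptables/syslog style.
# Not from the report. Two sources appear: one probing a dozen ports within
# a few seconds (a port sweep) and one ordinary client talking to port 80.
SCAN_PORTS = [21, 22, 23, 25, 80, 111, 135, 139, 443, 445, 3389, 8000]
SAMPLE_LOG = [
    f"Sep 17 19:29:{i:02d} win2008 kernel: IN=eth0 OUT= SRC=198.51.100.7 "
    f"DST=10.0.0.5 PROTO=TCP SPT={51000 + i} DPT={port} SYN"
    for i, port in enumerate(SCAN_PORTS)
] + [
    f"Sep 17 19:{30 + 2 * j:02d}:15 win2008 kernel: IN=eth0 OUT= SRC=203.0.113.9 "
    f"DST=10.0.0.5 PROTO=TCP SPT={40000 + j} DPT=80 SYN"
    for j in range(5)
]

# Administrative ports exposed on the exercise's targets (SSH, RDP, log app UI).
ADMIN_PORTS = {22, 3389, 8000}

# Syslog timestamp, host, "kernel:", then the SRC= and DPT= fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2013):
    """Return (timestamp, source address, destination port), or None if the
    line is not a firewall event. Syslog carries no year, so the caller
    supplies it."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag sources that hit at least `threshold` distinct destination ports
    inside any `window`: that is what an Nmap-style sweep looks like to a
    host firewall. Returns {src: {"distinct_ports": n, "admin_ports_probed": [...]}}."""
    by_src = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            by_src.setdefault(src, []).append((ts, dpt))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            # distinct ports seen from this event to the end of the window
            ports = {p for ts, p in events[i:] if ts - start <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            findings[src] = {
                "distinct_ports": len(best),
                "admin_ports_probed": sorted(best & ADMIN_PORTS),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_ports']} distinct ports within a minute; "
              f"administrative ports probed: {info['admin_ports_probed']}")
```

The threshold and window are tuning knobs: a sweep of the 1,000 most common ports, as in the Nmap run shown in Figure 1, crosses a ten-port threshold in well under a second, while a legitimate client rarely opens more than a handful of distinct ports on one server.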

Several attackers submitted flags for consideration, but only one attacker (who we'll call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server, effectively ending the race for the bounty.

Exploitation of default administrative credentials

Terrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system. Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves; however, he was unable to actually retrieve the flags at this point.

To explore the options provided by the application, Terrence first created a new account on the vendor’s website and downloaded a popular app extension for monitoring Windows systems. The app downloaded as a tar and gzipped (.tar.gz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored. The package also contained a folder for binaries that included, among other things, a Windows batch file (.bat) and a number of python (.py) scripts.

Note: Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy. If there is zero knowledge of the systems, a fast ping scan can be used to identify systems. In addition, a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available. You can find more information on the use of Nmap for this purpose in the PTES Technical Guideline.[2]

[2] More information on the use of Nmap for this purpose: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Nmap_.28Windows.2FLinux.29

Exploiting the app code

The first modification Terrence tried was to insert the following code into one of the python scripts:

    import win32netcon, win32net

    # USER_INFO_1 structure for NetUserAdd: creates a local account on the
    # host that executes the script, i.e. the server running the uploaded app
    d = {}
    d['name'] = 'TestingTesting'
    d['password'] = 'XXXXXXXX'
    d['comment'] = 'A user'
    d['flags'] = win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
    d['priv'] = win32netcon.USER_PRIV_USER
    win32net.NetUserAdd(None, 1, d)

Terrence then uploaded the modified version of the app, which he had renamed notwindows, likely so as not to confuse his malicious app with the standard Windows app. After uploading, Terrence tried to RDP to the server with the credentials he had inserted into the script, but was greeted with the error message in Figure 2.

Figure 2 - Failed remote login attempt

    To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

    OK

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password, but that Terrence’s newly created account did not have sufficient remote login privileges.

At this point, Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended. Terrence also became certain that this script upload vector would almost certainly be his way into the system.

Next, Terrence had to gain remote access and escalate the privileges of his new account. He tried unsuccessfully to add additional user privileges through the python scripts, but he finally backtracked and looked at the batch script provided by the Windows App, notwindows/bin/exploit.bat. On Terrence’s local machine he modified the exploit.bat script and inserted the following line at the top:

    win32net.NetGroupAddUser(None, 'Remote Desktop Users', 'TestingTesting')

Gaining remote access

Terrence uploaded the app again and made sure the script was set to run. He attempted to RDP again and was able to successfully log into the desktop of the target server. Inspecting his permissions, Terrence saw that his account was a Guest account and, as such, he was not able to access the Administrator home folder where the privileged flag resided.

Logging out, Terrence made one final modification to the batch script and replaced his previous modification with the following:

    win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')

This time, when Terrence connected via his RDP session, he was logged in and presented with the server administrator interface.
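The create-then-elevate sequence just described leaves a recognisable trail in the Windows Security log, which the exercise was already forwarding to a central server. As an added example, not part of the report, the following correlation rule flags an account that is created (event 4720) and shortly afterwards added to a local group such as Administrators or Remote Desktop Users (event 4732), rating that pairing higher than an isolated group change. The flattened key=value line format and every sample value are constructed for the example; only the event IDs are the standard Windows ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events, flattened to the
# fields a correlation rule needs. The line format is an assumption (real
# forwarders differ); 4720 = a user account was created, 4732 = a member was
# added to a security-enabled local group. All values are invented.
SAMPLE_EVENTS = """\
2013-09-17T21:02:11 host=WIN2008R2 event_id=4720 subject=NT AUTHORITY\\SYSTEM target=TestingTesting
2013-09-17T21:02:12 host=WIN2008R2 event_id=4732 subject=NT AUTHORITY\\SYSTEM member=TestingTesting group=Remote Desktop Users
2013-09-17T21:40:05 host=WIN2008R2 event_id=4732 subject=NT AUTHORITY\\SYSTEM member=TestingTesting group=Administrators
2013-09-17T22:00:00 host=WIN2008R2 event_id=4732 subject=WIN2008R2\\Administrator member=svc_backup group=Backup Operators
2013-09-18T09:15:30 host=WIN2008R2 event_id=4720 subject=WIN2008R2\\Administrator target=jsmith
2013-09-19T08:00:00 host=WIN2008R2 event_id=4732 subject=WIN2008R2\\Administrator member=jdoe group=Administrators
"""

# Local groups whose membership grants remote or administrative access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# key=value pairs whose values may contain spaces (group names, DOMAIN\user);
# a value runs until the next " key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one flattened event into a dict with a datetime and int event_id."""
    ts_text, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["timestamp"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    event["event_id"] = int(event["event_id"])
    return event


def correlate(log_text, window=timedelta(hours=24)):
    """Alert on additions to privileged local groups.

    If the member was created (4720) less than `window` before being added,
    the alert is 'high': that create-then-elevate pattern is what the script
    uploaded through the logging application did in the exercise. Any other
    addition to a privileged group is 'medium' and still worth a look."""
    created_at = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event_id"] == 4720:
            created_at[ev["target"]] = ev["timestamp"]
        elif ev["event_id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            born = created_at.get(ev["member"])
            recent = born is not None and ev["timestamp"] - born <= window
            alerts.append({
                "severity": "high" if recent else "medium",
                "account": ev["member"],
                "group": ev["group"],
                "by": ev["subject"],
                "when": ev["timestamp"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['when']} {alert['account']} "
              f"added to '{alert['group']}' by {alert['by']}")
```

The subject field is worth a second rule of its own: account changes performed under the identity the logging application's service runs as (here the constructed NT AUTHORITY\SYSTEM) have no business reason on a server where only administrators manage users.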

Obtaining the flags

To grab the privileged flag and, by way of his new administrative access, the unprivileged flag, Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server. Terrence logged back into his admin account and copied the flags to his local machine, as shown in Figure 3.

Bugcrowd verified the methodology employed by Terrence, validated the integrity of the flags captured and awarded Terrence the win. “Until this particular test, I had never considered that this particular application could be abused in this way,” said Terrence. “The application’s framework for customization is, I think, one of the things that gives it so much potential.”

Terrence also stated that he hoped he had “shown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its application.”

Note: Removing this particular threat vector would have completely nullified this attack. Restricting administrative ports using a host-based firewall and providing dynamic access for authorized administrators would have responsibly limited application access.

Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application, find the flags and submit them to win the bounty. “What I did could be boiled down to a single batch script,” explains Terrence. “Once access is gained to an administrator account on the application interface, it would take only a minute or two to gain full access to a similarly configured system.”

Other attack data

Although the above analysis details the winning capture methodology and timeline, a number of other bugs were reported and flags captured using different vectors.

Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who submitted bugs by country

Figure 6 - Bug submissions throughout Project Gauntlet

(Figure 6 chart area; x-axis dates 9/8/13, 9/13/13, 9/18/13, 9/23/13, 9/28/13, 10/3/13 and 10/8/13)

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A – Tool Information.

Table 3 - Tools used

    Tool                          Submissions
    Acunetix                      4
    Backtrack                     1
    Burp Suite                    4
    FileZilla                     2
    Firefox                       2
    FTP (manual)                  1
    Iceweasel browser             1
    Manual                        3
    Metasploit                    1
    NetSparker                    2
    Nmap                          5
    None                          4
    SSH client                    2
    und3ath injector              1
    Visual Studio 2010 Express    1
    WinSCP                        1

Figure 7 - Types of bug submissions by percent

    Flag                    38%
    Info Disclosure         34%
    Anon FTP                12%
    XSS                      6%
    Web Server Conf          3%
    Directory Permissions    2%
    No Anti-Automation       2%
    Banner Disclosure        1%
    Default Credentials      1%
    No SSL                   1%

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as “lessons learned” guidance for current and future cloud server instance deployments.

1. Change default and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted clear text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect but is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites:[3]
• http://www.phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com
• http://www.apsswordsdatabase.com
• http://www.isdpodcast.com/recources/62k-common-passwords

[3] Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common.2Fdefault_passwords

2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password’s length and complexity, which is determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. The username or person’s name, “password”, the organization’s name, simple keyboard patterns (e.g. “qwerty”, “1234$”), dates (e.g. “03011970”), dictionary words and names of people and places should not be used.
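Added example (not from the report or from NIST): a checker that applies the policy described in recommendations 1 and 2, requiring three of the four character groups and rejecting known default passwords, the username or person's name, the organization's name, keyboard patterns, dates and dictionary words. The default-password and dictionary lists are constructed stand-ins for the sources the report cites; the 12-character minimum is an assumption of this example, not a figure from the page.

```python
import re
from datetime import datetime

# Constructed word lists standing in for the organisation's own. In a real
# deployment the default-credential list would be built from sources such as
# those the report cites; these few entries exist only to make the example run.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "root", "toor"}
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "abcd")
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")


def character_groups(password):
    """Count how many of the four groups (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def looks_like_date(digits):
    """True if a 6- or 8-digit run parses as a calendar date (e.g. 03011970)."""
    if len(digits) not in (6, 8):
        return False
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def check_password(password, username="", full_name="", org_name="", min_length=12):
    """Apply the recommendation's policy and return the reasons a password
    fails; an empty list means it is acceptable. Checks are case-insensitive
    so that 'Password1' is treated like 'password1'."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_groups(password) < 3:
        problems.append("uses fewer than three of the four character groups")
    if lowered in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    # username, person's name and organisation name: any word of 3+ letters
    for label, value in (("username", username), ("person's name", full_name),
                         ("organisation name", org_name)):
        if any(len(part) >= 3 and part in lowered for part in value.lower().split()):
            problems.append(f"contains the {label}")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    if looks_like_date(re.sub(r"\D", "", password)):
        problems.append("looks like a date")
    # strip digits and symbols so 'Summer2013!' is still caught as a word
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Qwerty!2345678", "Acme-03011970-x", "Tr4ffic-cone#Orbit9"):
        verdict = check_password(candidate, username="jsmith",
                                 full_name="John Smith", org_name="Acme Corp")
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Enforcing this at account creation time (a PAM module, the application's own password-change handler, or a pre-commit check on configuration files that carry credentials) is what turns the policy into a control; a checker that runs only in audits finds the weak password after the fact.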

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of authentication systems. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regard to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

Figure 8 - Example display of a software authentication token

4. Block access to administrative ports until needed

Do your administrators need to access your administrative access ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers. To limit the attack surface area of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network’s perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Also, each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets since the dawn of computers.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files, like flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations

Source: CloudPassage Halo Configuration Security Monitoring module
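One way to perform the check described above, as an added example rather than anything from the report or the Halo module shown in Figure 9: compare each sensitive file's owner, group and mode against a declared policy and report deviations, including files that should exist but do not. The sample files are constructed in a temporary directory; the expected owner is taken to be the user running the audit, an assumption made so the example runs anywhere, and the function names are this example's own.

```python
import os
import stat
import tempfile


def audit_file(path, expected_uid, expected_gid, forbidden_bits):
    """Compare one file with its expected owner, group and permission policy.

    forbidden_bits are permission bits that must be clear: 0o077 for a file
    only its owner may touch (a flag, a private key), 0o022 for one that may
    be read but never written by group or others (a config file).
    Returns a list of violation strings; empty means compliant."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    violations = []
    if st.st_uid != expected_uid:
        violations.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        violations.append(f"group gid {st.st_gid}, expected {expected_gid}")
    if mode & forbidden_bits:
        violations.append(
            f"mode {mode:04o} grants forbidden bits {mode & forbidden_bits:04o}")
    return violations


def audit(policy):
    """policy: iterable of (path, uid, gid, forbidden_bits).
    Returns {path: [violations]} holding only the non-compliant entries; a
    path the policy expects but that is absent is reported as 'missing'."""
    report = {}
    for path, uid, gid, forbidden in policy:
        if not os.path.lexists(path):
            report[path] = ["missing"]
            continue
        found = audit_file(path, uid, gid, forbidden)
        if found:
            report[path] = found
    return report


def build_demo():
    """Create constructed sample files in a temporary directory, plus the
    policy meant to govern them. The expected owner is whoever runs the
    script (assumption), so the owner checks pass and the permission checks
    carry the lesson."""
    root = tempfile.mkdtemp(prefix="perm-audit-demo-")
    uid, gid = os.getuid(), os.getgid()
    # constructed files: 0600 is right for a flag; 0644 exposes it to every
    # local account; 0666 lets anyone rewrite the application's configuration
    for name, mode in (("privileged.flag", 0o600),
                       ("unprivileged.flag", 0o644),
                       ("app.conf", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    policy = [
        (os.path.join(root, "privileged.flag"), uid, gid, 0o077),
        (os.path.join(root, "unprivileged.flag"), uid, gid, 0o077),
        (os.path.join(root, "app.conf"), uid, gid, 0o022),
        (os.path.join(root, "missing.conf"), uid, gid, 0o022),  # expected, absent
    ]
    return root, policy


def demo_violations():
    """Audit the constructed files and return the offending basenames, sorted."""
    _, policy = build_demo()
    return sorted(os.path.basename(p) for p in audit(policy))


if __name__ == "__main__":
    root, policy = build_demo()
    for path, problems in audit(policy).items():
        print(f"{os.path.relpath(path, root)}: {'; '.join(problems)}")
```

The policy, not the checker, is the hard part: it has to be written down per file (who owns it, who may read it, who may write it) before any deviation can be called a violation, which is the "expected state" the recommendation refers to.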

6. Monitor for vulnerabilities and apply patches

Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

Source: CloudPassage Halo Software Vulnerability Assessment module

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date.

7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories for newly created files, as seen in Figure 11, that should never have files uploaded to them, unless by an authorized individual.

Figure 11 - Example of the detection of a newly added file
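As an added example serving recommendations 7 and 8 together (it is not the report's code or the Halo module shown in Figure 11): a baseline-and-compare file integrity check that reports modified, deleted and newly created files, and rates a new file as high severity when it appears outside the directories declared as upload locations, since nothing should be written there in normal operation. The web-root files and their contents are constructed in a temporary directory for the demonstration, and the function names are this example's own.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = digest.hexdigest()
    return state


def compare(baseline, current, upload_dirs=()):
    """Diff two snapshots and return (kind, path, severity) tuples.

    modified: a baselined file's content changed (code or config edited)
    deleted:  a baselined file is gone
    new:      a file appeared; 'low' inside a declared upload directory,
              'high' anywhere else, because code and config directories
              gain files only through a deliberate deployment."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("deleted", rel, "medium"))
        elif rel not in baseline:
            expected = any(rel.startswith(d.strip("/") + "/") for d in upload_dirs)
            findings.append(("new", rel, "low" if expected else "high"))
        elif baseline[rel] != current[rel]:
            findings.append(("modified", rel, "high"))
    return findings


def _write(root, rel, text):
    """Create a constructed sample file at root/rel, making parent directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def run_demo():
    """Constructed web root: take a baseline, then make each kind of change
    the recommendations want caught, and return the findings."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    _write(root, "app/index.php", "<?php echo 'hello'; ?>\n")
    _write(root, "app/config.php", "<?php $db_host = 'localhost'; ?>\n")
    _write(root, "app/old.txt", "to be removed\n")
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)
    baseline = snapshot(root)

    _write(root, "app/config.php", "<?php $db_host = '203.0.113.5'; ?>\n")  # config edited
    _write(root, "app/extra.php", "<?php /* unexpected file in the code directory */ ?>\n")
    _write(root, "uploads/report.pdf", "constructed upload\n")  # where uploads belong
    os.remove(os.path.join(root, "app", "old.txt"))

    return compare(baseline, snapshot(root), upload_dirs=("uploads",))


if __name__ == "__main__":
    for kind, rel, severity in run_demo():
        print(f"[{severity}] {kind}: {rel}")
```

In production the baseline is taken from a known-good deployment and stored off the host, so that an attacker who can alter the web root cannot also alter the record it is compared against; a snapshot kept beside the files it describes proves nothing.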

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that “two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net.”

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google’s Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

“Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit and it was attempting to drop an information-stealing Trojan called Tepfer.”

Source (Figure 11): CloudPassage Halo File Integrity Monitoring module


18reg

Appendix A ndash Tool InformationAcunetix Web Vulnerability ScannerURL httpwwwacunetixcomvulnerability-scanner Description Acunetix develops an heuristic non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking

BacktrackURL httpwwwbacktrack-linuxorg Description BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

All application and operating system logs were forwarded to a CloudPassage-managed log management application. Standard syslog configurations facilitated this requirement on the Linux-based targets, but the Windows-based targets required the installation of software to forward the operating system and application event logs to The Gauntlet centralized log server.

This application (see Figure 1), which runs on TCP port 8000, also provides a web-based administrative interface. With minimal effort, an attacker scanning one of the Microsoft Windows servers could have quickly discovered that the CherryPy httpd 3.1.2 server was available and that an application's web user interface was exposed along with it.

Figure 1 - Nmap scan of one of the Windows targets

At this point, an attacker would need only to open a web browser, point it at the server IP address and port (8000), and be greeted with the login prompt for the application's web user interface.

Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 19:29 PDT
Interesting ports on REDACTED:
Not shown: 986 filtered ports
PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS webserver 7.5
|_ html-title: aspinfo()
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
1984/tcp  open  remoting       MS .NET Remoting services
3389/tcp  open  microsoft-rdp  Microsoft Terminal services
8000/tcp  open  http           CherryPy httpd 3.1.2
| html-title: Site doesn't have a title (text/html;charset=utf-8).
|_ Requested resource was http://REDACTED
8089/tcp  open  ssl/unknown
|_sslv2: server still supports SSLv2
8090/tcp  open  ssl/unknown
|_sslv2: server still supports SSLv2
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
49175/tcp open  msrpc          Microsoft Windows RPC
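The scan above is the attacker's view; the defender's counterpart is to run the same discovery against your own instances and fail the build when administrative services are reachable from the Internet. The following Python is an added example (not code from the report or from CloudPassage) that parses Nmap's normal output and raises findings for a small, assumed list of ports that should never be exposed, for dynamic RPC endpoints, and for the SSLv2 script result shown in Figure 1. The sample scan text is constructed and modelled on Figure 1, not copied from it.

```python
import re

# Constructed sample modelled on the Figure 1 scan of a Windows target (not the report's exact output).
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS webserver 7.5
135/tcp   open  msrpc          Microsoft Windows RPC
445/tcp   open  netbios-ssn
3389/tcp  open  microsoft-rdp  Microsoft Terminal services
8000/tcp  open  http           CherryPy httpd 3.1.2
|_ Requested resource was http://REDACTED
8089/tcp  open  ssl/unknown
|_sslv2: server still supports SSLv2
49152/tcp open  msrpc          Microsoft Windows RPC
"""

# Assumed policy: ports that must never be reachable from untrusted networks on a server like this.
ADMIN_PORTS = {22: "SSH", 135: "MSRPC", 139: "NetBIOS", 445: "SMB",
               3389: "RDP", 8000: "management web UI"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return one dict per open port; NSE script lines ('|' / '|_') attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return [p for p in ports if p["state"] == "open"]


def exposure_findings(text, admin_ports=ADMIN_PORTS):
    """Turn a scan into a sorted list of (port, finding) tuples a CI gate or ticketing system can act on."""
    findings = []
    for p in parse_nmap(text):
        if p["port"] in admin_ports:
            findings.append((p["port"], f"{admin_ports[p['port']]} reachable from the scanning host"))
        if p["port"] >= 49152 and p["service"] == "msrpc":
            findings.append((p["port"], "dynamic RPC endpoint exposed"))
        for s in p["scripts"]:
            if "SSLv2" in s:
                findings.append((p["port"], "service still supports SSLv2"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in exposure_findings(SAMPLE_NMAP_OUTPUT):
        print(f"{port:>5}  {finding}")
```

Run it against `nmap -sV -oN scan.txt <host>` output taken from outside the cloud provider's network; any finding for port 8000 or 3389 is exactly the exposure that let The Gauntlet's winner reach the login prompt.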


When this particular application is installed on a system, it is set up with a very weak password for the administrator user account. The credentials for the account are easily guessable and not unique to this particular application or vendor.

The application provides a modular framework that allows for the uploading of custom application extensions by authorized users. An attacker with sufficient privileges could take advantage of the application by uploading a script that could allow for unintended consequences upon execution. The intent of the framework is to allow users to create their own custom interfaces, dashboards and custom scripts for the collection of non-standard data.

How The Gauntlet Was Won

Upon reviewing both application and operating system logs, it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the system and gain information about the exposed attack surface area.

Several attackers submitted flags for consideration, but only one attacker (who we'll call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server – effectively ending the race for the bounty.

Exploitation of default administrative credentials

Terrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system. Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves; however, he was unable to actually retrieve the flags at this point.

To explore the options provided by the application, Terrence first created a new account on the vendor's website and downloaded a popular app extension for monitoring Windows systems. The app downloaded as a tar and gzipped (.tar.gz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored. The package also contained a folder for binaries that included, among other things, a Windows batch file (.bat) and a number of Python (.py) scripts.

Note: Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy. If there is zero knowledge of the systems, a fast ping scan can be used to identify systems. In addition, a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available. You can find more information on the use of Nmap for this purpose in the PTES Technical Guideline [2].

[2] More information on the use of Nmap for this purpose: http://www.pentest-standard.org/index.php/PTES_Technical_Guidlines#Nmap_%28Windows%2FLinux%29


Exploiting the app code

The first modification Terrence tried was to insert the following code into one of the Python scripts (it uses the pywin32 win32net API to create a local user account):

    import win32netcon, win32net

    # Attributes of the local account to create (USER_INFO_1 level)
    d = {}
    d['name'] = 'TestingTesing'
    d['password'] = 'XXXXXXXX'
    d['comment'] = 'A user'
    d['flags'] = win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
    d['priv'] = win32netcon.USER_PRIV_USER
    # Create the account on the local machine (None = this server)
    win32net.NetUserAdd(None, 1, d)

Terrence then uploaded the modified version of the app, which he had renamed "notwindows", likely so as not to confuse his malicious app with the standard Windows app. After uploading, Terrence tried to RDP to the server with the credentials he had inserted into the script, but was greeted with the error message in Figure 2.

Figure 2 - Failed remote login attempt

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password, but that Terrence's newly created account did not have sufficient remote login privileges.

At this point, Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended. Terrence also became certain that this script upload vector would almost certainly be his way into the system.

Figure 2 dialog text: "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually." [OK]


Next, Terrence had to gain remote access and escalate the privileges of his new account. He tried unsuccessfully to add additional user privileges through the Python scripts, but he finally backtracked and looked at the batch script provided by the Windows app - notwindows\bin\exploit.bat. On Terrence's local machine, he modified the exploit.bat script and inserted the following line at the top:

    win32net.NetGroupAddUser(None, 'Remote Desktop Users', 'TestingTesting')

Gaining remote access

Terrence uploaded the app again and made sure the script was set to run. He attempted to RDP again and was able to successfully log into the desktop of the target server. Inspecting his permissions, Terrence saw that his account was a Guest account and, as such, he was not able to access the Administrator home folder where the privileged flag resided.

Logging out, Terrence made one final modification to the batch script and replaced his previous modification with the following:

    win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')

This time, when Terrence connected via his RDP session, he was logged in and presented with the server administrator interface.

Obtaining the flags

To grab the privileged flag and, by way of his new administrative access, the unprivileged flag, Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server. Terrence logged back into his admin account and copied the flags to his local machine, as shown in Figure 3.

Bugcrowd verified the methodology employed by Terrence, validated the integrity of the flags captured and awarded Terrence the win. "Until this particular test, I had never considered that this particular application could be abused in this way," said Terrence. "The application's framework for customization is, I think, one of the things that gives it so much potential."

Terrence also stated that he hoped he had "shown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its application".

Note: Removing this particular threat vector would have completely nullified this attack. Restricting administrative ports using a host-based firewall and providing dynamic access for authorized administrators would have responsibly limited application access.
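Every step of the escalation above leaves a trace in the Windows Security log, which this exercise was already forwarding to a central log server: account creation (event 4720) followed minutes later by membership added to Remote Desktop Users and then Administrators (event 4732). The following Python is an added detection example (not code from the report or from CloudPassage) that replays constructed, forwarded events in a key=value format and alerts when a freshly created account is added to a privileged local group within a short window. The event lines, field names and the one-hour window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed forwarded Security-log events (not the exercise's real log data).
SAMPLE_EVENTS = [
    "2013-09-17T20:01:12 EventCode=4720 TargetUserName=TestingTesting SubjectUserName=SYSTEM Message=A user account was created.",
    "2013-09-17T20:09:40 EventCode=4732 TargetGroup=Remote Desktop Users MemberName=TestingTesting SubjectUserName=SYSTEM",
    "2013-09-17T20:25:03 EventCode=4732 TargetGroup=Administrators MemberName=TestingTesting SubjectUserName=SYSTEM",
    "2013-09-17T21:00:00 EventCode=4732 TargetGroup=Administrators MemberName=ops-admin SubjectUserName=Administrator",
]

# Local groups whose membership changes always deserve review (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# key=value pairs whose values may contain spaces ("Remote Desktop Users"); a value ends
# where the next "key=" begins or at end of line.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split '<iso timestamp> key=value ...' into a dict with a datetime under 'time'."""
    ts, _, rest = line.partition(" ")
    ev = {"time": datetime.fromisoformat(ts)}
    ev.update(dict(KV.findall(rest)))
    return ev


def detect_account_abuse(lines, window=timedelta(hours=1)):
    """Return (severity, message) alerts.

    MEDIUM: any member added to a privileged local group.
    HIGH:   the member was created (4720) less than `window` before being added (4732),
            the create-then-elevate pattern used by The Gauntlet's winner.
    """
    created = {}   # account name -> creation time
    alerts = []
    for ev in map(parse_event, lines):
        code = ev.get("EventCode")
        if code == "4720":
            created[ev["TargetUserName"]] = ev["time"]
        elif code == "4732" and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            member, group = ev["MemberName"], ev["TargetGroup"]
            alerts.append(("MEDIUM", f"{member} added to {group} by {ev.get('SubjectUserName', '?')}"))
            if member in created and ev["time"] - created[member] <= window:
                age = ev["time"] - created[member]
                alerts.append(("HIGH", f"{member} created {age} before being added to {group}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect_account_abuse(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

In a real pipeline the same logic keys on the forwarded event's own fields (the Windows event IDs are the same); the point is the correlation, which catches the pattern even when the group add is performed by a service account the attacker has hijacked rather than by the attacker's interactive session.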


Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application, find the flags and submit them to win the bounty. "What I did could be boiled down to a single batch script," explains Terrence. "Once access is gained to an administrator account on the application interface, it would take only a minute or two to gain full access to a similarly configured system."

Other attack data

Although the above analysis details the winning capture methodology and timeline, a number of other bugs were reported and flags captured using different vectors.


Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 6 - Bug submissions throughout Project Gauntlet

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who submitted bugs by country

[Figure 6 chart axes: x-axis dates 9/8/13, 9/13/13, 9/18/13, 9/23/13, 9/28/13, 10/3/13, 10/8/13; y-axis time of day, 12:00 AM to 9:36 AM]

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A – Tool Information.

Table 3 - Tools used

Tool                          Submissions
Acunetix                      4
Backtrack                     1
Burp Suite                    4
FileZilla                     2
Firefox                       2
FTP (manual)                  1
Iceweasel browser             1
Manual                        3
Metasploit                    1
NetSparker                    2
Nmap                          5
None                          4
SSH client                    2
und3ath injector              1
Visual Studio 2010 Express    1
WinSCP                        1

Figure 7 - Types of bug submissions by percent

Flag 38%; Info Disclosure 34%; Anon FTP 12%; XSS 6%; Web Server Conf 3%; Directory Permissions 2%; No Anti-Automation 2%; Banner Disclosure 1%; Default Credentials 1%; No SSL 1%


The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected, while following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often, these credentials are stored in unencrypted clear-text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect, but it is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites [3]:

• http://www.phenoelit-us.org/dpl/dpl.html

• http://www.cirt.net/passwords

• http://www.defaultpassword.com

• http://www.apsswordsdatabase.com

• http://www.isdpodcast.com/recources/62k-common-passwords

[3] Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common%2Fdefault_passwords


2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which is determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. Usernames or a person's name, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03011970"), dictionary words and the names of people and places should not be used.
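The policy in the paragraph above is concrete enough to enforce at the point where a password is set. The following Python is an added example (not code from the report or from CloudPassage) that implements it as a checker returning every violation rather than just pass/fail, so the user can fix all of them at once: the three-of-four character class rule, the username, person and organization name checks, keyboard patterns, dates and dictionary words. The minimum length of 12, the tiny pattern and dictionary lists, and the date formats are assumptions; a deployment would load a full wordlist.

```python
import re
from datetime import datetime

# Constructed, deliberately small lists; a real deployment loads complete ones.
KEYBOARD_PATTERNS = ["qwerty", "asdfgh", "zxcvbn", "1234", "abcd"]
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")


def character_classes(pw):
    """Count how many of the four groups (lower, upper, digit, symbol) appear in pw."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def looks_like_date(digits):
    """True if a run of 6 or 8 digits parses as a calendar date in a common layout."""
    if len(digits) not in (6, 8):
        return False
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False


def evaluate_password(pw, username="", person_name="", org_name="", min_length=12):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three of: lowercase, uppercase, digits, symbols")
    for label, value in (("username", username), ("person's name", person_name),
                         ("organization name", org_name)):
        if value and value.lower() in low:
            problems.append(f"contains {label}")
    if any(p in low for p in KEYBOARD_PATTERNS):
        problems.append("contains keyboard pattern")
    if looks_like_date(re.sub(r"\D", "", pw)):
        problems.append("looks like a date")
    if any(word in low for word in DICTIONARY):
        problems.append("contains dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty1234", "03011970", "Gauntlet-Report-2013!"):
        print(candidate, "->", evaluate_password(candidate, username="jsmith") or "OK")
```

Substring matching is intentional: "Jsmith-Rocks-99!" still contains the username, and "Welcome2013!!!" still contains a dictionary word, even though both satisfy the character class rule.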

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of authentication systems. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regards to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4. Block access to administrative ports until needed

Do your administrators need to access your administrative access ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers. To limit the attack surface area of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Figure 8 - Example display of a software authentication token


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network's perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts - and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Also, each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.
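"Dynamic access" in recommendation 4 means a default-deny rule on administrative ports plus grants that are scoped to one source address and expire on their own. The following Python is an added example (not code from the report or from CloudPassage) of the policy object behind such a host firewall: it tracks time-limited grants, answers whether a given source may reach a given port at a given time, refuses overly broad source ranges, and renders the equivalent Linux iptables rules. The port list, the /24 minimum prefix and the iptables rendering are assumptions for illustration; a Windows host would render `netsh advfirewall` rules from the same grants.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed administrative ports for the example (RDP and the port-8000 web UI from Figure 1, plus SSH).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 8000: "management web UI"}

# Fixed clock values so the behaviour is reproducible.
T0 = datetime(2013, 9, 17, 20, 0)
MINUTE = timedelta(minutes=1)


class AdminPortPolicy:
    """Default-deny for administrative ports; grants are per source network, per port, and expire."""

    def __init__(self, admin_ports=ADMIN_PORTS, min_prefix=24):
        self.admin_ports = dict(admin_ports)
        self.min_prefix = min_prefix
        self.grants = []  # (network, port, expires_at, granted_to)

    def grant(self, source_cidr, port, minutes, now, granted_to):
        """Open one admin port to one source range for a bounded time."""
        if port not in self.admin_ports:
            raise ValueError(f"port {port} is not an administrative port in this policy")
        net = ip_network(source_cidr, strict=False)
        if net.prefixlen < self.min_prefix:
            raise ValueError("refusing broad grant; request a tighter source range")
        self.grants.append((net, port, now + minutes * MINUTE, granted_to))

    def allows(self, source_ip, port, now):
        """Admin ports need a live grant covering the source; other ports follow the base policy."""
        if port not in self.admin_ports:
            return True
        src = ip_address(source_ip)
        return any(src in net and p == port and now < exp for net, p, exp, _ in self.grants)

    def expire(self, now):
        """Drop grants whose window has closed (run from a timer so access really does lapse)."""
        self.grants = [g for g in self.grants if g[2] > now]

    def render_iptables(self, now):
        """Emit the rules this policy implies: live ACCEPTs first, then a DROP per admin port."""
        rules = [f"-A INPUT -s {net} -p tcp --dport {port} "
                 f"-m comment --comment '{who} until {exp:%H:%M}' -j ACCEPT"
                 for net, port, exp, who in self.grants if exp > now]
        rules += [f"-A INPUT -p tcp --dport {port} -j DROP" for port in self.admin_ports]
        return rules


if __name__ == "__main__":
    policy = AdminPortPolicy()
    policy.grant("198.51.100.7/32", 3389, 60, T0, "alice")
    print("\n".join(policy.render_iptables(T0)))
```

Because the DROP rules are unconditional and the ACCEPTs are regenerated from the grant list, an expired grant disappears from the ruleset on the next render rather than lingering until someone remembers to remove it.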

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets, dating from the dawn of computing.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files, like flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations

Source CloudPassage Halo Configuration Security Monitoring module


6. Monitor for vulnerabilities and apply patches

Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies - for example, to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

This allows your organization to prioritize issues across its entire cloud infrastructure and ensure that packages remain secure and up-to-date.

Source CloudPassage Halo Software Vulnerability Assessment module
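Ranking a new vulnerability, as recommendation 6 asks, comes down to two questions per host: is the affected package installed at a version below the fix, and is the vulnerable service actually reachable? The following Python is an added example (not code from the report or from CloudPassage) that joins a constructed package inventory (with the ports each package listens on) against constructed advisories and orders the results by base score weighted for exposure. The advisory identifiers (ADV-xxxx), package versions, scores and the doubling factor for exposed services are placeholders and assumptions; the version comparison is a simplification of distribution version rules, not a replacement for the package manager's own.

```python
import re

# Constructed inventory: package -> (installed version, ports it listens on). Not data from the report.
INVENTORY = {
    "openssh-server": ("5.9p1", [22]),
    "apache2": ("2.2.22", [80, 443]),
    "mysql-server": ("5.5.31", []),   # bound to localhost only, so no exposed ports
    "libxml2": ("2.7.8", []),
}

# Constructed advisories with placeholder identifiers (not real CVE numbers or real fix versions).
ADVISORIES = [
    {"id": "ADV-0001", "package": "apache2", "fixed_in": "2.2.25", "cvss": 7.5, "remote": True},
    {"id": "ADV-0002", "package": "mysql-server", "fixed_in": "5.5.32", "cvss": 6.5, "remote": True},
    {"id": "ADV-0003", "package": "libxml2", "fixed_in": "2.9.0", "cvss": 4.3, "remote": False},
    {"id": "ADV-0004", "package": "openssh-server", "fixed_in": "5.8p1", "cvss": 5.0, "remote": True},
]


def version_key(version):
    """Split '2.2.22' or '5.9p1' into comparable chunks; numbers sort numerically, letters lexically.
    Simplification: real dpkg/rpm comparison has more rules (epochs, tildes, release suffixes)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", version)]


def is_vulnerable(installed, fixed_in):
    return version_key(installed) < version_key(fixed_in)


def rank_findings(inventory=INVENTORY, advisories=ADVISORIES, exposure_weight=2.0):
    """Return findings for installed, unpatched packages, highest priority first.
    A remotely exploitable flaw in a package that is actually listening is weighted up."""
    findings = []
    for adv in advisories:
        if adv["package"] not in inventory:
            continue
        installed, ports = inventory[adv["package"]]
        if not is_vulnerable(installed, adv["fixed_in"]):
            continue
        exposed = adv["remote"] and bool(ports)
        findings.append({
            "id": adv["id"], "package": adv["package"], "installed": installed,
            "fixed_in": adv["fixed_in"], "exposed_ports": ports if exposed else [],
            "priority": round(adv["cvss"] * (exposure_weight if exposed else 1.0), 1),
        })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in rank_findings():
        print(f"{f['priority']:>5}  {f['id']}  {f['package']} {f['installed']} -> {f['fixed_in']}"
              f"  exposed on {f['exposed_ports'] or 'nothing'}")
```

Feeding the "exposed_ports" column from a real scan (the Nmap parsing earlier in this report's narrative, or the host's own listening sockets) is what turns a flat vulnerability list into the scoped, prioritized view Figure 10 shows.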


7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories for newly created files, as seen in Figure 11, that should never have files uploaded to them – unless by an authorized individual.

Figure 11 - Example of the detection of a newly added file

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net".

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer.

Source CloudPassage Halo File Integrity Monitoring module


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
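Recommendations 5, 7 and 8 are three views of one control: a baseline of what each file's content, permissions and owner should be, compared continuously against the live system. The following Python is an added example (not code from the report or from CloudPassage) of that file integrity check. It snapshots a directory tree (SHA-256, mode bits, uid/gid), then reports new files (rated higher in directories that should never receive uploads, such as an application's binaries folder), changed content, changed permissions or ownership, removed files, and anything world-writable. The `demo()` function builds a constructed web root in a temporary directory and applies the kinds of changes the text warns about; the directory names, severities and the POSIX permission model are assumptions for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Record sha256, permission bits and owner for every regular file under root (relative paths)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                                                 "uid": st.st_uid, "gid": st.st_gid}
    return snap


def compare(baseline, current, no_new_files_dirs=()):
    """Return sorted (severity, message) alerts describing every deviation from the baseline."""
    alerts = []
    for path, info in current.items():
        base = baseline.get(path)
        if base is None:
            where = os.path.dirname(path) or "."
            protected = any(where == d or where.startswith(d + os.sep) for d in no_new_files_dirs)
            alerts.append(("HIGH" if protected else "MEDIUM", f"new file: {path}"))
        else:
            if base["sha256"] != info["sha256"]:
                alerts.append(("HIGH", f"content changed: {path}"))
            if base["mode"] != info["mode"]:
                alerts.append(("MEDIUM", f"mode changed {oct(base['mode'])} -> {oct(info['mode'])}: {path}"))
            if (base["uid"], base["gid"]) != (info["uid"], info["gid"]):
                alerts.append(("MEDIUM", f"owner changed: {path}"))
        if info["mode"] & stat.S_IWOTH:   # anyone on the host may modify it
            alerts.append(("HIGH", f"world-writable: {path}"))
    for path in baseline.keys() - current.keys():
        alerts.append(("MEDIUM", f"file removed: {path}"))
    return sorted(alerts)


def demo():
    """Constructed web root: baseline it, then simulate a defaced page, a dropped script in bin/,
    a customer upload, and a config file made world-writable. Returns the resulting alerts."""
    root = tempfile.mkdtemp()
    try:
        for sub in ("uploads", "bin"):
            os.makedirs(os.path.join(root, sub))
        files = {"index.php": b"<?php echo 'hello'; ?>", "config.ini": b"[db]\nhost=localhost\n",
                 os.path.join("bin", "collect.py"): b"print('collect')\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, rel), 0o644)
        baseline = snapshot(root)

        with open(os.path.join(root, "index.php"), "ab") as fh:        # injected script
            fh.write(b"<script src='//example.invalid/x.js'></script>")
        with open(os.path.join(root, "bin", "new_script.bat"), "wb") as fh:  # unexpected file in bin/
            fh.write(b"@echo off\n")
        with open(os.path.join(root, "uploads", "avatar.png"), "wb") as fh:  # legitimate upload dir
            fh.write(b"\x89PNG")
        os.chmod(os.path.join(root, "config.ini"), 0o666)               # permissions loosened
        return compare(baseline, snapshot(root), no_new_files_dirs=("bin",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

In production the baseline is taken from a known-good build and stored off the host, so an attacker who has already modified files cannot also "re-baseline" them; the comparison itself is cheap enough to run every few minutes.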

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning, to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration, so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture, so that one solution is deployed, integrated and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems, and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

[Figure 13 diagram labels: Enterprise Cloud; SaaS Hosting; Big Data; Test-Dev; Data Center]

Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 6: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg 4

When this particular application is installed on a system, it is set up with a very weak password for the administrator user account. The credentials for the account are easily guessable and not unique to this particular application or vendor.

The application provides a modular framework that allows for the uploading of custom application extensions by authorized users. An attacker with sufficient privileges could take advantage of the application by uploading a script that could allow for unintended consequences upon execution. The intent of the framework is to allow users to create their own custom interfaces, dashboards and custom scripts for the collection of non-standard data.

How The Gauntlet Was Won
Upon reviewing both application and operating system logs, it became clear that a number of attackers were employing the Nmap (Network Mapper) tool in an attempt to footprint the system and gain information about the exposed attack surface area.

Several attackers submitted flags for consideration, but only one attacker (who we'll call Terrence) successfully submitted both a privileged and an unprivileged flag from the same server – effectively ending the race for the bounty.

Exploitation of default administrative credentials
Terrence gained access to the web interface using the easily guessed credentials and immediately attempted to use the application to view the hard drive of the system. Terrence did convey that he was able to look at corrupted hexadecimal data of the flags themselves; however, he was unable to actually retrieve the flags at this point.

To explore the options provided by the application, Terrence first created a new account on the vendor's website and downloaded a popular app extension for monitoring Windows systems. The app downloaded as a tar and gzipped (.tar.gz) archive containing various configuration files for the data inputs and custom dashboards for viewing information about the Windows systems being monitored. The package also contained a folder for binaries that included, among other things, a Windows batch file (.bat) and a number of python (.py) scripts.

Note: Port scanning techniques can vary based on the amount of time available for the test and the need to be stealthy. If there is zero knowledge of the systems, a fast ping scan can be used to identify systems. In addition, a quick scan without ping verification (-PN in Nmap) should be run to detect the most common ports available. You can find more information on the use of Nmap for this purpose in the PTES Technical Guideline [2].

[2] More information on the use of Nmap for this purpose: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Nmap_.28Windows.2FLinux.29


Exploiting the app code
The first modification Terrence tried was to insert the following code into one of the python scripts:

    import win32netcon, win32net

    # USER_INFO_1 structure for the pywin32 NetUserAdd call (level 1)
    d = {}
    d['name'] = 'TestingTesing'   # printed this way in the report; later lines use 'TestingTesting'
    d['password'] = 'XXXXXXXX'    # redacted in the report
    d['comment'] = 'A user'
    d['flags'] = win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
    d['priv'] = win32netcon.USER_PRIV_USER
    # None = the local machine: creates a local account on the server running the script
    win32net.NetUserAdd(None, 1, d)

Terrence then uploaded the modified version of the app, which he had renamed "notwindows", likely so as not to confuse his malicious app with the standard Windows app. After uploading, Terrence tried to RDP to the server with the credentials he had inserted into the script, but was greeted with the error message in Figure 2.

Figure 2 - Failed remote login attempt

"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually."

OK

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password, but that Terrence's newly created account did not have sufficient remote login privileges.

At this point Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended. Terrence also became certain that this script upload vector would almost certainly be his way into the system.


Next, Terrence had to gain remote access and escalate the privileges of his new account. He tried unsuccessfully to add additional user privileges through the python scripts, but he finally backtracked and looked at the batch script provided by the Windows app: notwindows/bin/exploit.bat. On Terrence's local machine he modified the exploit.bat script and inserted the following line at the top:

    win32net.NetGroupAddUser(None, 'Remote Desktop Users', 'TestingTesting')

Gaining remote access
Terrence uploaded the app again and made sure the script was set to run. He attempted to RDP again and was able to successfully log into the desktop of the target server. Inspecting his permissions, Terrence saw that his account was a Guest account and, as such, he was not able to access the Administrator home folder where the privileged flag resided.

Logging out, Terrence made one final modification to the batch script and replaced his previous modification with the following:

    win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')

This time, when Terrence connected via his RDP session, he was logged in and presented with the server administrator interface.

Obtaining the flags
To grab the privileged flag (and, by way of his new administrative access, the unprivileged flag), Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server. Terrence logged back into his admin account and copied the flags to his local machine, as shown in Figure 3.

Bugcrowd verified the methodology employed by Terrence, validated the integrity of the flags captured, and awarded Terrence the win. "Until this particular test I had never considered that this particular application could be abused in this way," said Terrence. "The application's framework for customization is, I think, one of the things that gives it so much potential."

Terrence also stated that he hoped he had "shown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its application."

Note: Removing this particular threat vector would have completely nullified this attack. Restricting administrative ports using a host-based firewall and providing dynamic access for authorized administrators would have responsibly limited application access.
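The chain Terrence walked through (a local account created by the application's own process, then added to Remote Desktop Users and finally to Administrators) leaves a recognizable trail in the Windows Security log. The following Python, added here as an example and not part of the CloudPassage report or any product, correlates account-creation events (ID 4720) with additions to sensitive local groups (ID 4732) and flags any new account that reaches a sensitive group within a short window. The event records, their simplified field names and the subject account name APP-SVC$ are constructed sample data; a real feed would be an export of the Security log or a SIEM search.

```python
from datetime import datetime, timedelta

# Standard Windows Security Auditing event IDs.
EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732

# Local groups whose membership changes should always be reviewed on a server.
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample events in a simplified field layout (not real log output).
# "subject" is the account that performed the action; a service account creating
# users is itself a signal that an application, not an administrator, did it.
SAMPLE_EVENTS = [
    {"time": "2013-09-05T14:02:11", "id": 4720, "subject": "APP-SVC$",
     "target": "TestingTesting", "group": None},
    {"time": "2013-09-05T14:07:45", "id": 4732, "subject": "APP-SVC$",
     "target": "TestingTesting", "group": "Remote Desktop Users"},
    {"time": "2013-09-05T14:31:02", "id": 4732, "subject": "APP-SVC$",
     "target": "TestingTesting", "group": "Administrators"},
    # Benign noise: an administrator creates a helpdesk account and adds it to Users.
    {"time": "2013-09-05T09:00:00", "id": 4720, "subject": "Administrator",
     "target": "helpdesk01", "group": None},
    {"time": "2013-09-05T09:00:30", "id": 4732, "subject": "Administrator",
     "target": "helpdesk01", "group": "Users"},
]


def find_escalation_chains(events, window_hours=24):
    """Return one finding per (account, sensitive group) pair where the account
    was created and then added to that group within `window_hours`.

    Events may arrive out of order, so they are sorted by timestamp first.
    """
    created = {}    # target account -> its 4720 event
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == EVENT_USER_CREATED:
            created[ev["target"]] = ev
        elif ev["id"] == EVENT_LOCAL_GROUP_MEMBER_ADDED and ev["group"] in SENSITIVE_GROUPS:
            origin = created.get(ev["target"])
            if origin is None:
                continue    # pre-existing account: a separate rule should review it
            age = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(origin["time"])
            if age <= timedelta(hours=window_hours):
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": origin["subject"],
                    # Machine and service accounts end in '$': a process created the user.
                    "created_by_service_account": origin["subject"].endswith("$"),
                    "minutes_after_creation": int(age.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in find_escalation_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the rule produces two findings for TestingTesting (Remote Desktop Users 5 minutes after creation, Administrators 28 minutes after) and none for the helpdesk account. The subject field is the detail worth alerting on: an account created by a service principal rather than an interactive administrator is exactly the pattern this exercise exposed.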


Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application, find the flags and submit them to win the bounty. "What I did could be boiled down to a single batch script," explains Terrence. "Once access is gained to an administrator account on the application interface, it would take only a minute or two to gain full access to a similarly configured system."

Other attack data
Although the above analysis details the winning capture methodology and timeline, a number of other bugs were reported and flags captured using different vectors.


Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who submitted bugs by country

Figure 6 - Bug submissions throughout Project Gauntlet (vertical axis: time of day; horizontal axis: dates from 9/8/13 through 10/8/13)

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services, to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A – Tool Information.

Table 3 - Tools used

    Tool                          Count
    Acunetix                      4
    Backtrack                     1
    Burp Suite                    4
    FileZilla                     2
    Firefox                       2
    FTP (manual)                  1
    Iceweasel browser             1
    Manual                        3
    Metasploit                    1
    NetSparker                    2
    Nmap                          5
    None                          4
    SSH client                    2
    und3ath injector              1
    Visual Studio 2010 Express    1
    WinSCP                        1

Figure 7 - Types of bug submissions by percent

    Flag                     38%
    Info Disclosure          34%
    Anon FTP                 12%
    XSS                       6%
    Web Server Conf           3%
    Directory Permissions     2%
    No Anti-Automation        2%
    Banner Disclosure         1%
    Default Credentials       1%
    No SSL                    1%


The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules.

Recommendations
The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default and use strong credentials for system and application accounts
Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted, clear-text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect, but easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites [3]:
• http://www.phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com
• http://www.apsswordsdatabase.com
• http://www.isdpodcast.com/recources/62k-common-passwords

[3] Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common.2Fdefault_passwords
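The validation described in recommendation 1 can be scripted for the two storage forms the text calls trivial to inspect: clear text and ROT13 obfuscation. The Python below is an added example, not code from the report or from any vendor; the INI-style configuration snippets, the key names and the default list for the "admin" user are constructed, and a real check would load the vendor's documented defaults or the password lists cited in the note above.

```python
import codecs
import re

# Hypothetical known default credentials for an application (constructed).
KNOWN_DEFAULTS = {
    "admin": {"changeme", "admin", "password"},
}

# Constructed INI-style configuration snippets (key names are illustrative).
CLEARTEXT_CONFIG = """
[auth]
user = admin
password = changeme
"""

ROT13_CONFIG = """
[auth]
user = admin
password = punatrzr
"""

CHANGED_CONFIG = """
[auth]
user = admin
password = 7Yq!mNb#2vLx
"""

_USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)", re.MULTILINE)
_PASSWORD_RE = re.compile(r"^\s*password\s*=\s*(\S+)", re.MULTILINE)


def parse_credentials(config_text):
    """Extract the (user, stored_password) pair from a simple key = value file."""
    user = _USER_RE.search(config_text)
    password = _PASSWORD_RE.search(config_text)
    if user is None or password is None:
        raise ValueError("no credential pair found in configuration")
    return user.group(1), password.group(1)


def default_credential_form(config_text, defaults=KNOWN_DEFAULTS):
    """Return how the stored password matches a known default, or None.

    "cleartext": the default is stored verbatim.
    "rot13":     the default is stored ROT13-obfuscated; ROT13 is its own
                 inverse, so a single decode covers both directions.
    None:        no known default matched. A properly encrypted value also
                 returns None, which is the limit the recommendation describes:
                 a changed-from-default check cannot see through encryption.
    """
    user, stored = parse_credentials(config_text)
    known = defaults.get(user, set())
    if stored in known:
        return "cleartext"
    if codecs.decode(stored, "rot13") in known:
        return "rot13"
    return None


def audit(configs):
    """Map a config label to its finding; useful when checking a fleet of hosts."""
    return {label: default_credential_form(text) for label, text in configs.items()}


if __name__ == "__main__":
    print(audit({"clear": CLEARTEXT_CONFIG, "rot13": ROT13_CONFIG, "changed": CHANGED_CONFIG}))
```

The audit reports "cleartext" for the first snippet, "rot13" for the second (punatrzr is changeme under ROT13) and None for the third. A None result means only that no known default was found, not that the credential is strong; password strength is the subject of recommendation 2.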


2. Use non-trivial passwords
Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which is determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. Usernames or a person's name, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03/01/1970"), dictionary words and names of people and places should not be used.
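The policy stated above can be enforced at password-set time with a small checker. The Python below is an added example, not from the report; it implements exactly the rules the text lists (three of four character groups, and rejection of the username, the person's name, the word "password", the organization's name, keyboard patterns, dates, dictionary words and names). The organization name "examplecorp", the tiny word list and the keyboard patterns are constructed for the demonstration; a real deployment would load a full dictionary and name list.

```python
import re
import string

ORG_NAME = "examplecorp"    # hypothetical organization name
# Constructed sample word list (words and place/person names). A real policy
# would load a full dictionary; sorted so reported violations are deterministic.
DICTIONARY = sorted({"summer", "welcome", "dragon", "london", "michael", "secret"})
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
# Six to eight digits with optional separators, e.g. 03/01/1970 or 03011970.
DATE_RE = re.compile(r"\d{2}[/.-]?\d{2}[/.-]?\d{2,4}")


def character_groups(password):
    """Number of the four character groups (lower, upper, digit, symbol) present."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def policy_violations(password, username="", full_name=""):
    """Return the list of policy rules the password breaks; empty means acceptable."""
    violations = []
    lowered = password.lower()

    if character_groups(password) < 3:
        violations.append("fewer than three character groups")

    # Identity-derived tokens: username, each part of the person's name,
    # the organization's name and the word "password" itself.
    tokens = [username, *full_name.split(), ORG_NAME, "password"]
    for token in tokens:
        if len(token) >= 3 and token.lower() in lowered:
            violations.append(f"contains '{token}'")

    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            violations.append(f"keyboard pattern '{pattern}'")

    if DATE_RE.search(password):
        violations.append("contains a date-like digit sequence")

    for word in DICTIONARY:
        if word in lowered:
            violations.append(f"dictionary word '{word}'")

    return violations


def is_acceptable(password, username="", full_name=""):
    """Convenience wrapper for a password-set hook: True when no rule is broken."""
    return not policy_violations(password, username, full_name)


if __name__ == "__main__":
    for candidate in ("qwerty1234", "Password2013!", "Smith03011970", "gR4#vLp9!xQe"):
        print(candidate, policy_violations(candidate, "jsmith", "John Smith"))
```

Returning the full list of violations, rather than a single pass/fail, lets the interface tell the user which rule they tripped; the date rule is deliberately coarse (any six-to-eight-digit run), which trades a few false rejections for catching "03011970" as well as "03/01/1970".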

3. Employ multiple factors of authentication
Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of authentication systems. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regards to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

Figure 8 - Example display of a software authentication token

4. Block access to administrative ports until needed
Do your administrators need to access your administrative access ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers. To limit the attack surface area of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network's perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Also, each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5. Validate user and group ownership and permissions of sensitive files
Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets, dating from the dawn of computers.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files (like flags in a capture-the-flag exercise) and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations
Source: CloudPassage Halo Configuration Security Monitoring module


6. Monitor for vulnerabilities and apply patches
Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server
Source: CloudPassage Halo Software Vulnerability Assessment module

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date.


7. Monitor directories used by applications for uploads (and those not)
If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories that should never have files uploaded to them (unless by an authorized individual) for newly created files, as seen in Figure 11.

Figure 11 - Example of the detection of a newly added file
Source: CloudPassage Halo File Integrity Monitoring module

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes
Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
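Recommendations 5, 7 and 8 are all answered by the same mechanism: take a baseline of a directory tree, take it again later, and report what differs. The Python below is an added example of that baseline-and-compare loop, not code from the report or from the Halo product. It records a content hash, the permission bits and the owner of every regular file, then flags new files in directories that should never receive uploads, content changes to configuration or code, and permission or ownership drift. The application tree it builds under a temporary directory (etc/, bin/, uploads/) and the "no-upload" list are constructed for the demonstration; permission bits are POSIX, so the permission finding will not appear on Windows.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Map each regular file (path relative to root, '/' separated) to
    (sha256 of content, permission bits, uid, gid)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue    # symlinks and device nodes need their own handling
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap


def compare(baseline, current, no_upload_dirs=()):
    """Diff two snapshots into (finding_kind, path) tuples, sorted by path.

    no_upload_dirs lists directories (relative, '/' separated) that should never
    receive new files; a new file under one of them is an 'unexpected_new_file'.
    """
    def in_protected_dir(path):
        return any(path.startswith(d.strip("/") + "/") for d in no_upload_dirs)

    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "unexpected_new_file" if in_protected_dir(path) else "new_file"
            findings.append((kind, path))
        elif path not in current:
            findings.append(("removed", path))
        else:
            b_hash, b_mode, b_uid, b_gid = baseline[path]
            c_hash, c_mode, c_uid, c_gid = current[path]
            if b_hash != c_hash:
                findings.append(("content_changed", path))
            if b_mode != c_mode:
                findings.append(("permissions_changed", path))
            if (b_uid, b_gid) != (c_uid, c_gid):
                findings.append(("ownership_changed", path))
    return findings


def _write(root, rel, text, mode=None):
    """Helper for the demo: create a file (and its parents) with optional mode."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    if mode is not None:
        os.chmod(full, mode)


def demo():
    """Build a constructed application tree, baseline it, then simulate a config
    edit, a loosened permission, a file dropped into the code directory and a
    legitimate upload. Returns the findings and removes the temporary tree."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        _write(root, "etc/app.conf", "debug = off\n", 0o640)
        _write(root, "bin/collect.py", "print('collecting')\n", 0o750)
        os.makedirs(os.path.join(root, "uploads"))
        baseline = snapshot(root)

        _write(root, "etc/app.conf", "debug = on\n", 0o666)   # edited and made world-writable
        _write(root, "bin/extra.bat", "rem not part of the release\n")
        _write(root, "uploads/report.csv", "id,value\n1,2\n")
        return compare(baseline, snapshot(root), no_upload_dirs=("bin", "etc"))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:22} {path}")
```

The demo reports the batch file dropped into bin/ as unexpected_new_file, the edited app.conf as both content_changed and permissions_changed, and the CSV in uploads/ only as new_file, which is the distinction recommendation 7 draws between directories meant for uploads and those that are not. A production tool would persist the baseline somewhere the monitored host cannot rewrite it, since an attacker with write access to the tree can otherwise rebaseline their own changes.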

Source: CloudPassage Halo Configuration Risks dashboard (Figure 12)

9. Automate your security
The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments
• Direct cloud stack integration so that security transparently grows and changes with your cloud
• Cloud-agnostic architecture so that one solution is deployed, integrated and managed for all cloud environments
• Continuous security monitoring and control
• Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet
• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

[Figure 13 labels: Enterprise Cloud; SaaS Hosting; Big Data; Test-Dev Data Center]

Closing Thoughts
In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage
CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd
Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: Debian project rebranded Mozilla Firefox browser.

Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is the secure file transfer between local and remote computers.

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 7: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg 5

Exploiting the app codeThe first modification Terrence tried was to insert the following code into one of the python scripts import win32netcon win32net

d=

d[name] = TestingTesing

d[password] = XXXXXXXX

d[comment] = A user

d[flags] = win32netconUF_NORMAL_ACCOUNT | win32netconUF_SCRIPT

d[priv] = win32netconUSER_PRIV_USER

win32netNetUserAdd(None 1 d)

Terrence then uploaded the modified version of the app which he had renamed notwindows likely so as not to confuse his malicious app with the standard Windows app After uploading Terrence tried to RDP to the server with the credentials he had inserted into the script but was greeted with the error message in Figure 2

Figure 2 - Failed remote login attempt

    To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

    OK

The error message that Terrence received confirmed that the user he had attempted to create now existed on the system with the provided password, but that Terrence's newly created account did not have sufficient remote login privileges.

At this point Terrence realized that the scripts uploaded through the application could affect the system in ways that the creators had not intended. Terrence also became certain that this script upload vector would almost certainly be his way into the system.


Next, Terrence had to gain remote access and escalate the privileges of his new account. He tried unsuccessfully to add additional user privileges through the Python scripts, but finally backtracked and looked at the batch script provided by the Windows app, notwindows\bin\exploit.bat. On Terrence's local machine he modified the exploit.bat script and inserted the following line at the top:

    win32net.NetGroupAddUser(None, 'Remote Desktop Users', 'TestingTesting')

Gaining remote access

Terrence uploaded the app again and made sure the script was set to run. He attempted to RDP again and was able to successfully log into the desktop of the target server. Inspecting his permissions, Terrence saw that his account was a Guest account and, as such, he was not able to access the Administrator home folder where the privileged flag resided.

Logging out, Terrence made one final modification to the batch script and replaced his previous modification with the following:

    win32net.NetGroupAddUser(None, 'Administrators', 'TestingTesting')

This time, when Terrence connected via his RDP session, he was logged in and presented with the server administrator interface.

Obtaining the flags

To grab the privileged flag (and, by way of his new administrative access, the unprivileged flag), Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server. Terrence logged back into his admin account and copied the flags to his local machine, as shown in Figure 3.

Bugcrowd verified the methodology employed by Terrence, validated the integrity of the flags captured and awarded Terrence the win. "Until this particular test I had never considered that this particular application could be abused in this way," said Terrence. "The application's framework for customization is, I think, one of the things that gives it so much potential."

Terrence also stated that he hoped he had "shown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its application."

Note: Removing this particular threat vector would have completely nullified this attack. Restricting administrative ports using a host-based firewall and providing dynamic access for authorized administrators would have responsibly limited application access.


Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application, find the flags and submit them to win the bounty. "What I did could be boiled down to a single batch script," explains Terrence. "Once access is gained to an administrator account on the application interface, it would take only a minute or two to gain full access to a similarly configured system."
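The sequence Terrence used (create a local account, then add it to Remote Desktop Users and finally Administrators) leaves a distinctive trail in the Windows Security log: event ID 4720 (a user account was created) followed within minutes by event ID 4732 (a member was added to a security-enabled local group). The detection logic below is an added example written for this page; it is not code from the report, from Terrence or from CloudPassage. The event records are constructed to mirror the narrative, their field names are simplified from the real event XML, and the "svc_app" subject is a placeholder for whatever identity the application's script runner happened to use, which is itself a useful indicator.

```python
"""Flag privileged local-group additions, scoring those that follow a fresh
account creation as high severity. Added example with constructed records."""
from datetime import datetime, timedelta

# Local groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample modelled on the write-up: create user, add to Remote
# Desktop Users, add to Administrators, plus an unrelated benign change.
# 4720 = account created, 4732 = member added to a local group.
SAMPLE_EVENTS = [
    {"time": "2013-09-08T04:48:10", "id": 4720, "member": "TestingTesting",
     "subject": "svc_app", "group": None},
    {"time": "2013-09-08T04:55:02", "id": 4732, "member": "TestingTesting",
     "subject": "svc_app", "group": "Remote Desktop Users"},
    {"time": "2013-09-08T05:12:41", "id": 4732, "member": "TestingTesting",
     "subject": "svc_app", "group": "Administrators"},
    {"time": "2013-09-08T09:00:00", "id": 4732, "member": "backupop",
     "subject": "Administrator", "group": "Backup Operators"},
]


def find_escalations(events, window=timedelta(hours=24)):
    """Return one alert per addition to a privileged local group. If the member
    was created (4720) within `window` before the addition, the alert carries
    the age in seconds and is marked high severity."""
    created = {}  # member name -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["member"]] = t
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            age = None
            born = created.get(ev["member"])
            if born is not None and t - born <= window:
                age = int((t - born).total_seconds())
            alerts.append({
                "member": ev["member"],
                "group": ev["group"],
                "by": ev["subject"],
                "seconds_after_creation": age,
                "severity": "high" if age is not None else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_EVENTS):
        print(alert)
```

Feed it records exported from the Security log in the same shape (for example via Get-WinEvent or wevtutil); any addition to Administrators or Remote Desktop Users within a day of that account's creation is scored high, while promotions of long-standing accounts still surface at medium.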

Other attack data

Although the above analysis details the winning capture methodology and timeline, a number of other bugs were reported and flags captured using different vectors.


Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who submitted bugs by country

Figure 6 - Bug submissions throughout Project Gauntlet (submission time of day plotted against date, 9/8/13 through 10/8/13)

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A - Tool Information.

Figure 7 - Types of bug submissions by percent

    Flag                      38%
    Info Disclosure           34%
    Anon FTP                  12%
    XSS                        6%
    Web Server Conf            3%
    Directory Permissions      2%
    No Anti-Automation         2%
    Banner Disclosure          1%
    Default Credentials        1%
    No SSL                     1%

Table 3 - Tools used

    Tool                          Count
    Acunetix                        4
    Backtrack                       1
    Burp Suite                      4
    FileZilla                       2
    Firefox                         2
    FTP (manual)                    1
    Iceweasel browser               1
    Manual                          3
    Metasploit                      1
    NetSparker                      2
    Nmap                            5
    None                            4
    SSH client                      2
    und3ath injector                1
    Visual Studio 2010 Express      1
    WinSCP                          1


The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected, while following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted clear-text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect but is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default other than by attempting to authenticate with the default.

Note: Default passwords can be obtained from the following websites [3]:
    • http://www.phenoelit-us.org/dpl/dpl.html
    • http://www.cirt.net/passwords
    • http://www.defaultpassword.com
    • http://www.passwordsdatabase.com
    • http://www.isdpodcast.com/resources/62k-common-passwords

[3] Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common%2Fdefault_passwords


2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which is in turn determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. The username or a person's name, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03/01/1970"), dictionary words and names of people and places should not be used.
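As an added example (not from the report or from NIST), the following Python function applies the policy above, together with the default-credential check from recommendation 1, to a candidate password. The default-credential and dictionary lists are small constructed stand-ins for the full lists the report links to; the leet-speak reversal is included because "P@ssw0rd" satisfies a naive three-of-four-classes rule while still being "password".

```python
"""Password policy check: three of four character classes, no known defaults,
no trivial constructions. Added example; word lists are constructed stand-ins."""
import re

MIN_LENGTH = 12

# Constructed stand-ins for the default-credential and dictionary lists the
# report links to; a real deployment loads the full lists.
KNOWN_DEFAULTS = {"admin", "changeme", "password", "welcome1", "passw0rd", "root", "toor"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "letmein", "football"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx", "1234", "abcd")

# Common leet substitutions, undone before the word checks so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def character_classes(pw):
    """Number of the four classes (lower, upper, digit, symbol) present in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def contains_date(pw):
    """Four-digit years, dd/mm/yyyy-style dates and long digit runs."""
    return bool(re.search(r"(19|20)\d{2}", pw)
                or re.search(r"\d{2}[/.-]\d{2}[/.-]\d{2,4}", pw)
                or re.search(r"\d{6,}", pw))


def check_password(pw, username="", org=""):
    """Return the list of policy violations for pw; an empty list means it passes."""
    low = pw.lower()
    norm = low.translate(LEET)      # leet-reversed form
    variants = (low, norm)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(pw) < 3:
        problems.append("fewer than three of the four character classes")
    if low in KNOWN_DEFAULTS or norm in KNOWN_DEFAULTS:
        problems.append("matches a known default credential")
    if any("password" in v for v in variants):
        problems.append("contains the word 'password'")
    if username and any(username.lower() in v for v in variants):
        problems.append("contains the user name")
    if org and any(org.lower() in v for v in variants):
        problems.append("contains the organisation name")
    # Keyboard walks are checked on the raw lowercase form, forwards and backwards.
    if any(walk in low or walk[::-1] in low for walk in KEYBOARD_WALKS):
        problems.append("contains a keyboard pattern")
    if contains_date(pw):
        problems.append("contains a date or long digit run")
    hits = sorted(w for w in DICTIONARY_WORDS if any(w in v for v in variants))
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "P@ssw0rd123!", "Tjones-Summer2013",
                      "correct-Horse.batt3ry!Stapl"):
        print("%-28s %s" % (candidate, check_password(candidate, "tjones", "Acme") or "OK"))
```

The function returns every reason a password fails rather than stopping at the first, which is what a user-facing policy message or an audit of an existing credential store needs.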

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of the authentication system. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that incorporate only two.

With regard to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4. Block access to administrative ports until needed

Do your administrators need to access your administrative ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute-forcing and password-guessing exercises against your servers. To limit the attack surface of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Figure 8 - Example display of a software authentication token


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security tenets, dating from the dawn of computing.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files (like flags in a capture-the-flag exercise) and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations (source: CloudPassage Halo Configuration Security Monitoring module)


6. Monitor for vulnerabilities and apply patches

Keeping software up to date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your systems, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server (source: CloudPassage Halo Software Vulnerability Assessment module)

This allows the organization to prioritize issues across its entire cloud infrastructure and ensure that packages remain secure and up to date.


7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories that should never receive uploads for newly created files, as seen in Figure 11, unless placed there by an authorized individual.

Figure 11 - Example of the detection of a newly added file (source: CloudPassage Halo File Integrity Monitoring module)

As recently as October 25, 2013, the creators of PHP had their website (http://www.php.net) compromised. According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, staff writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
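As an added example covering recommendations 5, 7 and 8 together (this is example code for this page, not Halo's implementation), the following Python script baselines a directory tree, recording each regular file's SHA-256 digest, owner and permission bits, and then reports new files, deleted files, changed content, changed ownership or mode, and anything world-writable. The demo() function builds a small constructed application tree in a temporary directory, takes the baseline, then simulates an attacker dropping a script into bin\ and both editing and loosening a config file, which is exactly the activity the two recommendations ask you to catch.

```python
"""Directory baseline and drift detection: hashes, ownership and permission
bits. Added example; the demo tree is constructed in a temporary directory."""
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (forward-slash relative path) to
    (sha256 hex, uid, gid, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (digest.hexdigest(), st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return state


def diff_snapshots(baseline, current):
    """Return (path, finding) pairs describing how current deviates from
    baseline. The world-writable check is absolute rather than relative to the
    baseline, so a sloppy baseline cannot whitelist it."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "new file"))
        elif path not in current:
            findings.append((path, "deleted"))
        else:
            old, new = baseline[path], current[path]
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            if old[1:3] != new[1:3]:
                findings.append((path, "owner changed %d:%d -> %d:%d" % (old[1], old[2], new[1], new[2])))
            if old[3] != new[3]:
                findings.append((path, "mode changed %04o -> %04o" % (old[3], new[3])))
        if path in current and current[path][3] & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


def demo():
    """Constructed scenario: baseline a small app tree, then simulate an
    uploaded script and an edited, loosened config file; return the findings."""
    root = tempfile.mkdtemp(prefix="gauntlet_fim_")
    try:
        os.mkdir(os.path.join(root, "bin"))
        cfg = os.path.join(root, "app.conf")
        script = os.path.join(root, "bin", "run.py")
        with open(cfg, "w") as fh:
            fh.write("listen=8080\n")
        with open(script, "w") as fh:
            fh.write("print('ok')\n")
        os.chmod(cfg, 0o640)
        os.chmod(script, 0o755)
        baseline = snapshot(root)

        # Simulated attacker activity after the baseline was taken.
        dropped = os.path.join(root, "bin", "exploit.bat")
        with open(dropped, "w") as fh:
            fh.write("@echo off\r\n")
        os.chmod(dropped, 0o644)
        with open(cfg, "a") as fh:
            fh.write("debug=true\n")
        os.chmod(cfg, 0o666)
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, finding in demo():
        print("%-20s %s" % (path, finding))
```

In practice the baseline is written once at deployment and stored off the host (a baseline the attacker can rewrite is no baseline), and snapshot() is re-run on a schedule against the upload directory, the application code and the configuration files named in recommendation 8.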

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Figure 12 (source: CloudPassage Halo Configuration Risks dashboard)

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture so that one solution is deployed, integrated and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management


(Figure 13 labels: Enterprise Cloud; SaaS; Hosting; Big Data; Test-Dev; Data Center)


Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers are capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash "bounties" as well as community status. For more information, please visit http://www.bugcrowd.com


Appendix A - Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in performing assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.


Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code; in short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is a free, open source SFTP and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer.

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 8: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg 6

Next Terrence had to gain remote access and escalate the privileges of his new account He tried unsuccessfully to add additional user privileges through the python scripts but he finally backtracked and looked at the batch script provided by the Windows App - notwindowsbinexploitbat On Terrencersquos local machine he modified the exploitbat script and inserted the following line at the top

win32netNetGroupAddUser(None Remote Desktop Users TestingTesting)

Gaining remote accessTerrence uploaded the app again and made sure the script was set to run He attempted to RDP again and was able to successfully log into the desktop of the target server Inspecting his permissions Terrence saw that his account was a Guest account and as such he was not able to access the Administrator home folder where the privileged flag resided

Logging out Terrence made one final modification to the batch script and replaced his previous modification with the following

win32netNetGroupAddUser(None Administrators TestingTesting)

This time when Terrence connected via his RDP session he was logged in and presented with the server administrator interface

Obtaining the flagsTo grab the privileged flag and by way of his new administrative access the unprivileged flag Terrence logged out and reconfigured his remote desktop client to share a local folder on his desktop with the remote server Terrence logged back into his admin account and copied the flags to his local machine as shown in Figure 3

Bugcrowd verified the methodology employed by Terrence validated the integrity of the flags captured and awarded Terrence the win ldquoUntil this particular test I had never considered that this particular application could be abused in this wayrdquo said Terrence ldquoThe applicationrsquos framework for customization is I think one of the things that gives it so much potentialrdquo

Terrence also stated that he hoped he had ldquoshown the potential for damage an attacker can cause when he (or she) is able to gain access to a WUI and its applicationrdquo

Note Removing this particular threat vector would have completely nullified this attack Restricting administrative ports using a host-based firewall and providing dynamic assess for authorized administrators would have responsibly limited application access

reg 7

Figure 3 - Evidence of copied flags

It only took Terrence four hours to exploit the application find the flags and submit them to win the bounty ldquoWhat I did could be boiled down to a single batch scriptrdquo explains Terrance ldquoOnce access is gained to an administrator account on the application interface it would take only a minute or two to gain full access to a similarly configured systemrdquo

Other attack dataAlthough the above analysis details the winning capture methodology and timeline a number of other bugs were reported and flags captured using different vectors

reg 8

Upon commencement of Project Gauntlet 367 participants from 41 different countries viewed the bounty as illustrated in Figure 4 Of those that viewed the bounty only a small subset actively participated and submitted bugs as shown in Figure 5 The majority of attackers and submissions originated from Europe with small pockets of interest and submissions in other parts of the world

In September 96 bugs were submitted against the exercise The rate of submissions dropped off considerably after September 23 but six bugs were submitted from October 2 through October 4 bringing the total number of submitted bugs for this exercise to 102 Of the 102 total submissions only 90 were considered valid and within scope Submissions pertaining to possible Denial of Service (DoS) attacks web server information disclosure or service banner disclosure among others were eliminated and not considered Figure 6 illustrates the Project Gauntlet bug submissions over time

Figure 6 - Bug submissions throughout Project Gauntlet

Figure 4 - Attackers who viewed the bounty by country

Figure 5 - Attackers who summited bugs by country

448 AM

1200 AM

712 AM

224 AM

936 AM

448 AM

1200 AM

9813 91313 91813 92313 92813 10313 10813

The types of security submissions varied but included everything from the ability to anonymously log into the FTP server typical information disclosure about applications or services to actual flag submissions

As shown in Figure 7 the majority of submissions were in fact flag submissions (38) information disclosures (34) and anonymous FTP access (12)

When submitting a bug each attacker was asked which tools if any were used to achieve the resultant bug conditions Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing web application tools exploit frameworks and hostservice discovery tools Information about the disclosed tools can be found in Appendix A ndash Tool Information

Table 3 - Tools used

reg 9

Figure 7 Types of bug submissions by Percent

1 Banner Disclosure

38 Flag

2 Directory Permissions

34 Info Disclosure

2 No Anti-Automation

1 Default Credentials

12 Anon FTP

6 XSS

3 Web Server Conf

1 No SSL

Acunetix 4Backtrack 1Burp Suite 4FileZilla 2Firefox 2FTP (manual) 1Iceweasel browser 1Manual 3

Metasploit 1NetSparker 2Nmap 5None 4SSH client 2und3ath injector 1Visual Studio 2010 Express 1WinSCP 1

38

34

12

reg 10

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise At the time of this writing CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules

RecommendationsThe Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny The following recommendations may be considered as ldquolessons learnedrdquo guidance for current and future cloud server instance deployments

1 Change default and use strong credentials for system and application accountsEnsure that passwords are sufficiently complex so that attackers cannot readily guess them According to section 321 of the NIST Special Publication 800-118 Guide to Enterprise Password Management it is particularly important to change all default OS and application passwords lists of default accounts and passwords are widely available to attackers

According to the Penetration Testing Execution Standard (PTES) identifying whether a device application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords

Many applications store their credentials in system configuration files Windows Registry Keys or application databases Often these credentials are stored in unencrypted clear text format in which case validating that the credentials have changed from the default is trivial If the password is obfuscated using something as commonly implemented as ROT13 character substitution it is not as trivial to inspect but easily reversible If the password is encrypted it may be impossible to validate that it has been changed from the default

3 Source of the websites listed bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCommon2Fdefault_passwords)

Note Defaulft passwords can be obtained from the following websites3 bull httpwwwphenoelit-usorgdpldplhtml bull httpwwwcirtnetpasswords bull httpwwwdefaultpasswordcom bull httpwwwapsswordsdatabasecom bull httpwwwisdpodcastcomrecources62k-common-passwords

reg 11

2 Use non-trivial passwordsOrganizations should ensure that other trivial passwords cannot be set According to section 323 of the NIST Special Publication 800-118 Guide to Enterprise Password Management having strong passwords helps mitigate guessing and cracking Password strength is determined by a passwordrsquos length and complexity which is determined by the unpredictability of its characters

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password lowercase letters uppercase letters digits and symbols Username or personrsquos name ldquopasswordrdquo the organizationrsquos name simple keyboard patterns (eg ldquoqwertyrdquo ldquo1234$rdquo) dates (eg ldquo03011970rdquo) dictionary words and names of people and places should not be used

3 Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have, and something you are. The number of factors incorporated by the system largely determines the strength of authentication systems. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regards to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks, and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4 Block access to administrative ports until needed

Do your administrators need to access your administrative access ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers. To limit the attack surface area of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Figure 8 - Example display of a software authentication token


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Also, each monitors and controls the incoming and outgoing network traffic for a single host, and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5 Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets since the dawn of computers.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files, like flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server, and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations

Source CloudPassage Halo Configuration Security Monitoring module
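The ownership-and-permission comparison described in this recommendation, as an added example that is not CloudPassage's or the Halo module's code. It assumes a POSIX host, builds a constructed tree under a temporary directory (a world-readable flag file beside a correctly protected config file), and reports every deviation from the expected state.

```python
"""Audit file ownership and permissions against an expected state.

Constructed example, not CloudPassage's code (the Halo module shown in
Figure 9 does this continuously). It assumes a POSIX host; the demo builds a
throwaway tree under a temporary directory and audits it.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    path: str        # relative to the audited root
    max_mode: int    # permission bits allowed; any extra bit is a violation
    uid: int         # expected owner
    gid: int         # expected group


@dataclass(frozen=True)
class Violation:
    path: str
    reason: str


def check_tree(root: str, rules: List[Rule]) -> List[Violation]:
    """Compare each rule against the live filesystem state."""
    found: List[Violation] = []
    for rule in rules:
        try:
            st = os.lstat(os.path.join(root, rule.path))
        except FileNotFoundError:
            found.append(Violation(rule.path, "expected path is missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~rule.max_mode
        if extra:
            found.append(Violation(
                rule.path,
                f"mode {mode:04o} exceeds {rule.max_mode:04o} (extra bits {extra:04o})"))
        if st.st_uid != rule.uid:
            found.append(Violation(rule.path, f"owner uid {st.st_uid}, expected {rule.uid}"))
        if st.st_gid != rule.gid:
            found.append(Violation(rule.path, f"group gid {st.st_gid}, expected {rule.gid}"))
    return found


def demo() -> List[Violation]:
    """Constructed tree: a flag file left world-readable next to a correctly
    protected database config, plus a policy entry for a file that is absent.
    Ownership mismatches need a second account to reproduce, so the demo
    only exercises the mode and missing-path checks."""
    root = tempfile.mkdtemp(prefix="permcheck_")
    try:
        uid, gid = os.getuid(), os.getgid()
        cfg = os.path.join(root, "app", "config")
        os.makedirs(cfg)
        os.chmod(cfg, 0o755)                      # world may list the directory
        flag = os.path.join(cfg, "flag.txt")
        with open(flag, "w") as fh:
            fh.write("constructed flag value\n")
        os.chmod(flag, 0o644)                     # the oversight: world-readable
        db = os.path.join(cfg, "db.ini")
        with open(db, "w") as fh:
            fh.write("[db]\npassword = constructed\n")
        os.chmod(db, 0o600)                       # correct: owner-only
        rules = [
            Rule("app/config/flag.txt", 0o600, uid, gid),
            Rule("app/config/db.ini", 0o600, uid, gid),
            Rule("app/config", 0o750, uid, gid),
            Rule("app/config/.htaccess", 0o640, uid, gid),   # absent on purpose
        ]
        return check_tree(root, rules)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for v in demo():
        print(f"{v.path}: {v.reason}")
```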


6 Monitor for vulnerabilities and apply patches

Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date.

Source CloudPassage Halo Software Vulnerability Assessment module


7 Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners, or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring for newly created files (as seen in Figure 11) of application and server directories that should never have files uploaded to them, unless by an authorized individual.

Figure 11 - Example of the detection of a newly added file

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."

Source CloudPassage Halo File Integrity Monitoring module


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8 Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP, or JavaScript code change, or the configuration files of web, database, file, or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
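Recommendations 7 and 8 both rest on a hashed baseline of the filesystem, so one added example serves both; it is not CloudPassage's or the Halo module's code. It snapshots a constructed directory tree, diffs a later snapshot against it, flags new files according to whether they appeared in an assumed upload directory with an assumed allowed file type (recommendation 7), and flags modified or removed code and configuration files (recommendation 8).

```python
"""File integrity baseline for recommendations 7 and 8.

Constructed example, not CloudPassage's code (the Halo File Integrity
Monitoring module shown in Figure 11 does this continuously). It hashes a
directory tree, diffs a later snapshot against the baseline, and classifies
new files by whether they landed in a directory meant to receive uploads.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

UPLOAD_DIRS = ("uploads",)                       # assumed upload locations
ALLOWED_UPLOAD_EXT = (".png", ".jpg", ".pdf")    # assumed acceptable types


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file's root-relative path (with '/' separators) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def classify(changes: Dict[str, List[str]]) -> List[dict]:
    """Turn raw differences into findings ordered by path."""
    findings: List[dict] = []
    for path in changes["added"]:
        in_upload_dir = any(path.startswith(d + "/") for d in UPLOAD_DIRS)
        if not in_upload_dir:
            sev, why = "alert", "new file outside upload directories"
        elif path.lower().endswith(ALLOWED_UPLOAD_EXT):
            sev, why = "info", "expected upload"
        else:
            sev, why = "alert", "unexpected file type in upload directory"
        findings.append({"path": path, "change": "added", "severity": sev, "reason": why})
    for path in changes["modified"]:
        findings.append({"path": path, "change": "modified", "severity": "alert",
                         "reason": "code or configuration changed"})
    for path in changes["removed"]:
        findings.append({"path": path, "change": "removed", "severity": "alert",
                         "reason": "baseline file disappeared"})
    return sorted(findings, key=lambda f: f["path"])


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def demo() -> List[dict]:
    """Constructed tree, baseline, then simulated activity of every kind."""
    root = tempfile.mkdtemp(prefix="fim_")
    try:
        _write(root, "app/index.php", "<?php echo 'hello'; ?>\n")
        _write(root, "app/config/db.ini", "[db]\nhost = localhost\n")
        os.makedirs(os.path.join(root, "uploads"))
        baseline = snapshot(root)
        # Activity after the baseline was taken (all constructed):
        _write(root, "uploads/report.pdf", "%PDF-1.4 constructed\n")          # legitimate
        _write(root, "uploads/unexpected.php", "<?php /* not an upload */ ?>\n")
        _write(root, "app/js/extra.js", "// appeared without a deployment\n")
        _write(root, "app/index.php",
               "<?php echo 'hello'; ?>\n<script src=\"//example.invalid/x.js\"></script>\n")
        os.remove(os.path.join(root, "app", "config", "db.ini"))
        return classify(diff_snapshots(baseline, snapshot(root)))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:<5} {f['change']:<8} {f['path']:<24} {f['reason']}")
```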

9 Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g., VMware, Citrix, OpenStack) or cloud service provider (e.g., Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments
• Direct cloud stack integration so that security transparently grows and changes with your cloud
• Cloud-agnostic architecture so that one solution is deployed, integrated, and managed for all cloud environments
• Continuous security monitoring and control
• Group-based management for orchestration across thousands of systems, and automatic protection as systems are added to your cloud fleet
• Integration with other automation tools (e.g., vCloud, Puppet, Chef) and security systems (e.g., Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

[Figure 13 diagram labels: Enterprise Cloud, SaaS Hosting, Big Data, Test-Dev, Data Center]

Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings, and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private, and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures, and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat website hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS, and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X, and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: Debian project rebranded Mozilla Firefox browser.


Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive, and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "False-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is the secure file transfer between local and remote computers.


und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer


Upon commencement of Project Gauntlet, 367 participants from 41 different countries viewed the bounty, as illustrated in Figure 4. Of those that viewed the bounty, only a small subset actively participated and submitted bugs, as shown in Figure 5. The majority of attackers and submissions originated from Europe, with small pockets of interest and submissions in other parts of the world.

In September, 96 bugs were submitted against the exercise. The rate of submissions dropped off considerably after September 23, but six bugs were submitted from October 2 through October 4, bringing the total number of submitted bugs for this exercise to 102. Of the 102 total submissions, only 90 were considered valid and within scope. Submissions pertaining to possible Denial of Service (DoS) attacks, web server information disclosure or service banner disclosure, among others, were eliminated and not considered. Figure 6 illustrates the Project Gauntlet bug submissions over time.

Figure 4 - Attackers who viewed the bounty, by country

Figure 5 - Attackers who submitted bugs, by country

Figure 6 - Bug submissions throughout Project Gauntlet (chart of submission time of day against date, 9/8/13 through 10/8/13)

The types of security submissions varied, but included everything from the ability to anonymously log into the FTP server and typical information disclosure about applications or services, to actual flag submissions.

As shown in Figure 7, the majority of submissions were in fact flag submissions (38%), information disclosures (34%) and anonymous FTP access (12%).

When submitting a bug, each attacker was asked which tools, if any, were used to achieve the resultant bug conditions. Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing, web application tools, exploit frameworks and host/service discovery tools. Information about the disclosed tools can be found in Appendix A – Tool Information.

Table 3 - Tools used

Tool                          Count
Acunetix                      4
Backtrack                     1
Burp Suite                    4
FileZilla                     2
Firefox                       2
FTP (manual)                  1
Iceweasel browser             1
Manual                        3
Metasploit                    1
NetSparker                    2
Nmap                          5
None                          4
SSH client                    2
und3ath injector              1
Visual Studio 2010 Express    1
WinSCP                        1

Figure 7 - Types of bug submissions, by percent

Flag: 38%
Info Disclosure: 34%
Anon FTP: 12%
XSS: 6%
Web Server Conf: 3%
Directory Permissions: 2%
No Anti-Automation: 2%
Banner Disclosure: 1%
Default Credentials: 1%
No SSL: 1%

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected, while following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered as "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex so that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted, clear-text format, in which case validating that the credentials have changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect, but it is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites³:
• http://www.phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com
• http://www.apsswordsdatabase.com
• http://www.isdpodcast.com/recources/62k-common-passwords

³ Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common%2Fdefault_passwords

2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which is in turn determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. The username or person's name, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03011970"), dictionary words and names of people and places should not be used.
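Recommendations 1 and 2 describe a policy that is easy to state and easy to get wrong when implemented. The following is an added example, not CloudPassage's or any vendor's code, that encodes exactly the rules given above: three of four character classes, plus rejection of the username, the person's name, the organization's name, "password", keyboard patterns, dates, dictionary words and names, and a check against known vendor defaults (recommendation 1). The dictionary, the keyboard patterns and the default-credential pairs are small constructed samples standing in for the real lists the text refers to; the leet-speak normalization (so that "P@ssw0rd" is still recognised as "password") is an assumption about how such a check is usually extended, not something the report specifies.

```python
import re

# Constructed, not exhaustive: keyboard walks and sequences the policy forbids.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "4321", "abcd", "1qaz")
# Constructed stand-in for a real dictionary and list of names/places.
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon", "monkey",
              "letmein", "secret", "john", "smith", "london", "paris"}
# Constructed sample of vendor default (username, password) pairs, not a real list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("sa", ""),
                       ("tomcat", "tomcat"), ("admin", "password")}
# ddmmyyyy / mmddyyyy / yyyymmdd with optional separators, e.g. "03011970".
DATE_RE = re.compile(r"^(?:\d{2}[./-]?\d{2}[./-]?(?:\d{2}|\d{4})|\d{4}[./-]?\d{2}[./-]?\d{2})$")
# Substitutions crackers try by default, so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans("@$031", "asoei")


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) are present."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    symbol = any(not c.isalnum() for c in pw)
    return sum((lower, upper, digit, symbol))


def is_default_credential(username, pw):
    """Recommendation 1: the pair must not be a known vendor default."""
    return (username.lower(), pw) in DEFAULT_CREDENTIALS


def check_password(pw, username="", person_name="", org_name="", min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three of the four character classes")
    # Username, person's name and organization name must not appear in the password.
    for label, value in (("username", username), ("person's name", person_name),
                         ("organization name", org_name)):
        for part in re.split(r"[\s.@_-]+", value.lower()):
            if len(part) >= 3 and part in low:
                problems.append(f"contains {label} '{part}'")
    for pat in KEYBOARD_PATTERNS:
        if pat in low:
            problems.append(f"contains keyboard pattern '{pat}'")
    if DATE_RE.match(pw):
        problems.append("looks like a date")
    # Undo common substitutions, drop non-letters, then look for dictionary words/names.
    normalized = re.sub(r"[^a-z]", "", low.translate(LEET))
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in normalized:
            problems.append(f"based on dictionary word or name '{word}'")
    if is_default_credential(username, pw):
        problems.append("known vendor default credential")
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "P@ssw0rd1234!", "03011970", "Vh7#kq2Lm9@pX!"):
        print(candidate, "->", check_password(candidate, "admin", "Alice Smith", "Example Corp") or "OK")
```

The check returns every violation rather than stopping at the first one, so the same function can drive both a rejection message at password-set time and a periodic audit of configured application credentials.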

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of authentication systems. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered to be stronger than those that use only one factor, and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors.

With regard to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4. Block access to administrative ports until needed

Do your administrators need to access your administrative access ports 24/7? What about the rest of the world? Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute-forcing and password-guessing exercises against your servers. To limit the attack surface area of your servers and applications, we advise blocking access to sensitive ports until an authorized user requires access.

Figure 8 - Example display of a software authentication token

Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network's perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts, and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Also, each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets, dating from the dawn of computers.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files, like flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server, and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations
Source: CloudPassage Halo Configuration Security Monitoring module
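The alert in Figure 9 comes from comparing each sensitive file's actual owner, group and mode bits against an expected state. The following is an added example of that comparison, written for Linux/Unix hosts; it is not the Halo module the figure shows. The policy format (path mapped to expected uid, gid and the maximum permitted mode bits) and the sample "flag" files created in a temporary directory are constructed for this example. Any bit set on the file but absent from the policy is reported, which is what catches the world-readable flag file the report describes.

```python
import os
import stat
import tempfile


def check_file(path, expected_uid, expected_gid, max_mode):
    """Compare one file against its expected owner, group and permission bits.

    Returns a list of human-readable findings; empty means compliant.
    `max_mode` is the most permissive mode allowed, e.g. 0o600 for a secret.
    """
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in place of the file
    except FileNotFoundError:
        return [f"{path}: expected file is missing"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode          # bits granted beyond what the policy allows
    if extra:
        findings.append(f"{path}: mode {mode:04o} grants {extra:04o} beyond permitted {max_mode:04o}")
    return findings


def audit(policy):
    """Run check_file over a policy of {path: (uid, gid, max_mode)} and collect findings."""
    findings = []
    for path, (uid, gid, max_mode) in sorted(policy.items()):
        findings.extend(check_file(path, uid, gid, max_mode))
    return findings


def demo():
    """Constructed scenario: one correctly protected flag file, one exposed, one missing."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    uid, gid = os.getuid(), os.getgid()
    private = os.path.join(root, "flag_private.txt")
    exposed = os.path.join(root, "flag_exposed.txt")
    for p in (private, exposed):
        with open(p, "w") as f:
            f.write("FLAG{constructed-sample}\n")   # constructed content, not a real flag
    os.chmod(private, 0o600)
    os.chmod(exposed, 0o644)   # world-readable: the administrator's mistake described above
    policy = {
        private: (uid, gid, 0o600),
        exposed: (uid, gid, 0o600),
        os.path.join(root, "missing.txt"): (uid, gid, 0o600),
    }
    return audit(policy)


if __name__ == "__main__":
    for finding in demo():
        print("VIOLATION:", finding)
```

Run from a scheduler or a configuration agent, the findings list is what gets raised as an alert; a missing file is reported too, since a deleted or renamed secret is as much a deviation from the expected state as an over-permissive one.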

6. Monitor for vulnerabilities and apply patches

Keeping software up to date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server
Source: CloudPassage Halo Software Vulnerability Assessment module

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up to date.

7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is the monitoring of application and server directories for newly created files, as seen in Figure 11, that should never have files uploaded to them – unless by an authorized individual.

Figure 11 - Example of the detection of a newly added file
Source: CloudPassage Halo File Integrity Monitoring module

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit and it was attempting to drop an information-stealing Trojan called Tepfer."

"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
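Recommendations 7 and 8 are two uses of the same mechanism: take a baseline of a directory tree and report anything that appears, disappears or changes. The following is an added example of that baseline-and-compare, not the Halo File Integrity Monitoring module referenced in Figure 11. It records a SHA-256 digest, size and permission bits per regular file, so both a modified index.php (the php.net case above, where injected JavaScript changed a served page) and a file dropped into an upload directory show up in one report. The web root, configuration file and simulated events are constructed in a temporary directory for the example.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: (sha256, size, permission bits)} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (file_digest(full), st.st_size, stat.S_IMODE(st.st_mode))
    return state


def compare(baseline, current):
    """Classify differences between two snapshots; a mode change alone counts as changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small web root, then simulate three events."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    htdocs = os.path.join(root, "htdocs")
    os.makedirs(htdocs)
    _write(os.path.join(htdocs, "index.php"), "<?php echo 'hello'; ?>\n")
    _write(os.path.join(root, "app.conf"), "debug = off\n")
    baseline = snapshot(root)

    # Event 1 (recommendation 8): served code modified after deployment.
    with open(os.path.join(htdocs, "index.php"), "a") as f:
        f.write("// constructed change to the served page\n")
    # Event 2 (recommendation 8): configuration changed during normal operation.
    _write(os.path.join(root, "app.conf"), "debug = on\n")
    # Event 3 (recommendation 7): a new file appears in a directory nobody should write to.
    uploads = os.path.join(htdocs, "uploads")
    os.makedirs(uploads)
    _write(os.path.join(uploads, "dropped_file.php"), "constructed sample, not real content\n")

    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():8s} {p}")
```

In practice the baseline is taken at deployment time, stored somewhere the monitored host cannot modify, and re-compared on a schedule; a deployment pipeline then refreshes the baseline as part of an authorized release, so that only changes made outside that process raise an alert.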

Figure 12 - Source: CloudPassage Halo Configuration Risks dashboard

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation (diagram spanning Enterprise Cloud, SaaS Hosting, Big Data and Test-Dev Data Center environments)

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture so that one solution is deployed, integrated and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassagereg and Haloreg are registered trademarks of CloudPassage Inc

About BugcrowdBugcrowd makes bug bounty programs accessible and affordable Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash lsquobountiesrsquo as well as community status For more information please visit httpwwwbugcrowdcom

18reg

Appendix A ndash Tool InformationAcunetix Web Vulnerability ScannerURL httpwwwacunetixcomvulnerability-scanner Description Acunetix develops an heuristic non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking

BacktrackURL httpwwwbacktrack-linuxorg Description BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 11: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

The types of security submissions varied but included everything from the ability to anonymously log into the FTP server typical information disclosure about applications or services to actual flag submissions

As shown in Figure 7 the majority of submissions were in fact flag submissions (38) information disclosures (34) and anonymous FTP access (12)

When submitting a bug each attacker was asked which tools if any were used to achieve the resultant bug conditions Table 3 details the tool names disclosed by the attackers and includes a mixed bag of manual testing web application tools exploit frameworks and hostservice discovery tools Information about the disclosed tools can be found in Appendix A ndash Tool Information

Table 3 - Tools used

reg 9

Figure 7 Types of bug submissions by Percent

1 Banner Disclosure

38 Flag

2 Directory Permissions

34 Info Disclosure

2 No Anti-Automation

1 Default Credentials

12 Anon FTP

6 XSS

3 Web Server Conf

1 No SSL

Acunetix 4Backtrack 1Burp Suite 4FileZilla 2Firefox 2FTP (manual) 1Iceweasel browser 1Manual 3

Metasploit 1NetSparker 2Nmap 5None 4SSH client 2und3ath injector 1Visual Studio 2010 Express 1WinSCP 1

38

34

12

reg 10

The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise At the time of this writing CloudPassage is actively working with the vendor to ensure that the issue is corrected while following responsible disclosure rules

RecommendationsThe Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny The following recommendations may be considered as ldquolessons learnedrdquo guidance for current and future cloud server instance deployments

1 Change default and use strong credentials for system and application accountsEnsure that passwords are sufficiently complex so that attackers cannot readily guess them According to section 321 of the NIST Special Publication 800-118 Guide to Enterprise Password Management it is particularly important to change all default OS and application passwords lists of default accounts and passwords are widely available to attackers

According to the Penetration Testing Execution Standard (PTES) identifying whether a device application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords

Many applications store their credentials in system configuration files Windows Registry Keys or application databases Often these credentials are stored in unencrypted clear text format in which case validating that the credentials have changed from the default is trivial If the password is obfuscated using something as commonly implemented as ROT13 character substitution it is not as trivial to inspect but easily reversible If the password is encrypted it may be impossible to validate that it has been changed from the default

3 Source of the websites listed bull (REF httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCommon2Fdefault_passwords)

Note Defaulft passwords can be obtained from the following websites3 bull httpwwwphenoelit-usorgdpldplhtml bull httpwwwcirtnetpasswords bull httpwwwdefaultpasswordcom bull httpwwwapsswordsdatabasecom bull httpwwwisdpodcastcomrecources62k-common-passwords

reg 11

2 Use non-trivial passwordsOrganizations should ensure that other trivial passwords cannot be set According to section 323 of the NIST Special Publication 800-118 Guide to Enterprise Password Management having strong passwords helps mitigate guessing and cracking Password strength is determined by a passwordrsquos length and complexity which is determined by the unpredictability of its characters

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password lowercase letters uppercase letters digits and symbols Username or personrsquos name ldquopasswordrdquo the organizationrsquos name simple keyboard patterns (eg ldquoqwertyrdquo ldquo1234$rdquo) dates (eg ldquo03011970rdquo) dictionary words and names of people and places should not be used

3 Employ multiple factors of authenticationMulti-factor authentication refers to the use of more than one authentication factor in place of a single factor The three types of authentication factors are something you know something you have and something you are The number of factors incorporated by the system largely determines the strength of authentication systems According to NIST Special Publication 800-63-2 Electronic Authentication Guideline implementations that use two factors are considered to be stronger than those that use only one factor and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors

With regards to application and operating system authentication many tools exist to facilitate additional authentication factors With randomly generated hardware

or software authentication tokens (as seen in Figure 8) integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances

Whichever methodology or tool you use know that multi-factor authentication can only help to add additional access control to your servers and applications

4 Block access to administrative ports until neededDo your administrators need to access your administrative access ports 247 What about the rest of the world Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers To limit the attack surface area of your servers and applications we advise blocking access to sensitive ports until an authorized user requires access

Figure 8 - Example display of a software authentication token

reg 12

Using a firewall to dynamically facilitate access is the preferred method especially in cloud environments Though many CSPs provide rudimentary firewall capability at its networkrsquos perimeter in many cases additional network protection is required According to NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy network firewalls are not able to recognize all instances and forms of attack allowing some attacks to penetrate and reach internal hosts - and attacks sent from one internal host to another may not even pass through a network firewall

As such host-based firewalls for servers provide an additional layer of security against network-based attacks These firewalls are software-based residing on the hosts they are protecting Also each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited to those individuals or groups that require it is perhaps one of the oldest security tenets, dating from the dawn of computing.

The correct ownership and permissions of files and directories can mean the difference between protecting sensitive files, like the flags in a capture-the-flag exercise, and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for every file and directory present on a server, and that only those authorized to access them can do so. If the permissions or ownership deviate from the expected state, the organization should be alerted to the fact, as depicted in Figure 9.

Figure 9 - Example of file permission and ownership violations

Source: CloudPassage Halo Configuration Security Monitoring module
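The alerting described above can be reproduced with a small baseline-and-audit script. The following is an added example, not code from the CloudPassage report or the Halo module: each sensitive path carries an expected owner, group and permission bits, and the audit reports every deviation, plus any file reachable by "other" regardless of what the baseline says. The sample files and baseline in `demo()` are constructed in a temporary directory for illustration.

```python
"""Audit ownership and permissions of sensitive files against a baseline.

Added example; not code from the CloudPassage report or the Halo product.
Each path in the baseline records the expected owner uid, group gid and
permission bits; the audit reports every deviation, plus any file that is
readable or writable by 'other' regardless of what the baseline says.
The sample files and baseline in demo() are constructed in a temporary
directory for illustration.
"""
import os
import stat
import tempfile


def check_path(path, expected):
    """Return a list of violations for one path; an empty list means OK.

    expected: {"uid": int, "gid": int, "mode": int} where mode holds only
    the permission bits (e.g. 0o600).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    violations = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected["uid"]:
        violations.append(f"{path}: owner uid {st.st_uid}, expected {expected['uid']}")
    if st.st_gid != expected["gid"]:
        violations.append(f"{path}: group gid {st.st_gid}, expected {expected['gid']}")
    if mode != expected["mode"]:
        violations.append(f"{path}: mode {oct(mode)}, expected {oct(expected['mode'])}")
    # A sensitive file must never be reachable by 'other', even if someone
    # recorded a permissive baseline by mistake.
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        violations.append(f"{path}: accessible by 'other' ({oct(mode)})")
    return violations


def audit(baseline):
    """Map path -> violations for every path that deviates from the baseline."""
    findings = {}
    for path, expected in baseline.items():
        violations = check_path(path, expected)
        if violations:
            findings[path] = violations
    return findings


def demo():
    """Build constructed sample files, audit them and return the findings."""
    root = tempfile.mkdtemp()
    uid, gid = os.getuid(), os.getgid()
    flag = os.path.join(root, "flag.txt")        # correctly locked down
    config = os.path.join(root, "config.php")    # left world-readable
    for path in (flag, config):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.chmod(flag, 0o600)
    os.chmod(config, 0o644)
    baseline = {
        flag: {"uid": uid, "gid": gid, "mode": 0o600},
        config: {"uid": uid, "gid": gid, "mode": 0o640},
        # A key file that should exist but does not: also worth an alert.
        os.path.join(root, "absent.key"): {"uid": uid, "gid": gid, "mode": 0o600},
    }
    return audit(baseline)


if __name__ == "__main__":
    for path, violations in demo().items():
        for v in violations:
            print("ALERT:", v)
```

In production the baseline would be generated once from a known-good host (or from the deployment manifest) and the audit scheduled to run continuously; a missing file is reported as loudly as a permissive one, since both mean the server no longer matches its expected state.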

6. Monitor for vulnerabilities and apply patches

Keeping software up to date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies - for example, to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to rank it easily and give the security and operations teams a complete picture of the scope and exposure of your systems, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across the entire cloud infrastructure and ensure that packages remain secure and up to date.

Source: CloudPassage Halo Software Vulnerability Assessment module

7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners or customers, the directory in which those files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is monitoring for newly created files, as seen in Figure 11, in application and server directories that should never have files uploaded to them - unless by an authorized individual.

Figure 11 - Example of the detection of a newly added file

Source: CloudPassage Halo File Integrity Monitoring module

As recently as October 25, 2013, the creators of the PHP application framework had their website compromised (http://www.php.net). According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."

"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously verify that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
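Recommendations 7 and 8 are two uses of the same mechanism: take a cryptographic baseline of a directory tree and compare later snapshots against it. The script below is an added example, not code from the CloudPassage report or the Halo File Integrity Monitoring module. Run against an upload directory it surfaces files that should not be there (recommendation 7); run against a web root or configuration directory it surfaces changed code and settings, such as the kind of injected JavaScript described in the PHP.net incident (recommendation 8). The directory tree, file contents and changes in `demo()` are constructed in a temporary location for illustration.

```python
"""Detect new, modified and deleted files in monitored directories.

Added example, not code from the CloudPassage report or the Halo File
Integrity Monitoring module. snapshot() records a SHA-256 digest of every
regular file under a root; compare() diffs two snapshots. The directory
tree in demo() is constructed in a temporary location for illustration.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hash what is really stored, not targets.
            if os.path.isfile(full) and not os.path.islink(full):
                snap[os.path.relpath(full, root)] = file_digest(full)
    return snap


def compare(baseline, current):
    """Return {"added": [...], "modified": [...], "removed": [...]}, sorted."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed web root: take a baseline, make changes, return the diff."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

    # Known-good state (constructed).
    write("html/index.php", "<?php echo 'hello'; ?>\n")
    write("etc/app.conf", "db_host=127.0.0.1\n")
    write("uploads/report.pdf", "%PDF-1.4 constructed sample\n")
    baseline = snapshot(root)

    # Three events an operator wants an alert for (constructed):
    write("html/index.php",                      # application code changed
          "<?php echo 'hello'; ?>\n<script src=\"//example.invalid/inserted.js\"></script>\n")
    write("uploads/unexpected.php",              # executable file in an upload directory
          "<?php /* constructed: should never appear here */ ?>\n")
    os.remove(os.path.join(root, "etc/app.conf"))  # configuration removed
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():8} {path}")
```

The baseline must be stored somewhere the monitored host cannot silently rewrite it (a central service or a read-only location), otherwise an intruder who modifies code can re-baseline it in the same step; comparing on a schedule from that external copy is what turns this from a one-off check into the continuous monitoring the recommendation asks for.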

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Source: CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning, to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration, so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture, so that one solution is deployed, integrated and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems, and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

[Figure 13 labels: Enterprise Cloud, SaaS Hosting, Big Data, Test/Dev Data Center]

Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers are capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers, allowing them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.

Appendix A - Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner/
Description: Acunetix develops a heuristic, non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat website hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in performing assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new/
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.

Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker/
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is a free, open source SFTP and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer.


The flags submitted for the Windows servers all exploited the same threat vector as proven by Terrence, with the exception of one privileged flag capture that exploited a particular application that was not in scope for The Gauntlet exercise. At the time of this writing, CloudPassage is actively working with the vendor to ensure that the issue is corrected, following responsible disclosure rules.

Recommendations

The Gauntlet project highlighted several common deficiencies in the configurations of servers deployed without the protection of rigorous security scrutiny. The following recommendations may be considered "lessons learned" guidance for current and future cloud server instance deployments.

1. Change default credentials and use strong credentials for system and application accounts

Ensure that passwords are sufficiently complex that attackers cannot readily guess them. According to section 3.2.1 of NIST Special Publication 800-118, Guide to Enterprise Password Management, it is particularly important to change all default OS and application passwords, since lists of default accounts and passwords are widely available to attackers.

According to the Penetration Testing Execution Standard (PTES), identifying whether a device, application or operating system is vulnerable to a default credential attack is really as simple as trying to enter known default passwords.

Many applications store their credentials in system configuration files, Windows Registry keys or application databases. Often these credentials are stored in unencrypted clear text, in which case validating that the credentials have been changed from the default is trivial. If the password is obfuscated using something as commonly implemented as ROT13 character substitution, it is not as trivial to inspect, but it is easily reversible. If the password is encrypted, it may be impossible to validate that it has been changed from the default.

Note: Default passwords can be obtained from the following websites:[3]
• http://www.phenoelit-us.org/dpl/dpl.html
• http://www.cirt.net/passwords
• http://www.defaultpassword.com
• http://www.apsswordsdatabase.com
• http://www.isdpodcast.com/recources/62k-common-passwords

[3] Source of the websites listed: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Common%2Fdefault_passwords

2. Use non-trivial passwords

Organizations should ensure that other trivial passwords cannot be set. According to section 3.2.3 of NIST Special Publication 800-118, Guide to Enterprise Password Management, having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password's length and complexity, which in turn is determined by the unpredictability of its characters.

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits and symbols. Usernames or people's names, "password", the organization's name, simple keyboard patterns (e.g. "qwerty", "1234$"), dates (e.g. "03011970"), dictionary words and the names of people and places should not be used.
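The policy just described is concrete enough to enforce at the point where passwords are set. The following is an added example, not code from the CloudPassage report or from NIST SP 800-118: it implements the "three of four character groups" rule and rejects the listed weak choices (username or person's name, "password", the organization's name, keyboard patterns, dates and dictionary words), undoing common leetspeak substitutions first so that "P@ssw0rd" is still caught. The minimum length, the organization name, the keyboard patterns and the tiny word list are constructed assumptions; a real deployment would load a full dictionary.

```python
"""Password policy check for the complexity rules described above.

Added example; not code from the CloudPassage report or NIST SP 800-118.
The minimum length, the organization name, the keyboard patterns and the
tiny word list are constructed assumptions for illustration.
"""
import re
import string

MIN_LENGTH = 12                                  # assumption: policy length
ORG_NAME = "examplecorp"                         # placeholder organization
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
WORDLIST = {"password", "welcome", "letmein", "summer", "dragon",
            "london", "smith"}                   # constructed stand-in
LEET = str.maketrans("@01345$!", "aoleassi")     # p@ssw0rd -> password
DATE_LIKE = re.compile(r"\d{6,8}")               # 030170, 03011970


def character_groups(password):
    """Number of character groups (0-4) present in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password, username="", person_name=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)         # undo simple substitutions
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: fewer than {MIN_LENGTH} characters")
    if character_groups(password) < 3:
        problems.append("too few character groups: need 3 of lowercase/uppercase/digits/symbols")
    for label, value in (("username", username),
                         ("person's name", person_name),
                         ("organization name", ORG_NAME)):
        if value and value.lower().translate(LEET) in normalized:
            problems.append(f"contains {label}")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            problems.append(f"keyboard pattern '{pattern}'")
    if DATE_LIKE.search(password):
        problems.append("date-like digit run")
    for word in sorted(WORDLIST):
        if len(word) >= 4 and word in normalized:
            problems.append(f"dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate, user in (("P@ssw0rd1234", ""), ("Vq7#mLp2!xRw9Ks", ""),
                            ("jsmith_Rocks2013!", "jsmith")):
        verdict = check_password(candidate, username=user) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The leet normalization is deliberately applied only to the dictionary and name checks: character-group counting must see the raw password, otherwise a symbol-for-letter substitution would be counted twice.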

3. Employ multiple factors of authentication

Multi-factor authentication refers to the use of more than one authentication factor in place of a single factor. The three types of authentication factors are something you know, something you have and something you are. The number of factors incorporated by the system largely determines the strength of the authentication system. According to NIST Special Publication 800-63-2, Electronic Authentication Guideline, implementations that use two factors are considered stronger than those that use only one, and systems that incorporate all three factors are stronger than systems that incorporate only two.

With regard to application and operating system authentication, many tools exist to facilitate additional authentication factors. With randomly generated hardware or software authentication tokens (as seen in Figure 8), integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports, multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances.

Whichever methodology or tool you use, know that multi-factor authentication can only help to add additional access control to your servers and applications.

4 Block access to administrative ports until neededDo your administrators need to access your administrative access ports 247 What about the rest of the world Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers To limit the attack surface area of your servers and applications we advise blocking access to sensitive ports until an authorized user requires access

Figure 8 - Example display of a software authentication token

reg 12

Using a firewall to dynamically facilitate access is the preferred method especially in cloud environments Though many CSPs provide rudimentary firewall capability at its networkrsquos perimeter in many cases additional network protection is required According to NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Policy network firewalls are not able to recognize all instances and forms of attack allowing some attacks to penetrate and reach internal hosts - and attacks sent from one internal host to another may not even pass through a network firewall

As such host-based firewalls for servers provide an additional layer of security against network-based attacks These firewalls are software-based residing on the hosts they are protecting Also each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts

5 Validate user and group ownership and permissions of sensitive filesValidating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets since the dawn of computers

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files like flags in a capture-the-flag exercise and incorrectly exposing them to the rest of the world

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so If the permissions and ownership deviate from the expected state organizations should be alerted to the fact as depicted in Figure 9

Figure 9 - Example of file permission and ownership violations

Source CloudPassage Halo Configuration Security Monitoring module

13reg

6 Monitor for vulnerabilities and apply patchesKeeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs According to NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system Vulnerabilities can be exploited by a malicious entity to violate policies - for example to gain greater access or permission than is authorized on a server or within an application

When a new vulnerability is found you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system as shown in Figure 10

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across your entire cloud infrastructure and ensure that packages remain secure and up-to-date

Source CloudPassage Halo Software Vulnerability Assessment module

14reg

7 Monitor directories used by applications for uploads (and those not)If your application or server allows files to be uploaded by employees partners or customers the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers

Perhaps even more important is the monitoring of application and server directories for newly created files as seen in Figure 11 that should never have files uploaded to them ndash unless by an authorized individual

Figure 11 - Example of the detection of a newly added file

As recently as October 25 2013 the creators of the PHP application framework had their website compromised (httpwwwphpnet) According to their official report their team found that ldquotwo servers were compromised the server which hosted the wwwphpnet staticphpnet and gitphpnet domains and was previously suspected based on the JavaScript malware and the server hosting bugsphpnetrdquo

The method by which these servers were compromised was not known at the time this report was written but the PHP team was only alerted to the issue after it was flagged by Googlersquos Safe Browsing initiative as a malicious website According to Steve Ragan Staff Writer at CSO

Long before the admission of a breach security experts were certain that Googles flag was no false positive Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded Later in the evening Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit and it was attempting to drop an information-stealing Trojan called Tepfer

Source CloudPassage Halo File Integrity Monitoring module

15reg

ldquoIts unknown how many users may have been infected by the rogue JavaScript but PHPnet says the malicious code was active from October 22 until it was discovered and removed on October 24rdquo said Ragan ldquoThe attack window is small but PHPnet is in the top 250 domains on the Internet according to Alexa rankings so the pool of potential victims is massiverdquo

8 Monitor configuration files and application code for changesSimilar to monitoring for newly created files organizations should continuously monitor that production configuration files and application code do not change during normal operation

Should the company websitersquos HTML PHP or JavaScript code change or the configuration files of web database file or other application servers change without your knowledge detecting the change early could be the difference between quick mitigation and having your companyrsquos name strewn across the front page of every major news publication Figure 12

9 Automate your securityThe above recommendations may sound like an insurmountable task especially given the rate your organization is looking to deploy servers in cloud environments Though cloud environments have a multitude of benefits getting a handle on security in such a dynamic and elastic environment is a challenge

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale security automation must be directly integrated into any cloud platform (eg VMware Citrix OpenStack) or cloud service provider (eg Amazon Web Services Rackspace Savvis) you are using as illustrated in Figure 13

Figure 13 - Security automation

Such an automation strategy should be able to facilitate

bull Automated provisioning to ensure critical security controls are ubiquitous across environments

bull Direct cloud stack integration so that security transparently grows and changes with your cloud

bull Cloud-agnostic architecture so that one solution is deployed integrated and managed for all cloud environments

bull Continuous security monitoring and control

bull Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

bull Integration with other automation tools (eg vCloud Puppet Chef) and security systems (eg Splunk HPArcSight Sumo Logic) for complete enterprise visibility and configuration management

16reg

ENTERPRISE CLOUD

Saas Hosting

Big Data

Test-Dev Data Center

17reg

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassagereg and Haloreg are registered trademarks of CloudPassage Inc

About BugcrowdBugcrowd makes bug bounty programs accessible and affordable Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash lsquobountiesrsquo as well as community status For more information please visit httpwwwbugcrowdcom

18reg

Appendix A ndash Tool InformationAcunetix Web Vulnerability ScannerURL httpwwwacunetixcomvulnerability-scanner Description Acunetix develops an heuristic non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking

BacktrackURL httpwwwbacktrack-linuxorg Description BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 13: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

reg 11

2 Use non-trivial passwordsOrganizations should ensure that other trivial passwords cannot be set According to section 323 of the NIST Special Publication 800-118 Guide to Enterprise Password Management having strong passwords helps mitigate guessing and cracking Password strength is determined by a passwordrsquos length and complexity which is determined by the unpredictability of its characters

An example of a good password complexity policy is requiring that characters from at least three of the following four groups be present in every password lowercase letters uppercase letters digits and symbols Username or personrsquos name ldquopasswordrdquo the organizationrsquos name simple keyboard patterns (eg ldquoqwertyrdquo ldquo1234$rdquo) dates (eg ldquo03011970rdquo) dictionary words and names of people and places should not be used

3 Employ multiple factors of authenticationMulti-factor authentication refers to the use of more than one authentication factor in place of a single factor The three types of authentication factors are something you know something you have and something you are The number of factors incorporated by the system largely determines the strength of authentication systems According to NIST Special Publication 800-63-2 Electronic Authentication Guideline implementations that use two factors are considered to be stronger than those that use only one factor and systems that incorporate all three factors are stronger than systems that only incorporate two of the factors

With regards to application and operating system authentication many tools exist to facilitate additional authentication factors With randomly generated hardware

or software authentication tokens (as seen in Figure 8) integrated Single Sign-On (SSO) frameworks and dynamic user access to applications and administrative ports multi-factor authentication is a relatively easy way to add additional layers of access control (and user monitoring) to existing cloud server instances

Whichever methodology or tool you use know that multi-factor authentication can only help to add additional access control to your servers and applications

4 Block access to administrative ports until neededDo your administrators need to access your administrative access ports 247 What about the rest of the world Allowing access to sensitive administrative and remote access ports may entice attackers to undertake brute forcing and password guessing exercises against your servers To limit the attack surface area of your servers and applications we advise blocking access to sensitive ports until an authorized user requires access

Figure 8 - Example display of a software authentication token


Using a firewall to dynamically facilitate access is the preferred method, especially in cloud environments. Though many CSPs provide rudimentary firewall capability at their network's perimeter, in many cases additional network protection is required. According to NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, network firewalls are not able to recognize all instances and forms of attack, allowing some attacks to penetrate and reach internal hosts; and attacks sent from one internal host to another may not even pass through a network firewall.

As such, host-based firewalls for servers provide an additional layer of security against network-based attacks. These firewalls are software-based, residing on the hosts they are protecting. Each monitors and controls the incoming and outgoing network traffic for a single host and can provide more granular protection than network firewalls to meet the needs of specific hosts.
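
To make the "closed until an authorized user needs it" model concrete, here is an added example (this page's, not the report's or any CSP's) of a host-level policy object that keeps a set of administrative ports dropped by default, opens one port to one source network for a limited time, expires the exception, and renders the result as iptables INPUT rules. The port list, the grant lifetime, the `decide`/`expire`/`render_iptables` names and the epoch-second timestamps are all assumptions of the example.

```python
import ipaddress
import time
from dataclasses import dataclass, field

# Administrative and remote-access ports this policy keeps closed by default.
# Constructed list for the example; adjust it to the services actually running.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 5985: "winrm"}


@dataclass
class Grant:
    """A time-boxed exception: one source network may reach one admin port until
    expires_at (Unix epoch seconds)."""
    source: ipaddress.IPv4Network  # or IPv6Network
    port: int
    expires_at: int
    requested_by: str

    def active(self, now):
        return now < self.expires_at


@dataclass
class HostFirewallPolicy:
    grants: list = field(default_factory=list)

    def grant(self, cidr, port, requested_by, now, ttl_seconds=3600):
        """Open `port` to `cidr` for ttl_seconds. Ports outside ADMIN_PORTS are refused so
        the just-in-time mechanism cannot be used to punch arbitrary holes."""
        if port not in ADMIN_PORTS:
            raise ValueError(f"port {port} is not an administrative port in this policy")
        g = Grant(ipaddress.ip_network(cidr, strict=False), port, now + ttl_seconds, requested_by)
        self.grants.append(g)
        return g

    def decide(self, src_ip, dst_port, now):
        """ALLOW or DENY for admin ports; PASS means the connection is not governed here
        and falls through to the host's ordinary ruleset."""
        if dst_port not in ADMIN_PORTS:
            return "PASS"
        addr = ipaddress.ip_address(src_ip)
        for g in self.grants:
            if g.port == dst_port and g.active(now) and addr in g.source:
                return "ALLOW"
        return "DENY"

    def expire(self, now):
        """Drop grants that have lapsed and return them so the caller can log the closure."""
        expired = [g for g in self.grants if not g.active(now)]
        self.grants = [g for g in self.grants if g.active(now)]
        return expired

    def render_iptables(self, now):
        """Render the policy as iptables INPUT rules: one ACCEPT per active grant, then a
        DROP for every admin port. Order matters: the ACCEPTs must precede the DROPs."""
        rules = [f"-A INPUT -p tcp -s {g.source} --dport {g.port} -j ACCEPT"
                 for g in self.grants if g.active(now)]
        rules += [f"-A INPUT -p tcp --dport {p} -j DROP" for p in sorted(ADMIN_PORTS)]
        return rules


if __name__ == "__main__":
    policy = HostFirewallPolicy()
    now = int(time.time())
    policy.grant("203.0.113.0/24", 22, "alice", now, ttl_seconds=1800)  # constructed request
    print("\n".join(policy.render_iptables(now)))
    print("ssh from 203.0.113.5:", policy.decide("203.0.113.5", 22, now))
    print("ssh from 198.51.100.9:", policy.decide("198.51.100.9", 22, now))
```

The value of the model is in what it refuses: a grant for a non-administrative port is rejected outright, a grant that has expired no longer allows traffic even before `expire` has run, and the rendered ruleset always ends in an explicit DROP for every administrative port, so forgetting to re-apply the rules fails closed rather than open.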

5. Validate user and group ownership and permissions of sensitive files

Validating that data access is limited only to those individuals or groups that require access is perhaps one of the oldest security guidance tenets, dating back to the dawn of computers.

The correct ownership and permissions of files and directories could mean the difference between protecting sensitive files (like flags in a capture-the-flag exercise) and incorrectly exposing them to the rest of the world.

Administrators must ensure that permissions and ownership are defined for any files or directories present on a server and that only those authorized to access them can do so. If the permissions and ownership deviate from the expected state, organizations should be alerted to the fact, as depicted in Figure 9.
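
The check behind a Figure 9 style alert is a comparison of each sensitive path's actual owner, group and mode against a recorded expected state. The block below is an added example for this page, not Halo's implementation: it audits a baseline of `path -> (uid, gid, mode)`, reports deviations and missing files, and additionally flags anything readable or writable by "other". The `demo()` scenario (a flag file left at 0644, a key correctly at 0600, a config file that has vanished) is constructed in a temporary directory and assumes a POSIX host.

```python
import os
import shutil
import stat
import tempfile


def audit_path(path, expected_uid, expected_gid, expected_mode):
    """Compare one path's owner, group and permission bits with the expected state.

    Returns a list of (kind, expected, actual) tuples; empty means the path is as expected.
    os.lstat is used deliberately: a symlink planted where a regular file should be shows
    up as a deviation instead of being silently followed."""
    st = os.lstat(path)
    actual_mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(("owner", expected_uid, st.st_uid))
    if st.st_gid != expected_gid:
        problems.append(("group", expected_gid, st.st_gid))
    if actual_mode != expected_mode:
        problems.append(("mode", oct(expected_mode), oct(actual_mode)))
    # Independent of the baseline: anything readable or writable by 'other' on a
    # sensitive file gets its own alert line.
    if actual_mode & stat.S_IROTH:
        problems.append(("world-readable", "no", "yes"))
    if actual_mode & stat.S_IWOTH:
        problems.append(("world-writable", "no", "yes"))
    return problems


def audit(baseline):
    """baseline maps path -> (uid, gid, mode). Returns {path: [violations]} for every path
    that is missing or deviates; paths in the expected state are omitted."""
    report = {}
    for path, (uid, gid, mode) in baseline.items():
        if not os.path.lexists(path):
            report[path] = [("missing", "present", "absent")]
            continue
        problems = audit_path(path, uid, gid, mode)
        if problems:
            report[path] = problems
    return report


def demo():
    """Constructed scenario (POSIX only): a flag file that should be 0600 but was left 0644,
    a correctly protected key, and a config file that has disappeared."""
    root = tempfile.mkdtemp()
    try:
        flag = os.path.join(root, "flag.txt")
        key = os.path.join(root, "id_rsa")
        for path, text, mode in ((flag, "constructed flag\n", 0o644),
                                 (key, "constructed key material\n", 0o600)):
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        owner = os.stat(key)  # baseline owner/group taken from a file we know is right
        baseline = {
            flag: (owner.st_uid, owner.st_gid, 0o600),
            key: (owner.st_uid, owner.st_gid, 0o600),
            os.path.join(root, "app.conf"): (owner.st_uid, owner.st_gid, 0o640),
        }
        return audit(baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problems in demo().items():
        for kind, expected, actual in problems:
            print(f"{path}: {kind} expected={expected} actual={actual}")
```

Run periodically (or from a file-system event hook), the report is the raw material for an alert like Figure 9; the "missing" case matters as much as the others, since a sensitive file that has disappeared is often the first visible sign of tampering.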

Figure 9 - Example of file permission and ownership violations

Source: CloudPassage Halo Configuration Security Monitoring module


6. Monitor for vulnerabilities and apply patches

Keeping software up-to-date with the latest patches is a critical piece of ongoing security and compliance programs. According to NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies, for example to gain greater access or permission than is authorized on a server or within an application.

When a new vulnerability is found, you should be able to easily rank it and give the security and operations teams a complete set of information as to the scope and exposure of your system, as shown in Figure 10.

Figure 10 - Example of detected vulnerabilities on a server

This allows the organization to prioritize issues across its entire cloud infrastructure and ensure that packages remain secure and up-to-date.

Source: CloudPassage Halo Software Vulnerability Assessment module


7. Monitor directories used by applications for uploads (and those not)

If your application or server allows files to be uploaded by employees, partners, or customers, the directory within which the files are stored should be continuously monitored to ensure that no unintended data is stored on your servers.

Perhaps even more important is monitoring application and server directories that should never have files uploaded to them (unless by an authorized individual) for newly created files, as seen in Figure 11.

Figure 11 - Example of the detection of a newly added file

Source: CloudPassage Halo File Integrity Monitoring module

As recently as October 25, 2013, the creators of the PHP application framework had their website (http://www.php.net) compromised. According to their official report, their team found that "two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net."

The method by which these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after it was flagged by Google's Safe Browsing initiative as a malicious website. According to Steve Ragan, Staff Writer at CSO:

"Long before the admission of a breach, security experts were certain that Google's flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer."


"It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24," said Ragan. "The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive."

8. Monitor configuration files and application code for changes

Similar to monitoring for newly created files, organizations should continuously monitor that production configuration files and application code do not change during normal operation.

Should the company website's HTML, PHP, or JavaScript code change, or the configuration files of web, database, file, or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company's name strewn across the front page of every major news publication (Figure 12).
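
Recommendations 7 and 8 are two views of the same mechanism: a baseline of what the file tree should contain, compared against what it contains now. The block below is an added example for this page, not Halo's File Integrity Monitoring code: it hashes every regular file under a root, diffs two snapshots, and separates a new file inside a declared upload directory (expected, but worth review) from a new file anywhere else (an alert), alongside modified and deleted files. The web root in `demo()` is constructed in a temporary directory; the file names and the `upload_dirs` convention are assumptions of the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file below root (path relative to root) to its SHA-256 and size."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link target can be audited separately if it matters
            files[os.path.relpath(full, root)] = (sha256_of(full), os.path.getsize(full))
    return files


def compare(baseline, current, upload_dirs=()):
    """Classify the differences between two snapshots.

    New files inside a declared upload directory are listed under 'uploads' (expected, but
    still worth reviewing). A new file anywhere else, and any modified or deleted file,
    is an alert."""
    def in_upload_dir(rel):
        return any(rel.startswith(d.rstrip(os.sep) + os.sep) for d in upload_dirs)

    added = sorted(set(current) - set(baseline))
    return {
        "unexpected_new": [p for p in added if not in_upload_dir(p)],
        "uploads": [p for p in added if in_upload_dir(p)],
        "modified": sorted(p for p in set(current) & set(baseline)
                           if current[p][0] != baseline[p][0]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed web root: take a baseline, then simulate the events the report warns
    about: application code changed, a file appearing in a directory that never receives
    uploads, a legitimate upload, and a configuration file removed."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "index.php", "<?php echo 'hello'; ?>\n")
        _write(root, os.path.join("config", "db.conf"), "host=db.internal\n")
        _write(root, os.path.join("uploads", ".keep"), "")
        baseline = snapshot(root)

        _write(root, "index.php", "<?php echo 'hello'; ?>\n<!-- constructed change -->\n")
        _write(root, os.path.join("images", "new.php"), "<?php /* constructed unexpected file */ ?>\n")
        _write(root, os.path.join("uploads", "report.pdf"), "constructed upload\n")
        os.remove(os.path.join(root, "config", "db.conf"))
        return compare(baseline, snapshot(root), upload_dirs=("uploads",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline must be stored somewhere the monitored host cannot rewrite it (an off-host agent or a signed copy); a baseline kept beside the files it describes can simply be re-generated by whoever changed them. Content hashes rather than timestamps are compared because a modification time is trivially reset.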

9. Automate your security

The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Source: CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning to ensure critical security controls are ubiquitous across environments

• Direct cloud stack integration so that security transparently grows and changes with your cloud

• Cloud-agnostic architecture so that one solution is deployed, integrated, and managed for all cloud environments

• Continuous security monitoring and control

• Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management


[Figure 13 diagram labels: Enterprise Cloud, SaaS Hosting, Big Data, Test-Dev Data Center]


Closing Thoughts

In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers are capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings, and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application. However, the issue continues to surface.

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry's only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private, and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures, and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS, and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X, and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.


Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive, and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is the secure file transfer between local and remote computers.


Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 16: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

14reg

7 Monitor directories used by applications for uploads (and those not)
If your application or server allows files to be uploaded by employees, partners or customers, the directory in which those files are stored should be continuously monitored to ensure that no unintended content ends up on your servers.

Perhaps even more important is monitoring the application and server directories that should never receive uploads, so that any newly created file there (Figure 11) is flagged unless it was placed by an authorized individual.

Figure 11 - Example of the detection of a newly added file

As recently as October 25, 2013, the PHP project itself had its website compromised (http://www.php.net). According to its official report, the team found that “two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net”.

How these servers were compromised was not known at the time this report was written, but the PHP team was only alerted to the issue after Google’s Safe Browsing initiative flagged php.net as a malicious website. According to Steve Ragan, Staff Writer at CSO:

“Long before the admission of a breach, security experts were certain that Google’s flag was no false positive. Barracuda Labs released a pcap (packet capture) file showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini from Kaspersky Labs reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer.”

Figure 11 source: CloudPassage Halo File Integrity Monitoring module


“It’s unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24,” said Ragan. “The attack window is small, but PHP.net is in the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive.”

8 Monitor configuration files and application code for changes
Similar to monitoring for newly created files, organizations should continuously verify that production configuration files and application code do not change during normal operation.

Should your website’s HTML, PHP or JavaScript code change, or the configuration files of web, database, file or other application servers change without your knowledge, detecting the change early could be the difference between quick mitigation and having your company’s name strewn across the front page of every major news publication (Figure 12).
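One way to implement recommendations 7 and 8 together, as an added example that is not part of the original report and uses none of CloudPassage's Halo code: take a SHA-256 baseline of a web root, then diff a later snapshot so that both new files (rated critical when they appear under a directory that should never receive uploads) and modified configuration or application files surface as alerts. The web root, the file names, the `includes/` no-upload policy and the simulated tampering are all constructed for the demo.

```python
"""Minimal file-integrity baseline and diff (example code, not CloudPassage's).

Covers two checks from the recommendations above:
  - a file appearing where none should ever be written (recommendation 7)
  - a config or code file changing in place (recommendation 8)
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                # Do not hash through links: a swapped symlink would otherwise
                # look like a content change on a file nobody touched.
                continue
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify the difference between two baselines."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def flag(diff: dict[str, list[str]], no_upload_dirs: tuple[str, ...]) -> list[str]:
    """Turn a diff into alert lines; additions under no-upload dirs are critical."""
    alerts = []
    for p in diff["added"]:
        sev = "CRITICAL" if p.startswith(no_upload_dirs) else "INFO"
        alerts.append(f"{sev} new file {p}")
    alerts += [f"CRITICAL modified {p}" for p in diff["modified"]]
    alerts += [f"WARNING removed {p}" for p in diff["removed"]]
    return alerts


def demo() -> list[str]:
    """Build a throwaway web root, baseline it, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "includes").mkdir()
        (root / "config.php").write_text("<?php $db_pass = 'example';\n")
        (root / "includes" / "site.js").write_text("console.log('hi');\n")
        (root / "uploads" / "avatar.png").write_bytes(b"\x89PNG fake image bytes")

        before = baseline(root)

        # Constructed intrusion: one legitimate user upload (expected, low
        # severity), a web shell dropped into includes/ (never an upload
        # target), and site.js rewritten to inject an iframe, the pattern
        # of the php.net incident described above.
        (root / "uploads" / "report.pdf").write_bytes(b"%PDF-1.4 fake")
        (root / "includes" / "cmd.php").write_text("<?php system($_GET['c']);\n")
        (root / "includes" / "site.js").write_text(
            "console.log('hi');\n"
            "document.write('<iframe src=\"http://evil.invalid/\">');\n"
        )

        return flag(compare(before, baseline(root)), no_upload_dirs=("includes/",))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two caveats a production deployment needs that this sketch leaves out: the baseline must be stored off the monitored host (or signed), since an attacker who gains root can simply rewrite a local manifest to match; and real file-integrity monitoring also records ownership and permission bits, so a chmod to make a script executable is caught even when its content is unchanged.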

9 Automate your security
The above recommendations may sound like an insurmountable task, especially given the rate at which your organization is looking to deploy servers in cloud environments. Though cloud environments have a multitude of benefits, getting a handle on security in such a dynamic and elastic environment is a challenge.

Figure 12 source: CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale, security automation must be directly integrated into any cloud platform (e.g. VMware, Citrix, OpenStack) or cloud service provider (e.g. Amazon Web Services, Rackspace, Savvis) you are using, as illustrated in Figure 13.

Figure 13 - Security automation

Such an automation strategy should be able to facilitate:

• Automated provisioning, to ensure critical security controls are ubiquitous across environments
• Direct cloud stack integration, so that security transparently grows and changes with your cloud
• Cloud-agnostic architecture, so that one solution is deployed, integrated and managed for all cloud environments
• Continuous security monitoring and control
• Group-based management, for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet
• Integration with other automation tools (e.g. vCloud, Puppet, Chef) and security systems (e.g. Splunk, HP ArcSight, Sumo Logic) for complete enterprise visibility and configuration management

[Figure 13 diagram labels: Enterprise Cloud; SaaS Hosting; Big Data; Test-Dev Data Center]

Closing Thoughts
In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers are capable of exploiting servers and applications of many types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.

Not only was a popular and widely used application exploited, but so too was the carelessness of the administrator in securing the flags on the target. The latter (all too common) oversight is something that must not happen in production deployments, yet it continues to appear in penetration tests, audit findings and the headlines of international news publications. Likewise, the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application; nevertheless, the issue continues to surface.

About CloudPassage
CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry’s only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures and other leading investors. For more information, please visit http://www.cloudpassage.com.

CloudPassage® and Halo® are registered trademarks of CloudPassage, Inc.

About Bugcrowd
Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers, vetted by Bugcrowd and competing for cash ‘bounties’ as well as community status. For more information, please visit http://www.bugcrowd.com.


Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat website hacking.

BackTrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing distribution that gives security professionals a native environment dedicated to performing assessments.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with many useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project’s rebranded build of the Mozilla Firefox browser.

Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

Netsparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only “false-positive-free web application security scanner” that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: A tool capable of injecting arbitrary code into .NET assemblies without harming the original code; in short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668.

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is a free, open source SFTP and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer.

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 17: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

15reg

ldquoIts unknown how many users may have been infected by the rogue JavaScript but PHPnet says the malicious code was active from October 22 until it was discovered and removed on October 24rdquo said Ragan ldquoThe attack window is small but PHPnet is in the top 250 domains on the Internet according to Alexa rankings so the pool of potential victims is massiverdquo

8 Monitor configuration files and application code for changesSimilar to monitoring for newly created files organizations should continuously monitor that production configuration files and application code do not change during normal operation

Should the company websitersquos HTML PHP or JavaScript code change or the configuration files of web database file or other application servers change without your knowledge detecting the change early could be the difference between quick mitigation and having your companyrsquos name strewn across the front page of every major news publication Figure 12

9 Automate your securityThe above recommendations may sound like an insurmountable task especially given the rate your organization is looking to deploy servers in cloud environments Though cloud environments have a multitude of benefits getting a handle on security in such a dynamic and elastic environment is a challenge

Source CloudPassage Halo Configuration Risks dashboard

To keep up with the organizational requirements of securing instances at scale security automation must be directly integrated into any cloud platform (eg VMware Citrix OpenStack) or cloud service provider (eg Amazon Web Services Rackspace Savvis) you are using as illustrated in Figure 13

Figure 13 - Security automation

Such an automation strategy should be able to facilitate

bull Automated provisioning to ensure critical security controls are ubiquitous across environments

bull Direct cloud stack integration so that security transparently grows and changes with your cloud

bull Cloud-agnostic architecture so that one solution is deployed integrated and managed for all cloud environments

bull Continuous security monitoring and control

bull Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

bull Integration with other automation tools (eg vCloud Puppet Chef) and security systems (eg Splunk HPArcSight Sumo Logic) for complete enterprise visibility and configuration management

16reg

ENTERPRISE CLOUD

Saas Hosting

Big Data

Test-Dev Data Center

17reg

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassagereg and Haloreg are registered trademarks of CloudPassage Inc

About BugcrowdBugcrowd makes bug bounty programs accessible and affordable Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash lsquobountiesrsquo as well as community status For more information please visit httpwwwbugcrowdcom

18reg

Appendix A ndash Tool InformationAcunetix Web Vulnerability ScannerURL httpwwwacunetixcomvulnerability-scanner Description Acunetix develops an heuristic non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking

BacktrackURL httpwwwbacktrack-linuxorg Description BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 18: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

To keep up with the organizational requirements of securing instances at scale security automation must be directly integrated into any cloud platform (eg VMware Citrix OpenStack) or cloud service provider (eg Amazon Web Services Rackspace Savvis) you are using as illustrated in Figure 13

Figure 13 - Security automation

Such an automation strategy should be able to facilitate

bull Automated provisioning to ensure critical security controls are ubiquitous across environments

bull Direct cloud stack integration so that security transparently grows and changes with your cloud

bull Cloud-agnostic architecture so that one solution is deployed integrated and managed for all cloud environments

bull Continuous security monitoring and control

bull Group-based management for orchestration across thousands of systems and automatic protection as systems are added to your cloud fleet

bull Integration with other automation tools (eg vCloud Puppet Chef) and security systems (eg Splunk HPArcSight Sumo Logic) for complete enterprise visibility and configuration management

16reg

ENTERPRISE CLOUD

Saas Hosting

Big Data

Test-Dev Data Center

17reg

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassagereg and Haloreg are registered trademarks of CloudPassage Inc

About BugcrowdBugcrowd makes bug bounty programs accessible and affordable Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash lsquobountiesrsquo as well as community status For more information please visit httpwwwbugcrowdcom

18reg

Appendix A ndash Tool InformationAcunetix Web Vulnerability ScannerURL httpwwwacunetixcomvulnerability-scanner Description Acunetix develops an heuristic non-signature based web vulnerability scanner - Acunetix WVS - to help companies combat web site hacking

BacktrackURL httpwwwbacktrack-linuxorg Description BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking

Burp SuiteURL httpwwwportswiggernetburp Description Burp Suite is an integrated platform for performing security testing of web applications Its various tools work seamlessly together to support the entire testing process from initial mapping and analysis of an applications attack surface through to finding and exploiting security vulnerabilities

FileZillaURL httpsfilezilla-projectorg Description FileZilla Client is a fast and reliable cross-platform FTP FTPS and SFTP client with lots of useful features and an intuitive graphical user interface

Mozilla FirefoxURL httpwwwmozillaorgen-USfirefoxnew Description Mozilla Firefox is a free and open source web browser developed for Windows OS X and Linux with a mobile version for Android by the Mozilla Foundation and its subsidiary The Mozilla Corporation

Iceweasel Browser URL httpwwwgeticeweaselorg Description Debian project rebranded Mozilla Firefox browser

19reg

MetasploitURL httpwwwmetasploitorg Description Metasploit is a tool for developing and executing exploit code against a remote target machine Other important sub-projects of the Metasploit Project include the Opcode Database shellcode archive and related research

NetSparkerURL httpswwwmavitunasecuritycomnetsparker Description Netsparker bills itself as the only ldquoFalse-positive-free web application security scannerrdquo that can automatically discover the flaws that could leave you dangerously exposed

NmapURL httpwwwnmaporg Description Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing

und3ath injectorURL httpund3athblogspotfr201210source-d3ath-jector-mono-cecil-injectorhtml (no longer works) Description Tool capable of injecting arbitrary code into NET assemblies without harming the original code In short a stealth backdooring tool for NET executables More information can be found at httpinsecuretynetp=668

Visual Studio 2010 Express URL httpwwwmicrosoftcomvisualstudioengproductsvisual-studio-2010-express Description Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft

WinSCPURL httpwinscpnetengindexphp

Description WinSCP is an open source free SFTP client and FTP client for Windows Its main function is the secure file transfer between local and remote computer

  1. next page 2
  2. next page 1
  3. previous page 1
  4. next page 3
  5. previous page 2
  6. next page 4
  7. previous page 3
  8. next page 5
  9. previous page 4
  10. next page 6
  11. previous page 5
  12. next page 7
  13. previous page 6
  14. next page 8
  15. previous page 7
  16. next page 9
  17. previous page 8
  18. next page 10
  19. previous page 9
  20. next page 11
  21. previous page 10
  22. next page 12
  23. previous page 11
  24. next page 13
  25. previous page 12
  26. next page 14
  27. previous page 13
  28. next page 15
  29. previous page 14
  30. next page 16
  31. previous page 15
  32. next page 17
  33. previous page 16
  34. next page 18
  35. previous page 17
  36. next page 19
  37. previous page 18
  38. next page 20
  39. previous page 19
Page 19: Gauntlet - ASIS NEWS · The Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful ... Nmap scan of one of the Windows targets

17reg

Closing ThoughtsIn our opinion the results of The Gauntlet exercise were very valuable and telling Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types it also showed just how briefly carelessly deployed servers in cloud environments might survive

Not only was a popular and widely used application exploited but so too was the carelessness of the administrator in securing the flags on the target The latter (all too common) oversight is something that must not happen in production deployments yet continues to appear in penetration tests audit findings and in the headlines of international news publications Likewise the former exploit vector could have been easily avoided by continuously monitoring the configuration settings of the application However the issue continues to surface

About CloudPassageCloudPassage is the leading cloud infrastructure security provider and creator of Halo the industryrsquos only security and compliance platform purpose-built for elastic cloud environments Halo operates seamlessly across public private and hybrid clouds Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments Headquartered in San Francisco CA CloudPassage is backed by Benchmark Capital Tenaya Capital Shasta Ventures and other leading investors For more information please visit httpwwwcloudpassagecom

CloudPassage® and Halo® are registered trademarks of CloudPassage Inc.

About Bugcrowd

Bugcrowd makes bug bounty programs accessible and affordable. Bugcrowd provides enterprise customers with a technology platform and a vetted community of security testers to allow them to outsource their bug bounty program. Bugcrowd customers are able to perform penetration testing on their web and mobile platforms using a burgeoning community of security researchers vetted by Bugcrowd and competing for cash 'bounties' as well as community status. For more information, please visit http://www.bugcrowd.com

Appendix A – Tool Information

Acunetix Web Vulnerability Scanner
URL: http://www.acunetix.com/vulnerability-scanner
Description: Acunetix develops a heuristic, non-signature-based web vulnerability scanner, Acunetix WVS, to help companies combat web site hacking.

Backtrack
URL: http://www.backtrack-linux.org
Description: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Burp Suite
URL: http://www.portswigger.net/burp
Description: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

FileZilla
URL: https://filezilla-project.org
Description: FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP client with lots of useful features and an intuitive graphical user interface.

Mozilla Firefox
URL: http://www.mozilla.org/en-US/firefox/new
Description: Mozilla Firefox is a free and open source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation.

Iceweasel Browser
URL: http://www.geticeweasel.org
Description: The Debian project's rebranded Mozilla Firefox browser.

Metasploit
URL: http://www.metasploit.org
Description: Metasploit is a tool for developing and executing exploit code against a remote target machine. Other important sub-projects of the Metasploit Project include the Opcode Database, shellcode archive and related research.

NetSparker
URL: https://www.mavitunasecurity.com/netsparker
Description: Netsparker bills itself as the only "false-positive-free web application security scanner" that can automatically discover the flaws that could leave you dangerously exposed.

Nmap
URL: http://www.nmap.org
Description: Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

und3ath injector
URL: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (no longer works)
Description: Tool capable of injecting arbitrary code into .NET assemblies without harming the original code. In short, a stealth backdooring tool for .NET executables. More information can be found at http://insecurety.net/?p=668

Visual Studio 2010 Express
URL: http://www.microsoft.com/visualstudio/eng/products/visual-studio-2010-express
Description: Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft.

WinSCP
URL: http://winscp.net/eng/index.php
Description: WinSCP is an open source, free SFTP client and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer.
