Today during a Penetration Test of a client I came across a piece of software called “Track-It!” by Numara, who was since acquired by BMC. Now this application is used by IT Helpdesks to offer centralised control of assets, so it was definitely worth a look at from a testing point of view. I found an open (Readable by Domain Users) network share on the installation server named “TrackIt” which internally exposed configuration files such as trackit.cfg which contained intersting lines such as: RemoteInstallPass=AAABASE64HEREAAA== DomainAdminPass=BBBBASE64HEREBBB==
The aim of this post is not to talk about how to perform effective penetration tests, but it’s more around taking the first steps towards a career as a Penetration Tester. I want to talk about the kind of things that I look for in candidates, the kind of skills that I found useful when starting out, and as a candidate what to look at first. Information Security is a huge field and you’ve got a whole career to learn all of the details, but where should you start?
Now I’ve posted previously about cross-domain communication with things like HTML5 CORS and HTML5 postMessages, I’ve also written about the browsers built in protections through Same-Origin Policy. However, recently I saw a discussion about Cross-domain Flash and Silverlight and how those are different, how specifically the exploitation works and what it offers an attacker.
HTTP Header Injection vulnerabilities occur when user input is insecurely included within server responses headers. Specifically they are based around the idea that an attacker can cause the server to generate a response which includes carriage-return and line-feed characters (or %0D and %0A respectively in their URI encoded forms) within the server response header the attacker may be able to add crafted headers themselves. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.
I posted a while ago on the very basics of SQL Injection. Then after than I did a complete breakdown of the manual exploitation of SQL Injection. Armed with that post and a cheatsheet or two, you should be able to get knee deep in almost any injection point. However, the truth is that often these injection points can be exploited using free, publicly available tools such as SQLmap! SQL injection can be a time consuming thing to exploit, especially when it comes to blind or out-of-band injection! So why not take the path of least resistance and automate wherever …
A friend of mine mentioned recently that he has to work out subnet masks in his head for an exam and commented in reality he’d just use a subnet calculator. Whilst this is probably true, there’s a quick trick that might help if you’re calculating subnets under duress. This isn’t a full write up and offers no real explanation of why it works, it’s just pointing out a trick you may have missed which might come in handy one day!
I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post host to quickly get the Network ID, first host and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that!
Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#
There are a couple of sites out there which will take a look at the configuration of your site and give pointers as to where you can tighten up your configuration, pointing out if you’re missing headers such as Content-Security-Policy, X-Frame-Options or X-XSS-Protection. If you run a WordPress Blog there’s a quick way of adding and removing headers – you can do it within the WordPress Admin interface, with the Appearance Editor: