Sunday, November 20, 2011

Paros Web Proxy

As this semester wraps up at both universities, I found myself rapidly trying to grade papers as well as complete my own projects. One of the projects I needed to complete was for a network and web security course at DSU. I used Nikto in a previous post to discuss the use of that software in vulnerability assessment.

I have used proxy software in the past, but never in the capacity of vulnerability assessment. Now the project was to break a PHP script and gain remote access. This actually turned out to be simpler than I anticipated, but what was surprising was how useful the Paros proxy software was in accomplishing that particular goal.

The software is designed to let you see all the GET and POST requests, their content, and the delivery of regular web traffic between your host and the remote server. It has two nifty features though: cookie storage and spider crawl. I used the spider functionality to grab the listing of HTML, then did a directory grep for *.php to find my script call. This saved hours of time looking through the site and really let me get to the heart of the assignment.

Paros should be added to any suite of network vulnerability tools for use in pen testing. I highly recommend it.

Thursday, October 06, 2011

My Apple Story

To all of you in Cupertino and Austin and to the family of Steve, my heart and thoughts are with you.

The world is mourning the passing of Steve Jobs today, and so am I. Steve passed away yesterday after a long battle with cancer. For those of you who use apple products, the iPhone, iPad, iPod, Macs, this is a sad day. For those of us who spent time at Apple, it's almost a personal loss.

My first computer was a Commodore 64 with dual 5.25" floppy drives. It was quickly replaced with the first Macintosh. I was in love. I bounced from the 128 to the 512k model in a year, then to the SE, SE/30, and ultimately to the LC I. My first personal computer at home was the LC II, followed by a Performa 6116CD (my first PPC chip), 8150 WGS, beige G3/233, and finally a Blue & White G3 with a G4 upgrade. Twenty years of history and memories defined by the Apple products I used at home and at work. I learned almost everything I know about computing (which is a lot, but not exhaustive) on the Macintosh platform.

In 1995 I started a contract with Apple at a call center for the AAC (I still have my 1990s Apple Assistance coffee cup). I worked for Apple during the dark times: the times of licensing the OS, clones, Pippin, OS 7.5, and Gil Amelio. It was a hard time for Apple; there was a loss of focus on innovation, ease of use, and technology. Stock prices and market share were at an all-time low and naysayers were constantly predicting the closure of Apple's doors. Yet there was always this spirit of hope. In the last few months of my tenure there, Apple bought NeXT, and it was announced that Steve would be returning as a consultant. I left that job to go work elsewhere. I received my hardware and software certifications during that time and was happy to see things beginning to change.

Then the most amazing thing happened: the iMac. Ditch the beige boxes of yesterday and make the internet and home computing fun again for the everyday person. Apple stopped trying to compete with the PC market and made something fun and interesting again. iTunes and the iPod were just around the corner, bringing the wonders of MP3s to the masses. The iPod was not the first MP3 player. I owned a Rio (which worked with iTunes at the time), but in my opinion the iPod changed the world. Mobile devices were never so easy to use, so well integrated with the GUI and operating environment.

With the dissolving of the AIM alliance and the release of OS X, Macintosh computers exploded on the scene as well. Innovation and design were alive again at Apple.

I could go on about the innovation of the iPhone and iPad as well, but those are much less personal to me. I turned many people to the Mac platform. I've used it for 27 years now.

The world became a better place for the technology and innovation developed by the Steves (yes I hold Woz in the same regard). My only hope is that Apple continues to foster and nurture the abilities of other visionaries and innovators.

Thank you Steve, you will be missed. Rest now our friend.

Monday, September 26, 2011

Nikto2

I have been working on a project for my information security class. It requires me to test and gather information on a server before attempting to penetrate it. I have managed to build a good list of information on the server, but I have not managed to penetrate it yet. Of course I'm trying to do this without the use of scripts or applications designed for this server's vulnerabilities, so I'm doing it the hard way, but honestly, did anyone expect anything less of me?

So I'm working through trying to find all the tools I can use to discover all the possible vulnerabilities, and I remember Nikto. For those who are not familiar with Nikto, it is a web server vulnerability tool, a very vertically aligned form of Metasploit (which I wish had student licenses). Nikto 2 has come a long way since the last time I looked at it and seems to be very stable. The thing I like most about Nikto is the mutation capability, being able to change what I need to accomplish my goal. This goes beyond just adding parameter tags, to being able to actively get content loaded on the server. It also has an export-to-Metasploit function, which enables it to be added to a pen tester's suite of tools. Nice.

Within a few minutes and a good nmap scan I was able to determine a mostly complete range of vulnerabilities on the project server. Of course the hard part is actually utilizing these vulnerabilities and exploiting them, but then again, that's what I'm being graded on. Nikto 2 is working flawlessly on my Ubuntu server, my Solaris VM, and my OS X laptop (10.7 Lion).

Tuesday, August 30, 2011

Slowloris and RDP

I was reading up on one of the latest worms to be released this week. It uses RDP to initiate a session and then attempts a dictionary attack against Windows-based hosts. It would seem that this is one of the first attempts to utilize what is really thought of as a utility to initiate a penetration. If one were clever enough, RDP as a utility and terminal services could become a more prominent attack vector.

I remembered reading about an HTTP SYN flood utility in an IRC channel once a few months ago. Slowloris had been demonstrated at DEF CON at one point (I'm not sure which one), but it made me wonder if there have been attempts to initiate half-open sessions to terminal services in the past. It could be argued that since the TCP stack in Slowloris actually initiates and completes a connection, many of the more common remote options could be targeted via DoS. Since most use the TCP stack and then hand off to another service, most of them could be real targets, especially ones which are not used in the main arena of remote connectivity, like TeamViewer or something similar.

Now I know that there are defenses against Slowloris, but they require looking at the number of open connections and determining if that number is too many. This defense would need to be set against each type of remote connection across any number of ports for RDP, ARD, and VNC. Whitelists and constant monitoring would also have to be set up.

It also makes me wonder if NetFlow can detect the number of simultaneous connections rather than leaving it to a script running on the host. I will look to see if Snort has any specific signatures to detect a Slowloris attack and if that sig can be tweaked to look at other services beyond HTTP. I also wonder if Metasploit has a similar vulnerability in the framework.
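The per-service connection-count defense described above, as an added example that is not from the original post: it reads a netstat-style connection table, counts the open connections each client holds on every monitored remote-access port, and flags non-whitelisted clients that exceed the limit. The port numbers are the standard defaults for RDP, VNC and ARD; the per-service limits, the whitelist and the connection table itself are constructed for the example.

```python
# Constructed example: RDP 3389, VNC 5900 and ARD 3283 are the standard
# defaults; the limits, whitelist and connection table are made up.
from collections import Counter

MONITORED_PORTS = {3389: ("RDP", 3), 5900: ("VNC", 3), 3283: ("ARD", 3)}
WHITELIST = {"10.0.0.5"}  # e.g. a jump host that legitimately opens many sessions

# Constructed netstat-like table: proto local remote state.
SAMPLE_TABLE = """\
tcp 192.0.2.10:3389 198.51.100.7:51001 ESTABLISHED
tcp 192.0.2.10:3389 198.51.100.7:51002 ESTABLISHED
tcp 192.0.2.10:3389 198.51.100.7:51003 ESTABLISHED
tcp 192.0.2.10:3389 198.51.100.7:51004 SYN_RECV
tcp 192.0.2.10:5900 10.0.0.5:40001 ESTABLISHED
tcp 192.0.2.10:5900 10.0.0.5:40002 ESTABLISHED
tcp 192.0.2.10:5900 10.0.0.5:40003 ESTABLISHED
tcp 192.0.2.10:5900 10.0.0.5:40004 ESTABLISHED
tcp 192.0.2.10:3389 203.0.113.9:60001 ESTABLISHED
tcp 192.0.2.10:3389 203.0.113.9:60002 TIME_WAIT
tcp 192.0.2.10:22 203.0.113.20:60010 ESTABLISHED
"""

def parse_connections(table):
    """Yield (local_port, remote_ip, state) for each TCP row of the table."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue
        _, local, remote, state = parts
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def count_open(table):
    """Count slots held per (service port, client IP) on monitored ports."""
    # A stalled Slowloris-style client sits in ESTABLISHED and a half-open
    # attempt in SYN_RECV; both hold a slot. TIME_WAIT has already released it.
    counts = Counter()
    for port, ip, state in parse_connections(table):
        if port in MONITORED_PORTS and state in ("ESTABLISHED", "SYN_RECV"):
            counts[(port, ip)] += 1
    return counts

def find_offenders(table, whitelist=WHITELIST):
    """Return [(service, client_ip, count)] for non-whitelisted clients over limit."""
    offenders = []
    for (port, ip), n in sorted(count_open(table).items()):
        name, limit = MONITORED_PORTS[port]
        if ip not in whitelist and n > limit:
            offenders.append((name, ip, n))
    return offenders
```

Running `find_offenders(SAMPLE_TABLE)` flags only the RDP client holding four slots; the VNC client with four is skipped because it is whitelisted.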

I guess it's time to go read more...

Wednesday, July 06, 2011

Regular Expressions

I was setting up a sed script last week when I realized that I needed a regular expression. No big deal right, Google is your friend and I should just be able to find it quickly. I can never do things the easy way though.

I went on a search to improve my limited understanding of regex. I found it...a book. Sams Teach Yourself Regular Expressions in 10 Minutes. I'm not normally a fan of the Sams Teach Yourself line. First off, with work, school, and classes, finding extra time to read something "on the side" is more than problematic (just ask my growing collection of unread Asimov's Sci-Fi). Secondly, I have found in the past that the tutorials in the Sams books have been inadequate for what I was needing. I am pleasantly wrong about this book.

The examples are simple, to the point, and reasonably well explained, with each lesson building on the last with good results. Being able to use this on the command line with grep is solidifying my grep practice as well. I'm hitting one chapter each morning just after normal studies and before my sysadmin job starts. Completing a chapter and being able to use what I learned throughout the day is a pleasant feeling and quite rewarding.

Now I just need to see if they produce a vi book. I'm probably the last emacs holdout in North Texas, and the pressure is mounting: the senior Unix admin refuses to let me install emacs or nano on any of the Solaris boxes.

If you want to beef up on regex, check out the book. I believe I got it from Amazon for about $11. I would also recommend getting a copy of the Added Bytes Cheat Sheets, which are an excellent resource for regex as well as many other programming topics. You can find Added Bytes here.

Monday, May 30, 2011

Summer Semester: Shift in Focus

EC2...wow, just wow. As I sit here trying desperately to wade through the massive amount of material I must read and prep in 23 days, I sit in awe of how Amazon has implemented the EC2. You are probably wondering why I have sprung this topic without any sort of prelude or previous mention, well that's a funny story actually and it all revolves around being flexible.

So I registered for a seminar course this summer, INFS 890. I must take and pass six of these courses to meet the requirements for the DSc program. What I did not realize involves two things: 1. I have completed my core and 2. It's all specialization and dissertation work from here on out. INFS 890 prepares you for dissertation by allowing you to schedule time and resources for your dissertation topic. I now have a dissertation area, professor, and direction. So when discussing the needs of the course with the instructor I came to a choice, a fork in the road if you will, between network security and cloud security. Given the resources and position of my current work projects I chose cloud security, and to quote Indiana Jones, it would seem that I have chosen wisely.

I started playing with EC2 last week after reading the apology letter from Amazon regarding the recent outage. The way that the infrastructure is set up is amazing. I started creating my own instances and modifying other AMIs to meet my curiosity. Wow...30 seconds to VM creation. So many distributions and so inexpensive. Being able to set the instances in a good arrangement and then save that arrangement as a CloudFormation. Wow. I loved being able to set up Ubuntu in just minutes. I doubt I will ever need a home machine to do OS testing and learning. I have been trying to get back into SuSE, and instead of buying or re-purposing a machine to do this, I can now just launch an AMI, make the changes I need, and continue on my merry way.

This does leave some serious security questions though, and if the literature at this point is any indication, EC2 security is being left in the hands of the users. The literature on this is far from sparse (YAY), meaning it's a hot topic and there is no great silver bullet answer. I have seen some excellent ideas in the articles so far and I am starting to implement them myself in my own test cloud. Of course I do have to watch the cost, but that's why I applied to the AWS in Education program, perhaps with a little luck, Amazon will allow me to play and learn at a reduced cost.

Thursday, March 24, 2011

Spring Update: So Far Behind!

I managed to pull away from work and studies for two stimulating days and drive to San Antonio for the 1st annual ACM SIGSAC CODASPY conference. I learned quite a lot and managed to meet some fascinating academics and practitioners.

The conference itself was good and the papers were a great read. Dr. Sandhu made an excellent keynote presentation about the upcoming challenges in security, especially application security in a mobile market. I also really enjoyed several of the discussions I had with the presenters. I was also extremely excited to know that my curiosity in certain fields, mainly security related to mobile and embedded devices, seems to be an expanding field. I even managed to meet the author of a textbook I plan on using at my local university in the next year to meet my teaching requirement.

I also walked away having met some fantastic people in the realm of practitioner security. I am now, more than ever, ready to take and pass my CISSP exam. I received a lot of great advice and encouragement from current CISSP holders and was taken up on my offer to assist in the working of the conference next year.

All in all - an awesome experience.

Wednesday, January 19, 2011

DSU Spring 2011 Semester

Well, I am registered for this semester and taking Systems Analysis and Design as well as Information Technology Strategy and Policy. It looks like it is going to be a great semester, although a very busy one. After this semester I will be in specialization coursework only (Yay for core completion)!

I am going to throw my spring project ideas out to my FB friends and see what comes up as a possible spring project. I will post here what the results of that will be.